DLLHijackingScanner is a PoC for bypassing UAC using DLL hijacking and abusing the “Trusted Directories” verification.
Generate Header from CSV
The python script CsvToHeader.py can be used to generate a header file. By default it will use the CSV file dll_hijacking_candidates.csv, which can be found here: dll_hijacking_candidates.csv.
The script will check, for each portable executable (PE), whether it declares one of the following execution levels:
asInvoker
highestAvailable
requireAdministrator
With the -c argument, the script will also check whether the DLL to hijack is in the list of DLLs imported from the PE's import table.
python .\CsvToHeader.py -h
usage: CsvToHeader.py -f [DLL_PATH] -c
CsvToHeader can be used to generate a header file from a CSV.
optional arguments:
-h, --help show this help message and exit
-f [DLL_PATH] Path of the csv to convert (default="dll_hijacking_candidates.csv")
-c Enable import dll in PE (default=False)
-v, --version Show program's version number and exit
To generate the header file you can use the following command:
python CsvToHeader.py > dll_hijacking_candidates.h
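The two checks described above (which execution level a PE's manifest requests, and turning a candidate list into a header) are shown below as an added example. This is not the project's CsvToHeader.py: the CSV column names (Executable, DLL, ExecutionLevel), the sample manifest and the header layout are assumptions made for the example, since the page does not show the real formats.

```python
"""Added example (not the project's CsvToHeader.py): classify a PE manifest's
requestedExecutionLevel and emit a C header from a candidate CSV.

Assumptions, labelled as such: the CSV column names (Executable, DLL,
ExecutionLevel) and the header layout are made up for this example; the real
CSV and header formats are not shown on the page.
"""
import csv
import io
import xml.etree.ElementTree as ET

# The three execution levels a manifest can request.
EXECUTION_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")

# Constructed sample manifest with the usual RT_MANIFEST structure.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

# Constructed CSV rows; the computerdefaults.exe rows mirror the page's log sample.
SAMPLE_CSV = """Executable,DLL,ExecutionLevel
computerdefaults.exe,PROPSYS.dll,highestAvailable
computerdefaults.exe,Secur32.dll,highestAvailable
example.exe,example.dll,asInvoker
"""


def requested_execution_level(manifest_xml):
    """Return the level attribute of requestedExecutionLevel, or None if absent/unknown.

    Namespaces are ignored on purpose: trustInfo appears under asm.v2 or asm.v3,
    and some manifests declare no namespace at all.
    """
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return None
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "requestedExecutionLevel":
            level = elem.get("level")
            return level if level in EXECUTION_LEVELS else None
    return None


def select_candidates(csv_text, levels=("highestAvailable", "requireAdministrator")):
    """Keep only the (exe, dll) rows whose ExecutionLevel is one of `levels`."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["Executable"], r["DLL"]) for r in rows if r["ExecutionLevel"] in levels]


def csv_to_header(csv_text, levels=("highestAvailable", "requireAdministrator")):
    """Render the selected pairs as a C header (the layout is this example's own)."""
    pairs = select_candidates(csv_text, levels)
    out = [
        "#pragma once",
        "",
        "struct Candidate { const wchar_t *exe; const wchar_t *dll; };",
        "",
        "static const struct Candidate CANDIDATES[] = {",
    ]
    for exe, dll in pairs:
        out.append('    {L"%s", L"%s"},' % (exe, dll))
    out.append("};")
    out.append("#define CANDIDATE_COUNT %d" % len(pairs))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("manifest level:", requested_execution_level(SAMPLE_MANIFEST))
    print(csv_to_header(SAMPLE_CSV))
```

Reading the manifest out of a real PE (the RT_MANIFEST resource) is left out here; the parser takes the manifest XML as a string so it runs offline on the constructed sample.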
Generate the list of vulnerable PE and DLL
The files that will be used are DLLHijacking.exe and test.dll.
DLLHijacking.exe is the file that will be used to generate the list of vulnerable PE. It will perform the following steps:
Create the directory C:\windows \system32 (note the trailing space after "windows").
Copy C:\windows\system32\[TARGET.EXE] to C:\windows \system32\[TARGET.EXE].
Copy [CUSTOM_DLL_PATH] to C:\windows \system32\[TARGET.DLL].
Execute C:\windows \system32\[TARGET.EXE].
Check for C:\ProgramData\exploit.txt to see if the exploit was successful.
DLLHijacking.exe will always generate a log file exploitable.log with the following content:
E.g.
1,computerdefaults.exe,PROPSYS.dll
0,computerdefaults.exe,Secur32.dll
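The log lines above are comma-separated: a 1 or 0 result, the PE name and the DLL name. The following added example (not part of the scanner) parses an exploitable.log into records, skips malformed lines instead of crashing, and summarises the result per PE so the pairs that need attention can be triaged; the sample log is constructed from the two lines shown above plus an extra pair and a malformed line.

```python
"""Added example, not part of DLLHijackingScanner: parse exploitable.log and
summarise which PE/DLL pairs loaded the test DLL.

Format assumed from the page's sample: <result>,<PE>,<DLL> with result 1 or 0.
"""
from collections import defaultdict

# Constructed log excerpt: the page's two lines, one extra pair, a blank and a malformed line.
SAMPLE_LOG = """1,computerdefaults.exe,PROPSYS.dll
0,computerdefaults.exe,Secur32.dll
1,example.exe,example.dll

this line is malformed
"""


def parse_exploitable_log(text):
    """Return a list of (succeeded, pe, dll) tuples; blank or malformed lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        # Exactly three fields and a 0/1 result, otherwise the line is not a log entry.
        if len(parts) != 3 or parts[0] not in ("0", "1") or not parts[1] or not parts[2]:
            continue
        records.append((parts[0] == "1", parts[1], parts[2]))
    return records


def summarize(records):
    """Group DLL names per PE into 'exploitable' and 'not_exploitable' buckets."""
    by_pe = defaultdict(lambda: {"exploitable": [], "not_exploitable": []})
    for ok, pe, dll in records:
        by_pe[pe]["exploitable" if ok else "not_exploitable"].append(dll)
    return dict(by_pe)


def exploitable_pairs(records):
    """Sorted, de-duplicated (pe, dll) pairs whose result was 1."""
    return sorted({(pe, dll) for ok, pe, dll in records if ok})


if __name__ == "__main__":
    recs = parse_exploitable_log(SAMPLE_LOG)
    for pe, buckets in summarize(recs).items():
        print(pe, buckets)
    print("pairs to follow up:", exploitable_pairs(recs))
```

The de-duplication in exploitable_pairs matters when the scanner has been run more than once and the log has been appended to rather than replaced.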
Execution
Command to run:
DLLHijacking.exe [DLL_PATH]
If no argument is passed, the program will use the DLL test.dll, which is stored in the resources of DLLHijacking.exe.
Tested on Windows 10 Pro (10.0.19043 N/A Build 19043).
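The scanner's steps depend on a directory whose name only matches a trusted system directory once surrounding whitespace is stripped (C:\windows \system32). The detection logic below is an added example, not part of the scanner: it flags file paths whose components differ from their whitespace-stripped form while the stripped form sits under C:\Windows or C:\Windows\System32, which is how a defender would spot the spoofed directory in file-create telemetry. The list of protected prefixes and the sample event paths are constructed assumptions for the example.

```python
"""Added example, not part of DLLHijackingScanner: flag paths that impersonate a
trusted directory through leading/trailing whitespace in a path component.

Run it over file-create event paths from your own telemetry; the events below
are constructed for the example.
"""
from pathlib import PureWindowsPath

# Assumption: the trusted prefixes worth protecting for this technique. Each is a
# tuple of already lowercased, whitespace-stripped path components.
TRUSTED_PREFIXES = (
    ("c:\\", "windows"),
    ("c:\\", "windows", "system32"),
)

# Constructed sample events, e.g. TargetFilename values from file-create events.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\computerdefaults.exe",
    r"C:\windows \system32\computerdefaults.exe",
    r"C:\windows \system32\PROPSYS.dll",
    r"C:\Windows\System32 \somefile.dll",
    r"C:\ProgramData\exploit.txt",
    r"C:\Users\alice\windows \system32\notes.txt",
]


def is_spoofed_trusted_path(path):
    """True when the path is under a trusted prefix only after stripping whitespace
    from its components, i.e. some raw component carries extra spaces."""
    raw = list(PureWindowsPath(path).parts)
    norm = [c.strip().lower() for c in raw]
    for prefix in TRUSTED_PREFIXES:
        n = len(prefix)
        if tuple(norm[:n]) != prefix:
            continue
        # Same directory once normalised, but the raw spelling differs by whitespace.
        if any(r.lower() != s for r, s in zip(raw[:n], norm[:n])):
            return True
    return False


def flag_events(paths):
    """Return the subset of event paths that look like a spoofed trusted directory."""
    return [p for p in paths if is_spoofed_trusted_path(p)]


if __name__ == "__main__":
    for p in flag_events(SAMPLE_EVENTS):
        print("spoofed trusted directory:", repr(p))
```

Case differences alone (C:\Windows versus c:\windows) are deliberately not flagged, since Windows paths are case-insensitive; only whitespace that survives in the raw component triggers the check.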
test.dll
test.dll is a simple dynamic library that will be used to see if the exploit was successful. The DLL will create a file C:\ProgramData\exploit.txt with the following content:
This file will be deleted once the exploit is complete.