DLLHijackingScanner is a PoC for bypassing UAC using DLL hijacking and abusing the “Trusted Directories” verification.
Generate Header from CSV
The python script CsvToHeader.py can be used to generate a header file. By default it will use the CSV file dll_hijacking_candidates.csv that can be found here: dll_hijacking_candidates.csv.
The script will check for each portable executable(PE) the following condition:
asInvokerhighestAvailablerequireAdministrator-c argument, the script will check if the DLL to hijack is in the list of DLLs imported form PE table.python .\CsvToHeader.py -h
usage: CsvToHeader.py -f [DLL_PATH] -c
CsvToHeader can be used to generate a header file from a CSV.
optional arguments:
-h, –help show this help message and exit
-f [DLL_PATH] Path of the csv to convert (default=”dll_hijacking_candidates.csv”)
-c Enable import dll in PE (default=False)
-v, –version Show program’s version number and exit
To generate the header file you can use the following command:
python CsvToHeader.py > dll_hijacking_candidates.h
Generate the list of vulnerable PE and DLL
The files that will be used are DLLHijacking.exe and test.dll.
DLLHijacking.exe is the file that will be used to generate the list of vulnerable PE. It will perform the following steps:
C:\windows \system32.C:\windows\system32\[TARGET.EXE] to C:\windows \system32\[TARGET.EXE][CUSTOM_DLL_PATH] to C:\windows \system32\[TARGET.DLL]C:\windows \system32\[TARGET.EXE]C:\ProgramData\exploit.txt to see if the exploit was successful.DLLHijacking.exe will always generate a log file exploitable.log with the following content:
E.g.
1,computerdefaults.exe,PROPSYS.dll
0,computerdefaults.exe,Secur32.dll
Execution
Command to run:
DLLHijacking.exe [DLL_PATH]
if no argument is passed, the script will use the DLL test.dll which is stored in the resouce of DLLHijacking.exe.
Tested on Windows 10 Pro (10.0.19043 N/A Build 19043).
test.dll
test.dll is a simple dynamic library that will be use to see if the exploit is successfully. The DLL will create a file C:\ProgramData\exploit.txt with the following content:
This file will be deleted once the exploit is complete.
Have you ever come across a picture on the internet and wondered where it came…
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…
Managing user accounts is a core responsibility for any Linux administrator. Whether you’re securing a…