A C# based tool that automates discovering and exploiting DLL hijacks in target binaries. The hijackable paths it discovers can later be weaponized during Red Team operations to evade EDRs.
Methodological Approach:
The tool automates the following stages of DLL hijacking:
- Discovery – finding potentially vulnerable DLL hijack paths
- Exploitation – confirming that the confirmatory DLL was loaded from the hijacked path, which confirms a 100% exploitable DLL hijack
Discovery Methodology:
- Provide the target binary path to ImpulsiveDLLHijack.exe
- ProcMon is automated alongside execution of the target binary to find potentially vulnerable DLL-hijackable paths.
Exploitation Methodology:
Note: the “Entry Point not found” error is handled programmatically, so there is no need to close the MsgBox manually; closing it by hand would otherwise crash the tool.
- Once the DLL hijacking process has completed for every potentially vulnerable DLL hijack path, the final output is printed to the console and written to a text file (C:\DLLLogs\output_logs.txt) in the following format:
- <DLLHijack_path> –> DLL Hijack Successful (if the Hijack was successful)
- <DLLHijack_path> –> DLL Hijack Unsuccessful (if the Hijack was unsuccessful)
- <DLLHijack_path> –> DLL Hijack Successful [Entry Point Not Found – Manual Analysis Required] (if the Entry point was not found but can be successful after manual analysis)
- <DLLHijack_path> –> DLL Hijack Successful [Entry Point Not Found] (if the hijack was successful even after the entry point was not found)
- <DLLHijack_path> –> Copy: Access to Path is Denied (Access denied)
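As an added example (not code from the ImpulsiveDLLHijack project), the following Python triage helper parses a result log in the line format listed above and buckets each path by outcome, so that a defender reviewing a run can prioritise confirmed-hijackable paths for ACL hardening or removal. It assumes each line is `<path> --> <status text>` (the `->` and `–>` arrow spellings are accepted too) and that the status texts match the five variants above; the sample log embedded in the block is constructed, with placeholder paths.

```python
"""Triage helper for an ImpulsiveDLLHijack-style result log.

Added example, not part of the ImpulsiveDLLHijack project. It assumes each
line of the output log (C:\\DLLLogs\\output_logs.txt in the write-up) looks like
    <DLLHijack_path> --> <status text>
and classifies each line so a defender can decide which hijackable paths to
remediate first and which need manual follow-up. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class HijackStatus(Enum):
    SUCCESSFUL = "successful"
    UNSUCCESSFUL = "unsuccessful"
    ENTRY_POINT_MANUAL = "entry_point_not_found_manual_analysis"
    ENTRY_POINT_SUCCESS = "entry_point_not_found_successful"
    ACCESS_DENIED = "access_denied"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class HijackResult:
    path: str
    status: HijackStatus


# Accept "-->", "->" or the en-dash variant "–>" used in the write-up.
_ARROW = re.compile(r"\s+(?:-->|->|\u2013>)\s+")


def classify_status(text: str) -> HijackStatus:
    """Map the free-text status after the arrow onto a HijackStatus."""
    t = text.strip().lower()
    if t.startswith("copy:") and "access" in t and "denied" in t:
        return HijackStatus.ACCESS_DENIED
    if "dll hijack unsuccessful" in t:
        return HijackStatus.UNSUCCESSFUL
    if "dll hijack successful" in t:
        if "entry point not found" in t:
            if "manual analysis required" in t:
                return HijackStatus.ENTRY_POINT_MANUAL
            return HijackStatus.ENTRY_POINT_SUCCESS
        return HijackStatus.SUCCESSFUL
    return HijackStatus.UNKNOWN


def parse_line(line: str) -> Optional[HijackResult]:
    """Split one log line at the first arrow; blank lines yield None."""
    line = line.strip()
    if not line:
        return None
    parts = _ARROW.split(line, maxsplit=1)
    if len(parts) != 2:
        # No arrow: keep the line so it is not silently dropped from review.
        return HijackResult(path=line, status=HijackStatus.UNKNOWN)
    path, status_text = parts
    return HijackResult(path=path.strip(), status=classify_status(status_text))


def parse_log(text: str) -> List[HijackResult]:
    results = []
    for line in text.splitlines():
        r = parse_line(line)
        if r is not None:
            results.append(r)
    return results


def remediation_candidates(results: List[HijackResult]) -> List[str]:
    """Paths where the hijack was confirmed (with or without an entry point):
    these are the ones to lock down first (ACLs, remove writable search-path
    directories, or pin the load to a trusted location)."""
    confirmed = {HijackStatus.SUCCESSFUL, HijackStatus.ENTRY_POINT_SUCCESS}
    return [r.path for r in results if r.status in confirmed]


def summarise(results: List[HijackResult]) -> Dict[str, int]:
    """Count of results per status value, for a quick report."""
    return {s.value: n for s, n in Counter(r.status for r in results).items()}


# Constructed sample log with placeholder paths; not real tool output.
SAMPLE_LOG = """\
C:\\Users\\alice\\AppData\\Local\\ExampleApp\\version.dll --> DLL Hijack Successful
C:\\Program Files\\ExampleApp\\dbghelp.dll --> DLL Hijack Unsuccessful
C:\\Users\\alice\\AppData\\Local\\ExampleApp\\cryptbase.dll --> DLL Hijack Successful [Entry Point Not Found - Manual Analysis Required]
C:\\Users\\alice\\AppData\\Local\\ExampleApp\\wow64log.dll --> DLL Hijack Successful [Entry Point Not Found]
C:\\Windows\\System32\\example.dll --> Copy: Access to Path is Denied
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(summarise(parsed))
    for p in remediation_candidates(parsed):
        print("remediate:", p)
```

Lines with the "Manual Analysis Required" marker are deliberately kept out of `remediation_candidates`: the write-up says those need a human to confirm, so they belong in a separate review queue rather than being treated as confirmed.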
These confirmed DLL-hijackable paths can later be weaponized during a Red Team engagement to load a malicious DLL implant via a legitimate executable (such as OneDrive, Firefox, MSEdge, “Bring your own LOLBINs”, etc.) and bypass state-of-the-art EDRs, as most of them fail to detect DLL hijacking, as assessed by George Karantzas and Constantinos Patsakis in their research paper: https://arxiv.org/abs/2108.10422
Source: Penetration Testing