DLL hijacking automation process
DLL hijacking is a technique that abuses the library search order to gain code execution inside a particular process. If the current user can write to one of the directories the system searches for libraries, a malicious DLL can be placed there; when the OS attempts to load the expected library, it loads the malicious one instead.
Normally, Windows first tries to load a DLL from the process's own directory, but if the DLL is not found there, the loader searches a set of known directories:
The search order depends on SafeDllSearchMode. For more information about SafeDllSearchMode, see https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order
If SafeDllSearchMode is enabled, the search order is as follows:
If SafeDllSearchMode is disabled, the search order is as follows:
Knowing that, I created grand theft dll (hereafter, gtdll). This application aims to automate the DLL hijacking process. Using gtdll we can analyze a process's behaviour quickly, learning which DLLs the process loads and whether those DLLs are present on disk. When the tool detects that a DLL is missing, it tries to write a malicious DLL into the search paths mentioned above.
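As an added example that is not part of gtdll or the original page, the following PowerShell script performs the defensive counterpart of what the tool automates: it reads SafeDllSearchMode from the registry, checks which directories on a running process's DLL search path the current user can write to, and lists loaded modules that came from such a directory or from an unexpected location. The process-name parameter, the Test-DirWritable helper and the write-probe approach are my assumptions, not the tool's code; the probe creates and immediately deletes an empty temporary file, so run it as the low-privilege account whose access you want to measure.

```powershell
# Added audit example, not part of gtdll: report DLL search-order exposure for a running process
# from the defender's side. Assumptions (not from the original page): run as the low-privilege
# user whose write access is being measured; process name given without ".exe", as gtdll expects.
param(
    [Parameter(Mandatory = $true)][string]$ProcessName
)

# 1. SafeDllSearchMode lives under Session Manager. A value of 0 disables it (the current
#    directory is then searched before the system directories); a missing value means enabled.
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$sm = (Get-ItemProperty -Path $smKey -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
if ($null -eq $sm -or $sm -ne 0) {
    Write-Host "[+] SafeDllSearchMode is enabled (value: $(if ($null -eq $sm) { 'not set, default' } else { $sm }))"
} else {
    Write-Warning "SafeDllSearchMode is DISABLED (value 0): the current directory is searched early"
}

# 2. Write probe: create and immediately delete an empty file. This measures the effective
#    permission of the running account, which is what matters for DLL planting.
function Test-DirWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ("dll-audit-" + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

# 3. Directories consulted during DLL resolution: the application directory, the system
#    directories and every PATH entry (the SafeDllSearchMode lists give the exact order).
$proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
if (-not $proc.Path) { throw "Cannot read the image path of '$ProcessName' (protected or other-session process)" }
$appDir = Split-Path -Parent $proc.Path
$searchDirs = @($appDir, "$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot) +
              @($env:Path -split ';' | Where-Object { $_ -ne '' })
$searchDirs = $searchDirs | Select-Object -Unique

Write-Host "`n[*] Search-path directories writable by $env:USERNAME (should be none for a standard user):"
$writable = @()
foreach ($d in $searchDirs) {
    if (Test-DirWritable $d) {
        $writable += $d
        Write-Warning "  writable: $d"
    }
}
if ($writable.Count -eq 0) { Write-Host "  none" }

# 4. Modules the process has already loaded. One loaded from a writable directory is the
#    condition a hijack needs; one loaded from outside System32/WinSxS/the app directory is
#    worth a review even if the directory is not writable today.
Write-Host "`n[*] Loaded modules to review:"
try {
    $modules = @($proc.Modules)
} catch {
    throw "Cannot enumerate modules of '$ProcessName' (bitness mismatch or insufficient rights): $_"
}
foreach ($m in $modules) {
    $mdir = Split-Path -Parent $m.FileName
    $trusted = ($mdir -eq $appDir) -or
               ($mdir -like "$env:SystemRoot\System32*") -or
               ($mdir -like "$env:SystemRoot\WinSxS*")
    if ($writable -contains $mdir) {
        Write-Warning "  [WRITABLE DIR] $($m.FileName)"
    } elseif (-not $trusted) {
        Write-Host "  [review]       $($m.FileName)"
    }
}
```

Run it as `.\Audit-DllSearchPath.ps1 -ProcessName explorer` from the account under test. The fix for anything it flags is on the permission side: remove write access for standard users from every directory on the search path (PATH entries installed by third-party software are the usual offenders), and keep SafeDllSearchMode at its default.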
git clone https://github.com/nnicogomez/grand-theft-dll.git
pip install -r requirements.txt
-process <process>: Mandatory parameter. Indicates the target process, which must be running when the script is executed. Don't include the ".exe" extension.
-autoexploitation: Switch parameter. If set, the script will try to perform the DLL hijacking.
-type <autoexploitation_mode>:
f: First path mode. The script will inject the DLL file into the first possible path.
a: Annihilation mode. The script will inject the DLL into all the paths.
-dllp <dll_path>: Path to the malicious DLL.
-url <dll_url>: Download the DLL from the given URL.
Get-Help .\gtdll.ps1
.\gtdll.ps1 -process explorer
grand-theft.dll - A Windows tool to perform DLL hijacking attacks.
Nicolás Gómez - Copyright © 2020
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.