Showing posts with the label DLL Hijacking

Auto_DLL_Hijack_Suite_GUI

  This project provides a suite of two Python-based GUI tools designed to automate and streamline the process of discovering and testing potential DLL hijacking vulnerabilities in Windows applications. It leverages Sysinternals Process Monitor (Procmon) for data collection and provides a framework for testing identified hijack points with user-selected payloads.

  Many applications attempt to load Dynamic Link Libraries (DLLs) without specifying a full path. If these DLLs are not found in standard locations, an attacker might be able to place a malicious DLL with the same name in a location that the application searches earlier (e.g., the application’s own directory if it has weak permissions), leading to the malicious DLL being loaded and executed. Manually identifying all such...

Streamlining DLL Hijacking with Automated Testing

  I’ve developed a script that automates the DLL hijacking process. During my testing, I noticed that we often focus on DLLs marked as “Not Found” when testing for DLL hijacking. However, an interesting observation is that among these “Not Found” DLLs, a few (typically one or two) might actually execute, even though we don’t manually test all of them. This script helps automate the testing of all potential DLLs. Note that the payload execution still requires manual verification, as the script is currently a work in progress.

  Features:

  - Does not perform testing on DLLs within the Windows directory.
  - If the command prompt runs with administrative privileges, the script will ask if you want to execute with elevated permissions.
  - Allows exploitation with either administrative or normal user privileges.
  - Offers multiple payload options to choose from.

  Execution Process: Run Run1_Auto_DLL_Hijacking_Admin.bat with administrative privileges. It first launches Procmon and then prom...