├── Calc DLL POC ├── calc32.dll └── calc64.dll ├── ImpulsiveDLLHijack ├── ImpulsiveDLLHijack.sln └── ImpulsiveDLLHijack │ ├── App.config │ ├── ImpulsiveDLLHijack.csproj │ ├── Program.cs │ ├── Properties │ └── AssemblyInfo.cs │ └── packages.config ├── Precompiled- ImpulsiveDLLHijack ├── ImpulsiveDLLHijack.exe ├── ImpulsiveDLLHijack.exe.config ├── PeNet.Asn1.dll ├── PeNet.dll ├── System.Buffers.dll ├── System.Buffers.xml ├── System.Memory.dll ├── System.Memory.xml ├── System.Numerics.Vectors.dll ├── System.Numerics.Vectors.xml ├── System.Runtime.CompilerServices.Unsafe.dll ├── System.Runtime.CompilerServices.Unsafe.xml ├── System.Security.Cryptography.Pkcs.dll └── System.Security.Cryptography.Pkcs.xml ├── Prerequisites ├── MalDLL │ ├── MalDLL.sln │ └── MalDLL │ │ ├── MalDLL.vcxproj │ │ ├── MalDLL.vcxproj.filters │ │ ├── MalDLL.vcxproj.user │ │ ├── dllmain.cpp │ │ ├── framework.h │ │ ├── pch.cpp │ │ └── pch.h ├── Procmon.exe ├── maldll32.dll └── maldll64.dll └── README.md /Calc DLL POC/calc32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Calc DLL POC/calc32.dll -------------------------------------------------------------------------------- /Calc DLL POC/calc64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Calc DLL POC/calc64.dll -------------------------------------------------------------------------------- /ImpulsiveDLLHijack/ImpulsiveDLLHijack.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31205.134 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ImpulsiveDLLHijack", "ImpulsiveDLLHijack\ImpulsiveDLLHijack.csproj", "{614C8F13-68DD-4A30-BA8F-0FD261C218A0}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {614C8F13-68DD-4A30-BA8F-0FD261C218A0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {614C8F13-68DD-4A30-BA8F-0FD261C218A0}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {614C8F13-68DD-4A30-BA8F-0FD261C218A0}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {614C8F13-68DD-4A30-BA8F-0FD261C218A0}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {AE63472A-86C1-4C4B-AF11-40D25F63575B} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /ImpulsiveDLLHijack/ImpulsiveDLLHijack/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /ImpulsiveDLLHijack/ImpulsiveDLLHijack/ImpulsiveDLLHijack.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {614C8F13-68DD-4A30-BA8F-0FD261C218A0} 8 | Exe 9 | ImpulsiveDLLHijack 10 | ImpulsiveDLLHijack 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | none 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | true 38 | 39 | 40 | 41 | ..\packages\PeNet.2.8.1\lib\netstandard2.0\PeNet.dll 42 | 43 | 44 | ..\packages\PeNet.Asn1.1.5.1\lib\netstandard2.0\PeNet.Asn1.dll 45 | 46 | 47 | 48 | 49 | ..\packages\System.Buffers.4.5.1\lib\net461\System.Buffers.dll 50 | 51 | 52 | 53 | ..\packages\System.Memory.4.5.4\lib\net461\System.Memory.dll 54 | 55 | 56 | 57 | ..\packages\System.Numerics.Vectors.4.5.0\lib\net46\System.Numerics.Vectors.dll 58 | 59 | 60 | ..\packages\System.Runtime.CompilerServices.Unsafe.5.0.0\lib\net45\System.Runtime.CompilerServices.Unsafe.dll 61 | 62 | 63 | 64 | ..\packages\System.Security.Cryptography.Pkcs.5.0.1\lib\net461\System.Security.Cryptography.Pkcs.dll 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | -------------------------------------------------------------------------------- /ImpulsiveDLLHijack/ImpulsiveDLLHijack/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.IO; 7 | using System.Diagnostics; 8 | using System.Threading; 9 | using System.Windows; 10 | using System.Text.RegularExpressions; 11 | using System.Runtime.InteropServices; 12 | 13 | namespace ImpulsiveDLLHijack 14 | { 15 | class Program 16 | { 17 | [DllImport("user32.dll", SetLastError = true)] 18 | static extern IntPtr FindWindowA(string lpClassName, string lpWindowName); 19 | [DllImport("user32.dll", SetLastError = true)] 20 | public static extern int SendMessage(IntPtr hWnd, uint wMsg, IntPtr wParam, IntPtr lParam); 21 | static uint WM_CLOSE = 0x10; 22 | 23 | 24 | public static byte[] StringToByteArray(string hex) 25 | { 26 | return Enumerable.Range(0, hex.Length) 27 | .Where(x => x % 2 == 0) 28 | .Select(x => Convert.ToByte(hex.Substring(x, 2), 16)) 29 | .ToArray(); 30 | } 31 | 32 | public static void GenPMC(string hexString2,string filename) 33 | { 34 | // Generating Custom PMC File as per the process name and filters 35 | 36 | string currentworkingdirectory = Directory.GetCurrentDirectory(); 37 | string hexString1 = "A000000010000000200000008000000043006F006C0075006D006E007300000032006400280064007902640064000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002C00000010000000280000000400000043006F006C0075006D006E0043006F0075006E0074000000070000002401000010000000240000000001000043006F006C0075006D006E004D006100700000008E9C0000759C0000769C0000779C0000879C0000789C0000799C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A400000010000000280000007C000000440062006700480065006C0070005000610074006800000043003A005C00500072006F006700720061006D002000460069006C00650073005C0044006500620075006700670069006E006700200054006F006F006C007300200066006F0072002000570069006E0064006F00770073002000280078003600340029005C00640062006700680065006C0070002E0064006C006C00200000001000000020000000000000004C006F006700660069006C00650000002C00000010000000280000000400000048006900670068006C006900670068007400460047000000000000002C00000010000000280000000400000048006900670068006C00690067006800740042004700000080FFFF001C000000100000001C000000000000005400680065006D00650000007C00000010000000200000005C0000004C006F00670046006F006E0074000000080000000000000000000000000000009001000000000000000000004D00530020005300680065006C006C00200044006C0067000000000000000000000000000000000000000000000000000000000000000000000000000000000088000000100000002C0000005C00000042006F006F006F006B006D00610072006B0046006F006E007400000008000000000000000000000000000000BC02000000000000000000004D00530020005300680065006C006C00200044006C006700000000000000000000000000000000000000000000000000000000000000000000000000000000002E000000100000002A0000000400000041006400760061006E006300650064004D006F00640065000000010000002A0000001000000026000000040000004100750074006F007300630072006F006C006C000000000000002E000000100000002A0000000400000048006900730074006F00720079004400650070007400680000001200000028000000100000002400000004000000500072006F00660069006C0069006E0067000000000000003800000010000000340000000400000044006500730074007200750063007400690076006500460069006C007400650072000000000000002C00000010000000280000000400000041006C0077006100790073004F006E0054006F007000000000000000360000001000000032000000040000005200650073006F006C00760065004100640064007200650073007300650073000000010000002600000010000000260000000000000053006F007500720063006500500061007400680000008400000010000000260000005E000000530079006D0062006F006C00500061007400680000007300720076002A00680074007400700073003A002F002F006D00730064006C002E006D006900630072006F0073006F00660074002E0063006F006D002F0064006F0077006E006C006F00610064002F00730079006D0062006F006C007300B8000000100000002800000090000000460069006C00740065007200520075006C006500730000000103000000759C000000000000012E000000"; // 1st Blob of PMC 38 | string hexString3 = "789C00000600000001140000004E004F005400200046004F0055004E00440000000000000000000000879C000005000000010A0000002E0064006C006C000000000000000000000033000000100000002E0000000500000048006900670068006C006900670068007400520075006C00650073000000010000000032000000100000002E0000000400000046006C0069006700680074005200650063006F00720064006500720000000000000032000000100000002E00000004000000520069006E006700420075006600660065007200530069007A00650000000000000030000000100000002C00000004000000520069006E0067004200750066006600650072004D0069006E00000000000000"; // 3rd Blob of PMC 39 | string finalstring = hexString1 + hexString2 + hexString3; // Concat the 3 Blobs of PMC File structure 40 | File.WriteAllBytes("config.pmc", StringToByteArray(finalstring)); // Write Custom PMC File 41 | Console.WriteLine("\n[+] Generated Custom PMC File : " + currentworkingdirectory + "\\config.pmc"); 42 | 43 | } 44 | 45 | public static List FindVulnHijacksPaths(string currentdirectory, string processpath, string filename, string inputarguments) 46 | { 47 | // Start Process-Monitor 48 | Console.WriteLine("[+] Starting Process-Monitor "); 49 | 50 | Process procmon1 = new Process(); 51 | ProcessStartInfo proc = new ProcessStartInfo(); 52 | proc.CreateNoWindow = true; 53 | proc.FileName = "Procmon.exe"; 54 | proc.Arguments = "/Minimized /AcceptEula /quiet /LoadConfig " + "\"" + currentdirectory + "\"" + "\\config.pmc /backingfile " + "\"" + currentdirectory + "\\logs.pml\""; 55 | procmon1.StartInfo = proc; 56 | procmon1.Start(); 57 | 58 | // Run the Target Process 59 | Thread.Sleep(10000); 60 | string filenamewithext = Path.GetFileName(processpath); 61 | Console.WriteLine("[+] Executing " + filenamewithext + " " + inputarguments + "!"); 62 | 63 | 64 | Process targetprocess = new Process(); 65 | ProcessStartInfo mainprocess = new ProcessStartInfo(); 66 | mainprocess.CreateNoWindow = true; 67 | mainprocess.FileName = processpath; 68 | mainprocess.Arguments = inputarguments; 69 | targetprocess.StartInfo = mainprocess; 70 | targetprocess.Start(); 71 | targetprocess.WaitForExit(10000); // Run target process for 20seconds! 72 | try 73 | { 74 | targetprocess.Kill(); 75 | Console.WriteLine("[+] Exiting " + filenamewithext); 76 | } 77 | catch (System.InvalidOperationException) 78 | { 79 | Console.WriteLine("[-] Process exited automatically"); 80 | } 81 | 82 | 83 | if (targetprocess.HasExited == true) 84 | { 85 | 86 | //Terminate Proc-Mon Process 87 | 88 | 89 | Process closeprocmon = new Process(); 90 | ProcessStartInfo closeie = new ProcessStartInfo(); 91 | closeie.CreateNoWindow = true; 92 | closeie.FileName = "Procmon.exe"; 93 | closeie.Arguments = "/terminate "; 94 | closeprocmon.StartInfo = closeie; 95 | closeprocmon.Start(); 96 | Console.WriteLine("[+] Exiting Process-Monitor"); 97 | procmon1.WaitForExit(); 98 | if (procmon1.HasExited == true) 99 | { 100 | // Save the Output of Procmon to CSV. 101 | Console.WriteLine("[+] Generating CSV ProcMon Log File: " + "\\vulnpaths.csv"); 102 | Process savecsv = new Process(); 103 | ProcessStartInfo csv = new ProcessStartInfo(); 104 | csv.CreateNoWindow = true; 105 | csv.FileName = "Procmon.exe"; 106 | csv.Arguments = "/Minimized /AcceptEula /quiet /SaveApplyFilter /saveas " + "\"" + currentdirectory + "\"" + "\\vulnpaths.csv /OpenLog " + "\"" + currentdirectory + "\\logs.pml\""; 107 | savecsv.StartInfo = csv; 108 | savecsv.Start(); 109 | savecsv.WaitForExit(); 110 | 111 | //Parse the CSV to Get the Potentially Vulnerable Paths :- 112 | 113 | Console.WriteLine("[+] Parsing ProcMon Log-File.."); 114 | var column5 = new List(); 115 | using (var rd = new StreamReader(currentdirectory + "\\vulnpaths.csv")) 116 | { 117 | while (!rd.EndOfStream) 118 | { 119 | var splits = rd.ReadLine().Split(','); 120 | column5.Add(splits[4]); 121 | 122 | } 123 | } 124 | 125 | int numofpaths = column5.Count; 126 | 127 | List finalpaths = new List(); // List of Final Paths 128 | 129 | Console.WriteLine("[+] List of Unique Potentially Vulnerable DLL Paths : " + filenamewithext + "\n"); 130 | 131 | foreach (var element in column5.Skip(1)) 132 | { 133 | string pattern = "\""; 134 | var regexpath = Regex.Replace(element, pattern, string.Empty); 135 | 136 | // Check if the directory of the following file paths exists 137 | 138 | string directoryName = Path.GetDirectoryName(regexpath); 139 | 140 | if (Directory.Exists(directoryName)) 141 | { 142 | 143 | 144 | finalpaths.Add(regexpath); // Write Paths to the Final Paths List 145 | 146 | } 147 | 148 | 149 | 150 | } 151 | return finalpaths; 152 | } 153 | 154 | 155 | } 156 | 157 | return new List(); 158 | 159 | } 160 | 161 | public static bool CheckMsgBox(string processpath) 162 | { 163 | // Check MsgBox -> Entry Point not found! 164 | 165 | string ordinal_windowname = Path.GetFileName(processpath) + " - Ordinal Not Found"; 166 | string entrypoint_windowname = Path.GetFileName(processpath) + " - Entry Point Not Found"; 167 | string applicationerror_windowname = Path.GetFileName(processpath) + " - Application Error"; 168 | bool msgpop = false; 169 | 170 | var ordinalhandle = FindWindowA(null, ordinal_windowname); 171 | var entrypointhandle = FindWindowA(null, entrypoint_windowname); 172 | var applicationerrorhandle = FindWindowA(null, applicationerror_windowname); 173 | 174 | 175 | while (ordinalhandle != IntPtr.Zero) 176 | { 177 | 178 | SendMessage(ordinalhandle, WM_CLOSE, IntPtr.Zero, IntPtr.Zero); 179 | msgpop = true; 180 | Thread.Sleep(5000); 181 | ordinalhandle = FindWindowA(null, ordinal_windowname); 182 | 183 | } 184 | while (entrypointhandle != IntPtr.Zero) 185 | { 186 | 187 | SendMessage(entrypointhandle, WM_CLOSE, IntPtr.Zero, IntPtr.Zero); 188 | msgpop = true; 189 | Thread.Sleep(5000); 190 | entrypointhandle = FindWindowA(null, entrypoint_windowname); 191 | 192 | } 193 | 194 | while (applicationerrorhandle != IntPtr.Zero) 195 | { 196 | 197 | SendMessage(applicationerrorhandle, WM_CLOSE, IntPtr.Zero, IntPtr.Zero); 198 | msgpop = true; 199 | Thread.Sleep(5000); 200 | applicationerrorhandle = FindWindowA(null, applicationerror_windowname); 201 | 202 | } 203 | 204 | return msgpop; 205 | 206 | 207 | 208 | 209 | } 210 | 211 | 212 | public static void WriteDLLLog(string dllpath,string message) 213 | { 214 | // write DLL hijack logs 215 | 216 | using (StreamWriter logger = File.AppendText("C:\\DLLLogs\\output_logs.txt")) 217 | { 218 | 219 | logger.WriteLine("[+] " + dllpath + " --> " + message); 220 | 221 | 222 | } 223 | 224 | 225 | 226 | } 227 | 228 | public static void ExecuteDLLHijack(List uniquepaths, string processpath, string currentpwd, string inputarguments) 229 | { 230 | // Execute DLL Hijack on the Vulnerable DLL Paths 231 | 232 | 233 | // Find whether the target process is x86 or x64 Architecture -> Depending on which the DLL will be acquired further 234 | string processname = Path.GetFileName(processpath); 235 | string processnamewithoutext = Path.GetFileNameWithoutExtension(processpath); 236 | var peparsing = new PeNet.PeFile(processpath); 237 | string PEMachineCode = peparsing.ImageNtHeaders.FileHeader.Machine.ToString(); 238 | 239 | ///Console.WriteLine("The machine code is: " + PEMachineCode); 240 | Console.WriteLine("\n"); 241 | Console.WriteLine("-------------------------------------------------------------------------------------------"); 242 | Console.WriteLine("----------------------------------PERFORMING DLL HIJACK------------------------------------"); 243 | Console.WriteLine("-------------------------------------------------------------------------------------------"); 244 | Console.WriteLine("\n PE Architecture: " + processnamewithoutext + "= " + PEMachineCode); 245 | int i = 1; 246 | foreach (var paths in uniquepaths) 247 | { 248 | 249 | Console.WriteLine("\n-------------------------------------------------------------------------------------------\n"); 250 | 251 | 252 | string mal32 = "maldll32.dll"; 253 | 254 | string mal64 = "maldll64.dll"; 255 | 256 | string dllfinalname = null; 257 | string maldllfile = currentpwd + "\\" + mal32; 258 | 259 | if (PEMachineCode == "I386") 260 | { 261 | // The Target process is 32 Bit --> Therefore DLL should be 32 bit! 262 | 263 | maldllfile = currentpwd + "\\" + mal32; 264 | dllfinalname = mal32; 265 | if (!File.Exists("maldll32.dll")) 266 | { 267 | Console.Write("\n[+] PreReq Check: maldll32.dll does not exist! \n"); 268 | System.Environment.Exit(1); 269 | } 270 | } 271 | else if (PEMachineCode == "Amd64") 272 | { 273 | // The Target process is 64 Bit --> Therefore DLL should be 64 bit! 274 | 275 | maldllfile = currentpwd + "\\" + mal64; 276 | dllfinalname = mal64; 277 | if (!File.Exists("maldll64.dll")) 278 | { 279 | Console.Write("\n[+] PreReq Check: maldll64.dll does not exist! \n"); 280 | System.Environment.Exit(1); 281 | } 282 | } 283 | else 284 | { 285 | Console.WriteLine("[+] Improper Architecture of " + processname); 286 | System.Environment.Exit(1); 287 | } 288 | Console.WriteLine("[+] " + i + ". DLL Hijacking: " + Path.GetFileName(paths)); 289 | string destinationpath = paths; 290 | 291 | try 292 | { 293 | 294 | // Copying malicious dll to Vulnerable DLL Paths 295 | 296 | File.Copy(maldllfile, destinationpath, true); 297 | File.SetAttributes(destinationpath, FileAttributes.Normal); 298 | Console.WriteLine(" -> Copy : " + dllfinalname + "-> " + destinationpath + " completed"); 299 | Thread.Sleep(5000); 300 | 301 | // Starting the Target process 302 | 303 | Process starttargetprocess = new Process(); 304 | ProcessStartInfo startie = new ProcessStartInfo(); 305 | startie.CreateNoWindow = true; 306 | startie.FileName = processpath; 307 | startie.Arguments = inputarguments; 308 | starttargetprocess.StartInfo = startie; 309 | starttargetprocess.Start(); 310 | Console.WriteLine(" -> Starting " + processname + "! (10 seconds)"); 311 | Thread.Sleep(10000); 312 | 313 | // Checking if any msgbox is popped up :- Ordinal - Application - Entry Point Not Found Error 314 | string msg = ""; 315 | bool MessagePopup = CheckMsgBox(processpath); 316 | if (MessagePopup == true) 317 | { 318 | 319 | //Console.WriteLine(" -> Note: The DLL " + paths + " was loaded but the export function did not match! Manual Analysis required.. "); // After loading the DLL the export function called by the target process was not present in the malicious dll leading to this issue, if the export function is matched the dll will be loaded successfully :) 320 | Console.WriteLine(" -> " + processname + " killed automatically"); 321 | Thread.Sleep(5000); 322 | string logdirectories = "C:\\DLLLogs\\"; 323 | if (Directory.Exists(logdirectories)) 324 | { 325 | // The Initial DLL Was executed -> Check 1 Completed 326 | string finaldllognames = logdirectories + processnamewithoutext + "_" + Path.GetFileName(paths); 327 | if (File.Exists(finaldllognames)) 328 | { 329 | Console.WriteLine(" [+] DLL Hijack Successful [Entry Point Not Found] -> DllName: " + Path.GetFileName(paths) + " | " + processname); 330 | Console.WriteLine(" -> Analyzing next DLL!"); 331 | msg = "DLL Hijack Successful - [Entry Point Not Found] "; 332 | WriteDLLLog(paths, msg); 333 | } 334 | else 335 | { 336 | 337 | Console.WriteLine(" [-] DLL Hijack Successful [Entry Point Not Found - Manual Analysis Required!]: " + paths); 338 | Console.WriteLine(" -> Analyzing next DLL!"); 339 | msg = "DLL Hijack Successful [Entry Point Not Found - Manual Analysis Required]"; 340 | WriteDLLLog(paths, msg); 341 | } 342 | 343 | 344 | } 345 | else 346 | { 347 | 348 | Console.WriteLine(" [-] DLL Hijack successful [Entry Point Not Found - Manual Analysis Required] " + paths); 349 | Console.WriteLine(" -> Analyzing next DLL!"); 350 | msg = "DLL Hijack successful [Entry Point Not Found - Manual Analysis Required]"; 351 | WriteDLLLog(paths, msg); 352 | } 353 | 354 | // File.SetAttributes(destinationpath, FileAttributes.Normal); 355 | Thread.Sleep(4000); 356 | File.Delete(destinationpath); 357 | Console.WriteLine(" -> Deleted: " + destinationpath); 358 | 359 | 360 | 361 | } 362 | else 363 | { 364 | try 365 | { 366 | starttargetprocess.WaitForExit(5000); 367 | starttargetprocess.Kill(); 368 | Console.WriteLine(" -> Killing " + processname + "!"); 369 | starttargetprocess.WaitForExit(5000); 370 | } 371 | catch 372 | { 373 | Process[] processes = Process.GetProcessesByName(processnamewithoutext); 374 | if (processes.Length == 0) 375 | { 376 | 377 | Console.WriteLine(" -> Already Killed " + processname + "!"); 378 | } 379 | else 380 | { 381 | Process[] runingProcess = Process.GetProcesses(); 382 | for (i = 0; i < runingProcess.Length; i++) 383 | { 384 | // compare equivalent process by their name 385 | if (runingProcess[i].ProcessName == processnamewithoutext) 386 | { 387 | // kill running process 388 | runingProcess[i].Kill(); 389 | } 390 | 391 | } 392 | Console.WriteLine("" + processname + " Killed!!"); 393 | 394 | } 395 | 396 | 397 | 398 | } 399 | 400 | // Checking if the Logs are been generated - C:\DLLLogs 401 | Thread.Sleep(5000); 402 | string logdirectory = "C:\\DLLLogs\\"; 403 | if (Directory.Exists(logdirectory)) 404 | { 405 | // The Initial DLL Was executed -> Check 1 Completed 406 | string finaldllogname = logdirectory + processnamewithoutext + "_" + Path.GetFileName(paths); 407 | if (File.Exists(finaldllogname)) 408 | { 409 | Console.WriteLine(" [+] DLL Hijack Successful -> DllName: " + Path.GetFileName(paths) + " | " + processname); 410 | Console.WriteLine(" -> Analyzing next DLL!"); 411 | msg = "DLL Hijack Successful"; 412 | WriteDLLLog(paths, msg); 413 | } 414 | else 415 | { 416 | 417 | Console.WriteLine(" [-] DLL Hijack Unsuccessful : " + paths); 418 | Console.WriteLine(" -> Analyzing next DLL!"); 419 | msg = "DLL Hijack Unsuccessful"; 420 | WriteDLLLog(paths, msg); 421 | } 422 | 423 | 424 | } 425 | else 426 | { 427 | 428 | Console.WriteLine(" [-] DLL Hijack Unsuccessful : " + paths); 429 | Console.WriteLine(" -> Analyzing next DLL!"); 430 | msg = "DLL Hijack Unsuccessful"; 431 | WriteDLLLog(paths, msg); 432 | } 433 | 434 | File.Delete(destinationpath); 435 | Console.WriteLine(" -> Deleted: " + destinationpath); 436 | 437 | } 438 | 439 | 440 | 441 | 442 | 443 | } 444 | catch (Exception ex) 445 | { 446 | if (ex is System.UnauthorizedAccessException) 447 | { 448 | try 449 | { 450 | File.Delete(destinationpath); 451 | } 452 | catch 453 | { 454 | 455 | } 456 | Console.WriteLine(" [-] Copy: Access to Path is Denied: " + destinationpath); 457 | string msge = "Copy: Access to Path is Denied"; 458 | WriteDLLLog(paths, msge); 459 | 460 | 461 | 462 | 463 | } 464 | 465 | } 466 | 467 | i += 1; 468 | Thread.Sleep(3000); 469 | } 470 | 471 | 472 | 473 | 474 | } 475 | 476 | public static void FinalOutput(string processname) 477 | { 478 | Console.WriteLine("\n----------------------------------------------------------------------------"); 479 | Console.WriteLine("-----------------------FINAL DLL HIJACK OUTPUT: " + processname + "-----------------"); 480 | Console.WriteLine("----------------------------------------------------------------------------\n"); 481 | 482 | string[] logs = File.ReadAllLines("C:\\DLLLogs\\output_logs.txt"); 483 | foreach (string logline in logs) 484 | { 485 | Console.WriteLine(logline); 486 | } 487 | 488 | } 489 | 490 | 491 | 492 | 493 | static void Main(string[] args) 494 | { 495 | 496 | Console.Write(@" 497 | 498 | ____ __ _ ____ __ __ __ ___ _ __ 499 | / _/___ ___ ____ __ __/ /____(_) _____ / __ \/ / / / / / / (_) (_)___ ______/ /__ 500 | / // __ `__ \/ __ \/ / / / / ___/ / | / / _ \/ / / / / / / / /_/ / / / / __ `/ ___/ //_/ 501 | _/ // / / / / / /_/ / /_/ / (__ ) /| |/ / __/ /_/ / /___/ /___/ __ / / / / /_/ / /__/ ,< 502 | /___/_/ /_/ /_/ .___/\__,_/_/____/_/ |___/\___/_____/_____/_____/_/ /_/_/_/ /\__,_/\___/_/|_| 503 | /_/ /___/ 504 | 505 | Author: https://twitter.com/knight0x07 506 | Github: https://github.com/knight0x07 507 | 508 | "); 509 | 510 | try 511 | { 512 | if (args[0] == "-path") 513 | { 514 | if (File.Exists(args[1])) 515 | { 516 | // Initiate the process 517 | 518 | //Provide Process Name for Finding Potential DLL Hijacks 519 | 520 | string logpathis = "C:\\DLLLogs"; 521 | if (Directory.Exists(logpathis)) 522 | { 523 | Directory.Delete(logpathis, true); 524 | } 525 | DirectoryInfo di = Directory.CreateDirectory(logpathis); 526 | using (StreamWriter sw = File.CreateText(logpathis + "\\output_logs.txt")); 527 | string currentpwd = Directory.GetCurrentDirectory(); 528 | Console.Write("\n[+] Initiating Impulsive DLL Hijack! "); 529 | if (!File.Exists("Procmon.exe")) 530 | { 531 | Console.Write("\n[+] PreReq Check: Procmon.exe does not exist! \n"); 532 | System.Environment.Exit(1); 533 | } 534 | string processpath = args[1]; 535 | string filename = Path.GetFileNameWithoutExtension(processpath); 536 | string processname = Path.GetFileName(args[1]); 537 | Console.Write("\n[+] Target Process Name: " + processname); 538 | string inputarguments = ""; 539 | try 540 | { 541 | inputarguments = args[2]; 542 | } 543 | catch (System.IndexOutOfRangeException) 544 | { 545 | 546 | } 547 | 548 | // Conversion to Hex String 549 | 550 | byte[] bytes = Encoding.Default.GetBytes(processname); 551 | string hexString = BitConverter.ToString(bytes); 552 | hexString = hexString.Replace("-", "00"); 553 | int lengthstring = hexString.Length; 554 | int bufferprocessname = 108; 555 | int padzeros = bufferprocessname - lengthstring; 556 | string padding = new String('0', padzeros); 557 | string hexString2 = hexString + padding; // 2nd Blob of PMC 558 | int lengthhexString2 = hexString2.Length; 559 | if (lengthhexString2 > bufferprocessname) 560 | { 561 | Console.WriteLine("\n[-] Error: Process Name Out of Bound.."); 562 | } 563 | else 564 | { 565 | 566 | GenPMC(hexString2, filename); // Generate Custom PMC config as per process name 567 | List finalpaths = FindVulnHijacksPaths(currentpwd, processpath, filename, inputarguments); // Find Potentially Vulnerable Hijack Paths 568 | List uniquepaths = finalpaths.Distinct().ToList(); // Remove Duplicate Paths 569 | foreach (var path in uniquepaths) 570 | { 571 | Console.WriteLine(" -> " + path); 572 | } 573 | ExecuteDLLHijack(uniquepaths, processpath, currentpwd, inputarguments); 574 | FinalOutput(processname); 575 | Console.WriteLine("\n\n[+] Final Log File stored at: " + logpathis + "\\output_logs.txt"); 576 | 577 | } 578 | 579 | 580 | 581 | } 582 | else 583 | { 584 | Console.WriteLine("\n[-] Error: Invalid File Path provided! "); 585 | } 586 | 587 | 588 | 589 | } 590 | else if (args[0] == "-h") 591 | { 592 | 593 | Console.WriteLine("\n[+] Command : ImpulsiveDLLHijack.exe -path "); 594 | 595 | 596 | } 597 | else 598 | { 599 | 600 | Console.WriteLine("\n[+] Execution Command: ImpulsiveDLLHijack.exe -path "); 601 | Console.WriteLine("[+] Help Command : ImpulsiveDLLHijack.exe -h "); 602 | 603 | } 604 | 605 | 606 | 607 | } 608 | catch (System.IndexOutOfRangeException) 609 | { 610 | 611 | Console.WriteLine("\n[+] Execution Command: ImpulsiveDLLHijack.exe -path "); 612 | Console.WriteLine("[+] Help Command : ImpulsiveDLLHijack.exe -h "); 613 | 614 | 615 | 616 | } 617 | } 618 | } 619 | } 620 | -------------------------------------------------------------------------------- /ImpulsiveDLLHijack/ImpulsiveDLLHijack/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("ImpulsiveDLLHijack")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("ImpulsiveDLLHijack")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("614c8f13-68dd-4a30-ba8f-0fd261c218a0")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /ImpulsiveDLLHijack/ImpulsiveDLLHijack/packages.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | -------------------------------------------------------------------------------- /Precompiled- ImpulsiveDLLHijack/ImpulsiveDLLHijack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Precompiled- ImpulsiveDLLHijack/ImpulsiveDLLHijack.exe -------------------------------------------------------------------------------- /Precompiled- ImpulsiveDLLHijack/ImpulsiveDLLHijack.exe.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /Precompiled- ImpulsiveDLLHijack/PeNet.Asn1.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Precompiled- ImpulsiveDLLHijack/PeNet.Asn1.dll -------------------------------------------------------------------------------- /Precompiled- ImpulsiveDLLHijack/PeNet.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Precompiled- ImpulsiveDLLHijack/PeNet.dll -------------------------------------------------------------------------------- /Precompiled- ImpulsiveDLLHijack/System.Buffers.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Precompiled- ImpulsiveDLLHijack/System.Buffers.dll -------------------------------------------------------------------------------- /Precompiled- ImpulsiveDLLHijack/System.Buffers.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | System.Buffers 4 | 5 | 6 | 7 | Provides a resource pool that enables reusing instances of type . 8 | The type of the objects that are in the resource pool. 9 | 10 | 11 | Initializes a new instance of the class. 12 | 13 | 14 | Creates a new instance of the class. 15 | A new instance of the class. 16 | 17 | 18 | Creates a new instance of the class using the specifed configuration. 19 | The maximum length of an array instance that may be stored in the pool. 20 | The maximum number of array instances that may be stored in each bucket in the pool. The pool groups arrays of similar lengths into buckets for faster access. 21 | A new instance of the class with the specified configuration. 22 | 23 | 24 | Retrieves a buffer that is at least the requested length. 25 | The minimum length of the array. 26 | An array of type that is at least minimumLength in length. 27 | 28 | 29 | Returns an array to the pool that was previously obtained using the method on the same instance. 30 | A buffer to return to the pool that was previously obtained using the method. 31 | Indicates whether the contents of the buffer should be cleared before reuse. If clearArray is set to true, and if the pool will store the buffer to enable subsequent reuse, the method will clear the array of its contents so that a subsequent caller using the method will not see the content of the previous caller. If clearArray is set to false or if the pool will release the buffer, the array&#39;s contents are left unchanged. 32 | 33 | 34 | Gets a shared instance. 35 | A shared instance. 36 | 37 | 38 | -------------------------------------------------------------------------------- /Precompiled- ImpulsiveDLLHijack/System.Memory.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Precompiled- ImpulsiveDLLHijack/System.Memory.dll -------------------------------------------------------------------------------- /Precompiled- ImpulsiveDLLHijack/System.Memory.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | System.Memory 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | 269 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | 282 | 283 | 284 | 285 | 286 | 287 | 288 | 289 | 290 | 291 | 292 | 293 | 294 | 295 | 296 | 297 | 298 | 299 | 300 | 301 | 302 | 303 | 304 | 305 | 306 | 307 | 308 | 309 | 310 | 311 | 312 | 313 | 314 | 315 | 316 | 317 | 318 | 319 | 320 | 321 | 322 | 323 | 324 | 325 | 326 | 327 | 328 | 329 | 330 | 331 | 332 | 333 | 334 | 335 | 336 | 337 | 338 | 339 | 340 | 341 | 342 | 343 | 344 | 345 | 346 | 347 | 348 | 349 | 350 | 351 | 352 | 353 | 354 | 355 | -------------------------------------------------------------------------------- /Precompiled- ImpulsiveDLLHijack/System.Numerics.Vectors.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Precompiled- ImpulsiveDLLHijack/System.Numerics.Vectors.dll -------------------------------------------------------------------------------- /Precompiled- ImpulsiveDLLHijack/System.Runtime.CompilerServices.Unsafe.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Precompiled- ImpulsiveDLLHijack/System.Runtime.CompilerServices.Unsafe.dll -------------------------------------------------------------------------------- /Precompiled- ImpulsiveDLLHijack/System.Runtime.CompilerServices.Unsafe.xml: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | System.Runtime.CompilerServices.Unsafe 5 | 6 | 7 | 8 | Contains generic, low-level functionality for manipulating pointers. 9 | 10 | 11 | Adds an element offset to the given reference. 12 | The reference to add the offset to. 13 | The offset to add. 14 | The type of reference. 15 | A new reference that reflects the addition of offset to pointer. 16 | 17 | 18 | Adds an element offset to the given reference. 19 | The reference to add the offset to. 20 | The offset to add. 21 | The type of reference. 22 | A new reference that reflects the addition of offset to pointer. 23 | 24 | 25 | Adds an element offset to the given void pointer. 26 | The void pointer to add the offset to. 27 | The offset to add. 28 | The type of void pointer. 29 | A new void pointer that reflects the addition of offset to the specified pointer. 30 | 31 | 32 | Adds a byte offset to the given reference. 33 | The reference to add the offset to. 34 | The offset to add. 35 | The type of reference. 36 | A new reference that reflects the addition of byte offset to pointer. 37 | 38 | 39 | Determines whether the specified references point to the same location. 40 | The first reference to compare. 41 | The second reference to compare. 42 | The type of reference. 43 | 44 | if and point to the same location; otherwise, . 45 | 46 | 47 | Casts the given object to the specified type. 48 | The object to cast. 49 | The type which the object will be cast to. 50 | The original object, casted to the given type. 51 | 52 | 53 | Reinterprets the given reference as a reference to a value of type . 54 | The reference to reinterpret. 55 | The type of reference to reinterpret. 56 | The desired type of the reference. 57 | A reference to a value of type . 58 | 59 | 60 | Returns a pointer to the given by-ref parameter. 61 | The object whose pointer is obtained. 62 | The type of object. 63 | A pointer to the given value. 64 | 65 | 66 | Reinterprets the given read-only reference as a reference. 67 | The read-only reference to reinterpret. 68 | The type of reference. 69 | A reference to a value of type . 70 | 71 | 72 | Reinterprets the given location as a reference to a value of type . 73 | The location of the value to reference. 74 | The type of the interpreted location. 75 | A reference to a value of type . 76 | 77 | 78 | Determines the byte offset from origin to target from the given references. 79 | The reference to origin. 80 | The reference to target. 81 | The type of reference. 82 | Byte offset from origin to target i.e. - . 83 | 84 | 85 | Copies a value of type to the given location. 86 | The location to copy to. 87 | A pointer to the value to copy. 88 | The type of value to copy. 89 | 90 | 91 | Copies a value of type to the given location. 92 | The location to copy to. 93 | A reference to the value to copy. 94 | The type of value to copy. 95 | 96 | 97 | Copies bytes from the source address to the destination address. 98 | The destination address to copy to. 99 | The source address to copy from. 100 | The number of bytes to copy. 101 | 102 | 103 | Copies bytes from the source address to the destination address. 104 | The destination address to copy to. 105 | The source address to copy from. 106 | The number of bytes to copy. 107 | 108 | 109 | Copies bytes from the source address to the destination address without assuming architecture dependent alignment of the addresses. 110 | The destination address to copy to. 111 | The source address to copy from. 112 | The number of bytes to copy. 113 | 114 | 115 | Copies bytes from the source address to the destination address without assuming architecture dependent alignment of the addresses. 116 | The destination address to copy to. 117 | The source address to copy from. 118 | The number of bytes to copy. 119 | 120 | 121 | Initializes a block of memory at the given location with a given initial value. 122 | The address of the start of the memory block to initialize. 123 | The value to initialize the block to. 124 | The number of bytes to initialize. 125 | 126 | 127 | Initializes a block of memory at the given location with a given initial value. 128 | The address of the start of the memory block to initialize. 129 | The value to initialize the block to. 130 | The number of bytes to initialize. 131 | 132 | 133 | Initializes a block of memory at the given location with a given initial value without assuming architecture dependent alignment of the address. 134 | The address of the start of the memory block to initialize. 135 | The value to initialize the block to. 136 | The number of bytes to initialize. 137 | 138 | 139 | Initializes a block of memory at the given location with a given initial value without assuming architecture dependent alignment of the address. 140 | The address of the start of the memory block to initialize. 141 | The value to initialize the block to. 142 | The number of bytes to initialize. 143 | 144 | 145 | Returns a value that indicates whether a specified reference is greater than another specified reference. 146 | The first value to compare. 147 | The second value to compare. 148 | The type of the reference. 149 | 150 | if is greater than ; otherwise, . 151 | 152 | 153 | Returns a value that indicates whether a specified reference is less than another specified reference. 154 | The first value to compare. 155 | The second value to compare. 156 | The type of the reference. 157 | 158 | if is less than ; otherwise, . 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | Reads a value of type from the given location. 169 | The location to read from. 170 | The type to read. 171 | An object of type read from the given location. 172 | 173 | 174 | Reads a value of type from the given location without assuming architecture dependent alignment of the addresses. 175 | The location to read from. 176 | The type to read. 177 | An object of type read from the given location. 178 | 179 | 180 | Reads a value of type from the given location without assuming architecture dependent alignment of the addresses. 181 | The location to read from. 182 | The type to read. 183 | An object of type read from the given location. 184 | 185 | 186 | Returns the size of an object of the given type parameter. 187 | The type of object whose size is retrieved. 188 | The size of an object of type . 189 | 190 | 191 | Bypasses definite assignment rules for a given value. 192 | The uninitialized object. 193 | The type of the uninitialized object. 194 | 195 | 196 | Subtracts an element offset from the given reference. 197 | The reference to subtract the offset from. 198 | The offset to subtract. 199 | The type of reference. 200 | A new reference that reflects the subtraction of offset from pointer. 201 | 202 | 203 | Subtracts an element offset from the given reference. 204 | The reference to subtract the offset from. 205 | The offset to subtract. 206 | The type of reference. 207 | A new reference that reflects the subtraction of offset from pointer. 208 | 209 | 210 | Subtracts an element offset from the given void pointer. 211 | The void pointer to subtract the offset from. 212 | The offset to subtract. 213 | The type of the void pointer. 214 | A new void pointer that reflects the subtraction of offset from the specified pointer. 215 | 216 | 217 | Subtracts a byte offset from the given reference. 218 | The reference to subtract the offset from. 219 | The offset to subtract. 220 | The type of reference. 221 | A new reference that reflects the subtraction of byte offset from pointer. 222 | 223 | 224 | Returns a to a boxed value. 225 | The value to unbox. 226 | The type to be unboxed. 227 | 228 | is , and is a non-nullable value type. 229 | 230 | is not a boxed value type. 231 | 232 | -or- 233 | 234 | is not a boxed . 235 | 236 | cannot be found. 237 | A to the boxed value . 238 | 239 | 240 | Writes a value of type to the given location. 241 | The location to write to. 242 | The value to write. 243 | The type of value to write. 244 | 245 | 246 | Writes a value of type to the given location without assuming architecture dependent alignment of the addresses. 247 | The location to write to. 248 | The value to write. 249 | The type of value to write. 250 | 251 | 252 | Writes a value of type to the given location without assuming architecture dependent alignment of the addresses. 253 | The location to write to. 254 | The value to write. 255 | The type of value to write. 256 | 257 | 258 | -------------------------------------------------------------------------------- /Precompiled- ImpulsiveDLLHijack/System.Security.Cryptography.Pkcs.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Precompiled- ImpulsiveDLLHijack/System.Security.Cryptography.Pkcs.dll -------------------------------------------------------------------------------- /Prerequisites/MalDLL/MalDLL.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31205.134 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MalDLL", "MalDLL\MalDLL.vcxproj", "{566E6C82-844F-4010-8F8E-66E7D2F95559}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {566E6C82-844F-4010-8F8E-66E7D2F95559}.Debug|x64.ActiveCfg = Release|x64 17 | {566E6C82-844F-4010-8F8E-66E7D2F95559}.Debug|x64.Build.0 = Release|x64 18 | {566E6C82-844F-4010-8F8E-66E7D2F95559}.Debug|x86.ActiveCfg = Debug|Win32 19 | {566E6C82-844F-4010-8F8E-66E7D2F95559}.Debug|x86.Build.0 = Debug|Win32 20 | {566E6C82-844F-4010-8F8E-66E7D2F95559}.Release|x64.ActiveCfg = Release|x64 21 | {566E6C82-844F-4010-8F8E-66E7D2F95559}.Release|x64.Build.0 = Release|x64 22 | {566E6C82-844F-4010-8F8E-66E7D2F95559}.Release|x86.ActiveCfg = Release|Win32 23 | {566E6C82-844F-4010-8F8E-66E7D2F95559}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {DEC8F83C-9D1D-4034-86AC-8B2F86A0FAF7} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /Prerequisites/MalDLL/MalDLL/MalDLL.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {566e6c82-844f-4010-8f8e-66e7d2f95559} 25 | MalDLL 26 | 10.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | DynamicLibrary 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | true 90 | Use 91 | pch.h 92 | _CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions) 93 | MultiThreaded 94 | 95 | 96 | Windows 97 | false 98 | false 99 | 100 | 101 | 102 | 103 | Level3 104 | true 105 | true 106 | true 107 | true 108 | Use 109 | pch.h 110 | _CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions) 111 | MultiThreaded 112 | 113 | 114 | Windows 115 | true 116 | true 117 | false 118 | false 119 | 120 | 121 | 122 | 123 | Level3 124 | true 125 | true 126 | Use 127 | pch.h 128 | _CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions) 129 | MultiThreaded 130 | 131 | 132 | Windows 133 | false 134 | false 135 | 136 | 137 | 138 | 139 | Level3 140 | true 141 | true 142 | true 143 | true 144 | Use 145 | pch.h 146 | _CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions) 147 | MultiThreaded 148 | 149 | 150 | Windows 151 | true 152 | true 153 | false 154 | false 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | Create 165 | Create 166 | Create 167 | Create 168 | 169 | 170 | 171 | 172 | 173 | -------------------------------------------------------------------------------- /Prerequisites/MalDLL/MalDLL/MalDLL.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /Prerequisites/MalDLL/MalDLL/MalDLL.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- /Prerequisites/MalDLL/MalDLL/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Defines the entry point for the DLL application. 2 | #include "pch.h" 3 | #include "Windows.h" 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #pragma comment (lib, "Shlwapi.lib") 11 | 12 | HANDLE hThread; 13 | DWORD dwThread; 14 | 15 | 16 | __declspec(dllexport) DWORD WINAPI WriteLog() { 17 | 18 | // Create a Folder in C: to write logs! 19 | 20 | 21 | 22 | BOOL createfolder = CreateDirectory(L"C:\\DLLLogs", NULL); 23 | 24 | 25 | wchar_t path[MAX_PATH]; 26 | wchar_t processpath[MAX_PATH]; 27 | 28 | HMODULE hm = NULL; 29 | if (GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | 30 | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, 31 | (LPCWSTR)&WriteLog, &hm) == 0) 32 | { 33 | return 0; 34 | } 35 | if (GetModuleFileName(hm, path, sizeof(path) / sizeof(wchar_t)) == 0) 36 | { 37 | return 0; 38 | } 39 | if (GetModuleFileName(NULL, processpath, sizeof(processpath) / sizeof(wchar_t)) == 0) 40 | { 41 | return 0; 42 | } 43 | 44 | // Get DLLName from Path :- 45 | 46 | LPCWSTR outputFile = L"C:\\DLLLogs\\"; 47 | LPCWSTR filepart = PathFindFileNameW(path); 48 | 49 | // Get ProcesName from Path 50 | 51 | LPCWSTR processnamepath = PathFindFileNameW(processpath); 52 | PathRemoveExtensionW(processpath); 53 | 54 | //Underscore 55 | 56 | LPCWSTR underscore = L"_"; 57 | 58 | 59 | // Concat Strings Format --> ProcessName_dllname.dll 60 | 61 | wchar_t destination1[MAX_PATH]; 62 | wchar_t source1[MAX_PATH]; 63 | wchar_t underscore1[2]; 64 | wchar_t source2[MAX_PATH]; 65 | wcscpy(destination1, outputFile); 66 | wcscpy(source1, processnamepath); 67 | wcscpy(source2, filepart); 68 | wcscpy(underscore1, underscore); 69 | wcsncat(destination1, source1, wcslen(processnamepath)); 70 | wcsncat(destination1, underscore1, wcslen(underscore)); 71 | wcsncat(destination1, source2, wcslen(filepart)); 72 | 73 | // Create File with DLL Filename --> format: ProcessName_dllname.dll :- 74 | 75 | HANDLE hCreateFile, hAppendFile; 76 | DWORD dwBytesWritten, dwBytesToWrite; 77 | 78 | hCreateFile = CreateFileW(destination1, GENERIC_WRITE, NULL, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL); 79 | CloseHandle(hCreateFile); 80 | 81 | hAppendFile = CreateFileW((LPCWSTR)destination1, FILE_APPEND_DATA, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 82 | 83 | if (hAppendFile == INVALID_HANDLE_VALUE) 84 | { 85 | return 0; 86 | } 87 | 88 | dwBytesToWrite = sizeof(outputFile) / sizeof(wchar_t); 89 | WriteFile(hAppendFile, (LPVOID)outputFile, dwBytesToWrite, &dwBytesWritten, NULL); 90 | 91 | CloseHandle(hAppendFile); 92 | 93 | } 94 | 95 | 96 | BOOL APIENTRY DllMain( HMODULE hModule, 97 | DWORD ul_reason_for_call, 98 | LPVOID lpReserved 99 | ) 100 | { 101 | switch (ul_reason_for_call) 102 | { 103 | case DLL_PROCESS_ATTACH: 104 | WriteLog(); 105 | break; 106 | case DLL_THREAD_ATTACH: 107 | case DLL_THREAD_DETACH: 108 | case DLL_PROCESS_DETACH: 109 | break; 110 | } 111 | return TRUE; 112 | } 113 | 114 | -------------------------------------------------------------------------------- /Prerequisites/MalDLL/MalDLL/framework.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 4 | // Windows Header Files 5 | #include 6 | -------------------------------------------------------------------------------- /Prerequisites/MalDLL/MalDLL/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to the pre-compiled header 2 | 3 | #include "pch.h" 4 | 5 | // When you are using pre-compiled headers, this source file is necessary for compilation to succeed. 6 | -------------------------------------------------------------------------------- /Prerequisites/MalDLL/MalDLL/pch.h: -------------------------------------------------------------------------------- 1 | // pch.h: This is a precompiled header file. 2 | // Files listed below are compiled only once, improving build performance for future builds. 3 | // This also affects IntelliSense performance, including code completion and many code browsing features. 4 | // However, files listed here are ALL re-compiled if any one of them is updated between builds. 5 | // Do not add files here that you will be updating frequently as this negates the performance advantage. 6 | 7 | #ifndef PCH_H 8 | #define PCH_H 9 | 10 | // add headers that you want to pre-compile here 11 | #include "framework.h" 12 | 13 | #endif //PCH_H 14 | -------------------------------------------------------------------------------- /Prerequisites/Procmon.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Prerequisites/Procmon.exe -------------------------------------------------------------------------------- /Prerequisites/maldll32.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Prerequisites/maldll32.dll -------------------------------------------------------------------------------- /Prerequisites/maldll64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/knight0x07/ImpulsiveDLLHijack/db0d672574ace46e5e6d5d22de7d2eafed07ca61/Prerequisites/maldll64.dll -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ImpulsiveDLLHijack 2 | 3 | C# based tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during RedTeam Operations to evade EDR's. 4 | 5 | # 1. Methodological Approach : 6 | 7 | The tool basically acts on automating following stages performed for DLL Hijacking: 8 | 9 | - **Discovery** - Finding Potentially Vulnerable DLL Hijack paths 10 | - **Exploitation** - Confirming whether the Confirmatory DLL was been loaded from the Hijacked path leading to a confirmation of 100% exploitable DLL Hijack! 11 | 12 | **Discovery Methodology :** 13 | 14 | - Provide Target binary path to ImpulsiveDLLHijack.exe 15 | - Automation of ProcMon along with the execution of Target binary to find Potentially Vulnerable DLL Hijackable paths. 16 | 17 | **Exploitation Methodology :** 18 | 19 | - Parse Potentially Vulnerable DLL Hijack paths from CSV generated automatically via ProcMon. 20 | - Copy the Confirmatory DLL (as per the PE architecture) to the hijack paths one by one and execute the Target Binary for predefined time period simultaneously. 21 | - As the DLL hijacking process is in progress following are the outputs which can be gathered from the Hijack Scenario: 22 | * The Confirmatory DLL present on the potentially vulnerable Hijackable Path is loaded by the Target Binary we get following output on the console stating that the DLL Hijack was successful - **DLL Hijack Successful -> DLLName: | ** 23 | * The Confirmatory DLL present on the potentially vulnerable Hijackable Path is not loaded by the Target Binary we get following output on the console stating that the DLL Hijack was unsuccessful - **DLL Hijack Unsuccessful -> ** 24 | 25 | **Entry Point Not Found Scenarios:** 26 | 27 | - The Confirmatory DLL present on the potentially vulnerable Hijackable Path is not loaded by the Target Binary as the Entry Point of the DLL is different from our default entry point "DllMain" throwing an error - "Entry Point Not Found", we get following output on the console stating that the DLL Hijack was hijackable if the entry point was correct -> **DLL Hijack Successful -> [Entry Point Not Found - Manual Analysis Required!]: ** 28 | - The Confirmatory DLL present on the potentially vulnerable Hijackable Path is executed by the Target Binary even after the Entry Point of the DLL is different from our default entry point "DllMain" throwing an error "Entry Point Not Found", we get following output on the console stating that the DLL Hijack was success even after the entry point was not correct -> **DLL Hijack Successful -> [Entry Point Not Found]: ** 29 | 30 | **Note: The "Entry Point not found" Error is been handled by the code programmatically no need to close the MsgBox manually :) # Rather this would crash the code further****** 31 | 32 | - Once the DLL Hijacking process is completed for every Potentially Vulnerable DLL Hijack path we get the final output on the console as well as in a text file (C:\DLLLogs\output_logs.txt) in the following format: 33 | 34 | - --> DLL Hijack Successful (**if the Hijack was successful**) 35 | - --> DLL Hijack Unuccessful (**if the Hijack was unsuccessful**) 36 | - --> DLL Hijack Successful [Entry Point Not Found - Manual Analysis Required] (**if the Entry point was not found but can be successful after manual analysis**) 37 | - --> DLL Hijack Successful [Entry Point Not Found] (**if the hijack was successful even after the entry point was not found**) 38 | - --> Copy: Access to Path is Denied (**Access denied**) 39 | 40 | **These Confirmed DLL Hijackable paths can later be weaponized during a Red Team Engagement to load a Malicious DLL Implant via a legitimate executable (such as OneDrive,Firefox,MSEdge,"Bring your own LOLBINs" etc.) and bypass State of the art EDR's as most of them fail to detect DLL Hijacking as assessed by George Karantzas and Constantinos Patsakis as mentioned in there research paper: https://arxiv.org/abs/2108.10422 41 | 42 | 43 | 44 | # 2. Prerequisites: 45 | 46 | - **Procmon.exe** -> https://docs.microsoft.com/en-us/sysinternals/downloads/procmon 47 | - **Custom Confirmatory DLL's** : 48 | - These are DLL files which assist the tool to get the confirmation whether the DLL's are been successfully loaded from the identified hijack path 49 | - Compiled from the MalDLL project provided above (or use the precompiled binaries if you trust me!) 50 | - 32Bit dll name should be: maldll32.dll 51 | - 64Bit dll name should be: maldll64.dll 52 | - Install NuGet Package:** PeNet** -> https://www.nuget.org/packages/PeNet/ (Prereq while compiling the ImpulsiveDLLHijack project) 53 | 54 | **Note: i & ii prerequisites should be placed in the ImpulsiveDLLHijacks.exe's directory itself.** 55 | 56 | - **Build and Setup Information:** 57 | 58 | - **ImpulsiveDLLHijack** 59 | 60 | - Clone the repository in Visual Studio 61 | - Once project is loaded in Visual Studio go to "Project" --> "Manage NuGet packages" --> Browse for packages and install "PeNet" -> https://www.nuget.org/packages/PeNet/ 62 | - Build the project! 63 | - The ImpulsiveDLLHijack.exe will be inside the bin directory. 64 | 65 | - **And for Confirmatory DLL's:** 66 | 67 | - Clone the repository in Visual Studio 68 | - Build the project with x86 and x64 69 | - Rename x86 release as maldll32.dll and x64 release as maldll64.dll 70 | 71 | - **Setup:** Copy the Confirmatory DLL's (maldll32 & maldll64) in the ImpulsiveDLLHijack.exe directory & then execute ImpulsiveDLLHijack.exe :)) 72 | 73 | # 3. Usage: 74 | 75 | ![usage](https://user-images.githubusercontent.com/60843949/132341238-c6e0cad4-dfc1-4d8e-a011-73df17b652d6.PNG) 76 | 77 | # 4. Examples: 78 | 79 | - Target Executable: OneDrive.exe 80 | 81 | - Stage: Discovery 82 | 83 | ![first](https://user-images.githubusercontent.com/60843949/132492019-6dbb30aa-658f-4642-b9bd-69036d2d081a.PNG) 84 | 85 | - Stage: Exploitation 86 | 87 | - Successful DLL Hijacks: 88 | 89 | ![success_one](https://user-images.githubusercontent.com/60843949/132493144-78072724-c2c0-4390-b761-7bfb9abfcb5b.PNG) 90 | 91 | - Unsuccessful DLL Hijacks: 92 | 93 | ![unsuccessful](https://user-images.githubusercontent.com/60843949/132493860-d9df5fff-6cbc-4785-88a2-92d27cf128e2.PNG) 94 | 95 | - DLL is not loaded as the entry point is not identical! Manual Analysis might make it a successful DLL Hijack :) 96 | 97 | ![entrypoint_not_found](https://user-images.githubusercontent.com/60843949/132494965-9d3b302b-360c-48b1-b2a4-ec950fddd893.PNG) 98 | 99 | - DLL Hijack successful even after unidentical entry point! 100 | 101 | ![entry_pointnot found - but dll is executed](https://user-images.githubusercontent.com/60843949/132639672-b14aa124-2927-44b0-90b9-7e1f9497afd5.PNG) 102 | 103 | 104 | - Stage: Final Results and Logs 105 | 106 | - C:\DLLLogs\output_logs.txt: 107 | 108 | ![output_logs](https://user-images.githubusercontent.com/60843949/132496859-808bb809-9230-4aee-afef-fe71ef03e8b5.PNG) 109 | 110 | 111 | **Thankyou, Feedback would be greatly appreciated!** - knight! 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | --------------------------------------------------------------------------------