├── readme.md
├── sideload.c
├── test
    ├── name_mangling.c
    ├── test_dll.c
    └── name_mangling~.c
├── .gitignore
├── LICENSE
└── hijackdll_helper.py


/readme.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lifenjoiner/hijackdll_helper/HEAD/readme.md


--------------------------------------------------------------------------------
/sideload.c:
--------------------------------------------------------------------------------
1 | 
2 | #include <windows.h>
3 | 
4 | __declspec(dllexport) void sideload (void)
5 | {
6 |     MessageBox (0, "test", "From DLL", MB_ICONINFORMATION);
7 | }
8 | 


--------------------------------------------------------------------------------
/test/name_mangling.c:
--------------------------------------------------------------------------------
1 | #include <stdlib.h>
2 | 
3 | __declspec(dllexport) int __cdecl    _e (int x) { return x; }
4 | __declspec(dllexport) int __cdecl    f (int x) { return x; }
5 | __declspec(dllexport) int __stdcall  g (int x) { return x; }
6 | __declspec(dllexport) int __fastcall h (int x) { return x; }
7 | 


--------------------------------------------------------------------------------
/test/test_dll.c:
--------------------------------------------------------------------------------
 1 | #include <stdlib.h>
 2 | #include <stdio.h>
 3 | 
 4 | int __cdecl    _e (int x);
 5 | int __cdecl    f (int x);
 6 | int __stdcall  g (int x);
 7 | int __fastcall h (int x);
 8 | 
 9 | int main(int argc, char **argv)
10 | {
11 |     printf("%d\n", _e(1));
12 |     printf("%d\n", f(2));
13 |     printf("%d\n", g(3));
14 |     printf("%d\n", h(4));
15 |     return 0;
16 | }
17 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Prerequisites
 2 | *.d
 3 | 
 4 | # Object files
 5 | *.o
 6 | *.ko
 7 | *.obj
 8 | *.elf
 9 | 
10 | # Linker output
11 | *.ilk
12 | *.map
13 | *.exp
14 | 
15 | # Precompiled Headers
16 | *.gch
17 | *.pch
18 | 
19 | # Libraries
20 | *.lib
21 | *.a
22 | *.la
23 | *.lo
24 | 
25 | # Shared objects (inc. Windows DLLs)
26 | *.dll
27 | *.so
28 | *.so.*
29 | *.dylib
30 | 
31 | # Executables
32 | *.exe
33 | *.out
34 | *.app
35 | *.i*86
36 | *.x86_64
37 | *.hex
38 | 
39 | # Debug files
40 | *.dSYM/
41 | *.su
42 | *.idb
43 | *.pdb
44 | 
45 | # Kernel Module Compile Results
46 | *.mod*
47 | *.cmd
48 | .tmp_versions/
49 | modules.order
50 | Module.symvers
51 | Mkfile.old
52 | dkms.conf
53 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 lifenjoiner
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/test/name_mangling~.c:
--------------------------------------------------------------------------------
 1 | // Created by hijackdll-helper
 2 | /* There should be dll hijacking possible first! */
 3 | /* cl.exe /Os /GD /LD /Fe */
 4 | /* https://en.wikipedia.org/wiki/Name_mangling */
 5 | 
 6 | #include <windows.h>
 7 | 
 8 | /*  Don't forward to itself!
 9 |     "C:\Windows\System32\version" is acceptable ;p
10 | */
11 | #define HIJACKED_DLL_NAME "name_mangling_"    //<--- modify
12 | 
13 | /* gcc does't support this. */
14 | #pragma comment(linker, "/EXPORT:__e="HIJACKED_DLL_NAME"._e,@1")
15 | #pragma comment(linker, "/EXPORT:_g@4="HIJACKED_DLL_NAME"._g@4,@2")
16 | #pragma comment(linker, "/EXPORT:f="HIJACKED_DLL_NAME".f,@3")
17 | #pragma comment(linker, "/EXPORT:h="HIJACKED_DLL_NAME".h,@4")
18 | 
19 | 
20 | // Add your implementations here, and comment the forwarders <---
21 | 
22 | extern int sideload();    //<---
23 | 
24 | /*  Less dependencies: _DllMainCRTStartup
25 |     More functions: DllMain
26 |     Take care of the core libs yourself: msvcrt, kernel32, ntdll, user32 */
27 | BOOL WINAPI _DllMainCRTStartup(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
28 | {
29 | 	switch (dwReason) {
30 | 	case DLL_PROCESS_ATTACH:
31 | 		sideload();    //<---
32 | 		break;
33 |     /*
34 | 	case DLL_PROCESS_DETACH:
35 |         break;
36 | 	case DLL_THREAD_ATTACH:
37 |         break;
38 | 	case DLL_THREAD_DETACH:
39 |         break;
40 |     */
41 | 	}
42 | 	return TRUE;
43 | }
44 | 


--------------------------------------------------------------------------------
/hijackdll_helper.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3
  2 | #coding=utf-8
  3 | 
  4 | import os
  5 | import sys
  6 | import pefile
  7 | import traceback
  8 | 
  9 | source_code_template = '''\
 10 | // Created by hijackdll-helper
 11 | /* There should be dll hijacking possible first! */
 12 | /* cl.exe /Os /GD /LD /Fe */
 13 | /* https://en.wikipedia.org/wiki/Name_mangling */
 14 | 
 15 | #include <windows.h>
 16 | 
 17 | /*  Don't forward to itself!
 18 |     "C:\\Windows\\System32\\version" is acceptable ;p
 19 | */
 20 | #define HIJACKED_DLL_NAME "_DLL_NAME__"    //<--- modify
 21 | 
 22 | /* gcc does't support this. */
 23 | TEMPLATE_DLL_EXPORT
 24 | 
 25 | // Add your implementations here, and comment the forwarders <---
 26 | 
 27 | //extern int sideload();    //<---
 28 | 
 29 | /*  Less dependencies: _DllMainCRTStartup
 30 |     More functions: DllMain
 31 |     Take care of the core libs yourself: msvcrt, kernel32, ntdll, user32 */
 32 | BOOL WINAPI _DllMainCRTStartup(HMODULE hModule, DWORD dwReason, PVOID pvReserved)
 33 | {
 34 | 	switch (dwReason) {
 35 | 	case DLL_PROCESS_ATTACH:
 36 | 		//sideload();    //<---
 37 | 		break;
 38 |     /*
 39 | 	case DLL_PROCESS_DETACH:
 40 |         break;
 41 | 	case DLL_THREAD_ATTACH:
 42 |         break;
 43 | 	case DLL_THREAD_DETACH:
 44 |         break;
 45 |     */
 46 | 	}
 47 | 	return TRUE;
 48 | }
 49 | '''
 50 | 
 51 | '''
 52 |     cl.exe warning: export of "deleting destructor" may not run correctly
 53 |     msvcrt.dll: _adjust_fdiv
 54 |     是否是中转函数  如:KERNEL32.VerLanguageNameA
 55 | '''
 56 | def generate(outfile, new_dllname, symbols):
 57 |     export_text = ''
 58 |     for sym in symbols:
 59 |         export_text += '#pragma comment(linker, "/EXPORT:'
 60 |         if sym.name:
 61 |             """https://docs.microsoft.com/en-us/windows/desktop/Debug/pe-format#export-name-table"""
 62 |             name = sym.name.decode(encoding='ascii')
 63 |             """cl.exe, c: https://en.wikipedia.org/wiki/Name_mangling"""
 64 |             if name[0] == '_' and '@' not in name:
 65 |                 export_text += '_'
 66 |             export_text += '%s="HIJACKED_DLL_NAME".%s,@%d")\n' % (name, name, sym.ordinal)
 67 |         else:
 68 |             export_text += 'fun_%d="HIJACKED_DLL_NAME".#%d,@%d,NONAME")\n' % (sym.ordinal, sym.ordinal, sym.ordinal)
 69 |     
 70 |     out = open(outfile, "w+")
 71 |     out.writelines(source_code_template
 72 |         .replace('_DLL_NAME_', new_dllname)
 73 |         .replace('TEMPLATE_DLL_EXPORT', export_text))
 74 |     
 75 |     out.close()
 76 | 
 77 | def usage():
 78 |     print('Usage: '+ sys.argv[0] +'[dll files]')
 79 |     sys.exit(0)
 80 | 
 81 | def run(filename):
 82 |     try:
 83 |         pe = pefile.PE(filename)
 84 |         symbols = pe.DIRECTORY_ENTRY_EXPORT.symbols
 85 |         (filename_base, fileext) = os.path.splitext(os.path.basename(filename))
 86 |         filename_out = filename_base + '~.c'
 87 | 
 88 |         print('[-] Processing '+ filename)
 89 |         print('    Output: '+ filename_out)
 90 |         print('    Symbols: %d' % len(symbols))
 91 | 
 92 |         generate(filename_out, filename_base, symbols)
 93 | 
 94 |     except Exception as e:
 95 |         traceback.print_exc()
 96 |         pass
 97 | 
 98 | def main():
 99 |     if len(sys.argv) == 1:
100 |         usage()
101 |     else:
102 |         for arg in sys.argv[1:]:
103 |             run(arg)
104 | 
105 | 
106 | if __name__ == '__main__':
107 |     main()
108 | 


--------------------------------------------------------------------------------