DLL Hijack Search Order BOF
What is this?
- This is a Cobalt Strike BOF file, meant to use two arguments (path to begin, and a DLL filename of interest), that will traverse the SafeSearch order of DLL resolution
- Optionally, this will also attempt to ascertain a HANDLE to the provided file (if found), and alert the operator of its mutability (WRITE access)
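The same lookup can be run as a host audit. The sketch below is an added example, not the project's code: it walks the Microsoft-documented directory order for a bare DLL name under SafeDllSearchMode (the page does not list the order the BOF uses, so this order is an assumption), reports every copy found, and tests whether each can be opened for write. The function names and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile

def safe_search_dirs(app_dir, system_root, cwd, path_env):
    """Directory order for a bare DLL name with SafeDllSearchMode enabled.
    Assumption: KnownDLLs, manifests, SetDllDirectory and the
    LOAD_LIBRARY_SEARCH_* flags are not modelled."""
    ordered = [
        app_dir,                                # 1. executable's directory
        os.path.join(system_root, "System32"),  # 2. system directory
        os.path.join(system_root, "System"),    # 3. 16-bit system directory
        system_root,                            # 4. Windows directory
        cwd,                                    # 5. current directory
    ]
    ordered += [p for p in path_env.split(os.pathsep) if p]  # 6. PATH
    return list(dict.fromkeys(ordered))  # drop repeats, keep first position

def can_open_for_write(path):
    """Open without truncating, like requesting a WRITE handle on the file."""
    try:
        with open(path, "r+b"):
            return True
    except OSError:
        return False

def audit_dll(dll_name, dirs):
    """Every copy of dll_name in search order; the first hit is the one loaded."""
    hits = []
    for position, directory in enumerate(dirs, start=1):
        candidate = os.path.join(directory, dll_name)
        if os.path.isfile(candidate):
            hits.append({"position": position, "path": candidate,
                         "loaded": not hits,
                         "writable": can_open_for_write(candidate)})
    return hits

def demo():
    """Constructed layout: one copy beside the application, one in System32."""
    root = tempfile.mkdtemp()
    app, win, cwd = (os.path.join(root, n) for n in ("app", "Windows", "cwd"))
    sys32 = os.path.join(win, "System32")
    for d in (app, sys32, cwd):
        os.makedirs(d)
    for d in (app, sys32):
        with open(os.path.join(d, "superLegit.dll"), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real DLL
    return audit_dll("superLegit.dll", safe_search_dirs(app, win, cwd, cwd))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hit marked `loaded` that sits outside the system directories, or one reported as writable for a non-administrative account, is the finding to review and lock down.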
What problem are you trying to solve?
- There are tools (mostly in .NET or otherwise) that do this job (traditionally PowerShell-based), but I hadn't seen similar in C at the time of writing. I may just be terrible at dorking
How do I build this?
- In this case, you have two options:
  - Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)
  - Compile from source via the Makefile

        cd src
        make clean
        make

- Load the Aggressor file, in the Script Manager, located in the dist directory
How do I modify this BOF to not attempt to get a HANDLE on the provided DLL filename, if found?
- Within ./src/main.c, modify dfsStruct.bCheckCreateFileA and dfsStruct.bResultCreateFileA to FALSE.
- Rebuild with the included build instructions
How do I use this?
- From a given Beacon:

      # For accessing the help menu prompt
      hijack_hunter help

      # Example usage
      hijack_hunter C:\Users\User\Desktop superLegit.dll
Any known downsides?
- We're still using the Win32 API and Dynamic Function Resolution. This is for you to determine as far as "risk".
- You may attempt to incur a privileged action without sufficient requisite permissions. I can't keep you from burning your hand.