Home

Awesome

vcruntime140 proxy

DLL hijacking with vcruntime140

About

This code allows DLL hijacking in applications by placing the vcruntime140_1.dll library in the application folder, without modifying the executable files of the application.

How it works

Many modern applications built with platform building toolset version 140 (and higher) with run-time llibrary in multithread-DLL (/MD) mode put the vcruntime140_1.dll library in the import table or call it indirectly.

The original vcruntime140_1.dll library contains only a few exception handling functions (like CxxFrameHandler4).

Proxy loads itself, then loads the original vcruntime140_1.dll library if the corresponding Visual C++ Redistributable is installed, if the runtimes in the application are local (portable) , then it is enough to rename the original library to vcruntime140_2.dll.

Features

Sample

// include proxy
#include "vcruntime.h"

BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
	if (ul_reason_for_call == DLL_PROCESS_ATTACH)
	{
		proxy::init_runtime();

		MessageBox(NULL, _T("DLL Injected!"), _T("Hello!"), MB_ICONINFORMATION);
	}
	if (ul_reason_for_call == DLL_PROCESS_DETACH)
	{
		proxy::free_runtime();
	}
	return TRUE;
}