Exetools

Exetools (https://forum.exetools.com/index.php)
-   Source Code (https://forum.exetools.com/forumdisplay.php?f=46)
-   -   [C/ASM] Easy to use DLL hijacking examples (https://forum.exetools.com/showthread.php?t=18332)

FoxB 08-27-2022 16:55

ok
we can not load dll from %systemroot%\system32 in some situations.
the behavor is change if used the registry data for "SafeDllSearchMode" is set 1 in
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]

or
"DevOverrideEnable" is set 1 in
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
with .local for the executable file extension

Stingered 08-28-2022 05:30

Quote:

Originally Posted by FoxB (Post 125838)
ok
we can not load dll from %systemroot%\system32 in some situations.
the behavior is change if used the registry data for "SafeDllSearchMode" is set 1 in
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]

or
"DevOverrideEnable" is set 1 in
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
with .local for the executable file extension

I don't understand how setting SafeDllSearchMode to 1, change any behavior. Value 1 is enabled and ON by default (at least on current OS - XP/Win7 probably not). But this value only change the search order, not remove them:

Standard Search Order for Desktop Applications
The standard DLL search order used by the system depends on whether safe DLL search mode is enabled or disabled. Safe DLL search mode places the user's current directory later in the search order.

Safe DLL search mode is enabled by default. To disable this feature, create the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode registry value and set it to 0. Calling the SetDllDirectory function effectively disables SafeDllSearchMode while the specified directory is in the search path and changes the search order as described in this topic.

If SafeDllSearchMode is enabled, the search order is as follows:

The directory from which the application loaded.
The system directory. Use the GetSystemDirectory function to get the path of this directory.
The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
The current directory.
The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.


If SafeDllSearchMode is disabled, the search order is as follows:

The directory from which the application loaded.
The current directory.
The system directory. Use the GetSystemDirectory function to get the path of this directory.
The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.


Also, the DevOverrideEnable is used for DLL redirection.

hxxps://github.com/MicrosoftDocs/win32/blob/docs/desktop-src/Dlls/dynamic-link-library-redirection.md

There must be a PEfilename.exe.local file created in the same directory of the "older" DLL to allow the dependent application to load from the location on executable that need specific DLL.

I actually don't know if this even an issue due to DLL search order mechanics in place today. I know I use this in Win7 (for certain DLLs - maybe known DLLs? I can't recall), but on Win10/11 I just drop a .DLL I build into the folder of the EXE I want to patch it's memory. EXE loads my DLL and I can call Loadlibrary() to load \system32 DLL to handle any function requests that the EXE may call.

acme 09-08-2022 18:30

Wanna give big shout to everybody on this thread because shared very useful links and tips, I was working in a past project about DLL hijacking to and found many useful info here than from documentation alredy wrote around :)

Always the best people in here <3

Fyyre 09-16-2022 22:44

Quote:

Originally Posted by zeffy (Post 125834)
sure, here is the latest with git history. the one linked above is a little outdated, I think.

alt: hxxps://www11.zippyshare.com/v/5pjAlw1a/file.html

@zeffy

Hello my friend! (long time no speak!)

Told you those hook templates are awesome ; )


@FoxB - I cannot say I have encountered this behavior, not if using DLLs such as d3d9.dll or version.dll - or simply loading SysInternals ProcMon and watching all of the system32 Dlls it tries to load from the application directory ^^

-Fyyre

FoxB 09-17-2022 23:23

1 Attachment(s)
@Fyyre: i just compile the proxy 'version.dll' and try to use it.
on attached screen we can to see my 'version.dll' and original dll is not load from %systemroot%\system32\

same for 'iphlpapi.dll'


All times are GMT +8. The time now is 11:32.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2023, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX