#16
ok
We cannot load the DLL from %systemroot%\system32 in some situations. The behaviour changes if the registry value "SafeDllSearchMode" is set to 1 in [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager], or "DevOverrideEnable" is set to 1 in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options] together with a .local file named after the executable.
#17
Quote:
Standard Search Order for Desktop Applications

The standard DLL search order used by the system depends on whether safe DLL search mode is enabled or disabled. Safe DLL search mode places the user's current directory later in the search order. Safe DLL search mode is enabled by default. To disable this feature, create the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode registry value and set it to 0. Calling the SetDllDirectory function effectively disables SafeDllSearchMode while the specified directory is in the search path and changes the search order as described in this topic.

If SafeDllSearchMode is enabled, the search order is as follows:
1. The directory from which the application loaded.
2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

If SafeDllSearchMode is disabled, the search order is as follows:
1. The directory from which the application loaded.
2. The current directory.
3. The system directory. Use the GetSystemDirectory function to get the path of this directory.
4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

Also, DevOverrideEnable is used for DLL redirection: hxxps://github.com/MicrosoftDocs/win32/blob/docs/desktop-src/Dlls/dynamic-link-library-redirection.md

There must be a PEfilename.exe.local file created in the same directory as the "older" DLL to allow the dependent application to load from the location of the executable that needs the specific DLL. I actually don't know if this is even an issue due to the DLL search order mechanics in place today. I know I used this in Win7 (for certain DLLs - maybe known DLLs? I can't recall), but on Win10/11 I just drop a .DLL I build into the folder of the EXE whose memory I want to patch. The EXE loads my DLL and I can call LoadLibrary() to load the \system32 DLL to handle any function requests that the EXE may call.

Last edited by Stingered; 08-28-2022 at 05:47.
#18
Wanna give a big shout-out to everybody on this thread, because you shared very useful links and tips. I was working on a past project about DLL hijacking too and found more useful info here than in the documentation already written around.
Always the best people in here <3
#19
Hello my friend! (long time no speak!) Told you those hook templates are awesome ; ) @FoxB - I cannot say I have encountered this behavior, not when using DLLs such as d3d9.dll or version.dll - or simply loading SysInternals ProcMon and watching all of the system32 DLLs it tries to load from the application directory ^^ -Fyyre
__________________
Best Wishes, Fyyre -- https://github.com/Fyyre
#20
@Fyyre: I just compiled the proxy 'version.dll' and tried to use it.
On the attached screen we can see my 'version.dll'; the original DLL is not loaded from %systemroot%\system32\. Same for 'iphlpapi.dll'.
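A small model of the search order in the documentation quoted in #17, written as an added example for this thread (not code from any poster or from Microsoft): it replays SafeDllSearchMode on/off and the .local/DevOverrideEnable redirection against a constructed in-memory file set, and shows one reason a proxy version.dll that calls LoadLibrary by name, as in #20, can resolve to itself rather than to the System32 original. It ignores KnownDLLs, manifests and SetDllDirectory; the directory constants and file paths are assumptions.

```python
import ntpath

# Constructed fixed locations (real values come from GetSystemDirectory/GetWindowsDirectory).
SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR = r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"

def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories in the order the loader probes them, per the quoted docs."""
    if safe_dll_search_mode:  # SafeDllSearchMode=1 (default): cwd after the Windows dir
        order = [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd]
    else:  # SafeDllSearchMode=0: cwd right after the application directory
        order = [app_dir, cwd, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    return order + list(path_dirs)

def resolve_dll(dll, exe_path, cwd, path_dirs, files,
                safe_dll_search_mode=True, dev_override_enable=False):
    """Path the loader would pick for `dll`, or None. `files` is a constructed
    in-memory filesystem (set of full paths). Redirection model: with
    DevOverrideEnable=1 and <exe>.local beside the EXE, the application
    directory wins even over a full path."""
    exists = {p.lower() for p in files}
    app_dir = ntpath.dirname(exe_path)
    if dev_override_enable and (exe_path + ".local").lower() in exists:
        candidate = ntpath.join(app_dir, ntpath.basename(dll))
        if candidate.lower() in exists:
            return candidate
    if ntpath.dirname(dll):  # a path was given: load exactly that file, no search
        return dll if dll.lower() in exists else None
    for d in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        candidate = ntpath.join(d, dll)
        if candidate.lower() in exists:
            return candidate
    return None

# Constructed scenario: proxy version.dll dropped next to app.exe (as in #20).
EXE = r"C:\Tools\app\app.exe"
CWD = r"C:\Users\u\Desktop"
FILES = {EXE,
         r"C:\Tools\app\version.dll",          # the proxy
         r"C:\Windows\System32\version.dll",   # the original
         r"C:\Users\u\Desktop\iphlpapi.dll",   # stray copy in the current directory
         r"C:\Windows\System32\iphlpapi.dll"}

if __name__ == "__main__":
    # app.exe's import, and a proxy calling LoadLibrary("version.dll") by name,
    # both hit the proxy; only a full path reaches the System32 original...
    print(resolve_dll("version.dll", EXE, CWD, [], FILES))
    print(resolve_dll(SYSTEM_DIR + r"\version.dll", EXE, CWD, [], FILES))
    # ...unless app.exe.local plus DevOverrideEnable redirects even that.
    print(resolve_dll(SYSTEM_DIR + r"\version.dll", EXE, CWD, [],
                      FILES | {EXE + ".local"}, dev_override_enable=True))
```

Passing `safe_dll_search_mode=False` for "iphlpapi.dll" in this scenario returns the current-directory copy instead of the System32 one, which is the ordering difference the quoted documentation describes.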
#21
I did this in a project for a customer at work; I used Nim and it worked on Windows 11. Have to try this version.
This attack vector occurred when Brute Ratel was leaked. Damn shame Windows still has these flaws.
Last edited by RAMPage; 03-17-2023 at 22:55. Reason: Added Content.