Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #16  
Old 08-27-2022, 16:55
FoxB FoxB is offline
VIP
 
Join Date: Jan 2002
Location: Earth...
Posts: 969
Rept. Given: 15
Rept. Rcvd 125 Times in 83 Posts
Thanks Given: 23
Thanks Rcvd at 709 Times in 294 Posts
FoxB Reputation: 100-199 FoxB Reputation: 100-199
ok
we can not load dll from %systemroot%\system32 in some situations.
the behavor is change if used the registry data for "SafeDllSearchMode" is set 1 in
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]

or
"DevOverrideEnable" is set 1 in
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
with .local for the executable file extension
Reply With Quote
The Following User Says Thank You to FoxB For This Useful Post:
niculaita (08-27-2022)
  #17  
Old 08-28-2022, 05:30
Stingered Stingered is offline
Banned User
 
Join Date: Dec 2017
Posts: 257
Rept. Given: 0
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 296
Thanks Rcvd at 181 Times in 90 Posts
Stingered Reputation: 3
Quote:
Originally Posted by FoxB View Post
ok
we can not load dll from %systemroot%\system32 in some situations.
the behavior is change if used the registry data for "SafeDllSearchMode" is set 1 in
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]

or
"DevOverrideEnable" is set 1 in
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
with .local for the executable file extension
I don't understand how setting SafeDllSearchMode to 1, change any behavior. Value 1 is enabled and ON by default (at least on current OS - XP/Win7 probably not). But this value only change the search order, not remove them:

Standard Search Order for Desktop Applications
The standard DLL search order used by the system depends on whether safe DLL search mode is enabled or disabled. Safe DLL search mode places the user's current directory later in the search order.

Safe DLL search mode is enabled by default. To disable this feature, create the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode registry value and set it to 0. Calling the SetDllDirectory function effectively disables SafeDllSearchMode while the specified directory is in the search path and changes the search order as described in this topic.

If SafeDllSearchMode is enabled, the search order is as follows:

The directory from which the application loaded.
The system directory. Use the GetSystemDirectory function to get the path of this directory.
The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
The current directory.
The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.


If SafeDllSearchMode is disabled, the search order is as follows:

The directory from which the application loaded.
The current directory.
The system directory. Use the GetSystemDirectory function to get the path of this directory.
The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.


Also, the DevOverrideEnable is used for DLL redirection.

hxxps://github.com/MicrosoftDocs/win32/blob/docs/desktop-src/Dlls/dynamic-link-library-redirection.md

There must be a PEfilename.exe.local file created in the same directory of the "older" DLL to allow the dependent application to load from the location on executable that need specific DLL.

I actually don't know if this even an issue due to DLL search order mechanics in place today. I know I use this in Win7 (for certain DLLs - maybe known DLLs? I can't recall), but on Win10/11 I just drop a .DLL I build into the folder of the EXE I want to patch it's memory. EXE loads my DLL and I can call Loadlibrary() to load \system32 DLL to handle any function requests that the EXE may call.

Last edited by Stingered; 08-28-2022 at 05:47.
Reply With Quote
The Following User Says Thank You to Stingered For This Useful Post:
niculaita (09-08-2022)
  #18  
Old 09-08-2022, 18:30
acme acme is offline
Friend
 
Join Date: Aug 2005
Posts: 30
Rept. Given: 2
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 8
Thanks Rcvd at 10 Times in 9 Posts
acme Reputation: 1
Wanna give big shout to everybody on this thread because shared very useful links and tips, I was working in a past project about DLL hijacking to and found many useful info here than from documentation alredy wrote around

Always the best people in here <3
Reply With Quote
The Following User Says Thank You to acme For This Useful Post:
binarylaw (09-22-2022)
  #19  
Old 09-16-2022, 22:44
Fyyre's Avatar
Fyyre Fyyre is offline
Fyyre
 
Join Date: Dec 2009
Location: 0°N 0°E / 0°N 0°E / 0; 0
Posts: 273
Rept. Given: 89
Rept. Rcvd 86 Times in 39 Posts
Thanks Given: 167
Thanks Rcvd at 340 Times in 118 Posts
Fyyre Reputation: 86
Quote:
Originally Posted by zeffy View Post
sure, here is the latest with git history. the one linked above is a little outdated, I think.

alt: hxxps://www11.zippyshare.com/v/5pjAlw1a/file.html
@zeffy

Hello my friend! (long time no speak!)

Told you those hook templates are awesome ; )


@FoxB - I cannot say I have encountered this behavior, not if using DLLs such as d3d9.dll or version.dll - or simply loading SysInternals ProcMon and watching all of the system32 Dlls it tries to load from the application directory ^^

-Fyyre
__________________
Best Wishes,

Fyyre

--

https://github.com/Fyyre
Reply With Quote
The Following User Says Thank You to Fyyre For This Useful Post:
zeffy (09-17-2022)
  #20  
Old 09-17-2022, 23:23
FoxB FoxB is offline
VIP
 
Join Date: Jan 2002
Location: Earth...
Posts: 969
Rept. Given: 15
Rept. Rcvd 125 Times in 83 Posts
Thanks Given: 23
Thanks Rcvd at 709 Times in 294 Posts
FoxB Reputation: 100-199 FoxB Reputation: 100-199
@Fyyre: i just compile the proxy 'version.dll' and try to use it.
on attached screen we can to see my 'version.dll' and original dll is not load from %systemroot%\system32\

same for 'iphlpapi.dll'
Attached Images
File Type: jpg SNAG-0008.jpg (142.2 KB, 19 views)
Reply With Quote
  #21  
Old 03-17-2023, 11:07
RAMPage RAMPage is offline
Friend
 
Join Date: Mar 2023
Posts: 44
Rept. Given: 3
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 55
Thanks Rcvd at 23 Times in 12 Posts
RAMPage Reputation: 1
I did this in a proyect for a customer in work, I used Nim and it worked on Windows 11. Have to try this version.

This attack vector ocurred when BrutelRatel was leaked, damn shame Windows still have this flaws.


=====

Quote:
Shellcode Reflective DLL Injection

hxxs://github.com/daem0nc0re/TangledWinExec/tree/main/sRDI

Last edited by RAMPage; 03-17-2023 at 22:55. Reason: Added Content.
Reply With Quote
Reply

Tags
dll, hijacking

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Windows Handle Hijacking TechLord General Discussion 2 05-15-2017 20:11


All times are GMT +8. The time now is 00:01.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )