• The Win­dows Appli­ca­tion Com­pat­i­bil­i­ty Frame­work (shim­ming) pro­vides a way to change the sys­tem behav­iour for an appli­ca­tion in order to func­tion like in old­er sys­tems. It works via the IAT Import address Table at load time and can change func­tions, library address­es etc. this way. Creating a shim A shim can be reg­is­tered with the sys­tem via…

  • DLL injection + hijacking

    Com­pile it native­ly or not: x86_64-w64-mingw32-gcc searchedName.cpp --shared -o searchedName.dll Restart the ser­vice / appli­ca­tion some­how and check if there is a new admin2 alive. Reflective DLL Injection See https://github.com/stephenfewer/ReflectiveDLLInjection

  • Modifying PE files

    PE Portable Exe­cu­tung or DLL Dynam­ic Link­ing Libraries can be edit­ed to remove or add capa­bil­i­ties or own code. Read and modify a PE file The fol­low­ing Python3 script reads a file, prints out a head­er, mod­i­fied it to remove ASLR and write a new file with­out this flag. f = pefile.PE('filename.exe') print(hex(f.OPTIONAL_HEADER.DllCharacteristics)) // print as hex to…