NUL0x4C / AtomLdr

A DLL loader with advanced evasive features
Apache License 2.0

Possible to call DllMain directly for use in DLL hijacking #3

Open nerotix opened 1 year ago

nerotix commented 1 year ago

Loving the project thus far but running into an issue.

I export DllMain, but when I run DllMain through rundll32, nothing happens. When I run Atom, it does work. I want to use this loader for DLL hijacking, so I was wondering if it's possible to run the code by calling DllMain. I tried a few things, but no luck so far. Is there something I'm missing where it has to be the Atom function that is called, or else it just doesn't work? I exported the DllMain function.

Edit: I also disabled the check that tests whether the DLL was run via the exported Atom function.

NUL0x4C commented 1 year ago

The DllMain function is executed whenever the DLL is loaded into a process, so the loader should already execute when doing DLL hijacking. Did you try the project as is, and it didn't work?

nerotix commented 1 year ago

That's also what I was thinking, since I also read it in the code. I'll give it another go. Will report back.

nerotix commented 1 year ago

Update: by default it's not working. I tried multiple DLL hijacking attempts and none were successful. The easiest one to test with is cryptbase.dll for Microsoft Teams. When I build a simple DLL file that just pops up calculator, it works fine; when using AtomLdr, nothing happens.

NUL0x4C commented 1 year ago

can you verify that AtomLdr.dll is getting loaded into the target process at least?

nerotix commented 1 year ago

> can you verify that AtomLdr.dll is getting loaded into the target process at least?

Yeah, I verified with procmon that it does load the DLL.
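A scriptable version of the check discussed in this exchange, added here as an example (it is not part of the original thread or of the AtomLdr project): a PowerShell function that reports where a running process actually loaded a given DLL from, so a hijack attempt can be confirmed from a snapshot of the process rather than from a Process Monitor trace. The process name `Teams`, the module name `cryptbase.dll` and the function name `Get-LoadedModulePath` are assumptions made for this example.

```powershell
# Added example (not AtomLdr code): confirm which copy of a DLL a running
# process has loaded, to verify that a DLL-hijacking attempt landed.
function Get-LoadedModulePath {
    param(
        [Parameter(Mandatory)] [string] $ProcessName,   # e.g. 'Teams' (assumed)
        [Parameter(Mandatory)] [string] $ModuleName     # e.g. 'cryptbase.dll' (assumed)
    )

    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "No running process named '$ProcessName'."
        return
    }

    # Copies under these directories are the legitimate ones; anything else
    # is the planted DLL (or at least not the OS copy).
    $windowsDirs = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'SysWOW64')
    )

    foreach ($p in $procs) {
        # Module enumeration fails for processes of a different bitness
        # (32-bit PowerShell cannot see 64-bit modules) or higher integrity;
        # report that instead of silently skipping the process.
        try {
            $mods = $p.Modules
        } catch {
            Write-Warning "PID $($p.Id): cannot enumerate modules ($($_.Exception.Message))."
            continue
        }

        $hits = @($mods | Where-Object { $_.ModuleName -ieq $ModuleName })
        if ($hits.Count -eq 0) {
            [pscustomobject]@{
                PID = $p.Id; Module = $ModuleName; Path = $null
                OutsideWindowsDir = $false; Note = 'module not loaded in this process'
            }
            continue
        }

        foreach ($m in $hits) {
            $fromWindows = $false
            foreach ($dir in $windowsDirs) {
                if ($m.FileName.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $fromWindows = $true
                }
            }
            [pscustomobject]@{
                PID               = $p.Id
                Module            = $m.ModuleName
                Path              = $m.FileName
                OutsideWindowsDir = -not $fromWindows
                Note              = if ($fromWindows) { 'OS copy; hijack did not take' }
                                    else { 'loaded from outside the Windows directory' }
            }
        }
    }
}

# Usage (names assumed): Get-LoadedModulePath -ProcessName Teams -ModuleName cryptbase.dll
```

Two caveats when reading the output: a snapshot only shows modules that are still mapped, so a DLL that is loaded and immediately unloaded will not appear even though its DllMain ran (Process Monitor's load/unload events still cover that case); and a planted DLL showing up in the list proves only that the loader mapped it, not that whatever DllMain started afterwards ran to completion.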

NUL0x4C commented 1 year ago

Did you try executing WaitForSingleObject on the thread created here

nerotix commented 1 year ago

> Did you try executing WaitForSingleObject on the thread created here

I have not. What would that look like? You mean a WaitForSingleObject after the if statement, so it doesn't continue until it's completed?

(I'm more familiar with C#; perhaps you could show what that would look like?)

nerotix commented 1 year ago

I've tried with WaitForSingleObject, but no luck. It doesn't seem like anything is happening, and also nothing happens when exporting DllMain and using rundll32 to execute DllMain. I also tried enabling debugging mode, but when uncommenting the line in Debug.h it throws the error "unresolved external symbol GetConsoleHandle".

vigil0x68 commented 8 months ago

I think there are problems in the unhook functions. After deleting the refreshalldlls function from actualmain, it executes DllMain right after injection. How is it possible for a suspended thread to resume itself after a while?

vigil0x68 commented 8 months ago

Are the direct syscall functions in inject.c directly dependent on the ntdll that will be unhooked?