knight0x07 / ImpulsiveDLLHijack

C#-based tool which automates the process of discovering and exploiting DLL hijacks in target binaries. The hijacked paths discovered can later be weaponized during Red Team operations to evade EDRs.

bug fix & updated dll code for calc execution #1

Closed: m0nkeyshell closed 3 years ago

m0nkeyshell commented 3 years ago

Fixed the Procmon argument bug & modified the dll code to execute calculator

knight0x07 commented 3 years ago

Hi m0nkeyshell,

Thanks for your pull request. I went through all the changes made in the files from your end and had some points to discuss:

  1. Procmon argument bug: I can't see any change in the execution by adding a trailing space to the Procmon command args, as it is a generic "ProcessStartInfo.Arguments" statement there (according to me spacing doesn't matter there). Can you let me know what bug you are facing? It would be great :)

  2. Calc execution DLL: There are multiple points here:

     -> The execution of calculator would take place multiple times, on every DLL hijack path! Wouldn't it make the user a bit bored of the calc popping again and again? The tool only shows a DLL hijack as successful when the DLL is loaded by the target application, because in the back end it creates a log in the "DLLLLogs" directory upon DLL execution only, which is parsed and read by the tool after execution of the target binary.

     -> I can implement the calc popping functionality using CreateProcess() here, because after implementing that we can terminate the process by accessing the handle obtained from CreateProcess. WinExec does not terminate the calc process, so there are a lot of calc popups on the screen after execution of the DLL.

It would be great if I can get some insights regarding the points mentioned above.

Thanks! Knight \m/

m0nkeyshell commented 3 years ago

Hi, thanks, totally understood your point about calc. Regarding calc, I faced an issue where the client was not accepting the POC until I showed them some code execution, so what we can do instead is have another DLL to show impact.

  1. When I compile the source code or when I try to use the compiled exe, I was unable to use it, as it gave me a Procmon argument error. So when I added the space at the start of the argument, it worked :)

Thanks

knight0x07 commented 3 years ago

Hi m0nkeyshell,

I have added some compiled DLLs that pop calculator for POC purposes!

Also, regarding the Procmon bug: it was basically due to incorrect code written for parsing the directory path. I have fixed it now! This should work fine from now on :)

Thanks! Knight

m0nkeyshell commented 3 years ago

Thank you :)