DLL hijacking with vcruntime140
This code allows DLL hijacking in applications by placing the vcruntime140_1.dll library in the application folder, without modifying the executable files of the application.
Many modern applications built with platform building toolset version 140 (and higher) with run-time llibrary in multithread-DLL (/MD) mode put the vcruntime140_1.dll library in the import table or call it indirectly.
The original vcruntime140_1.dll library contains only a few exception handling functions (like CxxFrameHandler4).
Proxy loads itself, then loads the original vcruntime140_1.dll library if the corresponding Visual C++ Redistributable is installed, if the runtimes in the application are local (portable) , then it is enough to rename the original library to vcruntime140_2.dll.
// include proxy
#include "vcruntime.h"
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
if (ul_reason_for_call == DLL_PROCESS_ATTACH)
{
proxy::init_runtime();
MessageBox(NULL, _T("DLL Injected!"), _T("Hello!"), MB_ICONINFORMATION);
}
if (ul_reason_for_call == DLL_PROCESS_DETACH)
{
proxy::free_runtime();
}
return TRUE;
}