DLL Hijack Search Order Enumeration BOF

Overview

DLL Hijack Search Order BOF

What is this?

  • This is a Cobalt Strike BOF that takes two arguments (a path to begin from, which stands in for the application directory at the head of the search order, and a DLL filename of interest) and walks the safe DLL search order (SafeDllSearchMode) looking for that filename
  • Optionally, it also attempts to obtain a HANDLE to the file (if found) and tells the operator whether it is mutable (WRITE access)

What problem are you trying to solve?

  • There are tools that do this job (traditionally PowerShell-based, or written in .NET), but I hadn't seen an equivalent in C at the time of writing. I may just be terrible at dorking

How do I build this?

  1. In this case, you have two options:
    1. Use the existing, compiled object file, located in the dist directory (AKA proceed to major step two)
    2. Compile from source via the Makefile
      1. cd src
      2. make clean
      3. make
  2. Load the Aggressor file, in the Script Manager, located in the dist directory

How do I modify this BOF to not attempt to get a HANDLE on the provided DLL filename, if found?

  • Within ./src/main.c, set dfsStruct.bCheckCreateFileA and dfsStruct.bResultCreateFileA to FALSE.
  • Rebuild with the included build instructions

How do I use this?

  • From a given Beacon:
    # For accessing the help menu prompt
    hijack_hunter help
    
    # Example usage
    hijack_hunter C:\Users\User\Desktop superLegit.dll
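As an added example (not the BOF's own code and not part of this repository), the following PowerShell reproduces the walk described under "What is this?" so the BOF's answer can be cross-checked from an ordinary prompt on the same host: it builds the search order (honouring SafeDllSearchMode from the registry), warns when the name is a KnownDLL (the loader never resolves those through the search order), reports the first directory where the DLL resolves, and tries to open that file for WRITE the way the BOF's CreateFileA check does. The parameter names, function names and output format are assumptions of this example; it is written for a 64-bit PowerShell, where SystemDirectory is System32 (a 32-bit process would search SysWOW64 instead).

```powershell
# Added example (not the BOF's code): walk the DLL search order for a start
# directory and DLL name, then test whether an existing copy opens for WRITE.
# Assumes a 64-bit PowerShell; parameter and function names are this example's own.
param(
    [Parameter(Mandatory)][string]$StartPath,   # directory to begin from (application directory)
    [Parameter(Mandatory)][string]$DllName      # e.g. superLegit.dll
)

$sessMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-DllSearchOrder {
    param([string]$AppDir)
    $windir = $env:SystemRoot                     # C:\Windows
    $system = [Environment]::SystemDirectory      # C:\Windows\System32 in a 64-bit process
    $cwd    = (Get-Location).ProviderPath
    $mode   = Get-ItemProperty -Path $sessMgr -Name SafeDllSearchMode -ErrorAction SilentlyContinue
    if ($mode -and $mode.SafeDllSearchMode -eq 0) {
        # SafeDllSearchMode disabled: the current directory is searched right after the app dir
        $order = @($AppDir, $cwd, $system, (Join-Path $windir 'System'), $windir)
    } else {
        # Default (safe) order: app dir, system dir, 16-bit system dir, Windows dir, current dir
        $order = @($AppDir, $system, (Join-Path $windir 'System'), $windir, $cwd)
    }
    $order += @($env:PATH -split ';' | Where-Object { $_.Trim() -ne '' })
    # A directory listed twice is only searched once; keep the first occurrence.
    $seen = @{}
    foreach ($d in $order) {
        if (-not $d) { continue }
        $key = $d.TrimEnd('\').ToLowerInvariant()
        if (-not $seen.ContainsKey($key)) { $seen[$key] = $true; $d }
    }
}

function Test-WriteHandle {
    # Mirrors the BOF's CreateFileA check: open the existing file with write access.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Write, [System.IO.FileShare]::ReadWrite)
        $fs.Dispose()
        return 'WRITE'
    } catch [System.UnauthorizedAccessException] {
        return 'denied (ACL)'          # the token has no write right on the file
    } catch [System.IO.IOException] {
        return 'denied (sharing)'      # ACL may allow it, but the DLL is in use by another process
    } catch {
        return "error: $($_.Exception.GetType().Name)"
    }
}

# KnownDLLs are mapped from \KnownDlls and are never resolved through the search order.
$known = (Get-ItemProperty -Path "$sessMgr\KnownDLLs").PSObject.Properties |
         Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } |
         ForEach-Object { $_.Value }
if ($known -contains $DllName) {
    Write-Warning "$DllName is listed under KnownDLLs; the loader will not search for it on disk."
}

$resolved = $false
$i = 0
foreach ($dir in Get-DllSearchOrder -AppDir $StartPath) {
    $i++
    $candidate = Join-Path $dir $DllName
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $state = Test-WriteHandle $candidate
        if ($resolved) { $mark = 'found (shadowed)' }
        else { $mark = 'found  <-- loader resolves here'; $resolved = $true }
        '[{0,2}] {1,-50} {2}, handle: {3}' -f $i, $dir, $mark, $state
    } else {
        # An absent entry above the resolving one is where a planted copy would win.
        '[{0,2}] {1,-50} absent' -f $i, $dir
    }
}
if (-not $resolved) { "No $DllName found anywhere in the search order." }
```

Run it as `.\Find-DllSearchOrder.ps1 -StartPath C:\Users\User\Desktop -DllName superLegit.dll` (the script name is this example's own). The split between "denied (ACL)" and "denied (sharing)" is the caveat worth keeping in mind when reading the BOF's WRITE result: a loaded DLL can refuse a write handle purely because of a sharing violation, and the BOF only tells you whether the open succeeded under Beacon's current token.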

Any known downsides?

  • The BOF still calls the Win32 API, resolved via Dynamic Function Resolution. How much detection risk that carries in your environment is for you to determine.
  • Requesting a WRITE handle on a file that the Beacon's token has no right to modify is a privileged action that may simply fail. I can't keep you from burning your hand.

What does the output look like?
