🐨 Koaloader 📥

A collection of DLLs that use search order hijacking to automatically inject specified DLLs.

🚀 Usage

Place one of the proxy DLLs where the target process will find it before the genuine copy, which in practice means the executable's own directory, and set up the config file to list the DLLs you wish to inject. Two checks before relying on it: the target must actually import the chosen name (dumpbin /dependents target.exe lists the DLLs an executable imports), and the name must not be on the KnownDLLs list, because KnownDLLs are always mapped from System32 no matter what sits next to the executable. None of the proxies below is a KnownDLL. Processes that verify the signatures of the DLLs they load, or that run with Code Integrity Guard (Microsoft-signed binaries only), will refuse an unsigned proxy.

📚 Supported proxies

  • dinput8.dll
  • version.dll
  • xinput9_1_0.dll

Later releases (see the release notes below) add further proxies, TextShaping.dll among them; pick whichever one the target actually imports.
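The search-order mechanism the proxies rely on, as an added example written for this page (not code from Koaloader): a model of the default Windows DLL search order that resolves a name against a constructed file layout. KNOWN_DLLS is a hand-picked subset of the real registry list rather than a read of the key, and the assumed environment is SafeDllSearchMode on with no SetDefaultDllDirectories or LOAD_LIBRARY_SEARCH_* flags in play, which is the common case for games and desktop applications.

```python
"""Model of the default Windows DLL search order (SafeDllSearchMode enabled),
used to show why a proxy named version.dll dropped next to the executable wins,
why a proxy left only in the working directory loses to System32, and why a
KnownDLL such as kernel32.dll cannot be hijacked this way at all.
Added example for this page; not part of Koaloader.  The file layout and the
KnownDLLs subset below are constructed sample data."""

from pathlib import PureWindowsPath

# Sample of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# These names are always mapped from the System32 section objects; the loader
# never looks for them on disk, so a same-named file in the app directory is ignored.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll",
              "ole32.dll", "shell32.dll", "ws2_32.dll"}


def search_order(app_dir, cwd, system_dir, windows_dir, path_dirs):
    """Directory order the loader walks when SafeDllSearchMode is on (the
    default): application directory, System32, 16-bit System, Windows, then the
    current working directory, then each PATH entry.  The CWD sits *after* the
    system directories, which is why a proxy in the CWD does not beat a real
    copy in System32, but a proxy in the application directory does."""
    return [app_dir, system_dir, windows_dir + r"\System", windows_dir, cwd, *path_dirs]


def resolve(dll_name, present_files, app_dir, cwd, loaded=(),
            system_dir=r"C:\Windows\System32", windows_dir=r"C:\Windows", path_dirs=()):
    """Return (how, path); how is 'already-loaded', 'known-dll', 'found' or 'not-found'."""
    name = dll_name.lower()
    if name in {m.lower() for m in loaded}:
        return "already-loaded", None          # LoadLibrary just bumps the refcount
    if name in KNOWN_DLLS:
        return "known-dll", str(PureWindowsPath(system_dir) / dll_name)
    files = {str(PureWindowsPath(f)).lower() for f in present_files}
    for directory in search_order(app_dir, cwd, system_dir, windows_dir, path_dirs):
        candidate = str(PureWindowsPath(directory) / dll_name)
        if candidate.lower() in files:
            return "found", candidate
    return "not-found", None


def hijackable(dll_name, present_files, app_dir, cwd, **kw):
    """True when the copy the loader would pick lives in the application
    directory, i.e. a proxy placed there is what the process gets."""
    how, path = resolve(dll_name, present_files, app_dir, cwd, **kw)
    return (how == "found"
            and str(PureWindowsPath(path).parent).lower() == str(PureWindowsPath(app_dir)).lower())


# Constructed layout: the game imports version.dll, dinput8.dll and
# xinput9_1_0.dll; proxies were dropped into the game directory and (by
# mistake) into the directory the game is started from.
SAMPLE_FILES = {
    r"C:\Games\Demo\version.dll",          # proxy next to the exe -> wins
    r"C:\Games\Demo\kernel32.dll",         # KnownDLL name -> ignored by the loader
    r"C:\Games\xinput9_1_0.dll",           # proxy in CWD only -> loses to System32
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\dinput8.dll",
    r"C:\Windows\System32\xinput9_1_0.dll",
}
APP_DIR, CWD = r"C:\Games\Demo", r"C:\Games"

if __name__ == "__main__":
    for dll in ("version.dll", "dinput8.dll", "xinput9_1_0.dll", "kernel32.dll"):
        print(f"{dll:16} {resolve(dll, SAMPLE_FILES, APP_DIR, CWD)}  "
              f"hijackable={hijackable(dll, SAMPLE_FILES, APP_DIR, CWD)}")
```

Running it shows version.dll resolving to the game directory, dinput8.dll and xinput9_1_0.dll resolving to System32 (the CWD copy never gets a look), and kernel32.dll short-circuiting to the KnownDLLs mapping.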

Configuration

Koaloader reads a configuration file named Koaloader.json; the same file is used whichever proxy DLL you build or deploy. The file is standard JSON. The available options are described below:

  • logging: Enables or disables logging to a Koaloader.log file. Possible values: true, false (default).
  • targets: A list of strings naming the executables to inject into. Koaloader injects modules if, and only if, one of the following holds:
    • The list of targets is empty.
    • The list of targets includes the file name of the executable that loaded Koaloader.
  • modules: A list of objects describing the modules to load, in the order they are defined. Each object has the following properties:
    • path: A string giving an absolute or relative path to a DLL. A relative path is resolved against the process's working directory, which may be different from the executable's directory (for instance when the program is launched by another program, or from a shortcut with a different start-in folder), so prefer absolute paths. Inside a JSON string a backslash must be escaped as \\; forward slashes, as in the example below, are accepted by Windows and avoid the escaping.

You can refer to the following config as an example.

Here we have defined two DLLs to load:

  • target.dll - via a path that is relative to the current working directory of the process
  • eucalyptus.dll - via an absolute path

{
  "logging": true,
  "targets": [ "program32.exe", "program64.exe" ],
  "modules": [
    {
      "path": "target.dll"
    },
    {
      "path": "C:/users/acidicoala/eucalyptus.dll"
    }
  ]
}
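How the targets rule, the module order and the relative-path caveat combine, as an added example for this page rather than Koaloader's own code. It evaluates the sample config above with the enabled and required options from the release notes added. The defaults assumed when those options are omitted (enabled true, required false), case-insensitive matching of the executable name, and the constructed file layout FILES are assumptions, not behaviour documented on this page.

```python
"""Evaluates a Koaloader-style config the way the README describes: the
`targets` rule, in-order module loading, and relative paths resolved against
the working directory rather than the executable's directory.  Added example
for this page, not Koaloader's code.  `enabled` and `required` come from the
release notes; their defaults when omitted (enabled=true, required=false) and
case-insensitive name matching are assumptions."""

import json
from pathlib import PureWindowsPath

# The README's example plus the two later options.  Note the forward slashes:
# a backslash would have to be written as "\\" inside a JSON string.
SAMPLE_CONFIG = json.loads(r"""
{
  "enabled": true,
  "logging": true,
  "targets": [ "program32.exe", "program64.exe" ],
  "modules": [
    { "path": "target.dll" },
    { "path": "C:/users/acidicoala/eucalyptus.dll", "required": true }
  ]
}
""")


def should_inject(config, exe_path):
    """targets empty -> inject into whatever loaded the proxy; otherwise only
    when the loading executable's file name is listed."""
    if not config.get("enabled", True):
        return False
    targets = {t.lower() for t in config.get("targets", [])}
    return not targets or PureWindowsPath(exe_path).name.lower() in targets


def resolve_modules(config, exe_path, cwd, present_files):
    """Walk `modules` in order.  Returns [(resolved_path, status, note)] where
    status is 'ok', 'missing-optional' (logged, skipped) or 'missing-required'
    (Koaloader aborts with a message box, so nothing after it is loaded)."""
    exe_dir = PureWindowsPath(exe_path).parent
    cwd = PureWindowsPath(cwd)
    files = {str(PureWindowsPath(f)).lower() for f in present_files}
    result = []
    for module in config.get("modules", []):
        raw = PureWindowsPath(module["path"])
        resolved = raw if raw.is_absolute() else cwd / raw
        note = ""
        if not raw.is_absolute() and str(cwd).lower() != str(exe_dir).lower():
            # The trap the README warns about: the process was started from
            # somewhere other than its own directory.
            note = f"relative path resolved against CWD {cwd}, not exe dir {exe_dir}"
        if str(resolved).lower() in files:
            status = "ok"
        elif module.get("required", False):
            status = "missing-required"
        else:
            status = "missing-optional"
        result.append((str(resolved), status, note))
        if status == "missing-required":
            break
    return result


# Constructed file layout for the scenarios below.
FILES = {r"C:\Games\target.dll", r"C:\users\acidicoala\eucalyptus.dll"}

if __name__ == "__main__":
    exe = r"C:\Games\program64.exe"
    print("inject into program64.exe:", should_inject(SAMPLE_CONFIG, exe))
    print("inject into other.exe:", should_inject(SAMPLE_CONFIG, r"C:\Games\other.exe"))
    for cwd in (r"C:\Games", r"C:\Users\me"):
        print(f"started from {cwd}:")
        for entry in resolve_modules(SAMPLE_CONFIG, exe, cwd, FILES):
            print("  ", entry)
```

Started from C:\Games both modules resolve; started from C:\Users\me the relative target.dll is looked for in the wrong directory and silently skipped, which is the failure mode the path option's description warns about.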

🛠 Development

🚥 Prerequisites

  • Git v2.13 or newer
  • CMake 3.21 or newer
  • VS 2019 Build Tools/IDE with Desktop Development with C++ installed.

Clone the project with its submodules:

git clone --recurse-submodules https://github.com/acidicoala/Koaloader.git

Run the build script with desired parameters:

./build.ps1 $Arch $Proxy $Config

  • $Arch - Program architecture. Valid values:
    • 32
    • 64
  • $Proxy - Proxy DLL to build. Valid values:
    • dinput8
    • version
    • xinput9_1_0
  • $Config - Build configuration. Valid values:
    • Debug
    • Release
    • RelWithDebInfo

Example:

./build.ps1 64 xinput9_1_0 Release

The final DLL will be located at build\$Arch\$Proxy\$Config

🔡 Commands

Update all submodules:

git submodule foreach git pull

Miscellaneous notes

  • The version is defined in version.txt.
  • The CMake project likely needs to be reloaded after changing files in the res directory.
  • GitHub Actions builds the project on every push to master, but prepares a draft release only if the last commit was tagged.
  • Proxy DLL checklist:

👋 Acknowledgements

This project makes use of the following open source projects:

📄 License

This software is licensed under BSD Zero Clause License, terms of which are available in LICENSE.txt

Releases

  • v2.4.0 (May 11, 2022)
  • v2.3.1 (May 9, 2022)
  • v2.3.0 (Apr 2, 2022)
  • v2.2.0 (Mar 6, 2022)

    📑 Changelog

    • 📚 New proxy library: TextShaping.dll.
    • 🤖 New loading mode: a new config option, auto_load, toggles the automatic loading method. In auto mode, Koaloader searches the parent directories, and the current directory recursively, until it finds the first DLL that matches a well-known name listed in the README. It is on by default (true), so Koaloader can load a DLL with a well-known name without any Koaloader.json file. Keep in mind what that scope means: anyone able to drop a file with a well-known name into a parent directory, or anywhere below the current directory, can get it loaded into the process; set auto_load to false and list modules explicitly where that matters.
    • New config option: objects in the modules option can now specify a required parameter, which determines Koaloader's behaviour when the given module is not found. true makes Koaloader abort with a message box when the DLL is missing; false prints an error to the log and continues execution.
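The scope of that automatic search, as an added illustration for this page (not Koaloader's code). Koaloader stops at the first match; which of the two regions it checks first is not stated here, so this model collects every candidate in both and leaves the ordering open. WELL_KNOWN is a placeholder sample (the real list lives in the project README and is not reproduced on this page), and the top parameter is an added bound on the upward walk so that the demo stays inside a temporary directory.

```python
"""Scope of the auto_load search from the v2.2.0 notes: every DLL with a
well-known name in the parent directories, plus every one found recursively
under the start directory.  Added example for this page, not Koaloader's code.
WELL_KNOWN is a placeholder, not the project's list; `top` is an added bound on
the upward walk; the directory tree built by build_demo_tree is constructed."""

import os
import tempfile
from pathlib import Path

WELL_KNOWN = {"eucalyptus.dll"}   # placeholder; the real list is in the project README


def _matches_in(directory, well_known):
    """Well-known-named files directly inside one directory (not recursive)."""
    try:
        return sorted(p for p in directory.iterdir()
                      if p.is_file() and p.name.lower() in well_known)
    except PermissionError:
        return []


def auto_load_candidates(start_dir, well_known=WELL_KNOWN, top=None):
    """Return every well-known-named DLL auto mode could pick: those in the
    parent chain (nearest parent first, up to and including `top`), then those
    under start_dir recursively.  Anyone who can write a file with a well-known
    name anywhere in that scope can get code into the process."""
    start = Path(start_dir).resolve()
    top = Path(top).resolve() if top else None
    hits = []
    for parent in start.parents:
        hits.extend(_matches_in(parent, well_known))
        if top is not None and parent == top:
            break
    for root, dirs, files in os.walk(start):
        dirs.sort()                                    # deterministic order
        hits.extend(Path(root) / f for f in sorted(files) if f.lower() in well_known)
    return hits


def build_demo_tree(root):
    """Constructed layout: root/a/eucalyptus.dll (a parent of start),
    root/a/b/start/sub/eucalyptus.dll (under start) and root/hidden/eucalyptus.dll
    (neither a parent nor under start, so it must not be returned)."""
    root = Path(root)
    start = root / "a" / "b" / "start"
    for f in (root / "a" / "eucalyptus.dll",
              start / "sub" / "eucalyptus.dll",
              start / "readme.txt",
              root / "hidden" / "eucalyptus.dll"):
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"MZ")                           # stub, not a real DLL
    return start


def demo():
    """Run the model over the constructed tree; returns hits relative to its root."""
    with tempfile.TemporaryDirectory() as tmp:
        start = build_demo_tree(tmp)
        root = Path(tmp).resolve()
        return [hit.relative_to(root).as_posix()
                for hit in auto_load_candidates(start, top=tmp)]


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The two hits it reports, one from a parent directory and one from a subdirectory of the start directory, are exactly the writable locations a reviewer should check before leaving auto_load at its default.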
  • v2.1.0 (Feb 25, 2022)

    📑 Changelog

    • New config option: enabled. This boolean field can be used to quickly enable or disable injection of all specified modules, without having to delete them from the config file or rename the proxy DLL. It comes in handy during development and testing.
    • The previous release zip mistakenly included version.dll in every directory. This has been fixed in this release.
  • v2.0.0 (Feb 23, 2022)

    📑 Changelog

    • 📚 Koaloader's exports are now forwarded directly to the system DLL in the C:/Windows/System32 directory, bypassing dynamic path resolution. This makes it possible to build a proxy for any system DLL with named exports without any additional code, and as a result this release includes 16 new proxy DLLs; the full list is in the README. The one drawback is that systems where Windows is installed on a drive other than C: are not supported, which is rare enough to be an acceptable trade-off.

    Note

    The initial release zip mistakenly included version.dll in every folder. Please ignore it; it was an error in the packaging step and has been fixed manually in the new release zip.
  • v1.2.1 (Feb 3, 2022)
  • v1.1.0 (Feb 2, 2022)
  • v1.0.0 (Feb 1, 2022)
