🐨 Koaloader 📥

A collection of DLLs that use search order hijacking to automatically inject specified DLLs.

🚀 Usage

Place one of the proxy DLLs where a process attempts to load it and set up the config file to list the DLLs you wish to inject.

📚 Supported proxies

  • dinput8.dll
  • version.dll
  • xinput9_1_0.dll

⚙ Configuration

Koaloader comes with a configuration file, Koaloader.json, which is the same for every proxy DLL. The config file conforms to the standard JSON format. Each available option is described below:

  • logging: Enables or disables logging to a Koaloader.log file. Possible values: true, false (default).
  • targets: A list of strings that name the targeted executables. Koaloader injects modules if, and only if:
    • the list of targets is empty, or
    • the list of targets includes the executable that loaded Koaloader.
  • modules: A list of objects describing the modules to load, in the order they are defined. Each object has the following properties:
    • path: A string giving an absolute or relative path to a DLL. A relative path is resolved against the working directory, which may differ from the executable's directory.

You can refer to the following config as an example.

Here we have defined 2 DLLs to load:

  • target.dll - via a path that is relative to the current working directory of the executable
  • eucalyptus.dll - via an absolute path.

{
  "logging": true,
  "targets": [ "program32.exe", "program64.exe" ],
  "modules": [
    {
      "path": "target.dll"
    },
    {
      "path": "C:/users/acidicoala/eucalyptus.dll"
    }
  ]
}
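The following script is an added example and not part of the Koaloader README or its source. It takes the defender's side of the Usage and Configuration sections above: it walks a directory tree, reports every executable that sits beside one of the three proxy DLL names listed under "Supported proxies", and, where a Koaloader.json is present, evaluates it the way the Configuration section describes (inject only if targets is empty or names the executable; relative module paths resolve against the working directory, not the executable's directory). It also honours the enabled and required options described in the v2.1.0 and v2.2.0 release notes further down this page. The working_dir parameter is an assumption for illustration: when it is not given, the script assumes the process starts in its own directory. The demo() layout is constructed in a temporary directory with two-byte placeholder files, not real PE images.

```python
"""Added example (not Koaloader's own code): locate the proxy-DLL layout the
README describes and evaluate Koaloader.json the way the Configuration
section says the loader does, from a defender's point of view."""
import json
import os
import tempfile
from pathlib import Path
from typing import Optional

# The three proxy names from the README's "Supported proxies" list.
PROXY_NAMES = {"dinput8.dll", "version.dll", "xinput9_1_0.dll"}
CONFIG_NAME = "koaloader.json"  # compared case-insensitively (Windows semantics)


def would_inject(config: dict, exe_name: str) -> bool:
    """README rule: modules are injected iff 'targets' is empty or lists the
    executable that loaded the proxy. 'enabled' (v2.1.0 release notes on this
    page) switches injection off entirely; when absent it means enabled."""
    if not config.get("enabled", True):
        return False
    targets = config.get("targets", [])
    return not targets or exe_name.lower() in {t.lower() for t in targets}


def resolve_modules(config: dict, working_dir: Path) -> list:
    """Resolve each module 'path'. A relative path is taken against the
    *working directory*, which the README warns may differ from the directory
    the executable lives in. 'required' comes from the v2.2.0 release notes."""
    resolved = []
    for module in config.get("modules", []):
        p = Path(module["path"])
        full = p if p.is_absolute() else working_dir / p
        resolved.append({
            "path": str(full),
            "exists": full.is_file(),
            "required": bool(module.get("required", False)),
        })
    return resolved


def scan(root: Path, working_dir: Optional[Path] = None) -> list:
    """Walk 'root' and report every directory holding an .exe next to one of
    the proxy DLL names; when a Koaloader.json sits there too, say which
    modules it would load for each executable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        directory = Path(dirpath)
        lower = {f.lower(): f for f in files}
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        proxies = sorted(PROXY_NAMES & set(lower))
        if not exes or not proxies:
            continue  # no executable beside a proxy DLL name: nothing to report
        config = None
        if CONFIG_NAME in lower:
            config = json.loads((directory / lower[CONFIG_NAME]).read_text())
        wd = working_dir or directory  # assumption: process starts in its own dir
        for exe in exes:
            injects = config is not None and would_inject(config, exe)
            findings.append({
                "dir": str(directory),
                "exe": exe,
                "proxies": proxies,
                "has_config": config is not None,
                "injects": injects,
                "modules": resolve_modules(config, wd) if injects else [],
            })
    return findings


def demo() -> list:
    """Build a constructed layout in a temp directory and scan it. The files
    are two-byte placeholders, not real PE images."""
    tmp = Path(tempfile.mkdtemp())
    game = tmp / "game"
    game.mkdir()
    for name in ("program64.exe", "other.exe", "version.dll", "target.dll"):
        (game / name).write_bytes(b"MZ")
    (game / "Koaloader.json").write_text(json.dumps({
        "logging": True,
        "targets": ["program32.exe", "program64.exe"],
        "modules": [
            {"path": "target.dll"},                                # relative
            {"path": str(tmp / "missing.dll"), "required": True},  # absolute, absent
        ],
    }))
    clean = tmp / "clean"
    clean.mkdir()
    (clean / "tool.exe").write_bytes(b"MZ")  # no proxy DLL beside it: not reported
    return scan(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(json.dumps(finding, indent=2))
```

In the constructed layout only the game directory is reported: other.exe is not in targets, so nothing would be injected into it, while program64.exe would receive target.dll (present) and a required absolute module that is missing, which the v2.2.0 notes say makes Koaloader stop with a message box. A practitioner can point scan() at a real install directory to see which executables there have a proxy DLL name beside them and what a present Koaloader.json would do.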

🛠 Development

🚥 Prerequisites

  • Git v2.13 or newer
  • CMake 3.21 or newer
  • VS 2019 Build Tools/IDE with Desktop Development with C++ installed.

Clone the project with its submodules:

git clone --recurse-submodules https://github.com/acidicoala/Koaloader.git

Run the build script with desired parameters:

./build.ps1 $Arch $Proxy $Config

  • $Arch - Program architecture. Valid values:
    • 32
    • 64
  • $Proxy - Proxy DLL to build. Valid values:
    • dinput8
    • version
    • xinput9_1_0
  • $Config - Build configuration. Valid values:
    • Debug
    • Release
    • RelWithDebInfo

Example:

./build.ps1 64 xinput9_1_0 Release

The final DLL will be located at build\$Arch\$Proxy\$Config.

🔑 Commands

Update all submodules:

git submodule foreach git pull

Miscellaneous notes

  • The version is defined in version.txt.
  • The CMake project likely needs to be reloaded after changing files in the res directory.
  • GitHub Actions builds the project on every push to master, but prepares a draft release only if the last commit was tagged.
  • Proxy DLL checklist:

👋 Acknowledgements

This project makes use of the following open source projects:

📄 License

This software is licensed under the BSD Zero Clause License, the terms of which are available in LICENSE.txt.

Releases (v2.4.0)

  • v2.4.0 (May 11, 2022)
  • v2.3.1 (May 9, 2022)
  • v2.3.0 (Apr 2, 2022)
  • v2.2.0 (Mar 6, 2022)

    📑 Changelog

    📚 New proxy library: TextShaping.dll

    🤖 New loading mode: the new config option auto_load toggles the automatic loading method. In auto mode, Koaloader searches for DLLs in parent directories, and recursively in the current directory, until it finds the first DLL whose name matches a well-known name listed in the README. It is turned on by default (set to true), so Koaloader can load a DLL with a well-known name without a Koaloader.json file.

    ⚙ New config option: objects in the modules config option can now specify a required parameter, which determines Koaloader's behavior when a given module is not found. Setting it to true makes Koaloader crash with a message box when the provided DLL is not found. Setting it to false simply prints an error log and continues execution.

  • v2.1.0 (Feb 25, 2022)

    📑 Changelog

    • New config option: enabled. This boolean field can be used to quickly enable or disable injection of all specified modules, without having to delete them from the config file or rename the proxy DLL. It comes in handy during development and testing.
    • The previous release zip mistakenly included version.dll in every directory. This issue has been fixed in this release.

  • v2.0.0 (Feb 23, 2022)

    📑 Changelog

    📚 Koaloader exports are now forwarded directly to the system DLL located in the C:/Windows/System32 directory, bypassing dynamic path resolution. This makes it possible to build any system DLL (with named exports) without any additional code. As a result, this release includes 16 new proxy DLLs. The full list is provided in the README. The only disadvantage is that systems where Windows is installed on a drive other than C: are not supported. Given that this is an extremely rare scenario, it is an acceptable trade-off.

    Note

    The initial release zip mistakenly included version.dll in every folder. Please ignore it, as it was an error in the packaging step. This was manually fixed in the new release zip.

  • v1.2.1 (Feb 3, 2022)
  • v1.1.0 (Feb 2, 2022)
  • v1.0.0 (Feb 1, 2022)
