Collection of DLL function export forwards for DLL export function proxying

Related tags

Miscellaneous dll-exports
Overview

dll-exports

Collection of DLL function export forwards for DLL export function proxying.

Typical usecase is for backdooring applications for persistence purposes. E.g:

  1. inspect the target application you wish to backdoor with procmon, see which DLLs it loads via the static IAT. You can clearly see this as the application tries to load Windows DLLs first from the applications own folder before attempting to load them from System32/SysWOW64.
  2. pick one, a common target is C:\Windows\System32\version.dll
  3. fire up Visual Studio, generate a new DLL project
  4. add the code from here https://github.com/magnusstubman/dll-exports/blob/main/win10.19042/System32/version.dll.cpp
  5. add your own maliciousness e.g. malware, e.g. as I did in https://dumpco.re/blog/alternative-to-lsass-dumping
  6. compile - remember to compile for correct architecture
  7. copy your newly compiled DLL to the target application's home directory
  8. restart application and see it load your code, while preserving functionality

generator.py generates a list of DLLs in the target folders and use pefile to generate a list of exported functions for each, that are written to individual files containing relevant linker directives. E.g. for C:\Windows\System32\version.dll:

https://github.com/magnusstubman/dll-exports/blob/main/win10.19042/System32/version.dll.cpp

#pragma comment(linker, "/export:GetFileVersionInfoA=\"C:\\Windows\\System32\\version.GetFileVersionInfoA\"")
#pragma comment(linker, "/export:GetFileVersionInfoByHandle=\"C:\\Windows\\System32\\version.GetFileVersionInfoByHandle\"")
#pragma comment(linker, "/export:GetFileVersionInfoExA=\"C:\\Windows\\System32\\version.GetFileVersionInfoExA\"")
#pragma comment(linker, "/export:GetFileVersionInfoExW=\"C:\\Windows\\System32\\version.GetFileVersionInfoExW\"")
#pragma comment(linker, "/export:GetFileVersionInfoSizeA=\"C:\\Windows\\System32\\version.GetFileVersionInfoSizeA\"")
#pragma comment(linker, "/export:GetFileVersionInfoSizeExA=\"C:\\Windows\\System32\\version.GetFileVersionInfoSizeExA\"")
#pragma comment(linker, "/export:GetFileVersionInfoSizeExW=\"C:\\Windows\\System32\\version.GetFileVersionInfoSizeExW\"")
#pragma comment(linker, "/export:GetFileVersionInfoSizeW=\"C:\\Windows\\System32\\version.GetFileVersionInfoSizeW\"")
#pragma comment(linker, "/export:GetFileVersionInfoW=\"C:\\Windows\\System32\\version.GetFileVersionInfoW\"")
#pragma comment(linker, "/export:VerFindFileA=\"C:\\Windows\\System32\\version.VerFindFileA\"")
#pragma comment(linker, "/export:VerFindFileW=\"C:\\Windows\\System32\\version.VerFindFileW\"")
#pragma comment(linker, "/export:VerInstallFileA=\"C:\\Windows\\System32\\version.VerInstallFileA\"")
#pragma comment(linker, "/export:VerInstallFileW=\"C:\\Windows\\System32\\version.VerInstallFileW\"")
#pragma comment(linker, "/export:VerLanguageNameA=\"C:\\Windows\\System32\\version.VerLanguageNameA\"")
#pragma comment(linker, "/export:VerLanguageNameW=\"C:\\Windows\\System32\\version.VerLanguageNameW\"")
#pragma comment(linker, "/export:VerQueryValueA=\"C:\\Windows\\System32\\version.VerQueryValueA\"")
#pragma comment(linker, "/export:VerQueryValueW=\"C:\\Windows\\System32\\version.VerQueryValueW\"")

Note

I havn't taken KnownDLLs into account. Keep in mind that the DLLs listed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs and any DLL that they load is also considered to be a known DLL, thus the standard search order does not apply.

References

You might also like...
A blender import/export system for Defold

defold-blender-export A blender import/export system for Defold Setup Notes There are no exhaustive documents for this tool yet. Its just not complete

David Lannan 27 Dec 30, 2022
(C++) Integrity dynamic link library made in C++ that you can export to C#

C-Integrity-Library ✔ (C++) Integrity dynamic link library made in C++ that can export to C# C# Exports [DllImport("Exports.dll")] public static exter

null 1 Jan 20, 2022
a convergence of ideas. read-only fossil export

MNOLTH A convergence of ideas. Mnolth is the core environment I use for composing computer music, as well as the multimedia that occasionally accomp

Paul Batchelor 4 Apr 18, 2022
A tool to convert Call of Duty XBIN/EXPORT files to and from each other.

exportxbin exportxbin is an enhanced version of export2bin included in the Call of Duty: Black Ops III Mod Tools. Its main goal is to provide users wi

Philip 3 Jan 22, 2022
C-function for traversing files/directories effectively and calling a given function with each encountered file and a void-pointer as parameters

C-function for traversing files/directories effectively and calling a given function with each encountered file and a void-pointer as parameters

null 1 Jun 27, 2022
Inject dll to explorer.exe and hide file from process.

Hide-FS Inject dll to explorer.exe and hide file from process. Requierments: Microsoft Detours Library - https://github.com/microsoft/Detours Compile:

null 12 Dec 26, 2022
stackwalkerc - Windows single header stack walker in C (DbgHelp.DLL)
stackwalkerc - Windows single header stack walker in C (DbgHelp.DLL)

stackwalkerc - Windows single header stack walker in C (DbgHelp.DLL) Features Can be used in C or C++ code Super simple API Single header library make

Sepehr Taghdisian 29 Jul 4, 2022
Wrapper DLL for NieR Automata (PC ver.) to disable LODs & fix AO issues

NieRAutomata-LodMod An XInput/DXGI wrapper DLL that hooks into NieR Automata (Steam ver.) and disables object LODs, improving visual quality & fixing

emoose 24 Jul 9, 2022
Automatically inject a DLL into the selected process with VAC3 bypass.
Automatically inject a DLL into the selected process with VAC3 bypass.

FTP LOADER Automatically inject a DLL into the selected process with VAC3 bypass. This will only, most likely, work only with source engine games in s

null 18 Aug 26, 2021
Owner
Magnus Stubman
hax hax hax!
Magnus Stubman
GitHub
A method from GH on how to stream a dll without touching disk, TAGS: fortnite cheat fortnite injector dll injector

dll-encryptor People who make pay hacks typically have down syndrome and are incapable of using their brains in any fashion, and yet these bath salt s

Micca 2 Nov 24, 2021
Shared to msvcrt.dll or ucrtbase.dll and optimize the C/C++ application file size.

VC-LTL - An elegant way to compile lighter binaries. 简体中文 I would like to turn into a stone bridge, go through 500 years of wind, 500 years of Sun, ra

Chuyu Team 266 Jan 1, 2023
Simple one file header for hijacking windows version.dll for desired executable to do 3rd party modifying without dll injection.

Version-Hijack Simple one file header for hijacking windows version.dll for desired executable to do 3rd party modifying without dll injection. Usage

sneakyevil 6 Oct 19, 2022
DLL Hooker using DLL Redirection

DLLHooker DLL Hooker using DLL Redirection. Development Environment IDE: Visual Studio 2019 Demonstration References [1] https://www.exploit-db.com/do

Jack Ren 1 Jan 21, 2022
A personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to be used in conjunction with these exploits.

This repository contains a personal collection of Windows CVE I have turned in to exploit source, as well as a collection of payloads I've written to

null 85 Dec 28, 2022
A gdnative plugin for Godot's UWP export to add xbox live integration

GodotXbox Current instructions for setting up DLL, steps to setup project for contributing/modifying are coming soon. It should be noted that Godot's

Cregg Hancock 37 Oct 31, 2022
📃 Export WeChat chat histories to HTML files.

wechat-export Export WeChat chat histories to HTML files. Preview This script generates a HTML file for each contact's chat history. Currently it supp

Zihua Li 607 Dec 15, 2022
Unix pager (with very rich functionality) designed for work with tables. Designed for PostgreSQL, but MySQL is supported too. Works well with pgcli too. Can be used as CSV or TSV viewer too. It supports searching, selecting rows, columns, or block and export selected area to clipboard.

Unix pager (with very rich functionality) designed for work with tables. Designed for PostgreSQL, but MySQL is supported too. Works well with pgcli too. Can be used as CSV or TSV viewer too. It supports searching, selecting rows, columns, or block and export selected area to clipboard.

Pavel Stehule 1.9k Jan 4, 2023
Pure Data patch export to lv2 plugin using heavy compiler + dpf example

Pure Data patch export to lv2 plugin using heavy compiler + dpf example Work in progress - Takes an audio input and writes to a 0.5 seconds buffers. 4

Qwrtst 3 Dec 27, 2022
Get air quality & CO2 data from SM300D2 & Senseair S8 with ESP32, and export as OpenMetrics (Prometheus exporter) via WiFi.

ESP Air Sensor Get air quality & CO2 data from SM300D2 & Senseair S8 with ESP32, and export as OpenMetrics (Prometheus exporter) via WiFi. I used to h

Shell Chen 4 Feb 6, 2022