slyd0g/DLLHijackTest

Stars
326
Rank 129,027 (Top 3 %)
Language
PowerShell
Created over 4 years ago
Updated about 4 years ago

slyd0g/DLLHijackTest

slyd0g

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

DLL and PowerShell script to assist with finding DLL hijacks

DLLHijackTest

Blogpost

https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0

Usage

Use Procmon to obtain a CSV file of potential DLL hijacks
Modify outputFile variable within write.cpp
Build the project for the appropriate architecture
Open powershell.exe and load Get-PotentialDLLHijack.ps1 into memory
- . .\Get-PotentialDLLHijack.ps1
Run Get-PotentialDLLHijack with the appropriate flags
- Example:
  - Get-PotentialDLLHijack -CSVPath .\Logfile.CSV -MaliciousDLLPath .\DLLHijackTest.dll -ProcessPath "C:\Users\John\AppData\Local\Programs\Microsoft VS Code\Code.exe"
- -CSVPath takes in a path to a .csv file exported from Procmon
- -MaliciousDLLPath takes in a path to your compiled hijack DLL
- -ProcessPath takes in a path to the executable you want to run
- -ProcessArguments takes in commandline arguments you want to pass to the executeable
View the contents of outputFile for found DLL hijacks
- Run strings.exe on the outputFile to clean up the output paths
Party!!!

PrimaryTokenTheft

Steal a primary token and spawn cmd.exe using the stolen token

SharpClipboard

C# Clipboard Monitor

WhiteChocolateMacademiaNut

Interact with Chromium-based browsers' debug port to view open tabs, installed extensions, and cookies

UrbanBishopLocal

A port of FuzzySecurity's UrbanBishop project for inline shellcode execution

SwiftSpy

macOS keylogger, clipboard monitor, and screenshotter

SwiftInMemoryLoading

Swift implementation of in-memory Mach-O loading on macOS

LNKMod

C# project to create or modify existing LNKs

TimeStomper

PoC that manipulates Windows file times using SetFileTime() API

ObjCShellcodeLoader

macOS shellcode loader written in Objective-C

SK8RAT

C++ implant that interfaces with a SK8PARK server

SharpCrashEventLog

C# port of LogServiceCrash

DylibHijackTest

Discover DYLD_INSERT_LIBRARIES hijacks on macOS

SwiftParseTCC

Use "Full Disk Access" permissions to read the contents of TCC.db and display it in human-readable format

SK8PARK

Python 3 server used to control SK8RAT implant

SharpRoast-Parser

Bash one-liner that will parse harmj0y's SharpRoast or Rebeus kerberoast into hashcat crack-able format.

XORShellcodeLoader

Loads shellcode from a resource file.

SwiftLiverpool

Enumerate Location Services using CoreLocation API on macOS

pwnVNC

Python script that will attempt connection to unauthenticated VNC sessions on the entire Internet and take a screenshot of the user's current session.

SharpCryptUnprotectData

C-Sharp-Out-Minidump

C# implementation of Out-Minidump.ps1

SwiftPlist

Partial rewrite of the `plutil` utility on macOS

MiniShare-1.4.1-RCE

MiniShare 1.4.1 remote buffer overflow leading to RCE.

Debian8JessieSetup

Run on a fresh install of Debian 8 Jessie to create a new user, give sudo privileges, update your system, update your source list and more!

TestingDLL

TestingDLL using ShellExecuteA to spawn processes

XORcipher

Script will ask you to encrypt or decrypt a message by XORing the message with a OTP.