DLL hijacks still have value today but our approach to finding them may not always be the best. PATH hijacks are easy to find but miss things earlier in the search order. Loading Procmon on target isn't always safe. You may not be able to exfil on the target app to test in a lab.
Today I'm pushing up HijackHunter to the OffensiveC# repo. This tool works by parsing the IAT and delay load table of a PE and testing each import for potential hijacks. If a hijack is detected, it will tell you why it determined it and how to abuse it. github.com/matterpreter/Offe…

5:33 PM · Aug 10, 2020

Features:
- x86 & x64 support
- Recursive import search (dependency walker)
- No external requirements (no PeNet!)
- Written entirely in C# for easy deployment via C2
I drew a great deal of inspiration from @_ForrestOrr's Siofra (github.com/forrest-re/siofra…) and heavily referenced @spottheplanet's post on manually parsing PE headers (ired.team/miscellaneous-reve…).
Also, a huge shout-out to @monoxgas for writing my favorite post on DLL hijack tradecraft ever, which reignited my interest in this technique: silentbreaksecurity.com/adap…
Replying to @matterpreter
I can see that it has some problems when parsing x64 executables. Do you plan on fixing it? Thanks for your work :)
Feel free to open an issue on GitHub with details about the error you're receiving and I'll be happy to take a look.