DLLirant icon indicating copy to clipboard operation
DLLirant copied to clipboard

Published 20 hours ago verified publisher icon Sh0ckFR

Metadata

DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.

DLLirant

DLLirant is a tool to automatize the DLL Hijacking and DLL Proxying researches on a specified binary.

alt text

Live Demo

alt text

How to install

  • Install LLVM for Windows: https://llvm.org/builds/
  • Do not forget to check the "Add LLVM to the system PATH for current user" during the installation.
  • Install pefile from pip:
pip3 install pefile

How to use

Use the cd command to your DLLirant directory and to test a binary:

python3 DLLirant.py -f "C:\THEFULLPATH\YourBinary.exe"

If you want to create a proxy dll, you can use the -p option on the original vulnerable dll (read https://itm4n.github.io/dll-proxying/ for more informations):

python3 DLLirant.py -p "C:\THEFULLPATH\VulnerableDLL.dll"

How it works

The script will create an output directory in the same directory of DLLirant.py, copy the targeted binary to the output directory.

Via the pefile library, the script will extract the dll names required by the binary, and test each imports functions available one by one by compilate a custom DLL with the required exported functions.

If a function required by the binary is executed, the custom DLL will create a C:\\DLLirant\\output.txt file and display a MessageBox to be sure that a DLL Hijacking is possible.

A results.txt will be also created in the DLLirant directory with all potential DLL Hijacking available.

A file admin-required.txt will also be available for the potential DLL Hijacking who require specific privileges.

If a binary require a DLL from the system or another one, you can create a import directory in the same directory of DLLirant.py the script will copy all your DLL files in the output directory with your targeted binary.

Know issues

  • ERROR: The process "39456" not found. -> This is a normal behavior, DLLirant try to kill the process automatically, if the process is already killed, you will see this exception, just ignore it.

Technical posts (in French)

  • https://sh0ckfr.com/pages/martine-a-la-recherche-de-la-dll-hijacking-perdue/
  • https://sh0ckfr.com/pages/martin-et-le-dll-proxying-de-cristal/

Credits

  • am0nsec
  • DallasFR
  • Justin Bui from SpecterOps for his blogpost and the idea: https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
  • itm4n for his blogpost about DLL Proxying: https://itm4n.github.io/dll-proxying/
  • bik3te
  • The authors of the pefile library: https://github.com/erocarrera/pefile

Metadata

316
Stars
50
Forks
Watchers

Owner

verified publisher icon Sh0ckFR

Metadata

DLLirant is a tool to automatize the DLL Hijacking researches on a specified binary.

Back