static string HijackChecks(PEDetails peDetails, bool isDynamic) { // Check KnownDLLs List <string> knownDlls = GetKnownDlls(); foreach (string knownDll in knownDlls) { if (peDetails.Name.ToLower().Equals(knownDll.ToLower())) { return(" [KnownDLL]"); } } // Check against the API set if (peDetails.Name.ToLower().StartsWith("api-ms-win-") || peDetails.Name.ToLower().StartsWith("ext-ms-win-")) { return(" [API Set]"); } // Hacky way to catch if (CheckDirectoryWritePermissions(g_basePath) && peDetails.Name != "ntdll.dll") { if (!File.Exists(g_basePath + @"\" + peDetails.Name)) { peDetails.HijackAttribute = "writableProgDirDllMissing"; peDetails.Path = g_basePath + @"\" + peDetails.Name; if (isDynamic) { peDetails.Name = peDetails.Name + " (Delayed Load)"; } g_Hijackables.Add(peDetails); return(" [HIJACKABLE] "); } else { peDetails.HijackAttribute = "writableProgDirDllExists"; peDetails.Path = g_basePath + @"\" + peDetails.Name; if (isDynamic) { peDetails.Name = peDetails.Name + " (Delayed Load)"; } g_Hijackables.Add(peDetails); return(" [HIJACKABLE]"); } } // Check if the current user can write to the EXE's directory if (peDetails.Path != null && !peDetails.Path.ToLower().StartsWith(Environment.SystemDirectory.ToLower()) && // Check to make sure we aren't hitting hijacks that require modifying a sensitive directory !peDetails.Path.ToLower().StartsWith(Environment.GetFolderPath(Environment.SpecialFolder.Windows).ToLower())) { if (CheckDirectoryWritePermissions(peDetails.Path)) { peDetails.HijackAttribute = "writableProgDirDllMissing"; if (isDynamic) { peDetails.Name = peDetails.Name + " (Delayed Load)"; } g_Hijackables.Add(peDetails); return(" [HIJACKABLE] "); } else { peDetails.HijackAttribute = "writableProgDirDllExists"; if (isDynamic) { peDetails.Name = peDetails.Name + " (Delayed Load)"; } g_Hijackables.Add(peDetails); return(" [HIJACKABLE]"); } } else if (peDetails.Path.ToLower().StartsWith(Environment.SystemDirectory.ToLower())) { return(" [System32]"); } else if (peDetails.Path.ToLower().StartsWith(Environment.GetFolderPath(Environment.SpecialFolder.Windows).ToLower())) { return(" [Windir]"); } if (peDetails.Path == null) { peDetails.HijackAttribute = "globallyMissingDll"; if (isDynamic) { peDetails.Name = peDetails.Name + " (Delayed Load)"; } g_Hijackables.Add(peDetails); return(" [HIJACKABLE]"); } if (peDetails.Path.StartsWith(Environment.CurrentDirectory)) { return(" [Current Directory]"); } // %PATH% hijacks string pathEnvVar = Environment.GetEnvironmentVariable("PATH"); string[] envPaths = pathEnvVar.Split(new char[1] { Path.PathSeparator }); foreach (string envPath in envPaths) { // If the path is writable if (CheckDirectoryWritePermissions(envPath)) { if (peDetails.Path.StartsWith(envPath)) { peDetails.HijackAttribute = "writableEnvPathDllExists"; peDetails.Path = envPath; if (isDynamic) { peDetails.Name = peDetails.Name + " (Delayed Load)"; } g_Hijackables.Add(peDetails); return(" [HIJACKABLE]"); } else { peDetails.HijackAttribute = "writableEnvPathDllMissing"; peDetails.Path = envPath; if (isDynamic) { peDetails.Name = peDetails.Name + " (Delayed Load)"; } g_Hijackables.Add(peDetails); return(" [HIJACKABLE]"); } } } return(null); }
public ErrCode SavePE(PEDetails ped, out int id) { ErrCode err = SiteProvider.CurrentProvider.SavePE(ped, out id); return err; }
static void RecursiveHunter(string fileName, byte[] fileBytes, bool isRoot, string target, int indent) { PEDetails targetFile = new PEDetails { Name = fileName, Path = Path.GetDirectoryName(fileName), Arch = UnsafeHelpers.GetPeArchitecture(fileBytes) }; targetFile.staticImports = UnsafeHelpers.GetStaticImports(fileBytes, targetFile.Arch); targetFile.dynamicImports = UnsafeHelpers.GetDynamicImports(fileBytes, targetFile.Arch); string spacing = new string(' ', indent + 4); // Used for text formatting if (isRoot) // We only want to print this bit for the target EXE and not for imported DLLs during recursion { if (targetFile.staticImports.Count > 0) { Console.WriteLine(spacing + "[+] Found {0} static imports!", targetFile.staticImports.Count); } if (targetFile.dynamicImports.Count > 0) { Console.WriteLine(spacing + "[+] Found {0} dynamic imports!", targetFile.dynamicImports.Count); } if (!quietMode) { Console.WriteLine("[>] Beginning hijack checks"); } } if (target == "static") { if (targetFile.staticImports != null) { foreach (string dll in targetFile.staticImports) { if (!dll.StartsWith("api-ms-win") && !dll.StartsWith("ext-ms-win")) // We won't process members of the API Set { try { // First see if we can find the DLL in any of the SafeDllSearchMode search order targetFile.Name = dll; string output = spacing + "└─ " + targetFile.Name; targetFile.Path = FindFilePath(dll, Path.GetDirectoryName(targetFile.Path)); string hijackResult = HijackChecks(targetFile, false); if (targetFile.Path != null) { if (!quietMode) { Console.WriteLine(output + hijackResult); } // Start processing it through recursion byte[] newFile = File.ReadAllBytes(targetFile.Path); RecursiveHunter(targetFile.Path, newFile, false, "static", indent + 6); } else // Handle DLLs that are missing from the search order { if (!quietMode) { Console.WriteLine(output + " [HIJACKABLE]"); } } } catch (Exception ex) { // A NullReferenceException expected to happen at the end of ever recursive search chain if (!(ex is NullReferenceException)) { throw; } } } } } } else if (target == "dynamic") { foreach (string dll in targetFile.dynamicImports) { if (!dll.StartsWith("api-ms-win") && !dll.StartsWith("ext-ms-win")) // We won't process members of the API Set { try { // First see if we can find the DLL in any of the SafeDllSearchMode search order targetFile.Name = dll; string output = spacing + "└─ " + targetFile.Name; targetFile.Path = FindFilePath(dll, Path.GetDirectoryName(targetFile.Path)); string hijackResult = HijackChecks(targetFile, true); if (targetFile.Path != null) { // Print out the found DLL... if (!quietMode) { Console.WriteLine(output + hijackResult); } // and start processing it through recursion byte[] newFile = File.ReadAllBytes(targetFile.Path); //RecursiveHunter(targetFile.Path, newFile, false, "static", indent + 6); // No recursion for dynamic loads currently due to bugs. Feel free to PR though :) } else // Handle DLLs that are missing from the search order { if (!quietMode) { Console.WriteLine(output + " [HIJACKABLE]"); } } } catch (Exception ex) { // A NullReferenceException expected to happen at the end of ever recursive search chain if (!(ex is NullReferenceException)) { throw; } } } } } }