static string HijackChecks(PEDetails peDetails, bool isDynamic)
{
// Check KnownDLLs
List <string> knownDlls = GetKnownDlls();
foreach (string knownDll in knownDlls)
{
if (peDetails.Name.ToLower().Equals(knownDll.ToLower()))
{
return(" [KnownDLL]");
}
}
// Check against the API set
if (peDetails.Name.ToLower().StartsWith("api-ms-win-") || peDetails.Name.ToLower().StartsWith("ext-ms-win-"))
{
return(" [API Set]");
}
// Hacky way to catch
if (CheckDirectoryWritePermissions(g_basePath) && peDetails.Name != "ntdll.dll")
{
if (!File.Exists(g_basePath + @"\" + peDetails.Name))
{
peDetails.HijackAttribute = "writableProgDirDllMissing";
peDetails.Path = g_basePath + @"\" + peDetails.Name;
if (isDynamic)
{
peDetails.Name = peDetails.Name + " (Delayed Load)";
}
g_Hijackables.Add(peDetails);
return(" [HIJACKABLE] ");
}
else
{
peDetails.HijackAttribute = "writableProgDirDllExists";
peDetails.Path = g_basePath + @"\" + peDetails.Name;
if (isDynamic)
{
peDetails.Name = peDetails.Name + " (Delayed Load)";
}
g_Hijackables.Add(peDetails);
return(" [HIJACKABLE]");
}
}
// Check if the current user can write to the EXE's directory
if (peDetails.Path != null &&
!peDetails.Path.ToLower().StartsWith(Environment.SystemDirectory.ToLower()) && // Check to make sure we aren't hitting hijacks that require modifying a sensitive directory
!peDetails.Path.ToLower().StartsWith(Environment.GetFolderPath(Environment.SpecialFolder.Windows).ToLower()))
{
if (CheckDirectoryWritePermissions(peDetails.Path))
{
peDetails.HijackAttribute = "writableProgDirDllMissing";
if (isDynamic)
{
peDetails.Name = peDetails.Name + " (Delayed Load)";
}
g_Hijackables.Add(peDetails);
return(" [HIJACKABLE] ");
}
else
{
peDetails.HijackAttribute = "writableProgDirDllExists";
if (isDynamic)
{
peDetails.Name = peDetails.Name + " (Delayed Load)";
}
g_Hijackables.Add(peDetails);
return(" [HIJACKABLE]");
}
}
else if (peDetails.Path.ToLower().StartsWith(Environment.SystemDirectory.ToLower()))
{
return(" [System32]");
}
else if (peDetails.Path.ToLower().StartsWith(Environment.GetFolderPath(Environment.SpecialFolder.Windows).ToLower()))
{
return(" [Windir]");
}
if (peDetails.Path == null)
{
peDetails.HijackAttribute = "globallyMissingDll";
if (isDynamic)
{
peDetails.Name = peDetails.Name + " (Delayed Load)";
}
g_Hijackables.Add(peDetails);
return(" [HIJACKABLE]");
}
if (peDetails.Path.StartsWith(Environment.CurrentDirectory))
{
return(" [Current Directory]");
}
// %PATH% hijacks
string pathEnvVar = Environment.GetEnvironmentVariable("PATH");
string[] envPaths = pathEnvVar.Split(new char[1] {
Path.PathSeparator
});
foreach (string envPath in envPaths)
{
// If the path is writable
if (CheckDirectoryWritePermissions(envPath))
{
if (peDetails.Path.StartsWith(envPath))
{
peDetails.HijackAttribute = "writableEnvPathDllExists";
peDetails.Path = envPath;
if (isDynamic)
{
peDetails.Name = peDetails.Name + " (Delayed Load)";
}
g_Hijackables.Add(peDetails);
return(" [HIJACKABLE]");
}
else
{
peDetails.HijackAttribute = "writableEnvPathDllMissing";
peDetails.Path = envPath;
if (isDynamic)
{
peDetails.Name = peDetails.Name + " (Delayed Load)";
}
g_Hijackables.Add(peDetails);
return(" [HIJACKABLE]");
}
}
}
return(null);
}
public ErrCode SavePE(PEDetails ped, out int id)
{
ErrCode err = SiteProvider.CurrentProvider.SavePE(ped, out id);
return err;
}
static void RecursiveHunter(string fileName, byte[] fileBytes, bool isRoot, string target, int indent)
{
PEDetails targetFile = new PEDetails
{
Name = fileName,
Path = Path.GetDirectoryName(fileName),
Arch = UnsafeHelpers.GetPeArchitecture(fileBytes)
};
targetFile.staticImports = UnsafeHelpers.GetStaticImports(fileBytes, targetFile.Arch);
targetFile.dynamicImports = UnsafeHelpers.GetDynamicImports(fileBytes, targetFile.Arch);
string spacing = new string(' ', indent + 4); // Used for text formatting
if (isRoot) // We only want to print this bit for the target EXE and not for imported DLLs during recursion
{
if (targetFile.staticImports.Count > 0)
{
Console.WriteLine(spacing + "[+] Found {0} static imports!", targetFile.staticImports.Count);
}
if (targetFile.dynamicImports.Count > 0)
{
Console.WriteLine(spacing + "[+] Found {0} dynamic imports!", targetFile.dynamicImports.Count);
}
if (!quietMode)
{
Console.WriteLine("[>] Beginning hijack checks");
}
}
if (target == "static")
{
if (targetFile.staticImports != null)
{
foreach (string dll in targetFile.staticImports)
{
if (!dll.StartsWith("api-ms-win") && !dll.StartsWith("ext-ms-win")) // We won't process members of the API Set
{
try
{
// First see if we can find the DLL in any of the SafeDllSearchMode search order
targetFile.Name = dll;
string output = spacing + "└─ " + targetFile.Name;
targetFile.Path = FindFilePath(dll, Path.GetDirectoryName(targetFile.Path));
string hijackResult = HijackChecks(targetFile, false);
if (targetFile.Path != null)
{
if (!quietMode)
{
Console.WriteLine(output + hijackResult);
}
// Start processing it through recursion
byte[] newFile = File.ReadAllBytes(targetFile.Path);
RecursiveHunter(targetFile.Path, newFile, false, "static", indent + 6);
}
else // Handle DLLs that are missing from the search order
{
if (!quietMode)
{
Console.WriteLine(output + " [HIJACKABLE]");
}
}
}
catch (Exception ex)
{
// A NullReferenceException expected to happen at the end of ever recursive search chain
if (!(ex is NullReferenceException))
{
throw;
}
}
}
}
}
}
else if (target == "dynamic")
{
foreach (string dll in targetFile.dynamicImports)
{
if (!dll.StartsWith("api-ms-win") && !dll.StartsWith("ext-ms-win")) // We won't process members of the API Set
{
try
{
// First see if we can find the DLL in any of the SafeDllSearchMode search order
targetFile.Name = dll;
string output = spacing + "└─ " + targetFile.Name;
targetFile.Path = FindFilePath(dll, Path.GetDirectoryName(targetFile.Path));
string hijackResult = HijackChecks(targetFile, true);
if (targetFile.Path != null)
{
// Print out the found DLL...
if (!quietMode)
{
Console.WriteLine(output + hijackResult);
}
// and start processing it through recursion
byte[] newFile = File.ReadAllBytes(targetFile.Path);
//RecursiveHunter(targetFile.Path, newFile, false, "static", indent + 6); // No recursion for dynamic loads currently due to bugs. Feel free to PR though :)
}
else // Handle DLLs that are missing from the search order
{
if (!quietMode)
{
Console.WriteLine(output + " [HIJACKABLE]");
}
}
}
catch (Exception ex)
{
// A NullReferenceException expected to happen at the end of ever recursive search chain
if (!(ex is NullReferenceException))
{
throw;
}
}
}
}
}
}
