Robber - Tool For Finding Executables Prone To Dll Hijacking


Robber is a costless opened upwardly source tool developed using Delphi XE2 without whatever third political party dependencies.
What is DLL hijacking ?!
Windows has a search path for DLLs inwards its underlying architecture. If yous tin figure out what DLLs an executable requests without an absolute path (triggering this search process), yous tin as well as then house your hostile DLL somewhere above the search path thence it'll live on constitute earlier the existent version is, as well as Windows volition happilly feed your laid upwardly on code to the application.

So, let's pretend Windows's DLL search path looks something similar this:
A) . <-- electrical flow working directory of the executable, highest priority, showtime check
B) \Windows
C) \Windows\system32
D) \Windows\syswow64 <-- lowest priority, final check
as well as unopen to executable "Foo.exe" requests "bar.dll", which happens to alive inwards the syswow64 (D) subdir. This gives yous the chance to house your malicious version inwards A), B) or C) as well as it volition live on loaded into executable.
As stated before, fifty-fifty an absolute sum path can't protect against this, if yous tin supplant the DLL amongst your ain version.
Microsoft Windows protect organisation pathes similar System32 using Windows File Protection machinery but the best agency to protect executable from DLL hijacking inwards entrprise solutions is :
  • Use absolute path instead of relative path
  • If yous bring personal sign, sign your DLL files as well as banking concern check the sign inwards your application earlier charge DLL into memory. otherwise banking concern check the hash of DLL file amongst master copy DLL hash)
And of course, this isn't actually express to Windows either. Any OS which allows for dynamic linking of external libraries is theoretically vulnerable to this.
Robber exercise uncomplicated machinery to figure out DLLs that prone to hijacking :
  1. Scan import tabular array of executable as well as discovery out DLLs that linked to executable
  2. Search for DLL files placed within executable that represent amongst linked DLL (as i said earlier electrical flow working directory of the executable has highest priority)
  3. If whatever DLL found, scan the export tabular array of theme
  4. Compare import tabular array of executable amongst export tabular array of DLL as well as if whatever matching was found, the executable as well as matched mutual functions flag equally DLL hijack candidate.
Feauters :
  • Ability to pick out scan type (signed/unsigned applications)
  • Determine executable signer
  • Determine wich referenced DLLs candidate for hijacking
  • Determine exported method names of candidate DLLs
  • Configure rules to decide which hijacks is best or adept selection for exercise as well as exhibit subject inwards dissimilar colors
Find out latest Robber executable here

Popular posts from this blog

Kerbrute - A Tool To Perform Kerberos Pre-Auth Bruteforcing

Image
Influenza A virus subtype H5N1 tool to speedily bruteforce together with enumerate valid Active Directory accounts through Kerberos Pre-Authentication Grab the latest binaries from the releases page to acquire started. Background This tool grew out of approximately bash scripts I wrote a few years agone to perform bruteforcing using the Heimdal Kerberos customer from Linux. I wanted something that didn't demand privileges to install a Kerberos client, together with when I works life the amazing pure Go implementation of Kerberos gokrb5 , I decided to lastly acquire Go together with write this. Bruteforcing Windows passwords amongst Kerberos is much faster than whatever other approach I know of, together with potentially stealthier since pre-authentication failures produce non trigger that "traditional" An job organisation human relationship failed to log on final result 4625. With Kerberos, y'all tin validate a username or exam a login past times s
Read more

Cameradar V2.1.0 - Hacks Its Mode Into Rtsp Videosurveillance Cameras

Image
   An RTSP flow access tool that comes alongside its library Cameradar allows you lot to Detect opened upward RTSP hosts on whatever accessible target host Detect which device model is streaming Launch automated dictionary attacks to larn their stream route (e.g.: /live.sdp ) Launch automated lexicon attacks to larn the username in addition to password of the cameras Retrieve a consummate in addition to user-friendly study of the results Docker Image for Cameradar Install docker on your machine, in addition to run the next command: docker run -t ullaakut/cameradar -t <target> <other command-line options> See command-line options . e.g.: docker run -t ullaakut/cameradar -t 192.168.100.0/24 -l volition scan the ports 554 in addition to 8554 of hosts on the 192.168.100.0/24 subnetwork in addition to laid on the discovered RTSP streams in addition to volition output debug logs. YOUR_TARGET tin hold out a subnet (e.g.: 172.16.100.0/24 ), an IP (
Read more

Efiguard - Disable Patchguard Together With Dse At Kicking Time

Image
EfiGuard is a portable x64 UEFI bootkit that patches the Windows kicking manager, kicking loader too center at kicking fourth dimension inward club to disable PatchGuard too Driver Signature Enforcement (DSE). Features Currently supports all EFI-compatible versions of Windows x64 e'er released, from Vista SP1 to Server 2019. Easy to use: tin live on booted from a USB stick via a loader application that automatically finds too boots Windows. The driver tin also live on loaded too configured manually using either the UEFI rhythm out or the loader. Makes extensive utilization of the Zydis disassembler library for fast runtime pedagogy decoding to back upwardly to a greater extent than robust analysis than what is possible amongst signature matching, which oftentimes requires changes amongst novel OS updates. Works passively: the driver does non charge or start the Windows kicking manager. Instead it acts on a charge of bootmgfw.efi yesteryear the firmware kicking
Read more