Hijacking auto-start programs
The hijack is achieved by tampering with, replacing, or proxying the DLL the program originally loads.
1. DLL replacement: replace a legitimate DLL with a malicious one.
2. DLL search order hijacking: for a DLL that the application names without a path, place the malicious DLL in a location that the search order visits before the real DLL's location. Most of the time that is the directory containing the target executable, which is searched first. (Microsoft documentation: https://docs.microsoft.com/zh-cn/windows/win32/dlls/dynamic-link-library-search-order)
3. Phantom DLL hijacking: drop a malicious DLL in place of a missing/non-existent DLL that a legitimate application tries to load.
4. DLL redirection: change where DLLs are searched for by editing, for example, the %PATH% environment variable or an .exe.manifest / .exe.local file.
5. WinSxS DLL replacement: replace a legitimate DLL in the WinSxS folder with a malicious one.
6. Relative path DLL hijacking: copy the legitimate application into a user-writable folder and add the malicious DLL next to it.
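As an added example (not code from the original page), the following model of the search order described above takes a constructed view of a host (which directories contain which files, which directories the current user can write to, the %PATH%, the KnownDLLs list and the SafeDllSearchMode setting) and reports, for each DLL name an executable imports, where the loader would find it and which of the variants above applies. The directory names, the host in demo() and the writable set are assumptions for illustration; the ordering rules are the ones in Microsoft's documentation linked above.

```python
"""Windows DLL search-order model for spotting hijackable loads.

Added example; not code from the original page. Directory ordering follows
Microsoft's "Dynamic-Link Library Search Order" documentation
(SafeDllSearchMode on: app dir, System32, System, Windows, CWD, %PATH%;
SafeDllSearchMode off: the current directory moves to second place).
The host described in demo() is constructed for illustration.
"""
from dataclasses import dataclass, field

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"     # legacy 16-bit system directory
WINDIR = r"C:\Windows"


@dataclass
class Host:
    files: dict                          # directory -> set of lower-case file names
    writable: set                        # directories the current user can write to
    path: list                           # %PATH% entries in order
    known_dlls: set = field(default_factory=set)   # served from the KnownDLLs cache
    safe_dll_search_mode: bool = True    # the default since Windows XP SP2

    def has(self, directory, name):
        return name in self.files.get(directory, set())


def search_order(host, app_dir, cwd):
    """Directories in the order the loader tries them for a DLL given by bare name."""
    system_dirs = [SYSTEM32, SYSTEM16, WINDIR]
    if host.safe_dll_search_mode:
        order = [app_dir] + system_dirs + [cwd] + list(host.path)
    else:
        order = [app_dir, cwd] + system_dirs + list(host.path)
    unique = []                          # a directory listed twice is only searched once
    for d in order:
        if d.lower() not in {u.lower() for u in unique}:
            unique.append(d)
    return unique


def describe(d, app_dir, cwd):
    if d == app_dir:
        return "application directory"
    if d == cwd:
        return "current working directory"
    if d in (SYSTEM32, SYSTEM16, WINDIR):
        return "system directory"
    return "%PATH% entry"


def assess(host, app_dir, cwd, dll):
    """Where `dll` resolves, and whether an attacker-writable directory wins first."""
    name = dll.lower()
    if name in host.known_dlls:
        return {"dll": name, "resolved": SYSTEM32, "hijack": None,
                "reason": "KnownDLLs entry: loaded from System32 without a search"}
    order = search_order(host, app_dir, cwd)
    real = next((r for r in order if host.has(r, name)), None)  # where the genuine copy is
    for d in order:
        present = host.has(d, name)
        if d in host.writable:
            # the attacker's copy is found here before (or instead of) the genuine one
            if present:
                kind = "DLL replacement"
            elif real is not None:
                kind = "search order hijack"
            else:
                kind = "phantom DLL hijack"
            return {"dll": name, "resolved": real, "hijack": d,
                    "reason": f"{kind} via {describe(d, app_dir, cwd)}"}
        if present:
            return {"dll": name, "resolved": d, "hijack": None,
                    "reason": f"legitimate copy in {describe(d, app_dir, cwd)} wins"}
    return {"dll": name, "resolved": None, "hijack": None,
            "reason": "not found and no writable directory on the search path"}


def demo():
    """Constructed host: foo.exe in Program Files, a user-writable %PATH% entry."""
    host = Host(
        files={SYSTEM32: {"propsys.dll", "kernel32.dll"},
               r"C:\Program Files\Foo": {"foo.exe"}},
        writable={r"C:\Users\bob\bin", r"C:\Users\bob"},
        path=[SYSTEM32, r"C:\Users\bob\bin"],
        known_dlls={"kernel32.dll"},
    )
    app = r"C:\Program Files\Foo"
    return [assess(host, app, app, d) for d in ("kernel32.dll", "propsys.dll", "missing.dll")]


if __name__ == "__main__":
    for r in demo():
        print(f"{r['dll']:14} -> {r['resolved'] or '(not found)':24} {r['reason']}")
```

Two things the model makes visible: a user-writable %PATH% entry only matters for DLLs that do not exist anywhere earlier in the order (phantom hijack), whereas copying the executable into a user-writable directory (variant 6) or a disabled SafeDllSearchMode with a writable working directory puts the attacker ahead of System32 itself. KnownDLLs entries are never hijackable by search order, which is why the table below lists no kernel32.dll or ntdll.dll.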
Find the executables that start at boot (Run/RunOnce keys, the Startup folders, services, scheduled tasks), then watch them in Process Monitor for DLLs they look for but do not find (Load Image / CreateFile events with a NAME NOT FOUND result; Process Explorer only lists DLLs that actually loaded). If there is one, drop your DLL at that location (and submit it for a CVE while you are at it); if there is none, replace a DLL the program does load. In the second case, build a forwarding (proxy) DLL that re-exports the original's functions so the program keeps running normally. Either way the hijack only crosses a privilege boundary if the directory is writable by a lower-privileged user than the one the program runs as.
Shamelessly plugging one of my own articles:
Consider pairing it with the following article to carry out the hijack from a standard user's privileges.
The following lists every executable in "c:\windows\system32" that is susceptible to DLL hijacking. Next to each executable is one or more DLLs that can be hijacked, together with the DLL procedures the executable calls, which makes exploitation convenient: the replacement DLL has to provide at least those exports (forwarded to the real DLL), and an entry of "DllMain" alone means a DLL with nothing but an entry point is enough. System32 itself is not writable by a standard user, so the malicious DLL has to come from a location the loader searches first; the Auto-elevated column marks binaries that run elevated without a UAC prompt, which turns a successful hijack into a UAC bypass.
Source:
| Auto-elevated | Executable | DLL | Procedure |
|---|---|---|---|
✔️ | bthudtask.exe | DEVOBJ.dll | DllMain |
✔️ | computerdefaults.exe | CRYPTBASE.DLL | DllMain |
✔️ | computerdefaults.exe | edputil.dll | DllMain |
✔️ | computerdefaults.exe | edputil.dll | EdpGetIsManaged |
✔️ | computerdefaults.exe | MLANG.dll | ConvertINetUnicodeToMultiByte |
✔️ | computerdefaults.exe | MLANG.dll | DllMain |
✔️ | computerdefaults.exe | PROPSYS.dll | DllMain |
✔️ | computerdefaults.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
✔️ | computerdefaults.exe | PROPSYS.dll | PSPropertyBag_WriteDWORD |
✔️ | computerdefaults.exe | Secur32.dll | DllMain |
✔️ | computerdefaults.exe | SSPICLI.DLL | DllMain |
✔️ | computerdefaults.exe | SSPICLI.DLL | GetUserNameExW |
✔️ | computerdefaults.exe | WININET.dll | DllMain |
✔️ | computerdefaults.exe | WININET.dll | GetUrlCacheEntryBinaryBlob |
✔️ | dccw.exe | ColorAdapterClient.dll | DllMain |
✔️ | dccw.exe | dxva2.dll | DllMain |
✔️ | dccw.exe | mscms.dll | DccwReleaseDisplayProfileAssociationList |
✔️ | dccw.exe | mscms.dll | DllMain |
✔️ | dccw.exe | mscms.dll | WcsGetCalibrationManagementState |
✔️ | dccw.exe | mscms.dll | WcsSetCalibrationManagementState |
✔️ | dccw.exe | USERENV.dll | DllMain |
✔️ | easinvoker.exe | AUTHZ.dll | DllMain |
✔️ | easinvoker.exe | netutils.dll | DllMain |
✔️ | easinvoker.exe | samcli.dll | DllMain |
✔️ | easinvoker.exe | SAMLIB.dll | DllMain |
✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | DllMain |
✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | FlushInProcTraceSession |
✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | InitializeInProcLogger |
✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | InitializeInProcTraceFlushTrigger |
✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | InitializeInProcTraceSession |
✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | ShutdownInProcLogger |
✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | ShutdownInProcTraceSession |
✔️ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | StopInProcTraceSession |
✔️ | easpolicymanagerbrokerhost.exe | policymanager.dll | DllMain |
✔️ | fodhelper.exe | CRYPTBASE.DLL | DllMain |
✔️ | fodhelper.exe | edputil.dll | DllMain |
✔️ | fodhelper.exe | edputil.dll | EdpGetIsManaged |
✔️ | fodhelper.exe | MLANG.dll | ConvertINetUnicodeToMultiByte |
✔️ | fodhelper.exe | MLANG.dll | DllMain |
✔️ | fodhelper.exe | PROPSYS.dll | DllMain |
✔️ | fodhelper.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
✔️ | fodhelper.exe | PROPSYS.dll | PSPropertyBag_WriteDWORD |
✔️ | fodhelper.exe | Secur32.dll | DllMain |
✔️ | fodhelper.exe | SSPICLI.DLL | DllMain |
✔️ | fodhelper.exe | SSPICLI.DLL | GetUserNameExW |
✔️ | fodhelper.exe | WININET.dll | DllMain |
✔️ | fodhelper.exe | WININET.dll | GetUrlCacheEntryBinaryBlob |
✔️ | fsavailux.exe | DEVOBJ.dll | DllMain |
✔️ | fxsunatd.exe | FXSAPI.dll | DllMain |
✔️ | fxsunatd.exe | FXSAPI.dll | FaxConnectFaxServerW |
✔️ | fxsunatd.exe | IPHLPAPI.DLL | DllMain |
✔️ | fxsunatd.exe | PROPSYS.dll | DllMain |
✔️ | immersivetpmvscmgrsvr.exe | DEVOBJ.dll | DllMain |
✔️ | iscsicli.exe | DEVOBJ.dll | DllMain |
✔️ | iscsicli.exe | ISCSIDSC.dll | DllMain |
✔️ | iscsicli.exe | ISCSIDSC.dll | GetIScsiVersionInformation |
✔️ | iscsicli.exe | ISCSIUM.dll | DiscpAllocMemory |
✔️ | iscsicli.exe | ISCSIUM.dll | DiscpRegisterHeap |
✔️ | iscsicli.exe | ISCSIUM.dll | DllMain |
✔️ | iscsicli.exe | WMICLNT.dll | DllMain |
✔️ | mdsched.exe | bcd.dll | DllMain |
✔️ | mschedexe.exe | MaintenanceUI.dll | DllMain |
✔️ | msconfig.exe | ATL.DLL | AtlModuleInit |
✔️ | msconfig.exe | ATL.DLL | AtlModuleRegisterClassObjects |
✔️ | msconfig.exe | ATL.DLL | DllMain |
✔️ | msconfig.exe | bcd.dll | DllMain |
✔️ | msdt.exe | ATL.DLL | DllMain |
✔️ | msdt.exe | Cabinet.dll | DllMain |
✔️ | msdt.exe | SSPICLI.DLL | DllMain |
✔️ | msdt.exe | UxTheme.dll | DllMain |
✔️ | msdt.exe | wer.dll | DllMain |
✔️ | msdt.exe | WINHTTP.dll | DllMain |
✔️ | multidigimon.exe | NInput.dll | DllMain |
✔️ | netplwiz.exe | CRYPTBASE.dll | DllMain |
✔️ | netplwiz.exe | DSROLE.dll | DllMain |
✔️ | netplwiz.exe | DSROLE.dll | DsRoleGetPrimaryDomainInformation |
✔️ | netplwiz.exe | NETPLWIZ.dll | DllMain |
✔️ | netplwiz.exe | NETPLWIZ.dll | UsersRunDllW |
✔️ | netplwiz.exe | netutils.dll | DllMain |
✔️ | netplwiz.exe | netutils.dll | NetApiBufferFree |
✔️ | netplwiz.exe | PROPSYS.dll | DllMain |
✔️ | netplwiz.exe | samcli.dll | DllMain |
✔️ | netplwiz.exe | samcli.dll | NetUserGetInfo |
✔️ | netplwiz.exe | SAMLIB.dll | DllMain |
✔️ | netplwiz.exe | SAMLIB.dll | SamConnect |
✔️ | netplwiz.exe | SAMLIB.dll | SamEnumerateDomainsInSamServer |
✔️ | netplwiz.exe | SAMLIB.dll | SamFreeMemory |
✔️ | optionalfeatures.exe | DUI70.dll | DllMain |
✔️ | optionalfeatures.exe | DUI70.dll | InitProcessPriv |
✔️ | optionalfeatures.exe | DUI70.dll | RegisterBaseControls |
✔️ | optionalfeatures.exe | DUI70.dll | RegisterCommonControls |
✔️ | optionalfeatures.exe | DUI70.dll | RegisterExtendedControls |
✔️ | optionalfeatures.exe | DUI70.dll | RegisterStandardControls |
✔️ | optionalfeatures.exe | msi.dll | DllMain |
✔️ | optionalfeatures.exe | OLEACC.dll | CreateStdAccessibleObject |
✔️ | optionalfeatures.exe | OLEACC.dll | DllMain |
✔️ | optionalfeatures.exe | OLEACC.dll | GetRoleTextW |
✔️ | optionalfeatures.exe | osbaseln.dll | CloseOsBaseline |
✔️ | optionalfeatures.exe | osbaseln.dll | DllMain |
✔️ | optionalfeatures.exe | osbaseln.dll | OpenOsBaseline |
✔️ | optionalfeatures.exe | PROPSYS.dll | DllMain |
✔️ | perfmon.exe | ATL.DLL | DllMain |
✔️ | perfmon.exe | credui.dll | DllMain |
✔️ | perfmon.exe | SspiCli.dll | DllMain |
✔️ | printui.exe | IPHLPAPI.DLL | DllMain |
✔️ | printui.exe | printui.dll | DllMain |
✔️ | printui.exe | printui.dll | PrintUIEntryW |
✔️ | printui.exe | PROPSYS.dll | DllMain |
✔️ | printui.exe | puiapi.dll | DllMain |
✔️ | recdisc.exe | bcd.dll | DllMain |
✔️ | recdisc.exe | Cabinet.dll | DllMain |
✔️ | recdisc.exe | ReAgent.dll | DllMain |
✔️ | rstrui.exe | bcd.dll | DllMain |
✔️ | rstrui.exe | ktmw32.dll | DllMain |
✔️ | rstrui.exe | SPP.dll | DllMain |
✔️ | rstrui.exe | SPP.dll | SxTracerGetThreadContextRetail |
✔️ | rstrui.exe | SRCORE.dll | DllMain |
✔️ | rstrui.exe | SRCORE.dll | SrFreeRestoreStatus |
✔️ | rstrui.exe | VSSAPI.DLL | DllMain |
✔️ | rstrui.exe | VssTrace.DLL | DllMain |
✔️ | rstrui.exe | wer.dll | DllMain |
✔️ | sdclt.exe | bcd.dll | DllMain |
✔️ | sdclt.exe | Cabinet.dll | DllMain |
✔️ | sdclt.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag |
✔️ | sdclt.exe | CLDAPI.dll | DllMain |
✔️ | sdclt.exe | CRYPTBASE.DLL | DllMain |
✔️ | sdclt.exe | edputil.dll | DllMain |
✔️ | sdclt.exe | edputil.dll | EdpGetIsManaged |
✔️ | sdclt.exe | FLTLIB.DLL | DllMain |
✔️ | sdclt.exe | PROPSYS.dll | DllMain |
✔️ | sdclt.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
✔️ | sdclt.exe | PROPSYS.dll | PSPropertyBag_WriteDWORD |
✔️ | sdclt.exe | ReAgent.dll | DllMain |
✔️ | sdclt.exe | SPP.dll | DllMain |
✔️ | sdclt.exe | SPP.dll | SxTracerGetThreadContextRetail |
✔️ | sdclt.exe | SspiCli.dll | DllMain |
✔️ | sdclt.exe | SspiCli.dll | GetUserNameExW |
✔️ | sdclt.exe | UxTheme.dll | DllMain |
✔️ | sdclt.exe | VSSAPI.DLL | DllMain |
✔️ | sdclt.exe | VssTrace.DLL | DllMain |
✔️ | sdclt.exe | wer.dll | DllMain |
✔️ | sdclt.exe | WTSAPI32.dll | DllMain |
✔️ | systempropertiesadvanced.exe | bcd.dll | DllMain |
✔️ | systempropertiesadvanced.exe | credui.dll | DllMain |
✔️ | systempropertiesadvanced.exe | DNSAPI.dll | DllMain |
✔️ | systempropertiesadvanced.exe | DSROLE.DLL | DllMain |
✔️ | systempropertiesadvanced.exe | DSROLE.DLL | DsRoleGetPrimaryDomainInformation |
✔️ | systempropertiesadvanced.exe | LOGONCLI.DLL | DllMain |
✔️ | systempropertiesadvanced.exe | netid.dll | CreateNetIDPropertyPage |
✔️ | systempropertiesadvanced.exe | netid.dll | DllMain |
✔️ | systempropertiesadvanced.exe | NETUTILS.DLL | DllMain |
✔️ | systempropertiesadvanced.exe | SRVCLI.DLL | DllMain |
✔️ | systempropertiesadvanced.exe | WINBRAND.dll | DllMain |
✔️ | systempropertiesadvanced.exe | WINSTA.dll | DllMain |
✔️ | systempropertiesadvanced.exe | WKSCLI.DLL | DllMain |
✔️ | systempropertiescomputername.exe | bcd.dll | DllMain |
✔️ | systempropertiescomputername.exe | WINSTA.dll | DllMain |
✔️ | systempropertiesdataexecutionprevention.exe | bcd.dll | DllMain |
✔️ | systempropertiesdataexecutionprevention.exe | WINSTA.dll | DllMain |
✔️ | systempropertieshardware.exe | bcd.dll | DllMain |
✔️ | systempropertieshardware.exe | WINSTA.dll | DllMain |
✔️ | systempropertiesprotection.exe | bcd.dll | DllMain |
✔️ | systempropertiesprotection.exe | WINSTA.dll | DllMain |
✔️ | systempropertiesremote.exe | bcd.dll | DllMain |
✔️ | systempropertiesremote.exe | WINSTA.dll | DllMain |
✔️ | systemreset.exe | bcd.dll | BcdCloseObject |
✔️ | systemreset.exe | bcd.dll | BcdCloseStore |
✔️ | systemreset.exe | bcd.dll | BcdFlushStore |
✔️ | systemreset.exe | bcd.dll | BcdGetElementData |
✔️ | systemreset.exe | bcd.dll | BcdOpenObject |
✔️ | systemreset.exe | bcd.dll | BcdOpenStore |
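As an added example (not code from the original page or the table's source), the script below turns rows of the table above into the forwarding DLL recommended earlier: it groups the Procedure column by (executable, DLL), reports the pairs where DllMain alone suffices, and emits MSVC C source that re-exports every other procedure as a forwarder to a renamed copy of the genuine DLL. The four rows embedded in it are copied from the table; the "_orig" suffix for the renamed original, the payload thread and the build line are this example's own conventions.

```python
"""Generate a forwarding (proxy) DLL source from rows of the hijack table.

Added example, not code from the original page. TABLE_ROWS are copied from the
table above; the "_orig" suffix for the renamed original DLL and the payload
thread are this example's own conventions. Output is MSVC C source: each
procedure the target calls is re-exported as a forwarder to the original DLL,
so no function signatures need to be known, and DllMain is ours.
"""

TABLE_ROWS = """\
✔️ | computerdefaults.exe | PROPSYS.dll | DllMain |
✔️ | computerdefaults.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
✔️ | computerdefaults.exe | PROPSYS.dll | PSPropertyBag_WriteDWORD |
✔️ | dccw.exe | dxva2.dll | DllMain |
"""


def parse_rows(text):
    """Map (exe, dll) -> set of procedures from 'flag | exe | dll | proc |' rows."""
    needed = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[1].lower().endswith(".exe"):
            continue                     # header, separator or junk line
        _flag, exe, dll, proc = cells
        needed.setdefault((exe.lower(), dll.lower()), set()).add(proc)
    return needed


def dllmain_only(needed):
    """Pairs where an entry point alone is enough: nothing to forward."""
    return sorted(k for k, v in needed.items() if v == {"DllMain"})


def forwarded_exports(procs):
    """Everything the target calls except DllMain, which the proxy implements."""
    return sorted(p for p in procs if p != "DllMain")


def proxy_source(dll, procs, original_stem=None):
    """C source for a proxy named `dll`, forwarding to `<stem>_orig.dll` by default."""
    stem = dll.rsplit(".", 1)[0]
    original_stem = original_stem or f"{stem}_orig"
    exports = forwarded_exports(procs)
    lines = [f"// Proxy for {dll}: {len(exports)} export(s) forwarded to {original_stem}.dll",
             f"// Build (same bitness as the target): cl /LD proxy.c /Fe:{dll}",
             "#include <windows.h>", ""]
    for p in exports:
        # a forwarder entry: the loader resolves it in the named module, no code here
        lines.append(f'#pragma comment(linker, "/export:{p}={original_stem}.{p}")')
    lines += [
        "",
        "static DWORD WINAPI payload(LPVOID arg) {",
        "    (void)arg;",
        "    /* work goes here, on its own thread, not under the loader lock */",
        "    return 0;",
        "}",
        "",
        "BOOL WINAPI DllMain(HINSTANCE h, DWORD reason, LPVOID reserved) {",
        "    (void)reserved;",
        "    if (reason == DLL_PROCESS_ATTACH) {",
        "        DisableThreadLibraryCalls(h);",
        "        CreateThread(NULL, 0, payload, NULL, 0, NULL);",
        "    }",
        "    return TRUE;",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    needed = parse_rows(TABLE_ROWS)
    print("DllMain-only pairs:", dllmain_only(needed))
    print(proxy_source("PROPSYS.dll", needed[("computerdefaults.exe", "propsys.dll")]))
```

To use the output, copy the genuine PROPSYS.dll next to the proxy as PROPSYS_orig.dll (forwarding back to the bare name "PROPSYS" would resolve to the proxy itself), and build with the same bitness as the target. The forwarders cover only the procedures the table lists; if the target also imports something else at load time, it fails to start, so confirm with Process Monitor that the proxy loads and the original is opened right after it.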