
Possible to call DllMain directly for use in DLL hijacking #3

Open
nerotix opened this issue Mar 27, 2023 · 10 comments

Comments

@nerotix

nerotix commented Mar 27, 2023

Loving the project thus far but running into an issue.

I export DllMain, but when I run DllMain through rundll32, nothing happens. When I run Atom, it does work. I want to and have tried to use this loader for DLL hijacking, so I was wondering if it's possible to run the code by calling DllMain. I tried a few things, but no luck so far. Is there something I'm missing where it has to be the Atom function that is called or else it just doesn't work? I exported the DllMain function.

Edit: I also disabled the check to see if the DLL was run by using the exported Atom function.

@NUL0x4C
Owner

NUL0x4C commented Mar 29, 2023

The DllMain function is executed whenever the DLL is loaded into a process, so the loader should already execute when doing DLL hijacking. Did you try the project as is and it didn't work?

@nerotix
Author

nerotix commented Mar 30, 2023

That's also what I was thinking, since I also read it in the code. I'll give it another go. Will report back.

@nerotix
Author

nerotix commented Mar 30, 2023

Update: by default it's not working. I tried multiple DLL hijacking attempts and none were successful. The easiest to test it with is cryptbase.dll for Microsoft Teams. When I build a simple DLL file that just pops up calculator, it works fine; when using AtomLdr, nothing happens.

@NUL0x4C
Owner

NUL0x4C commented Mar 30, 2023

Can you verify that AtomLdr.dll is getting loaded into the target process at least?

@nerotix
Author

nerotix commented Mar 30, 2023

> Can you verify that AtomLdr.dll is getting loaded into the target process at least?

Yeah, I verified with procmon that it does load the DLL.
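A defender-side check for the situation this thread describes: a system DLL name such as cryptbase.dll being loaded by Teams from its own install folder rather than from the Windows system directories, which is exactly what shows up in procmon. This is an added example, not code from AtomLdr or from anyone in this thread; the load events below are constructed, and the paths and the extra system DLL names are assumptions.

```python
"""Flag DLL-hijack candidates in a list of image-load events (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names that are expected to load only from the Windows system directories.
# cryptbase.dll comes from the thread; the other entries are assumed additions
# and would normally be built from an inventory of System32 on a clean host.
SYSTEM_DLLS = {"cryptbase.dll", "kernel32.dll", "version.dll"}

SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


@dataclass
class LoadEvent:
    """One procmon-style 'Load Image' record (constructed shape)."""
    process: str
    image_path: str


def is_under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive check that path lies below root (NTFS ignores case)."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[: len(r)] == r


def hijack_candidates(events):
    """Return (process, path) pairs where a system DLL name was loaded from
    outside the system directories, the signature of a DLL search-order hijack."""
    findings = []
    for ev in events:
        path = PureWindowsPath(ev.image_path)
        if path.name.lower() not in SYSTEM_DLLS:
            continue
        if any(is_under(path, d) for d in SYSTEM_DIRS):
            continue  # loaded from where it belongs
        findings.append((ev.process, ev.image_path))
    return findings


# Constructed sample events; the Teams path is an assumed install location.
SAMPLE_EVENTS = [
    LoadEvent("Teams.exe", r"C:\Windows\System32\kernel32.dll"),
    LoadEvent("Teams.exe", r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\cryptbase.dll"),
    LoadEvent("notepad.exe", r"C:\Windows\System32\cryptbase.dll"),
    LoadEvent("svchost.exe", r"C:\Windows\SysWOW64\version.dll"),
]

if __name__ == "__main__":
    for proc, path in hijack_candidates(SAMPLE_EVENTS):
        print(f"possible DLL hijack: {proc} loaded {path}")
```

On a live host the same logic applies to procmon CSV exports or Sysmon event ID 7 (ImageLoaded) records; only the event parsing changes.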

@NUL0x4C
Owner

NUL0x4C commented Mar 31, 2023

Did you try executing WaitForSingleObject on the thread created here?

@nerotix
Author

nerotix commented Mar 31, 2023

> Did you try executing WaitForSingleObject on the thread created here?

I have not. What would that look like? You mean a WaitForSingleObject after the if statement, so it doesn't continue until it's completed?

(I'm more familiar with C#; perhaps you could show what that looks like?)

@nerotix
Author

nerotix commented Apr 3, 2023

I've tried with WaitForSingleObject but no luck. It doesn't seem like anything is happening; also nothing when exporting DllMain and using rundll32 to execute DllMain. I also tried enabling debugging mode, but when uncommenting the line in Debug.h it throws the error "unresolved external symbol GetConsoleHandle".

@vigil0x68

I think there are problems in the unhook functions. After deleting the refreshalldlls func from actualmain, it executes dllmain right after injection. How is it possible for a suspended thread to resume itself after a while?

@vigil0x68

Are the direct syscall functions of inject.c directly dependent on the ntdll which will be unhooked?
