False positive or incorrect execution?

Question

False positive or incorrect execution?

0xElessar opened this issue 3 years ago · 3 comments

Great tool! Thank you, @knight0x07 .

Quick question. I checked the notepad++ application. It found some problems, for example:

[+] C:\Notepad++\dbghelp.dll --> DLL Hijack Successful [Entry Point Not Found - Manual Analysis Required]
[+] C:\Notepad++\MSASN1.dll --> DLL Hijack Successful

However, when I tried the same attack by clicking Notepad++ executable, or running it from cmd.exe, the 'vulnerable' DLL was always ignored. I am wondering why this happens. I can see the notepad++ behaviour (for example: errors when Entry Point was not found) when your tool is running, but when I try to execute notepad++ nothing happens.

Does your tool start an application is some specific way? How I can simulate this easily?

Any ideas are very welcomed :)

thanks!

Answer 1 · 2021-09-22T08:28:08.000Z

Update: I am sorry I am an idiot. I used wrong payload architecture. I switched to x86, and this worked beautifully! Apologies.

Answer 2 · 2021-09-22T15:00:47.000Z

Hi 0xElessar,

No worries! do let me know if you face any issues or have any other feedback's! :)

Hope the tool helps you find and exploit more DLL-Hijacks!

Thanks & Regards,
Knight \m/

Answer 3 · 2021-09-22T15:13:55.000Z

It works great, @knight0x07. Great idea and execution. It helps so much!!! Big thank you for sharing this tool!