DLLHSC

In our blog post about DLL Search Order hijacking, which explored the fundamentals of the DLL search order and how Context's Intelligence and Response teams have seen this mechanism abused to conduct network intrusions in real environments, we introduced DLLHSC, a tool developed by the Context Assurance team.

DLLHSC is an application designed to automate the scanning of a provided executable image, generate leads (which can later be assessed manually) and report potential ways of taking advantage of the DLL search order, with the ultimate goal of loading a payload DLL into the address space of the provided image via search order hijacking.

The tool implements three modes of operation: Lightweight Mode (-l), List Modules Mode (-lm) and Run-Time Mode (-rt). To demonstrate these modes, the legitimate Microsoft utility OleView.exe (MD5: D1E6767900C85535F300E08D76AAC9AB) was scanned.

The -l flag parses the import table of the provided executable, applies filters and attempts to weaponize the imported modules by placing a payload DLL in the application's current directory.

The -lm flag launches the provided executable and prints the modules it loads that are neither in the KnownDLLs list nor WinSxS dependencies. This mode is intended to give an idea of which DLLs may be usable as a payload; it exists only to generate leads for the analyst.

The -rt flag prints the modules that the provided executable image loads into its address space when launched as a process. This is achieved by hooking the LoadLibrary and LoadLibraryEx APIs via Microsoft Detours.
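As an added example that is not part of the DLLHSC source, the static half of the -l and -lm filtering in Python: parse the import directory of a PE image and keep the imports that are not in the KnownDLLs list, since those are the ones resolved through the search order and therefore the ones a defender should confirm are deployed from a trusted, write-protected directory. The KNOWN_DLLS set and the minimal PE produced by build_sample_pe are constructed for the example; a real audit reads the KnownDLLs registry key, and WinSxS manifest dependencies are not handled here.

```python
import struct

# Constructed stand-in for HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs;
# a real audit reads that key, since its contents vary by Windows version.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "ole32.dll", "oleaut32.dll", "shell32.dll"}

def rva_to_offset(rva, sections):
    # Map a relative virtual address to a file offset using the section table.
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def imported_dlls(data):
    """Return the lower-cased module names from a PE image's import directory."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)  # COFF header fields
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    datadir = opt + (96 if magic == 0x10B else 112)         # PE32 vs PE32+ layout
    imp_rva, = struct.unpack_from("<I", data, datadir + 8)  # DataDirectory[1]: imports
    sections = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, rsize), raw))
    names, off = [], rva_to_offset(imp_rva, sections)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array is terminated by an all-zero record
        _, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and first_thunk == 0:
            return names
        n = rva_to_offset(name_rva, sections)
        names.append(data[n:data.index(b"\0", n)].decode("ascii").lower())
        off += 20

def search_order_leads(data, known=KNOWN_DLLS):
    # Imports outside KnownDLLs are located via the search order: these are the leads.
    return [d for d in imported_dlls(data) if d not in known]

def build_sample_pe(dlls):
    """Constructed PE32 file with one section that holds only an import table."""
    va, raw, desc = 0x1000, 0x200, 20 * (len(dlls) + 1)
    names, rvas = b"", []
    for d in dlls:
        rvas.append(va + desc + len(names))
        names += d.encode() + b"\0"
    body = b"".join(struct.pack("<IIIII", 0, 0, 0, r, 0x2000) for r in rvas) + bytes(20) + names
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # DOS header, e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    hdr += struct.pack("<H", 0x10B) + bytes(102) + struct.pack("<II", va, desc) + bytes(112)
    hdr += b".rdata\0\0" + struct.pack("<IIIIIIHHI", len(body), va, len(body), raw, 0, 0, 0, 0, 0x40000040)
    return hdr + bytes(raw - len(hdr)) + body
```

Running search_order_leads over a real image (for example open("OleView.exe", "rb").read()) lists the imports a deployment review should check; the DLL names in the test below are constructed and say nothing about any particular binary.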

You can find the source code of DLLHSC, as well as compiled binaries for the x86 and x64 architectures, on our GitHub page.

The tool is released under the MIT License. By downloading this tool you agree to the following license agreement.
