DLL hijacking vulnerability scanner and PE infector tool
- Scanner mode, meant for identifying vulnerabilities in a desired target program (or set of programs) during the reconnaissance phase of an attack.
The vulnerability scanner in Siofra is capable of identifying all of the easily confirmed and potential DLL hijacking vulnerabilities in a specified location (this can be the direct path to a PE or a path in which to recursively scan all eligible PE files). It does this by using static analysis, enumerating potential import dependencies via the following mechanisms:
1. The first and most common is through the Import Address Table (IAT). Siofra excels at identifying and exploiting DLLs that are imported this way. Since they are loaded by the target program before even its own entry point is called, they are reliable targets for exploitation in the sense that we know they will cause the payload to be executed immediately when the target program is launched.
2. Another way DLLs are loaded into a program is via the Delayload Import Table. As the name suggests, the execution of these DLLs is delayed and they cannot be relied upon for persistent exploitation of a target program (since their loading is conditional upon other logic within the target program).
3. Another way DLLs are loaded is via an explicit call to LoadLibraryA/W, LoadLibraryExA/W, or one of the Ldr* functions exported by ntdll.dll. These DLLs are very interesting from the point of view of an attacker since they are not visible to a static analysis of the PE file's import tables and often correspond to unknown and unpatched vulnerabilities beneath the radar of the average vulnerability scanner. However, similar to delay-load imports, the logic behind the loading of these DLLs is conditional and custom to any given program (which means we cannot reliably assume it will load our infected DLL).
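A defender-side illustration of the first two mechanisms, added here as an example and not code from Siofra or from the securityonline article: a small Python parser that walks the import directory and the delay-load directory of a PE, then triages each dependency by how the loader will resolve it (KnownDLLs, the application directory, or the search path). The PE image is constructed inline and is not a real binary; the KnownDLLs set and the application-directory listing in the usage are constructed sample values, not a reading of a real system. Runtime LoadLibrary/Ldr* calls (the third mechanism) are, as the text says, not recoverable from the import tables and are not attempted here.

```python
import struct

# PE data-directory indices from the PE/COFF specification
IMAGE_DIRECTORY_ENTRY_IMPORT = 1         # IAT imports: resolved before the entry point runs
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT = 13  # delay-load imports: resolved on first use, if ever

# Constructed sample values for the usage below (a real KnownDLLs list lives in the registry)
KNOWN_DLLS_SAMPLE = {"kernel32.dll", "ntdll.dll", "user32.dll"}
APP_DIR_SAMPLE = {"helper.dll"}


def _parse_headers(data):
    """Return (data_directories, sections) from the DOS, PE, COFF and optional headers."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: data directories start at optional header + 96
        dd_off = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at optional header + 112
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs, = struct.unpack_from("<I", data, dd_off - 4)   # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(num_dirs)]
    sections = []
    for i in range(num_sections):  # 40-byte IMAGE_SECTION_HEADER; sizes/addresses start at +8
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return dirs, sections


def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def _walk_descriptors(data, sections, rva, entry_size, name_field_off):
    """Walk a descriptor array terminated by an all-zero entry, collecting DLL names."""
    names = []
    if rva == 0:
        return names
    off = _rva_to_offset(rva, sections)
    while True:
        entry = data[off:off + entry_size]
        if len(entry) < entry_size or not any(entry):
            break
        name_rva, = struct.unpack_from("<I", entry, name_field_off)
        names.append(_cstring(data, _rva_to_offset(name_rva, sections)))
        off += entry_size
    return names


def enumerate_dependencies(data):
    """Static enumeration of load-time (IAT) and delay-load DLL dependencies."""
    dirs, sections = _parse_headers(data)
    imp_rva = dirs[IMAGE_DIRECTORY_ENTRY_IMPORT][0] if len(dirs) > IMAGE_DIRECTORY_ENTRY_IMPORT else 0
    dly_rva = dirs[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT][0] if len(dirs) > IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT else 0
    return {
        # IMAGE_IMPORT_DESCRIPTOR is 20 bytes; the Name RVA sits at offset 12
        "import": _walk_descriptors(data, sections, imp_rva, 20, 12),
        # IMAGE_DELAYLOAD_DESCRIPTOR is 32 bytes; DllNameRVA sits at offset 4 (RVA form, Attributes bit 0 set)
        "delayload": _walk_descriptors(data, sections, dly_rva, 32, 4),
    }


def triage(deps, known_dlls, app_dir_files):
    """Classify dependencies by resolution path. KnownDLLs are mapped from the \\KnownDlls object
    directory and bypass the search order; anything else is looked up starting in the application
    directory, so its integrity rests on that directory's ACLs or on the rest of the search path."""
    known = {n.lower() for n in known_dlls}
    shipped = {n.lower() for n in app_dir_files}
    findings = []
    for kind in ("import", "delayload"):
        for name in deps[kind]:
            if name.lower() not in known:
                findings.append((kind, name, "app_dir" if name.lower() in shipped else "search_path"))
    return findings


def build_sample_pe():
    """Constructed minimal PE32+ image (headers + one .rdata section), not a real binary."""
    sec_va, sec_raw, sec_size = 0x1000, 0x200, 0x200
    body = bytearray(sec_size)
    names = {b"KERNEL32.dll": 0x100, b"helper.dll": 0x110, b"lazy.dll": 0x120}  # string RVAs
    for s, off in names.items():
        body[off:off + len(s)] = s
    for i, s in enumerate([b"KERNEL32.dll", b"helper.dll"]):        # two IAT descriptors at RVA 0x1000
        struct.pack_into("<IIIII", body, 20 * i, 0, 0, 0, sec_va + names[s], 0)
    struct.pack_into("<IIIIIIII", body, 0x80, 1, sec_va + names[b"lazy.dll"], 0, 0, 0, 0, 0, 0)  # delay-load
    hdr = bytearray(sec_raw)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                       # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<HHIIIHH", hdr, coff, 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sec_va, 60)
    struct.pack_into("<II", hdr, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT, sec_va + 0x80, 64)
    sec = opt + 240
    hdr[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, sec_size, sec_va, sec_size, sec_raw)
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    deps = enumerate_dependencies(build_sample_pe())
    print(deps)
    for finding in triage(deps, KNOWN_DLLS_SAMPLE, APP_DIR_SAMPLE):
        print(finding)
```

The triage output is the list a defender acts on: an `app_dir` finding points at a file whose directory ACLs and signature should be checked, a `search_path` finding is a dependency worth pinning (full path or `SetDefaultDllDirectories`) so the loader never walks the search order for it.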
- Infection mode, meant for infecting legitimate copies of the vulnerable modules identified during the reconnaissance phase of an attack for payload delivery during the exploitation phase of an attack.
The most unique (and powerful) feature of Siofra is the ability to perform PE infections on both 32 and 64-bit DLL files, generating custom shellcodes based on user input. Specifically, this tool has the ability to modify a DLL in such a way that it will cause either an executable to be launched or a library to be loaded (the path of which in both cases is custom/user-specified) while perfectly preserving the functionality of the original DLL. The infected DLL produced by Siofra will have identical exports, section names, and code as its original did.
Source: securityonline