We’ll use this code:īOOL APIENTRY DllMain ( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) Let’s compile a DLL and try to see if it gets loaded in KeePass2 if we rename it. Thus, this DLL might be a good candidate for hijacking. However, this is normally a system DLL and is present in C:\Windows\System32: Here KeePass tries to a DLL called UxTheme.dll, but tries to load it for its own installation folder in C:\Program Files\KeePass Password Safe 2. Search for CreateFile on a DLL that returns with the error NAME NOT FOUND, such as this one here: The easiest way to find potential hijackable DLL is to search with promon. If an attacker is able to place a malicious DLL file in one of these directories with the same name as a legitimate DLL file, the application will load the malicious DLL instead of the legitimate one, allowing the attacker to execute arbitrary code in the process.
The system directory: C:\Windows\System32.The directory from which the application loaded.When an application attempts to load a DLL file, it will search for the file in a specific order. Table of contentĭLL hijacking is a type of attack where you take advantage of an application’s search order for loading dynamic-link libraries. Let’s find another way to get that Master Password. Problem: KeeFarce/ KeeThief don’t work anymore. You are on an engagement, admin on a workstation and just now retrieved a KeePass2 Database. My goal was to see if I could find a way to intercept the Master Password of a KeePass2 database.
With the recent KeePass2 disputed CVE-2023-24055 and all the fuss around it, it motivated me to finish a little project I had started last year.
0 kommentar(er)
