Directories specified in the PATH environment variable.

If an attacker is able to place a malicious DLL file in one of these directories with the same name as a legitimate DLL file, the application will load the malicious DLL instead of the legitimate one, allowing the attacker to execute arbitrary code in the process.

The easiest way to find potentially hijackable DLLs is to search with Procmon. Search for CreateFile on a DLL that returns with the error NAME NOT FOUND, such as this one here:

Here KeePass tries to load a DLL called UxTheme.dll, but tries to load it from its own installation folder in C:\Program Files\KeePass Password Safe 2. However, this is normally a system DLL and is present in C:\Windows\System32:

Thus, this DLL might be a good candidate for hijacking. Let’s compile a DLL and try to see if it gets loaded in KeePass2 if we rename it.
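The same Procmon filter can be run over an exported trace to audit an application and to spot a hijack that has already happened. This is an added example, not code from the original post: it parses a Procmon CSV export and reports DLLs that normally live in System32 but were probed for, or loaded from, somewhere else. The sample rows and the `audit_dll_events` helper are constructed for illustration, and the column names assume Procmon's default CSV export.

```python
import csv
import io
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# Constructed sample in Procmon's CSV export layout (not captured from a real host).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","KeePass.exe","4312","CreateFile","C:\Program Files\KeePass Password Safe 2\UxTheme.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","KeePass.exe","4312","CreateFile","C:\Windows\System32\uxtheme.dll","SUCCESS","Desired Access: Read Data"
"10:01:02.3","KeePass.exe","4312","Load Image","C:\Windows\System32\uxtheme.dll","SUCCESS","Image Base: 0x7ff9a0000000"
"10:01:03.0","KeePass.exe","4312","CreateFile","C:\Program Files\KeePass Password Safe 2\KeePass.config.xml","NAME NOT FOUND","Desired Access: Read"
"10:05:09.4","KeePass.exe","5120","Load Image","C:\Program Files\KeePass Password Safe 2\UxTheme.dll","SUCCESS","Image Base: 0x180000000"
'''


def audit_dll_events(csv_text, system_dll_names):
    """Return findings for DLL names that normally live in System32.

    'probe'  - the process looked for the DLL outside System32 and missed
               (the CreateFile / NAME NOT FOUND pattern described above).
    'loaded' - an image with a system DLL's name was loaded from outside
               System32, which deserves investigation.
    """
    system = {name.lower() for name in system_dll_names}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = PureWindowsPath(row["Path"])
        # Only DLLs whose name matches a known system DLL are of interest.
        if path.suffix.lower() != ".dll" or path.name.lower() not in system:
            continue
        # PureWindowsPath compares case-insensitively, like the Windows file system.
        if path.parent == SYSTEM32:
            continue
        if row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND":
            kind = "probe"
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            kind = "loaded"
        else:
            continue
        findings.append((kind, row["Process Name"], row["PID"], str(path)))
    return findings
```

On a real host, build `system_dll_names` from a directory listing of C:\Windows\System32 and read the export with `encoding="utf-8-sig"`, since Procmon writes a byte-order mark.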