Tools needed:
- Windows virtual machine
- Kali linux
- DVTA application
- Process Monitor
- MSFVENOM
By taking advantage of the way some Windows applications look for and load Dynamic Link Libraries, a technique known as “DLL hijacking” allows malicious code to be injected into an application (DLL).
This tutorial will showcase a simple DLL hijacking via the DVTA application. The application can be downloaded here.
Download the application to your windows machine before running the application start up process monitor.
Process Monitor is a sophisticated Windows monitoring program that displays process/thread activity, file system activity, and registry activity in real time.
Lets’ run the DVTA application.
Disable the following tabs in the toolbar to reduce the noise of the process monitoring:
- Show Registry activity
- Show Network activity
Once the application is executed , click filter in Process monitor and add the following filters:
- Process Name is DVTA.exe
- Result is NAME NOT FOUND
- PATH begins with < where the DVTA/bin/release folder is located in the machine>
We can see couple of DLLs that were used but not found during the execution of the application.
Let’s craft a payload with the CRYPTBASE.dll
Head to you attacking machine and use msfvenom to craft a payload
Transfer the payload to the DVTA folder by a python webserver.
Let’s set up a listener with msfconsole and use the multi handler exploit.
Set the necessary options and run the exploit.
Head back to the victim machine and run the application again with the newly crafted payload inside the folder.
Check your attacking machine and a meterpreter session is gained.
Persecure : my learning archive 