How did you do the DLL hijack? I'm stuck with that step.
To anyone struggling with this, I understand there isn't much guidance. I have finally figured this out, at least for the first question. To do a DLL injection, you need to go into the command prompt and type this command to rename reflective_dll.x64.dll to WININET.dll:
ren reflective_dll.x64.dll WININET.dll
Then move that to the Desktop by first navigating to the directory it is in:
cd "C:\Tools\Reflective DLLInjection"
move WININET.dll C:\Users\Administrator\Desktop
As far as moving calc.exe to the desktop from the command prompt, it keeps saying access denied for me. So instead, copy the file from File Explorer, located in Local Disk (C:) under Windows\System32, and paste it onto the desktop. This will give the "Hello from DLL Main!" message when clicking on the calc application on the desktop.
After this, go into Event Viewer and follow those directions to get you to the Sysmon event IDs, click on Filter Current Log, change "All Event IDs" to 7, and click OK. When you click on Find, you will get the right log with the correct SHA256 hash by typing in WININET.dll, not calc.exe.
For anyone out there still struggling, these are the steps I took:
- Open the Tools folder and locate sysmonconfig-export.xml. Use Find to locate the correct line (ImageLoad). Then replace include with exclude. Save.
- In CMD, go to C:\Tools\sysmon with cd and run sysmon.exe -c sysmonconfig-export.xml
- Open Event Viewer and navigate to "Applications and Services" → "Microsoft" → "Windows" → "Sysmon" to verify that Event ID 7 appears.
- In C:\Tools\Reflective DLLInjection rename reflective_dll.x64.dll to WININET.dll and drag and drop it to the Desktop.
- In C:\Windows\System32 locate calc.exe, right-click, Copy, and Paste it to the Desktop.
- Execute calc.exe; you should receive the MessageBox.
- Go back to Event Viewer and use Filter Current Log with Event ID 7 in the Event IDs field.
- Use Find to locate the calc.exe events. Mine was the first one it found.
Note: if you make a mistake, you might have to restart the instance to get a clean instance again.
Good luck
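The steps above end with scrolling through Event ID 7 (ImageLoad) records by hand in Event Viewer. The following is an added example, not code from this thread or from the lab, that does the same triage automatically: it parses Sysmon ImageLoad records in the Event Viewer XML format and flags a DLL whose file name matches a Windows system DLL (such as WININET.dll) but was loaded from somewhere other than System32/SysWOW64, which is exactly what the renamed reflective DLL on the Desktop looks like in the log. It also pulls out the SHA256 value from the Hashes field, since that is what the question asks for. The three event records are constructed for this example (the hash values are placeholders, not real file hashes), and the list of system directories assumes a default C:\Windows install.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Sysmon writes its events in the standard Windows event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Directories from which Windows normally loads its own DLLs.
# Assumption: default install path; adjust for a non-standard %SystemRoot%.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# A few well-known system DLL names whose presence outside a system directory
# is a classic search-order hijack indicator. Extend as needed.
KNOWN_SYSTEM_DLLS = {"wininet.dll", "kernel32.dll", "user32.dll", "version.dll"}

# Constructed sample: three Sysmon Event ID 7 records written by hand for this
# example. Hash values are placeholders, not real hashes of any file.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7</EventID><Computer>LAB-HOST</Computer></System>
 <EventData>
  <Data Name="Image">C:\Users\Administrator\Desktop\calc.exe</Data>
  <Data Name="ImageLoaded">C:\Users\Administrator\Desktop\WININET.dll</Data>
  <Data Name="Hashes">MD5=PLACEHOLDER_MD5,SHA256=PLACEHOLDER_SHA256_OF_RENAMED_DLL</Data>
  <Data Name="Signed">false</Data>
  <Data Name="SignatureStatus">Unavailable</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7</EventID><Computer>LAB-HOST</Computer></System>
 <EventData>
  <Data Name="Image">C:\Users\Administrator\Desktop\calc.exe</Data>
  <Data Name="ImageLoaded">C:\Windows\System32\kernel32.dll</Data>
  <Data Name="Hashes">SHA256=PLACEHOLDER_SHA256_OF_KERNEL32</Data>
  <Data Name="Signed">true</Data>
  <Data Name="SignatureStatus">Valid</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7</EventID><Computer>LAB-HOST</Computer></System>
 <EventData>
  <Data Name="Image">C:\Windows\System32\calc.exe</Data>
  <Data Name="ImageLoaded">C:\Windows\System32\WININET.dll</Data>
  <Data Name="Hashes">SHA256=PLACEHOLDER_SHA256_OF_REAL_WININET</Data>
  <Data Name="Signed">true</Data>
  <Data Name="SignatureStatus">Valid</Data>
 </EventData>
</Event>
</Events>"""


def parse_image_loads(xml_text):
    """Return the EventData of every Event ID 7 record as a dict of Name -> value."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "7":
            continue  # skip other Sysmon event types if present in the export
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        records.append(data)
    return records


def sha256_from_hashes(hashes_field):
    """Extract the SHA256 value from a Sysmon Hashes field like 'MD5=..,SHA256=..'."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip()
    return None


def hijack_reasons(record):
    """Return a list of reasons this ImageLoad record looks like a DLL hijack (empty if clean)."""
    loaded = PureWindowsPath(record.get("ImageLoaded", ""))
    name = loaded.name.lower()
    from_system_dir = str(loaded.parent).lower() in SYSTEM_DIRS
    reasons = []
    if name in KNOWN_SYSTEM_DLLS and not from_system_dir:
        reasons.append(f"{loaded.name} loaded from {loaded.parent} instead of a system directory")
    if not from_system_dir and record.get("Signed", "").lower() != "true":
        reasons.append("unsigned DLL loaded from outside a system directory")
    return reasons


def find_hijack_candidates(xml_text):
    """Parse the export and return one alert dict per suspicious ImageLoad record."""
    alerts = []
    for rec in parse_image_loads(xml_text):
        reasons = hijack_reasons(rec)
        if reasons:
            alerts.append({
                "image": rec.get("Image"),
                "image_loaded": rec.get("ImageLoaded"),
                "sha256": sha256_from_hashes(rec.get("Hashes", "")),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"{alert['image']} -> {alert['image_loaded']} (SHA256 {alert['sha256']})")
        for r in alert["reasons"]:
            print("   ", r)
```

Run against real data by saving the filtered Event ID 7 view from Event Viewer as XML and passing the file contents to find_hijack_candidates instead of SAMPLE_EVENTS. Note that the check is per loaded DLL, not per process: the same Desktop calc.exe loading the genuine kernel32.dll from System32 is not flagged, only the WININET.dll that resolved to the Desktop copy is.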
Thanks, very well instructed.
Thank you
Thank you, this solution works for me <3
Thank you for posting these instructions. I was able to work through them and find the answer.
Hi rae, first, thank you so much. I would like to know how you solved the problem? I couldn't get event 7; I tried everything that I could think of. I also analyzed all the logs and filtered the logs. I couldn't find the answer; I even put the answer into the filter box, but nothing really corresponds. I'm just curious how to solve the problem, thank you so much. All the best
Thanks so much, bro.