All About DLL Hijacking - My Favorite Persistence Method

  • Added: 18. 08. 2024
  • 00:00 - Intro
    00:25 - Why DLL hijacking is my favorite persistence method, and a look at a few others
    02:03 - Going over the source code of our sample applications to explain DLL hijacking
    03:20 - Compiling our executable and DLL, then transferring them to our Windows box
    04:50 - Using Process Monitor to show standard DLL hijacking (when a DLL does not exist)
    06:10 - Showing the order in which Windows tries to load the DLL (directory of the binary, then PATH)
    07:20 - Talking about a somewhat common mistake people make when editing the PATH (ex: Java/Python/etc)
    09:00 - Placing the DLL test.exe is looking for and achieving code execution
    11:25 - Showing that if we can write to c:\Windows, we can hijack most DLLs explorer.exe loads from system32
    14:00 - Messing up using Process Monitor for a bit; sorry, should have prepped a bit more
    15:30 - Showing why explorer is unique, then putting CSCAPI.DLL into c:\Windows\... This would get run any time a user logs into the system
    17:55 - DLL hijacking OneDrive for user-level persistence
    19:30 - Wrapping up, talking about some videos where I talk more about creating DLLs, which can help with this
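The 06:10 and 07:20 chapters cover the search order (the binary's own directory first, then each PATH entry) and the common mistake of adding a user-writable directory to the PATH. The following audit script is an added example, not code from the video or from IppSec; it walks the machine and user PATH and flags entries that broad groups can write to, which is the check a defender would run to find that mistake before someone else does. The principal list and the rights mask are assumptions for this example and should be tuned to your environment.

```powershell
# Added audit example (not from the video): list every directory on the machine and
# user PATH and flag the ones that broad principals can write to. A DLL that is not
# found next to the executable is resolved through these directories in order, so a
# user-writable PATH entry is exactly the "common mistake" the video describes.
# The principal list and rights mask below are assumptions; tune them to your estate.

# Groups that should never hold write rights on a directory that is on PATH.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating or replacing a file inside the directory.
$Rights    = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Rights::CreateFiles -bor $Rights::CreateDirectories -bor $Rights::Write -bor $Rights::Modify -bor $Rights::FullControl)

function Test-PathEntry {
    param([Parameter(Mandatory)][string]$Directory)

    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) {
        # Stale PATH entries are still searched; report them so they get removed
        # rather than left for whoever can create that directory later.
        return [pscustomobject]@{ Directory = $Directory; Status = 'MISSING'; WritableBy = '' }
    }

    try {
        $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Directory = $Directory; Status = 'ACL-ERROR'; WritableBy = $_.Exception.Message }
    }

    $writers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Compare on the raw mask so ACEs carrying generic rights (values outside
        # the named enum members) are still evaluated correctly.
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) { $ace.IdentityReference.Value }
    }

    if ($writers) {
        [pscustomobject]@{
            Directory  = $Directory
            Status     = 'WRITABLE'
            WritableBy = (@($writers) | Sort-Object -Unique) -join ', '
        }
    } else {
        [pscustomobject]@{ Directory = $Directory; Status = 'OK'; WritableBy = '' }
    }
}

# The machine PATH is inherited by services and every user; the user PATH is appended to it.
$entries = foreach ($scope in 'Machine', 'User') {
    $raw = [Environment]::GetEnvironmentVariable('Path', $scope)
    if (-not $raw) { continue }
    foreach ($part in ($raw -split ';')) {
        $dir = [Environment]::ExpandEnvironmentVariables($part.Trim())
        if ($dir) { $dir }
    }
}

$entries | Select-Object -Unique | ForEach-Object { Test-PathEntry -Directory $_ } |
    Sort-Object Status | Format-Table -AutoSize
```

Anything reported as WRITABLE or MISSING is a candidate for cleanup: either drop the entry from the PATH or tighten the directory's ACL so that only administrators can create files there. Running the script from an elevated prompt avoids ACL-ERROR rows on directories that standard users cannot read.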

Comments • 74

  • @ismailarame3756 2 years ago +34

    IppSec, I am so amazed that your channel is so organized and consistent, as well as putting timestamps in each video you release. I do not know how to thank you; you made it easy for us to learn. I appreciate it too much 🖤🖤

  • @elevatecyber5031 2 years ago +20

    This is such good information. It's surprising that DLL hijacking isn't talked about more in this community. This is core education for any aspiring red teamer.

    • @trustedsecurity6039 2 years ago +2

      It is talked about a lot, but you don't see it because you just look at channels where only basic stuff is taught.

  • @pbjandahighfive 2 years ago +3

    lul
    14:55 "Let's see... is there a process name?"
    >Proceeds to pass directly over "Process Name" no less than 3 times.
    Great video all the same. Subscribed.

  • @shiverello6109 2 years ago +5

    Me at 8 in the morning after many hours of HTB: "I'm in a weird state" xD Love your videos, very organized and just full of information 👌

  • @thepianoaddict 2 years ago +8

    Maybe these shortcuts don't work if you're in a vm, but on windows 10 if you hit win+x it will open a menu, if you then hit i, it will open powershell, if you do win+x and then a, it will open powershell as admin.
    These shortcuts work for the english version of windows, other languages sometimes have other keys once you're inside the menu.
    Very informative video!

  • @cemkaaidarov2415 1 year ago

    Thank you for sharing another great video. I'm grateful for the knowledge you've shared. I've lived in this area for 10 years and I'm excited to share this with my team, especially with the "kids". Your video will help them understand the topic much faster than my long and sometimes boring lectures.

  • @atthaphonrattanarueanphet1362

    So MANY of the episodes are bangers

  • @allenxd 2 years ago

    OMG, nice timing IppSec! I was doing a thick client test and actually trying some DLL hijacking stuff. lol, this is really helpful.

  • @jmprcunha 2 years ago

    It is always a pleasure watching your videos. Thank you, IppSec!

  • @HishanShouketh 2 years ago

    The right daily dose of cyber security, thank you so much for this awesome demo. So well explained.

  • @vectar 2 years ago

    Thanks for the amazing content IppSec! Love your channel, keep em coming!

  • @khalilthebest7005 2 years ago +1

    😁wow that’s cool 👍the best part

  • @R4z0r_arg 6 months ago

    Amazing video IppSec, thanks

  • @ex6tenCe 2 years ago

    Wow, this video showed a couple of cool ideas which were unknown to me. Got my sub.

  • @digitaldavid5633 2 years ago

    Very Helpful! Please do more like this. Thanks!

  • @Gs0c 1 year ago

    Amazing content, thanks for sharing

  • @romanxyz7248 2 years ago

    Amazing video. Thank you ❤️

  • @jumpstep7085 2 years ago

    More persistence and slipping under the radar! :D

  • @stanislavsmetanin1307 10 months ago

    Wow)) It is fantastic

  • @securiti 2 years ago

    Helpful videos! Love your content.
    Would love to catch a live stream some day on Twitch.

  • @mounir7320 2 years ago +5

    Thanks for the video... it would be great if you shared some evasion techniques for modern AV/EDR using DLL hijacking.

    • @ippsec 2 years ago +29

      That sounds like a very dangerous thing to share. I wouldn't do a video on something so weaponizable.

    • @damuffinman6895 2 years ago +2

      Just use base64 encoding, works all the time

    • @dadamnmayne 2 years ago +4

      Offensive Security has entered the chat.

    • @maclie7078 2 years ago

      @ippsec if I'm not wrong you're doing part of cybersecurity and penetration testing, and of course they are part of it, any thanks, you help us every day😊

    • @AUBCodeII 2 years ago

      pepsic is an anagram of ippsec.

  • @jarsal_firahel 1 year ago

    Pretty awesome!

  • @zedeleyici.1337 2 years ago

    you are great, i love it

  • @callmekelvin 2 years ago

    Another great video...

  • @akazaka3578 2 years ago

    Oh didn't realize you are on Twitch now. I'll be sure to check out your streams.

  • @MattKAva 2 years ago

    Great video!

  • @vincenttheriault3256 1 year ago

    Amazing info

  • @UmairAli 2 years ago

    this is so awesome

  • @kavishkagihan9495 2 years ago

    Being new at DLL hijacking, I am having trouble understanding how DLL proxying works. Would love a dedicated video about that topic. Cheers!

    • @ippsec 2 years ago +3

      It’s not high on my priority list because it’s not valuable for defenders to understand that concept. I try to keep it at a basics level for red team stuff.

    • @kavishkagihan9495 2 years ago

      If anyone is curious like myself about DLL proxying, check this out czcams.com/video/tSdyfaJ7T50/video.html

  • @xternl_ 2 years ago

    Wonderful.

  • @zedeleyici.1337 2 years ago

    thanks for content!

  • @IBITZEE 2 years ago

    such good info...
    and doing it live helps a lot to avoid those 'natural' mistakes...
    ps: your site design seems just useful... no sh***... just all the juice...

  • @ca7986 2 years ago

    ❤️

  • @AnkitSharma-cs6ez 9 months ago

    Hey ippsec, I am not able to cd or dir ..\.dotnet\ I tried different ways but it is not working. I am using Windows 11. Is it the one causing issues, or what is it?

  • @Cod3rMax 1 year ago

    But is it possible to write the code that you did in C++ with C#? Because when I do it and I try, I'm getting an error trying to access protected memory.

  • @kezkya3683 2 years ago

    Wow, u r such a gem

  • @TracerPortable 2 years ago

    I feel like you are quite swifty with winapi, any tips? Maybe some video with basics? I don't know why, but when I see MS documentation I just want to puke, I barely understand anything.

  • @spear7916 2 years ago +1

    First

  • @peterw6583 2 years ago

    If cscapi.dll is replaced by your customized one, won't it affect the normal behavior of explorer.exe?

    • @ippsec 2 years ago +1

      Normally, if you don't use a DLL proxy technique, yes. However, I think explorer just imports cscapi but doesn't use it.

  • @epicvideos41 1 year ago

    Sir, you did not show how to fix it.

  • @MrSerek 2 years ago

    Can you do priv esc with this? Find some app running as SYSTEM with a missing DLL and slap a fake DLL into a writeable path to run some commands would be my guess.

    • @ippsec 2 years ago

      Yes, that is certainly possible.

    • @hexagon6290 2 years ago

      Some apps you can replace a DLL they load with your own and gain privs that way

    • @MrSerek 2 years ago

      @hexagon6290 yeah, that's the goal. I need to find some weak (writeable and loading DLLs that aren't in KnownDlls) file running as NT AUTHORITY.

    • @trustedsecurity6039 2 years ago

      @hexagon6290 you don't need to replace an existing DLL for that... I didn't watch the video so idk if ippsec talks about it, but I'm sure he did; you just see what DLL isn't found by known software installed on the victim workstation in a writable directory.

  • @itswellick9507 2 years ago

    hey ippsec. Is it possible to watch the twitch live stream history?

    • @ippsec 2 years ago

      Nope, I think I said it at the start of the video, but at this time I don't plan on releasing VODs for my streams.

    • @itswellick9507 2 years ago

      @ippsec I'm sorry I missed it. By the way, thanks for everything you taught me.

    • @ippsec 2 years ago +3

      No worries, I plan on uploading raw clips or redoing them like this one for YT. I'm just more comfortable interacting with people live if there's no record of it. I may set up the Patreon again and post recordings there; I just don't want to do it before it's a routine.

  • @cipher4873 2 years ago

    heeyyy

  • @AUBCodeII 2 years ago

    ipp
    dll

  • @JOJO-no8rb 2 years ago

    Can you do more content about win api with c

  • @wyteedeng1874 2 years ago

    I got a cat?

  • @itsme7570 2 years ago

    Man oh man. More of this type of content please. Anyone know of a way to bypass cdn or cloud providers to find origin IP? My trusty python script that always works is failing on some of these cloud hosted sites or cloud firewall

  • @yahyahassan3430 2 years ago

    The website needs a domain renewal. Anyway thanks for the content.

  • @JOJO-no8rb 2 years ago

    Ippsec thank you very much