Robber – Robber Is Open Source Tool For Finding Executables Prone To DLL Hijacking

Robber - Robber Is Open Source Tool For Finding Executables Prone To DLL Hijacking

Robber is a free open supply device developed utilizing Delphi XE2 with none third get together dependencies.

Windows has a search path for DLLs in its underlying structure. If you’ll be able to work out what DLLs an executable requests with out an absolute path (triggering this search course of), you’ll be able to then place your hostile DLL someplace increased up the search path so it’s going to be discovered earlier than the actual model is, and Windows will happilly feed your assault code to the applying.

So, let’s fake Windows’s DLL search path appears one thing like this:

A) . <– present working listing of the executable, highest precedence, first test

B) Windows

C) Windowssystem32

D) Windowssyswow64 <– lowest precedence, final test

and a few executable “Foo.exe” requests “bar.dll”, which occurs to dwell within the syswow64 (D) subdir. This offers you the chance to position your malicious model in A), B) or C) and will probably be loaded into executable.
As acknowledged earlier than, even an absolute full path cannot defend towards this, if you happen to can change the DLL with your individual model.
Microsoft Windows defend system pathes like System32 utilizing Windows File Protection mechanism however one of the simplest ways to guard executable from DLL hijacking in entrprise options is :

  • Use absolute path as an alternative of relative path
  • If you’ve gotten private signal, signal your DLL recordsdata and test the check in your software earlier than load DLL into reminiscence. in any other case test the hash of DLL file with unique DLL hash)

And in fact, this is not actually restricted to Windows both. Any OS which permits for dynamic linking of exterior libraries is theoretically vulnerable to this.
Robber use easy mechanism to determine DLLs that liable to hijacking :

  1. Scan import desk of executable and discover out DLLs that linked to executable
  2. Search for DLL recordsdata positioned inside executable that match with linked DLL (as i stated earlier than present working listing of the executable has highest precedence)
  3. If any DLL discovered, scan the export desk of theme
  4. Compare import desk of executable with export desk of DLL and if any matching was discovered, the executable and matched widespread capabilities flag as DLL hijack candidate.

Feauters :

  • Ability to pick out scan kind (signed/unsigned purposes)
  • Determine executable signer
  • Determine wich referenced DLLs candidate for hijacking
  • Determine exported methodology names of candidate DLLs
  • Configure guidelines to find out which hijacks is greatest or sensible choice to be used and present theme in numerous colours

Find out latest Robber executable here


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.