aDLL: Adventure of Dynamic Lynk Library


aDLL is a binary analysis tool focused on the automatic discovery of DLL Hijacking vulnerabilities. The tool analyzes the image of the binary loaded in memory to find the DLLs loaded at load time, and uses the Microsoft Detours library to intercept calls to the LoadLibrary/LoadLibraryEx functions to analyze the DLLs loaded at run time. The goal is a list of the DLLs that the executable fails to find in the folders where it searches for them.
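The kind of result described above, as an added example in Python (not aDLL's own code, which works on the loaded image and on hooked LoadLibrary calls): given the DLL names a program requests and the ordered list of folders searched, it reports which names resolve where and which are found nowhere. The folder layout, DLL names and function names are constructed for illustration, and the search order is passed in as an assumption rather than read from Windows.

```python
import os
import tempfile

def resolve_dll(name, search_dirs):
    """Walk the ordered search path; return (hit_dir, dirs_probed_before_hit)."""
    probed = []
    for d in search_dirs:
        try:
            # Windows file names are case-insensitive, so compare lowercased
            entries = {e.lower() for e in os.listdir(d)}
        except OSError:
            entries = set()  # missing/unreadable directory still counts as probed
        if name.lower() in entries:
            return d, probed
        probed.append(d)
    return None, probed

def audit(dll_names, search_dirs):
    """Split requested DLLs into resolved ones and ones found nowhere."""
    report = {"found": {}, "not_found": []}
    for name in dll_names:
        hit, probed = resolve_dll(name, search_dirs)
        if hit is None:
            report["not_found"].append(name)
        else:
            report["found"][name] = {"dir": hit, "probed_first": probed}
    return report

def demo():
    """Constructed layout: app dir, a stand-in System32, and one PATH entry."""
    root = tempfile.mkdtemp()
    order = [os.path.join(root, n) for n in ("app", "System32", "tools")]
    for d in order:
        os.mkdir(d)
    open(os.path.join(order[1], "VERSION.dll"), "w").close()
    open(os.path.join(order[0], "helper.dll"), "w").close()
    order.append(os.path.join(root, "stale_path_entry"))  # listed but absent
    names = ["version.dll", "helper.dll", "missing_plugin.dll"]  # constructed
    return audit(names, order), order

if __name__ == "__main__":
    report, _ = demo()
    print("not found:", report["not_found"])
    for name, info in report["found"].items():
        print(name, "->", info["dir"])
```

Names in `not_found` are the ones to review: either ship the DLL with the application or have the code load it by full path.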

Getting Started

To start using aDLL, a compiled executable is available in the Binaries folder. It is recommended to use the version whose architecture (32-bit or 64-bit) matches that of the executable to be analyzed.

For the tool to work correctly, the DLLs “hook32”, “hook64”, “informer32” and “informer64” must be located in the same directory as the executable aDLL.exe.

Prerequisites

aDLL has been developed and tested on Windows 10 systems. If the system is old and/or Visual Studio is not installed, the tool may throw an error like “VCRUNTIME140.dll not found”. In this case, the Visual C++ Redistributable update must be installed. An update can be found here.

Compilation

To modify or recompile the tool, Visual Studio 2015 or later is recommended. The Visual Studio solution consists of three projects: aDLL, Hook and Informer.

- aDLL: must be compiled as an executable. If linking errors occur, add the shlwapi.lib library as an additional dependency in the Visual Studio linker.
- Hook: must be compiled as a DLL with the same architecture as the executable to be analyzed. The resulting Hook file must be renamed to hook32.dll or hook64.dll as appropriate. To analyze executables of both architectures, both DLLs must be in the same directory as aDLL.exe.
- Informer: same as Hook. Must be compiled as a DLL and renamed to informer32.dll or informer64.dll.

Usage

Copyright (c) 2021 ideaslocas

Source: https://github.com/ideaslocas/