Siofra - DLL hijacking vulnerability scanner and PE infector tool
Windows has historically had significant issues with DLL hijacking vulnerabilities, and over the years Microsoft has implemented security mechanisms in an attempt to mitigate such attacks. While analyzing an advanced persistent threat (APT) in early 2017, I was shown how surprisingly vulnerable Windows still is to such attacks, even after decades of patching specific vulnerabilities and implementing new security mechanisms. In this particular APT alone, there were three separate vulnerabilities in three different applications all being leveraged for persistence.
The capabilities of this tool fall into two categories, one for each of the two stages of carrying out this class of attack:
- Scanner mode, meant for identifying vulnerabilities in a desired target program (or set of programs) during the reconnaissance phase of an attack.
- Infection mode, meant for infecting legitimate copies of the vulnerable modules identified during the reconnaissance phase, for payload delivery during the exploitation phase of an attack.