Wednesday, October 6, 2010

Enhanced DLLHijackAuditKit

/* DLLHijackAuditKit (C) 2010 Rapid7 LLC */

http://core.yehg.net/lab/pr0js/files.php/%5Byehg.net%5D_DLLHijackAuditKitx.zip

Modified by
Aung Khant, YGN Ethical Hacker Group, Yangon, Myanmar
http://yehg.net

- Added sleep timer support
- Added regex support to scan only a desired application and its associated file extensions


Why did we modify?

By default, DLLHijackAuditKit scans the file extensions associated with every installed application, using a fixed timer of 3 seconds.
DLLHijackAuditor from SecurityXploded is great for targeting a single application.
However, according to our testing, it sometimes misses flaws.

So, we tried to save time by adding timer support and regex support to our favorite, HDM's DLLHijackAuditKit.

How is it useful?


Sleep timer - for applications like Adobe CS that take a few seconds to reach a fully usable state.
              The two variables below appear in both analyze.js and audit.js, so adjust them in both files.
              Set them according to the application's loading time.

    var snap_time = 1000;
    var sleep_time = 5000;
   
Regex       - for each application you want and the extensions you want to audit.

    scan_app  -  Look up the (Default) data value of the file-extension key for your desired application
                 in the Registry Editor (regedit); the extension keys live under HKEY_CLASSES_ROOT.
                 It could be something like Adobe.Illustrator.ColorBook,
                 in which case you can set
    scan_app = /Adobe.Illustrator/gi;
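The selection step that scan_app drives, as an added example that is not code from DLLHijackAuditKit or from the YGN modification. It models the logic in plain Node.js: the extension-to-ProgID map is constructed sample data standing in for the (Default) values of HKEY_CLASSES_ROOT extension keys (the real audit.js reads the registry), and the function names selectExtensions and selectExtensionsNoReset are our own. It also shows a pitfall a practitioner will hit with the suggested /gi pattern: a regex compiled with the g flag keeps its lastIndex between calls, so testing it against consecutive ProgIDs without resetting it silently drops matches.

```javascript
// Added example (not part of DLLHijackAuditKit or the YGN patch): how a
// scan_app regex picks which file extensions get audited, plus the
// g-flag lastIndex pitfall. Runs under Node.js.

// Constructed sample of HKEY_CLASSES_ROOT extension keys -> (Default) ProgID.
// The real tool reads these from the registry; these are made-up entries.
const extToProgId = {
  ".ai":  "Adobe.Illustrator",
  ".acb": "Adobe.Illustrator.ColorBook",
  ".psd": "Photoshop.Image",
  ".pdf": "AcroExch.Document",
  ".txt": "txtfile",
  ".xyz": "",                 // extension with no ProgID: nothing to launch
};

// Timer knobs as in the modified audit.js / analyze.js (assumed milliseconds).
const snap_time = 1000;
const sleep_time = 5000;

// The pattern suggested on this page: audit only Illustrator's extensions.
const scan_app = /Adobe.Illustrator/gi;

// Correct selection: reset lastIndex before every test. A regex built with
// the g flag remembers where its last match ended and resumes from there.
function selectExtensions(map, pattern) {
  const selected = [];
  for (const [ext, progId] of Object.entries(map)) {
    if (!progId) continue;          // skip extensions with no handler
    pattern.lastIndex = 0;
    if (pattern.test(progId)) selected.push(ext);
  }
  return selected;
}

// The same loop without the reset. After ".ai" matches, lastIndex sits past
// "Adobe.Illustrator", so the test on "Adobe.Illustrator.ColorBook" starts
// at ".ColorBook", fails, and ".acb" is never audited.
function selectExtensionsNoReset(map, pattern) {
  const selected = [];
  for (const [ext, progId] of Object.entries(map)) {
    if (!progId) continue;
    if (pattern.test(progId)) selected.push(ext);
  }
  return selected;
}

const chosen = selectExtensions(extToProgId, scan_app);
console.log("extensions to audit:", chosen,
            "(sleep " + sleep_time + " ms, snapshot " + snap_time + " ms each)");
console.log("without lastIndex reset:",
            selectExtensionsNoReset(extToProgId, /Adobe.Illustrator/gi));
```

Two notes on the pattern itself: an unescaped "." matches any character, so /Adobe\.Illustrator/gi is the stricter form if other ProgIDs share the prefix; and if you only ever call test() once per ProgID the g flag buys nothing, so /Adobe\.Illustrator/i avoids the lastIndex issue entirely.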



Warning

DLLHijackAuditKit also sometimes misses flaws.
If it does not report exploitability, do a manual analysis.

  
__________________________________________________


Vulnerabilities found with DLLHijackAuditKit


http://core.yehg.net/lab/#advisories.dll-hijacking