Remember that these attackers have been granted FILE_ADD_FILE on this directory. The
attack.dll is coded to do its malicious work in DllMain and then hand execution back to
the real DLL, so the program keeps working and nothing looks wrong to the administrator.
Next the attackers create a new file in the same directory called
[program-name].exe.manifest. In this example, the attacker's file is accesschk.exe.manifest.
C:\tools>type accesschk.exe.manifest
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity
    version="6.0.0.0"
    processorArchitecture="x86"
    name="redirector"
    type="win32"
  />
  <description>DLL Redirection</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
        type="win32"
        name="Microsoft.Windows.Common-Controls"
        version="6.0.0.0"
        processorArchitecture="X86"
        publicKeyToken="6595b64144ccf1df"
        language="*"
      />
    </dependentAssembly>
  </dependency>
  <file
    name="user32.dll"
  />
</assembly>
It's not important to understand exactly how the manifest file works; you can just
learn how to make it work for you. The one element that matters here is <file
name="user32.dll"/>: it declares user32.dll as a private file of the application, so the
loader resolves that import from the executable's own directory (where the attackers have
write access) rather than from the system directory. You can read up on manifest files at
http://msdn2.microsoft.com/en-gb/library/ms766454.aspx if you'd like. Finally, let's
simulate the administrator running AccessChk. The debugger will show which DLLs are loaded.
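The attack above needs two things in the same directory: an executable that a privileged user runs, and an ACE that lets a low-privilege identity add files beside it. The following PowerShell script is an added example (it is not from the book) that audits a directory for exactly those preconditions and for traces of an attack already in place: low-privilege identities holding CreateFiles (the .NET name for FILE_ADD_FILE, including the generic rights that imply it), existing [program-name].exe.manifest or .local files, and DLLs sitting next to the executables. It also reads the SideBySide\PreferExternalManifest registry value, because on Windows Vista and later an executable's embedded manifest wins over an external .exe.manifest file unless that value is set to 1, which limits the book's technique to binaries without an embedded manifest on modern systems. The directory name C:\tools and the list of "low-privilege" identities are assumptions you should adjust for your environment.

```powershell
# Added example, not code from the book: audit a directory for the preconditions
# of the manifest-based DLL redirection attack. Paths and identity list are assumptions.
param(
    [string]$Directory = 'C:\tools'
)

# Identities that should never be able to add files next to an admin-run binary.
# Extend this list with your own low-privilege groups.
$lowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Generic rights that implicitly include FILE_ADD_FILE when they appear in an ACE.
$GENERIC_ALL   = 0x10000000
$GENERIC_WRITE = 0x40000000

function Get-UnsafeFileAddAces {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $mask = [int]$ace.FileSystemRights
        # CreateFiles is bit 0x2 (FILE_ADD_FILE / FILE_WRITE_DATA); FullControl,
        # Modify and Write all include it, so test the bit rather than the enum name.
        $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
        $canAddFile = (($mask -band $createFiles) -ne 0) -or
                      (($mask -band $GENERIC_ALL) -ne 0) -or
                      (($mask -band $GENERIC_WRITE) -ne 0)
        if ($canAddFile -and ($lowPrivIdentities -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

function Test-DllRedirectionExposure {
    param([string]$Path)
    $aces = @(Get-UnsafeFileAddAces -Path $Path)
    $dlls = @(Get-ChildItem -Path $Path -Filter *.dll -File -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name)
    $exes = Get-ChildItem -Path $Path -Filter *.exe -File -ErrorAction SilentlyContinue
    foreach ($exe in $exes) {
        # Both an external manifest and a .local file redirect DLL loads to this directory.
        $manifest = Join-Path $Path ($exe.Name + '.manifest')
        $dotLocal = Join-Path $Path ($exe.Name + '.local')
        [pscustomobject]@{
            Executable        = $exe.FullName
            LowPrivCanAddFile = ($aces.Count -gt 0)
            Grantees          = ($aces.Identity | Sort-Object -Unique) -join ', '
            ExternalManifest  = Test-Path -Path $manifest
            DotLocalPresent   = Test-Path -Path $dotLocal
            SiblingDlls       = ($dlls -join ', ')
        }
    }
}

# On Vista and later the embedded manifest takes precedence over an external
# .exe.manifest unless this value is 1, so report it alongside the directory findings.
$sxs = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide' `
                        -Name PreferExternalManifest -ErrorAction SilentlyContinue
$preferExternal = if ($sxs) { [int]$sxs.PreferExternalManifest } else { 0 }
Write-Output ("PreferExternalManifest = {0}" -f $preferExternal)

Test-DllRedirectionExposure -Path $Directory | Format-List
```

Run it as `.\Audit-DllRedirection.ps1 -Directory C:\tools` (the script name is hypothetical). A row with LowPrivCanAddFile set to True is the finding to fix: remove the CreateFiles/Write grant for the listed grantees, or move the tool to a directory such as Program Files that only administrators can write to. ExternalManifest, DotLocalPresent or an unexpected SiblingDlls entry such as user32.dll on a directory that admins run tools from is a sign the attack may already have happened and deserves a forensic look rather than a quiet cleanup.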