diff --git a/HijackHunter/Program.cs b/HijackHunter/Program.cs index 04d8283..d41c0e0 100755 --- a/HijackHunter/Program.cs +++ b/HijackHunter/Program.cs @@ -16,20 +16,35 @@ class Program // Global list for tracking all hijacks through recursion public static List g_Hijackables = new List(); public static bool quietMode = false; + static void Main(string[] args) { + string fileName; // Make sure the target file exists - string fileName = args[0]; + try + { + fileName = args[0]; + } + catch(Exception m) + { + Console.WriteLine(m.ToString()); + return; + } g_basePath = Path.GetDirectoryName(fileName); + if(g_basePath == "") + { + string tmp = fileName; + fileName = String.Concat(".\\", tmp); + } if (!File.Exists(fileName)) { Console.WriteLine("[-] Can't access {0}", fileName); return; } - if (fileName.ToLower().StartsWith(@"c:\windows\")) - { - Console.WriteLine("[!] You're targeting OS components. This is prone to false positives."); + if (fileName.ToLower().StartsWith(@"c:\windows\")) + { + Console.WriteLine("[!] You're targeting OS components. This is prone to false positives."); } if (args.Length > 1 && args[1] == "-quiet") @@ -102,6 +117,7 @@ static void Main(string[] args) { Console.WriteLine("[-] No hijacks found"); } + } public struct PEDetails @@ -116,7 +132,8 @@ public struct PEDetails static void RecursiveHunter(string fileName, byte[] fileBytes, bool isRoot, string target, int indent) { - PEDetails targetFile = new PEDetails + + PEDetails targetFile = new PEDetails { Name = fileName, Path = Path.GetDirectoryName(fileName), 
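Review bot: In the first hunk (`Main`), `g_basePath` stays `""` when the target is given as a bare file name: the new branch prefixes `fileName` with `.\` but never recomputes `g_basePath`, and `HijackChecks` later builds `g_basePath + @"\" + peDetails.Name`, which for an empty base resolves against the drive root instead of the target's directory. Resolving the argument once with `Path.GetFullPath` fixes that and also lets the existing `c:\windows\` prefix warning fire for relative paths. The `try`/`catch (Exception)` around `args[0]` uses an exception for an expected condition and dumps a stack trace on the user; a plain `args.Length` check is clearer. `Main` continues past the end of this hunk.

```csharp
static void Main(string[] args)
{
    if (args.Length == 0)
    {
        Console.WriteLine("[-] No target file given");
        return;
    }

    // Normalise once so g_basePath is never empty and prefix checks see an absolute path
    string fileName = Path.GetFullPath(args[0]);
    g_basePath = Path.GetDirectoryName(fileName);

    // … unchanged: File.Exists check, OS-component warning, -quiet handling …
```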
@@ -157,8 +174,9 @@ static void RecursiveHunter(string fileName, byte[] fileBytes, bool isRoot, stri targetFile.Path = FindFilePath(dll, Path.GetDirectoryName(targetFile.Path)); string hijackResult = HijackChecks(targetFile, false); - if (targetFile.Path != null) + if (targetFile.Path != null && !targetFile.Path.Contains("system32")) // recursing into system32 breaks the program. { + if (!quietMode) { Console.WriteLine(output + hijackResult); } // Start processing it through recursion byte[] newFile = File.ReadAllBytes(targetFile.Path); @@ -166,7 +184,10 @@ static void RecursiveHunter(string fileName, byte[] fileBytes, bool isRoot, stri } else // Handle DLLs that are missing from the search order { - if (!quietMode) { Console.WriteLine(output + " [HIJACKABLE]"); } + if (!quietMode) + { + Console.WriteLine(output + " --> " + hijackResult); + } } } catch (Exception ex) @@ -240,8 +261,9 @@ static string HijackChecks(PEDetails peDetails, bool isDynamic) return " [API Set]"; } - // Hacky way to catch - if (CheckDirectoryWritePermissions(g_basePath) && peDetails.Name != "ntdll.dll") + // Hacky way to catch --> works sometimes. Skipped 1 part and it works + // CheckDirectoryWritePermissions(g_basePath) && peDetails.Name != "ntdll.dll" + if (peDetails.Name != "ntdll.dll") { if (!File.Exists(g_basePath + @"\" + peDetails.Name)) { @@ -380,11 +402,17 @@ static List GetKnownDlls() static bool CheckDirectoryWritePermissions(string path) { // https://stackoverflow.com/a/1281638 + DirectorySecurity acl; bool writeAllow = false; bool writeDeny = false; - DirectorySecurity acl = Directory.GetAccessControl(path); - if (acl == null) + try + { + acl = Directory.GetAccessControl(path); + } + catch (Exception) // null ACL errors out with exceptions regardless of checking for null. + { return false; + } AuthorizationRuleCollection accessRules = acl.GetAccessRules(true, true, typeof(SecurityIdentifier)); if (accessRules == null)
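Review bot: The new guard `!targetFile.Path.Contains("system32")` in `RecursiveHunter` is a case-sensitive substring test, so it will miss the usual `C:\Windows\System32\...` casing if `FindFilePath` returns the on-disk spelling (not visible here), and it also matches any unrelated path that merely contains that text. A DLL skipped by this guard appears to fall into the `else` branch, whose comment still says it handles DLLs missing from the search order, so after the following hunk a resolved system DLL is reported through the "missing" path. Consider `targetFile.Path.IndexOf(@"\system32\", StringComparison.OrdinalIgnoreCase) < 0` plus a separate branch for "found but not recursed". The comment should also state what actually breaks, since the guard may be hiding an unhandled exception rather than fixing it. The enclosing function starts and ends outside the hunk.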
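Review bot: Dropping `CheckDirectoryWritePermissions(g_basePath)` from the condition in `HijackChecks` means the result no longer depends on whether the current user can write to the target's directory, so every imported DLL that is absent from that directory appears to take the hijackable branch and the report will over-state findings. The last hunk of this commit already makes `CheckDirectoryWritePermissions` return `false` instead of throwing, which looks like the failure this edit works around, so the original test `if (CheckDirectoryWritePermissions(g_basePath) && peDetails.Name != "ntdll.dll")` can probably be restored. If the check stays removed, delete the commented-out condition and replace "works sometimes" with a comment that states the known limitation. The body of the `if` continues outside the hunk.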
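Review bot: `catch (Exception)` in `CheckDirectoryWritePermissions` turns every failure of `Directory.GetAccessControl` into "not writable", including an empty or invalid `path` (which `g_basePath` can be when the target has no directory part) and access-denied on the ACL itself. That makes a tool error indistinguishable from a genuine negative result. Catch the specific types you expect, for example `catch (UnauthorizedAccessException)` and `catch (ArgumentException)`, and surface the failure unless `quietMode` is set, e.g. `if (!quietMode) { Console.WriteLine("[!] Could not read ACL for {0}", path); }`. The function continues past the end of the hunk.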