DLLHijackHunter

DLLHijackHunter is an automated Windows DLL hijacking detection tool designed to go beyond traditional static analysis by discovering, validating, and confirming DLL hijacking opportunities with zero false positives. It's the only tool that proves hijacks actually work before reporting them, making findings actionable for security professionals.

Key Features:

• Multi-Phase Pipeline:

  1. Discovery: Identifies binaries loading DLLs from writable locations, leveraging a Static Engine (for Services, Tasks, Startup, COM, Run Keys), PE Analyzer (for Import Tables, Delay Loads, Manifests, Exports), and ETW Engine (for real-time DLL load monitoring) combined with a Search Order Calculator.
  2. Filtration: Employs an 8-gate filter pipeline to eliminate false positives. This includes "Hard Gates" for binary elimination (API Set Schema, Known DLLs, Writability Filters) and "Soft Gates" for confidence adjustment (WinSxS Manifest, Privilege Delta, LoadLibraryEx Flags, Signature Verification, Error Handled Load Filters).
  3. Canary Confirmation: Deploys a harmless canary DLL to the hijack path and triggers the victim binary to confirm the hijack's exploitability. The canary DLL proxy-exports all original functions, reports achieved privilege, integrity level, and SeDebug status via a named pipe, and self-cleans after testing.
  4. Scoring & Reporting: Ranks findings by exploitability using a tiered confidence system (CONFIRMED, HIGH, MEDIUM, LOW) and generates detailed console, JSON, or HTML reports.

• Comprehensive Hijack Type Detection: Detects 10 types of DLL hijacks including Phantom DLL, Search Order, Side-Loading, ENV PATH, .local Redirect, KnownDLL Bypass, CWD Hijack, AppInit DLLs, IFEO, and AppCert DLLs, with varying stealth ratings.

• Unique Selling Proposition: Unlike other tools that merely suggest potential hijacks, DLLHijackHunter actively proves the exploitability, reports the achieved privilege level, and indicates reboot persistence, ensuring actionable intelligence.

Usage:

• Prerequisites: Requires Windows 10/11 or Windows Server 2016+, .NET 8.0 Runtime (or self-contained build), and recommended Administrator privileges for full functionality.
• Scan Profiles: Offers various profiles like aggressive (full audit), strict (high-confidence), safe (production-safe, read-only), and redteam (confirmed exploitable only).
• CLI Options: Supports targeting specific binaries or directories, setting minimum confidence thresholds, and disabling canary confirmation or ETW for specific use cases.

Safety:

DLLHijackHunter is a detection tool, not an exploitation framework. Canary DLLs contain no malicious payload, only report metadata, and are automatically cleaned up. Proxy exports ensure target applications remain fully functional. Users are advised to use --profile safe for production systems and always obtain proper authorization before scanning.