pr701/vcproxy

vcruntime140 proxy

DLL hijacking with vcruntime140

About

This code allows DLL hijacking in applications by placing the vcruntime140_1.dll library in the application folder, without modifying the executable files of the application.

How it works

Many modern applications built with platform toolset version 140 (and higher), with the run-time library in multithreaded-DLL (/MD) mode, list the vcruntime140_1.dll library in the import table or call it indirectly.

The original vcruntime140_1.dll library contains only a few exception handling functions (like CxxFrameHandler4).

The proxy loads itself, then loads the original vcruntime140_1.dll library if the corresponding Visual C++ Redistributable is installed. If the runtimes in the application are local (portable), it is enough to rename the original library to vcruntime140_2.dll.
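A defender-side check for the rename step described above, as an added example that is not part of the vcproxy project: it walks a directory tree and reports every folder that holds both vcruntime140_1.dll and vcruntime140_2.dll, with SHA-256 hashes of each for triage. The function names and the sample folder layout are assumptions constructed for this illustration.

```python
import hashlib
import os
import tempfile

PROXIED_NAME = "vcruntime140_1.dll"  # file name the proxy takes, per the README
RENAMED_NAME = "vcruntime140_2.dll"  # name the README gives the displaced original


def sha256_file(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_rename_pairs(root):
    """Return one record per directory under root that holds both file names."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        by_lower = {name.lower(): name for name in filenames}  # Windows names are case-insensitive
        if PROXIED_NAME in by_lower and RENAMED_NAME in by_lower:
            hits.append({
                "dir": dirpath,
                "proxied_sha256": sha256_file(os.path.join(dirpath, by_lower[PROXIED_NAME])),
                "renamed_sha256": sha256_file(os.path.join(dirpath, by_lower[RENAMED_NAME])),
            })
    return sorted(hits, key=lambda hit: hit["dir"])


def build_sample_tree(root):
    """Constructed sample layout with placeholder bytes, not real PE files."""
    layout = {
        "CleanApp": ["app.exe", "vcruntime140.dll", "vcruntime140_1.dll"],
        "SuspectApp": ["app.exe", "VCRUNTIME140_1.dll", "vcruntime140_2.dll"],
        "NoRuntime": ["tool.exe"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(f"constructed placeholder for {folder}/{name}".encode())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_rename_pairs(tmp):
            print("review:", hit["dir"], hit["proxied_sha256"], hit["renamed_sha256"])
```

The reported hashes can be compared with the vcruntime140_1.dll from a known-good install of the matching Visual C++ Redistributable. The check covers only the portable-runtime case; when the redistributable is installed, the README describes no rename, so no pair appears.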

Features

  • Small size
  • Easy to use
  • Supports injection into many modern applications without modifying the application files.

Sample

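// Windows API types and MessageBox; _T() comes from tchar.h
#include <windows.h>
#include <tchar.h>

// include proxy
#include "vcruntime.h"

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	if (ul_reason_for_call == DLL_PROCESS_ATTACH)
	{
		// load the original vcruntime140_1.dll (see "How it works")
		proxy::init_runtime();

		// demo payload: shows that the DLL was loaded into the process
		MessageBox(NULL, _T("DLL Injected!"), _T("Hello!"), MB_ICONINFORMATION);
	}
	if (ul_reason_for_call == DLL_PROCESS_DETACH)
	{
		// counterpart to init_runtime()
		proxy::free_runtime();
	}
	return TRUE;
}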
