mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
GitBook: [#3559] No subject
This commit is contained in:
parent
1cb8a1dd02
commit
714393c0a0
12 changed files with 145 additions and 98 deletions
|
@ -205,7 +205,7 @@
|
|||
* [SmbExec/ScExec](windows-hardening/ntlm/smbexec.md)
|
||||
* [WinRM](windows-hardening/ntlm/winrm.md)
|
||||
* [WmicExec](windows-hardening/ntlm/wmicexec.md)
|
||||
* [Windows Security Controls](windows-hardening/windows-security-controls/README.md)
|
||||
* [Windows Security Controls](windows-hardening/authentication-credentials-uac-and-efs.md)
|
||||
* [UAC - User Account Control](windows-hardening/windows-security-controls/uac-user-account-control.md)
|
||||
* [Stealing Credentials](windows-hardening/stealing-credentials/README.md)
|
||||
* [Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md)
|
||||
|
|
|
@ -144,7 +144,7 @@ The plugin `banners.Banners` can be used in **vol3 to try to find linux banners*
|
|||
|
||||
## Hashes/Passwords
|
||||
|
||||
Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/windows-security-controls/#lsa-secrets).
|
||||
Extract SAM hashes, [domain cached credentials](../../../windows-hardening/stealing-credentials/credentials-protections.md#cached-credentials) and [lsa secrets](../../../windows-hardening/authentication-credentials-uac-and-efs.md#lsa-secrets).
|
||||
|
||||
{% tabs %}
|
||||
{% tab title="vol3" %}
|
||||
|
|
|
@ -106,7 +106,7 @@ If you are **not root/Administrator** inside the box, you should find a way to *
|
|||
Here you can find a **guide to escalate privileges locally in** [**Linux**](../linux-hardening/privilege-escalation/) **and in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)**.**\
|
||||
You should also check this pages about how does **Windows work**:
|
||||
|
||||
* [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/windows-security-controls/)
|
||||
* [**Authentication, Credentials, Token privileges and UAC**](../windows-hardening/authentication-credentials-uac-and-efs.md)
|
||||
* How does [**NTLM works**](../windows-hardening/ntlm/)
|
||||
* How to [**steal credentials**](../windows-hardening/stealing-credentials/) in Windows
|
||||
* Some tricks about [_**Active Directory**_](../windows-hardening/active-directory-methodology/)
|
||||
|
|
|
@ -74,57 +74,6 @@ phone: 23627387495
|
|||
* Lines 10-16 define 2 organizational units: dev and sales
|
||||
* Lines 18-26 create an object of the domain and assign attributes with values
|
||||
|
||||
## Basic Enumeration
|
||||
|
||||
### Manual
|
||||
|
||||
You can try to **enumerate a LDAP with or without credentials using python**: `pip3 install ldap3`
|
||||
|
||||
First try to **connect without** credentials:
|
||||
|
||||
```bash
|
||||
>>> import ldap3
|
||||
>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
|
||||
>>> connection = ldap3.Connection(server)
|
||||
>>> connection.bind()
|
||||
True
|
||||
>>> server.info
|
||||
```
|
||||
|
||||
If the response is `True` like in the previous example, you can obtain some **interesting data** of the LDAP (like the **naming context** or **domain name**) server from:
|
||||
|
||||
```bash
|
||||
>>> server.info
|
||||
DSA info (from DSE):
|
||||
Supported LDAP versions: 3
|
||||
Naming contexts:
|
||||
dc=DOMAIN,dc=DOMAIN
|
||||
```
|
||||
|
||||
Once you have the naming context you can make some more exciting queries. This simply query should show you all the objects in the directory:
|
||||
|
||||
```bash
|
||||
>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
|
||||
True
|
||||
>> connection.entries
|
||||
```
|
||||
|
||||
Or **dump** the whole ldap:
|
||||
|
||||
```bash
|
||||
>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
|
||||
True
|
||||
>>> connection.entries
|
||||
```
|
||||
|
||||
### Automated
|
||||
|
||||
Using this you will be able to see the **public information** (like the domain name)**:**
|
||||
|
||||
```bash
|
||||
nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
|
||||
```
|
||||
|
||||
## Write data
|
||||
|
||||
Note that if you can modify values you could be able to perform really interesting actions. For example, imagine that you **can change the "sshPublicKey" information** of your user or any user. It's highly probable that if this attribute exist, then **ssh is reading the public keys from LDAP**. If you can modify the public key of a user you **will be able to login as that user even if password authentication is not enabled in ssh**.
|
||||
|
@ -178,9 +127,81 @@ ldapdomaindump <IP> [-r <IP>] -u '<domain>\<username>' -p '<password>' [--authty
|
|||
|
||||
### [Brute Force](../generic-methodologies-and-resources/brute-force.md#ldap)
|
||||
|
||||
### Manual
|
||||
## Enumeration
|
||||
|
||||
#### ldapsearch
|
||||
### Automated
|
||||
|
||||
Using this you will be able to see the **public information** (like the domain name)**:**
|
||||
|
||||
```bash
|
||||
nmap -n -sV --script "ldap* and not brute" <IP> #Using anonymous credentials
|
||||
```
|
||||
|
||||
### Python
|
||||
|
||||
<details>
|
||||
|
||||
<summary>See LDAP enumeration with python</summary>
|
||||
|
||||
You can try to **enumerate a LDAP with or without credentials using python**: `pip3 install ldap3`
|
||||
|
||||
First try to **connect without** credentials:
|
||||
|
||||
```bash
|
||||
>>> import ldap3
|
||||
>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
|
||||
>>> connection = ldap3.Connection(server)
|
||||
>>> connection.bind()
|
||||
True
|
||||
>>> server.info
|
||||
```
|
||||
|
||||
If the response is `True` like in the previous example, you can obtain some **interesting data** of the LDAP (like the **naming context** or **domain name**) server from:
|
||||
|
||||
```bash
|
||||
>>> server.info
|
||||
DSA info (from DSE):
|
||||
Supported LDAP versions: 3
|
||||
Naming contexts:
|
||||
dc=DOMAIN,dc=DOMAIN
|
||||
```
|
||||
|
||||
Once you have the naming context you can make some more exciting queries. This simply query should show you all the objects in the directory:
|
||||
|
||||
```bash
|
||||
>>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
|
||||
True
|
||||
>> connection.entries
|
||||
```
|
||||
|
||||
Or **dump** the whole ldap:
|
||||
|
||||
```bash
|
||||
>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
|
||||
True
|
||||
>>> connection.entries
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
### windapsearch
|
||||
|
||||
[**Windapsearch**](https://github.com/ropnop/windapsearch) **** is a Python script useful to **enumerate users, groups, and computers from a Windows** domain by utilizing LDAP queries.
|
||||
|
||||
```bash
|
||||
# Get computers
|
||||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
|
||||
# Get groups
|
||||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
|
||||
# Get users
|
||||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
|
||||
# Get Domain Admins
|
||||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
|
||||
# Get Privileged Users
|
||||
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users
|
||||
```
|
||||
|
||||
### ldapsearch
|
||||
|
||||
Check null credentials or if your credentials are valid:
|
||||
|
||||
|
|
|
@ -51,9 +51,13 @@ With an anonymous null session you can access the IPC$ share and interact with s
|
|||
|
||||
## What is NTLM
|
||||
|
||||
If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very insteresting this page about [**NTLM** where is explained **how this protocol works and how you can take advantage of it**](../windows-hardening/ntlm/).
|
||||
If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very interesting this page about **NTLM** where is explained **how this protocol works and how you can take advantage of it:**
|
||||
|
||||
## **Enumeration**
|
||||
{% content-ref url="../windows-hardening/ntlm/" %}
|
||||
[ntlm](../windows-hardening/ntlm/)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## **Server Enumeration**
|
||||
|
||||
### **Scan** a network searching for hosts:
|
||||
|
||||
|
@ -104,7 +108,9 @@ searchsploit microsoft smb
|
|||
| backupexec, backup | backupexec, backup, arcada |
|
||||
| test, lab, demo | password, test, lab, demo |
|
||||
|
||||
### Obtain information
|
||||
### SMB Environment Information
|
||||
|
||||
### Obtain Information
|
||||
|
||||
```bash
|
||||
#Dump interesting information
|
||||
|
@ -127,16 +133,27 @@ rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbff
|
|||
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
|
||||
```
|
||||
|
||||
### Enumerate Users
|
||||
### Enumerate Users, Groups & Logged On Users
|
||||
|
||||
```bash
|
||||
# This info should alerady being gathered from enum4linux and enum4linux-ng
|
||||
crackmapexec smb 10.10.10.10 --users
|
||||
crackmapexec smb 10.10.10.10 --users [-u <username> -p <password>]
|
||||
crackmapexec smb 10.10.10.10 --groups [-u <username> -p <password>]
|
||||
crackmapexec smb 10.10.10.10 --groups --loggedon-users [-u <username> -p <password>]
|
||||
|
||||
ldapsearch -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "(&(objectclass=user))" -h 10.10.10.10 | grep -i samaccountname: | cut -f 2 -d " "
|
||||
|
||||
rpcclient -U "" -N 10.10.10.10
|
||||
enumdomusers
|
||||
enumdomgroups
|
||||
|
||||
# Impacket - Enumerate local users
|
||||
lookupsid.py -no-pass hostname.local
|
||||
|
||||
# Metasploit - Enumerate local users
|
||||
use auxiliary/scanner/smb/smb_lookupsid
|
||||
set rhosts hostname.local
|
||||
run
|
||||
```
|
||||
|
||||
### **Enumerating LSARPC and SAMR rpcclient**
|
||||
|
@ -155,6 +172,8 @@ enumdomusers
|
|||
|
||||
`smb://friendzone.htb/general/`
|
||||
|
||||
## Shared Folders Enumeration
|
||||
|
||||
### List shared folders
|
||||
|
||||
It is always recommended to look if you can access to anything, if you don't have credentials try using **null** **credentials/guest user**.
|
||||
|
@ -162,9 +181,12 @@ It is always recommended to look if you can access to anything, if you don't hav
|
|||
```bash
|
||||
smbclient --no-pass -L //<IP> # Null user
|
||||
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
|
||||
|
||||
smbmap -H <IP> [-P <PORT>] #Null user
|
||||
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
|
||||
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
|
||||
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list
|
||||
|
||||
crackmapexec smb <IP> -u '' -p '' --shares #Null user
|
||||
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
|
||||
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user
|
||||
|
@ -269,9 +291,20 @@ Commands:
|
|||
|
||||
(_Information from the manpage of smbclient_)
|
||||
|
||||
### Read Registry
|
||||
### Domain Shared Folders Search
|
||||
|
||||
You may be able to **read the registry** using some discovered credentials. Impacket `reg.py` allows you to try:
|
||||
* [**Snaffler**](https://github.com/SnaffCon/Snaffler)****
|
||||
* Or [**CrackMapExec**](https://wiki.porchetta.industries/smb-protocol/spidering-shares) spider.
|
||||
* `-M spider_plus [--share <share_name>]`
|
||||
* `--pattern txt`
|
||||
|
||||
```bash
|
||||
sudo crackmapexec smb 10.10.10.10 -u username -p pass -M spider_plus --share 'Department Shares'
|
||||
```
|
||||
|
||||
## Read Registry
|
||||
|
||||
You may be able to **read the registry** using some discovered credentials. Impacket **`reg.py`** allows you to try:
|
||||
|
||||
```bash
|
||||
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKU -s
|
||||
|
@ -279,27 +312,7 @@ sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a87
|
|||
sudo reg.py domain.local/USERNAME@MACHINE.htb -hashes 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6 query -keyName HKLM -s
|
||||
```
|
||||
|
||||
### Local users
|
||||
|
||||
Enumerate **local** users with SID brute-forcing:
|
||||
|
||||
With `Impacket`:
|
||||
|
||||
```
|
||||
lookupsid.py -no-pass hostname.local
|
||||
```
|
||||
|
||||
With `Metasploit`:
|
||||
|
||||
```
|
||||
use auxiliary/scanner/smb/smb_lookupsid
|
||||
set rhosts hostname.local
|
||||
run
|
||||
```
|
||||
|
||||
Note: `rpcclient` command `lookupsids` only translates a SID to a username but doesn't allow enumeration via brute-forcing.
|
||||
|
||||
### Post Exploitation
|
||||
## Post Exploitation
|
||||
|
||||
The **default config of** a **Samba** server is usually located in `/etc/samba/smb.conf` and might have some **dangerous configs**:
|
||||
|
||||
|
@ -327,7 +340,7 @@ smbclient --kerberos //ws01win10.domain.com/C$
|
|||
rpcclient -k ws01win10.domain.com
|
||||
```
|
||||
|
||||
## **Execute**
|
||||
## **Execute Commands**
|
||||
|
||||
### **crackmapexec**
|
||||
|
||||
|
|
|
@ -12,6 +12,19 @@
|
|||
|
||||
</details>
|
||||
|
||||
### **What is a RID**
|
||||
|
||||
A [Relative Identifier (RID)](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) is a **unique identifier** (represented in hexadecimal format) utilized by Windows to **track and identify objects**. To explain how this fits in, let's look at the examples below:
|
||||
|
||||
* The [SID](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers) for the NAME\_DOMAIN.LOCAL domain is: `S-1-5-21-1038751438-1834703946-36937684957`.
|
||||
* When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object.
|
||||
* So the domain user `john` with a RID:\[0x457] Hex 0x457 would = decimal `1111`, will have a full user SID of: `S-1-5-21-1038751438-1834703946-36937684957-1111`.
|
||||
* This is unique to the `john` object in the NAME\_DOMAIN.LOCAL domain and you will never see this paired value tied to another object in this domain or any other.
|
||||
|
||||
Definition from [**here**](https://academy.hackthebox.com/module/143/section/1269).
|
||||
|
||||
### **Enumeration with rpcclient**
|
||||
|
||||
**Pat of this section was extracted from book "**_**Network Security Assesment 3rd Edition**_**"**
|
||||
|
||||
You can use the Samba **`rpcclient`** utility to interact with **RPC endpoints via named pipes**. The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon **establishing** a **SMB session** (often requiring credentials).
|
||||
|
|
|
@ -482,7 +482,7 @@ The **security descriptors** are used to **store** the **permissions** an **obje
|
|||
|
||||
### Custom SSP
|
||||
|
||||
[Learn what is a SSP (Security Support Provider) here.](../windows-security-controls/#security-support-provider-interface-sspi)\
|
||||
[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)\
|
||||
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.\\
|
||||
|
||||
{% content-ref url="custom-ssp.md" %}
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
|
||||
## Custom SSP
|
||||
|
||||
[Learn what is a SSP (Security Support Provider) here.](../windows-security-controls/#security-support-provider-interface-sspi)\
|
||||
[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs.md#security-support-provider-interface-sspi)\
|
||||
You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
|
||||
|
||||
#### Mimilib
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
</details>
|
||||
|
||||
![](<../../.gitbook/assets/image (9) (1) (2).png>)
|
||||
![](<../.gitbook/assets/image (9) (1) (2).png>)
|
||||
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
||||
Get Access Today:
|
||||
|
@ -148,8 +148,8 @@ This way requires the **victim user** to be **running** a **process** inside the
|
|||
|
||||
****[**Local Administrator Password Solution (LAPS)**](https://www.microsoft.com/en-us/download/details.aspx?id=46899) allows you to **manage the local Administrator password** (which is **randomised**, unique, and **changed regularly**) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. If your user is given enough permissions you might be able to read the passwords of the local admins.
|
||||
|
||||
{% content-ref url="../active-directory-methodology/laps.md" %}
|
||||
[laps.md](../active-directory-methodology/laps.md)
|
||||
{% content-ref url="active-directory-methodology/laps.md" %}
|
||||
[laps.md](active-directory-methodology/laps.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## PS Constrained Language Mode
|
||||
|
@ -212,13 +212,13 @@ The SSPI will be in charge of finding the adequate protocol for two machines tha
|
|||
|
||||
[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) is a feature that enables a **consent prompt for elevated activities**. 
|
||||
|
||||
{% content-ref url="uac-user-account-control.md" %}
|
||||
[uac-user-account-control.md](uac-user-account-control.md)
|
||||
{% content-ref url="windows-security-controls/uac-user-account-control.md" %}
|
||||
[uac-user-account-control.md](windows-security-controls/uac-user-account-control.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
|
||||
|
||||
![](<../../.gitbook/assets/image (9) (1) (2).png>)
|
||||
![](<../.gitbook/assets/image (9) (1) (2).png>)
|
||||
|
||||
\
|
||||
Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
|
|
@ -44,8 +44,8 @@
|
|||
|
||||
There are different things in Windows that could **prevent you from enumerating the system**, run executables or even **detect your activities**. You should **read** the following **page** and **enumerate** all these **defenses** **mechanisms** before starting the privilege escalation enumeration:
|
||||
|
||||
{% content-ref url="../windows-security-controls/" %}
|
||||
[windows-security-controls](../windows-security-controls/)
|
||||
{% content-ref url="../authentication-credentials-uac-and-efs.md" %}
|
||||
[authentication-credentials-uac-and-efs.md](../authentication-credentials-uac-and-efs.md)
|
||||
{% endcontent-ref %}
|
||||
|
||||
## System Info
|
||||
|
@ -386,7 +386,7 @@ If you **belongs to some privileged group you may be able to escalate privileges
|
|||
|
||||
### Token manipulation
|
||||
|
||||
**Learn more** about what is a **token** in this page: [**Windows Tokens**](../windows-security-controls/#access-tokens).\
|
||||
**Learn more** about what is a **token** in this page: [**Windows Tokens**](../authentication-credentials-uac-and-efs.md#access-tokens).\
|
||||
Check the following page to **learn about interesting tokens** and how to abuse them:
|
||||
|
||||
{% content-ref url="privilege-escalation-abusing-tokens/" %}
|
||||
|
|
|
@ -69,7 +69,7 @@ or using _Process Explorer_ from Sysinternals (select process and access"Securit
|
|||
### Local administrator
|
||||
|
||||
When a local administrator logins, **two access tokens are created**: One with admin rights and other one with normal rights. **By default**, when this user executes a process the one with **regular** (non-administrator) **rights is used**. When this user tries to **execute** anything **as administrator** ("Run as Administrator" for example) the **UAC** will be used to ask for permission.\
|
||||
If you want to [**learn more about the UAC read this page**](../windows-security-controls/#uac)**.**
|
||||
If you want to [**learn more about the UAC read this page**](../authentication-credentials-uac-and-efs.md#uac)**.**
|
||||
|
||||
### Credentials user impersonation
|
||||
|
||||
|
|
|
@ -121,7 +121,7 @@ Other interesting automated tools to discover this vulnerability are **PowerSplo
|
|||
|
||||
### Example
|
||||
|
||||
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../windows-security-controls/#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
|
||||
In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
|
||||
Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**.
|
||||
|
||||
## **Creating and compiling Dlls**
|
||||
|
|
Loading…
Reference in a new issue