@wsummerhill
Last active January 9, 2023 22:48
"""
Create DLL exports in C++ format for DLL proxying to legitimate DLL on disk
Usage:
python3 Find-DLL-Exports_DLL-Proxying.py "C:\path\to\original\location\DLL.dll"
Example:
python3 Find-DLL-Exports_DLL-Proxying.py "C:\Windows\System32\wtsapi32.dll"
Output sample -> Put at the top of your C++ code under the imports to DLL proxy traffic to the target DLL provided from the input
// Export DLL functions
#pragma once
#pragma comment(linker,"/export:IsInteractiveUserSession=C:\\windows\\system32\\wtsapi32.IsInteractiveUserSession,@1")
#pragma comment(linker,"/export:QueryActiveSession=C:\\windows\\system32\\wtsapi32.QueryActiveSession,@2")
#pragma comment(linker,"/export:QueryUserToken=C:\\windows\\system32\\wtsapi32.QueryUserToken,@3")
#pragma ...............
Reference:
- https://unprotect.it/technique/dll-proxying/
- https://cocomelonc.github.io/pentest/2021/10/12/dll-hijacking-2.html
- https://wsummerhill.github.io/redteam/2022/10/02/DLL-sideloading.html
"""
import pefile
import sys
import os.path
if len(sys.argv) < 2:
print("ERROR: Please provide DLL file as input argument")
print(f"Usage: {sys.argv[0]} C:\\path\\to\\DLL-file.dll")
sys.exit()
# Read input DLL argument
inputDll = sys.argv[1]
dll = pefile.PE(inputDll)
# Remove extension from DLL name
dll_basename = inputDll.replace('.dll', '')
exported_functions = []
exported_functions.append("// Export DLL functions")
exported_functions.append("#pragma once")
#print(dll)
dll_basename_format = dll_basename.replace("\\", "\\\\")
for export in dll.DIRECTORY_ENTRY_EXPORT.symbols:
func = export.name.decode('utf-8')
exported_functions.append(f'#pragma comment(linker,"/export:{func}={dll_basename_format}.{func},@{export.ordinal}")')
exported_functions.append("\n")
for item in exported_functions:
print(item)
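Every pragma the script emits becomes a forwarder entry in the proxy DLL's export table: instead of a code RVA, the AddressOfFunctions slot points at an ASCII string "module.Function" inside the export directory, and the Windows loader resolves it at import time. That artifact is what a defender can look for. The script below is an added example and not part of this gist or the referenced write-ups; it parses the export directory of a PE file with only the standard library (no pefile, which exposes the same thing as the `forwarder` attribute of each export) and summarises how much of the export table is forwarded and whether any target is an absolute path, the way the pragma output above produces. The PE image it inspects is constructed in `build_sample_pe()` and is not a real binary; the module and function names in it are taken from the sample output above.

```python
import struct

EXPORT_DIR_SIZE = 40  # sizeof(IMAGE_EXPORT_DIRECTORY)


def build_sample_pe():
    """Constructed sample (not a real binary): a minimal PE32+ DLL whose export
    table has one local export and two forwarded exports, one of them forwarding
    to an absolute path as the pragma output above does."""
    sec_rva, sec_raw = 0x1000, 0x400
    blob = bytearray(EXPORT_DIR_SIZE + 3 * 4 + 3 * 4 + 3 * 2)  # dir, 3 funcs, 3 names, 3 ordinals

    def add_str(s):
        off = len(blob)
        blob.extend(s.encode("ascii") + b"\0")
        return sec_rva + off

    dll_name = add_str("proxy.dll")
    n_is, n_lh, n_qas = (add_str(s) for s in ("IsInteractiveUserSession", "LocalHelper", "QueryActiveSession"))
    fwd_is = add_str("C:\\windows\\system32\\wtsapi32.IsInteractiveUserSession")
    fwd_qas = add_str("wtsapi32.QueryActiveSession")
    struct.pack_into("<IIHHIIIIIII", blob, 0, 0, 0, 0, 0, dll_name, 1, 3, 3,
                     sec_rva + 40, sec_rva + 52, sec_rva + 64)
    struct.pack_into("<III", blob, 40, fwd_is, 0x1234, fwd_qas)  # AddressOfFunctions, ordinals 1..3
    struct.pack_into("<III", blob, 52, n_is, n_lh, n_qas)        # AddressOfNames (sorted)
    struct.pack_into("<HHH", blob, 64, 0, 1, 2)                  # AddressOfNameOrdinals

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)       # AMD64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, len(blob))                 # export data directory
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(blob), sec_rva, 0x200, sec_raw, 0, 0, 0, 0, 0x40000040)
    image = bytearray(sec_raw + 0x200)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    image[:len(hdr)] = hdr
    image[sec_raw:sec_raw + len(blob)] = blob
    return bytes(image)


def list_exports(data):
    """Return [(ordinal, name_or_None, target)] for a PE file's export table.
    target is an int RVA for a local export or "module.Function" for a forwarder."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + (112 if magic == 0x20B else 96))
    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, rawsize), raw))

    def rva2off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    def cstr(rva):
        off = rva2off(rva)
        return data[off:data.index(b"\0", off)].decode("ascii")

    e = rva2off(exp_rva)
    _, base, nfuncs, nnames, af, an, ao = struct.unpack_from("<IIIIIII", data, e + 12)
    names_by_index = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, rva2off(an) + 4 * i)[0]
        idx = struct.unpack_from("<H", data, rva2off(ao) + 2 * i)[0]
        names_by_index[idx] = cstr(name_rva)
    exports = []
    for i in range(nfuncs):
        rva = struct.unpack_from("<I", data, rva2off(af) + 4 * i)[0]
        if rva == 0:
            continue  # unused ordinal slot
        # A function RVA that lands inside the export directory is a forwarder string
        target = cstr(rva) if exp_rva <= rva < exp_rva + exp_size else rva
        exports.append((base + i, names_by_index.get(i), target))
    return exports


def proxy_indicators(data, threshold=0.5):
    """Defender heuristic: None if fewer than `threshold` of the exports are
    forwarded, else a summary of where they forward to."""
    exports = list_exports(data)
    fwd = [t for _, _, t in exports if isinstance(t, str)]
    if not exports or len(fwd) / len(exports) < threshold:
        return None
    modules = {t.rsplit(".", 1)[0] for t in fwd}
    return {
        "forwarded": len(fwd), "total": len(exports),
        "modules": sorted({m.replace("\\", "/").rsplit("/", 1)[-1].lower() for m in modules}),
        "absolute_path_targets": sorted(m for m in modules if "\\" in m or "/" in m),
    }


if __name__ == "__main__":
    for ordinal, name, target in list_exports(build_sample_pe()):
        print(ordinal, name, target if isinstance(target, str) else f"local {target:#x}")
    print(proxy_indicators(build_sample_pe()))
```

The forwarding ratio on its own is not an alert: API set stubs (api-ms-win-*) and kernel32 forwarding into kernelbase are legitimate DLLs made almost entirely of forwarders. The signal worth acting on is a forwarder whose module part is an absolute path (legitimate forwarders name a bare module) or a DLL that forwards wholesale to a system DLL of the same name while sitting in an application directory next to a binary that never shipped it.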