Jazeredz/DLL-Hijacking-Vulnerability-Scanner
DLL Hijacking Vulnerability Scanner

SearchAvailableExe is a security research tool that identifies and analyzes DLL hijacking opportunities in Windows executables. It walks a directory tree (or every drive), keeps only digitally signed executables, works out which DLLs each one loads, and reports the ones whose missing DLL could be supplied by an attacker. It is intended for security researchers, penetration testers, and system administrators auditing their own machines.

Features

  • Automated Scanning: Recursively scans directories or entire drives for signed executable files
  • DLL Dependency Analysis: Analyzes import tables to identify DLL loading patterns
  • Vulnerability Testing: Tests executables for actual DLL hijacking vulnerabilities
  • Comprehensive Filtering: Advanced filtering options based on various criteria
  • Digital signature verification for legitimate executables
  • Static and dynamic DLL loading detection
  • Write permission analysis for hijacking feasibility
  • System DLL identification and filtering
  • Comprehensive section scanning for dynamic loading patterns
  • GUI/Console application classification

Installation

Prerequisites

  • Windows operating system
  • Visual Studio 2022
  • Administrator privileges (recommended for comprehensive scanning)

Building from Source

  1. Clone or download the repository
  2. Open SearchAvailableExe.sln in Visual Studio
  3. Select your target configuration (Debug/Release, x86/x64)
  4. Build the solution (Ctrl+Shift+B)

Usage

# Scan a specific directory tree
SearchAvailableExe.exe -i "C:\Program Files"

# Scan a directory and write the results to a file
SearchAvailableExe.exe -i "C:\Windows\System32" -o results.txt

# Scan all drives (the default when -i is omitted; requires administrator privileges)
SearchAvailableExe.exe

Command Line Options

| Option | Long Form | Description | Default |
|--------|-----------|-------------|---------|
| -h | --help | Display help message and exit | - |
| -i | --input <path> | Input directory to scan | All drives |
| -o | --output <path> | Output file for results | Console output |
| -w | --write | Only include writable directories | Disabled |
| -c | --count <number> | Maximum DLL count to consider | 1 |
| -b | --bit <arch> | Target architecture (32, 64, or 96 for both) | 96 |
| -s | --save | Save exploitable files to disk | Disabled |
| -l | --load <type> | DLL loading method (1=static, 2=dynamic, 3=both) | 3 |
| -p | --pass | Skip system DLLs in results | Disabled |
| -a | --search <mode> | Enable comprehensive section scanning | Disabled |
| -g | --guiwindow | Only include GUI applications | Disabled |

Advanced Examples

# 64-bit executables whose directory is writable, results to a file
SearchAvailableExe.exe -i "C:\Program Files" -b 64 -w -o x64_results.txt

# Only static (import table) loading, allowing up to two DLLs per executable
SearchAvailableExe.exe -i "C:\Windows" -l 1 -c 2

# Full-drive scan: writable directories, GUI apps only, skip system DLLs,
# comprehensive section scanning, save exploitable files, results to a file
SearchAvailableExe.exe -i "C:\" -w -g -p -a 1 -s -o comprehensive_scan.txt

Output Format

The tool writes a report in the following form (paths and DLL names below are illustrative):

=== DLL Hijacking Vulnerability Scan Results ===
Found 15 exploitable executables:

Exploitable Executable: C:\Program Files\Example\app.exe
Architecture: 64-bit | Writable Directory: Yes | DLL Loading: Static | Subsystem: GUI
Exploitable DLL: example.dll
Additional DLLs required:
  helper.dll
  utility.dll
---------------------------------------------------

Output Fields Explained

  • Exploitable Executable: Full path to the vulnerable executable
  • Architecture: 32-bit or 64-bit executable
  • Writable Directory: Whether the directory has write permissions
  • DLL Loading: Static (import table) or Dynamic (LoadLibrary calls)
  • Subsystem: GUI (windowed) or Console application
  • Exploitable DLL: The DLL that can be hijacked
  • Additional DLLs: Other DLLs that may need to be present

Analysis Process

  1. File Discovery: Recursively scans directories for .exe files
  2. Signature Verification: Validates digital signatures using Windows Crypto API
  3. PE Analysis: Parses Portable Executable headers and import tables
  4. DLL Enumeration: Identifies imported DLLs and dynamic loading patterns
  5. Vulnerability Testing: Creates a test environment and attempts the DLL hijack to confirm the finding
  6. Result Filtering: Applies user-specified filters and criteria

DLL Loading Detection

The tool identifies two types of DLL loading:

Static Loading (Import Table)

  • Analyzes the PE import table for DLL dependencies
  • Checks whether each imported DLL is present in the same directory as the executable
  • Reports missing DLLs that could be hijacked; note that DLLs on the Windows KnownDLLs list are always mapped from System32 regardless of the application directory, so a missing KnownDLL is not a hijack opportunity (use -p to skip system DLLs)
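
The following is an added example of the static check described above (steps 3 to 5 of the analysis process and the import-table bullets), not code from the SearchAvailableExe project. It is pure-stdlib Python so it runs on any platform: `imported_dlls` walks the import directory of a PE32 or PE32+ file, `hijack_candidates` drops names that already exist beside the executable or that Windows pins via KnownDLLs, and `directory_writable` probes write access by actually creating a file. The KnownDLLs subset and `build_sample_pe`, which fabricates a header-only image for testing, are constructed for this example; the function names are assumptions, not the project's API.

```python
"""Import-table walk plus the hijack-candidate filter, in pure stdlib."""
import os
import struct
import tempfile

# Constructed subset of the KnownDLLs list; a real scanner reads the full list
# from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def _rva_to_offset(rva, sections):
    """Translate a relative virtual address to a file offset."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def imported_dlls(data):
    """Return the DLL names listed in the import directory of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+
    if struct.unpack_from("<I", data, dirs - 4)[0] < 2:     # NumberOfRvaAndSizes
        return []
    imp_rva = struct.unpack_from("<I", data, dirs + 8)[0]   # directory entry 1
    if imp_rva == 0:
        return []
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    names, desc = [], _rva_to_offset(imp_rva, sections)
    while True:                                  # IMAGE_IMPORT_DESCRIPTOR, 20 bytes
        name_rva = struct.unpack_from("<I", data, desc + 12)[0]
        if name_rva == 0:                        # all-zero terminator
            return names
        off = _rva_to_offset(name_rva, sections)
        names.append(data[off:data.index(b"\x00", off)].decode("ascii"))
        desc += 20


def hijack_candidates(imports, present, known=KNOWN_DLLS):
    """Imports that are neither beside the exe nor pinned by KnownDLLs.
    Comparison is case-insensitive, as in the loader."""
    present = {p.lower() for p in present}
    return [d for d in imports if d.lower() not in present and d.lower() not in known]


def directory_writable(path):
    """Probe by creating and removing a file. The answer is for the account
    running this code, so run it as the low-privilege user you care about."""
    try:
        with tempfile.NamedTemporaryFile(dir=path):
            return True
    except OSError:
        return False


def scan_exe(path):
    """Static check for one executable on disk."""
    with open(path, "rb") as f:
        imports = imported_dlls(f.read())
    folder = os.path.dirname(os.path.abspath(path))
    return {"exe": path, "writable": directory_writable(folder),
            "candidates": hijack_candidates(imports, os.listdir(folder))}


def build_sample_pe(dll_names, pe32plus=True):
    """Constructed test image: valid headers and an import directory, no code."""
    sec_va, sec_raw = 0x1000, 0x200
    opt_size, magic = (240, 0x20B) if pe32plus else (224, 0x10B)
    blob, rvas = b"", []
    for n in dll_names:                          # names follow the descriptors
        rvas.append(sec_va + 20 * (len(dll_names) + 1) + len(blob))
        blob += n.encode() + b"\x00"
    section = b"".join(struct.pack("<IIIII", 0, 0, 0, r, 0) for r in rvas)
    section += b"\x00" * 20 + blob
    img = bytearray(sec_raw)
    img[:2], img[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)
    img[0x40:0x44] = b"PE\0\0"
    img[0x44:0x58] = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    opt[:2] = struct.pack("<H", magic)
    dirs = 96 if magic == 0x10B else 112
    opt[dirs - 4:dirs] = struct.pack("<I", 16)
    opt[dirs + 8:dirs + 16] = struct.pack("<II", sec_va, 20 * (len(dll_names) + 1))
    img[0x58:0x58 + opt_size] = opt
    sec_hdr = b".idata".ljust(8, b"\x00")
    sec_hdr += struct.pack("<IIII", len(section), sec_va, len(section), sec_raw)
    img[0x58 + opt_size:0x58 + opt_size + 40] = sec_hdr + b"\x00" * 16
    return bytes(img) + section
```

`scan_exe(r"C:\Program Files\Example\app.exe")` returns the candidate list and whether the directory is writable for the calling account. The probe-based writability check is deliberate: it is what the loader's behaviour actually depends on, but it also means a scan run elevated reports almost everything as writable, which is why the writability answer is only meaningful when the scanner runs as the user whose access you are assessing.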

Dynamic Loading (Runtime)

  • Scans executable sections for LoadLibrary calls
  • Searches for DLL name strings in .rdata and .rsrc sections
  • Supports comprehensive section scanning for thorough analysis

Troubleshooting

Common Issues

Access Denied Errors

  • Run as Administrator for system directory scanning
  • Ensure antivirus software isn't blocking the tool

No Results Found

  • Verify target directory contains signed executables
  • Check filtering criteria (architecture, DLL count, etc.)
  • Try scanning with less restrictive filters

Debug Information

For troubleshooting, the tool provides:

  • Progress indicators during scanning
  • Error messages for file access issues
  • Detailed filtering information in verbose mode

Disclaimer

This tool is provided "as is" without warranty of any kind. The authors are not responsible for any damage or legal issues that may arise from the use of this software. Use at your own risk and responsibility.

Version History

Version 2.0 (Current)

  • Complete rewrite with improved code structure
  • Better error handling and user feedback
  • Improved command line interface
  • Comprehensive filtering options

Version 1.0 (Original)

  • Initial release with basic functionality
  • Basic DLL hijacking detection