{"id":23989553,"url":"https://github.com/0xda568/iconjector","last_synced_at":"2025-04-12T09:29:53.590Z","repository":{"id":238771276,"uuid":"797494575","full_name":"0xda568/IconJector","owner":"0xda568","description":"Unorthodox and stealthy way to inject a DLL into the explorer using icons","archived":false,"fork":false,"pushed_at":"2025-02-05T07:09:10.000Z","size":584,"stargazers_count":312,"open_issues_count":2,"forks_count":43,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-03T10:11:20.181Z","etag":null,"topics":["cpp","dll","dll-injection","injection","malware-development","offensive-security","win64","windows","windows-10","windows-11"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xda568.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-08T00:27:40.000Z","updated_at":"2025-04-02T20:26:15.000Z","dependencies_parsed_at":"2024-05-08T02:36:48.443Z","dependency_job_id":"00a22fbc-fab8-4ebc-92e8-c1989de1eae0","html_url":"https://github.com/0xda568/IconJector","commit_stats":null,"previous_names":["0xda568/iconjector"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xda568%2FIconJector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xda568%2FIconJector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xda568%2FIconJector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xda568%2FIconJector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xda568","download_url":"https://codeload.github.com/0xda568/IconJector/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248545855,"owners_count":21122234,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cpp","dll","dll-injection","injection","malware-development","offensive-security","win64","windows","windows-10","windows-11"],"created_at":"2025-01-07T17:21:10.495Z","updated_at":"2025-04-12T09:29:53.567Z","avatar_url":"https://github.com/0xda568.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n    \u003cimg src=\"assets/ficon.png\"\u003e\n\u003c/p\u003e\n\n## IconJector\nThis is a Windows Explorer DLL injection technique that uses the change icon dialog on Windows. \n\nIt can trick users into loading a malicious DLL into their explorer process:\n\nhttps://github.com/0xda568/IconJector/assets/61665703/06428402-764c-4279-b762-1d01082552c8\n\nAdditionally, it can be used to to inject a DLL from another process into the explorer:\n\nhttps://github.com/0xda568/IconJector/assets/61665703/bbf53775-ad8d-422b-b186-663ff5074976\n\n## How does it work?\nBeside containing code, DLLs are also used to store resources like icons. In the demonstration you can see that the default icons are stored in shell32.dll:\n\n![image](https://github.com/user-attachments/assets/4cde2e23-1545-42bd-a120-e5f32e4af1e7)\n\n_Actually, in modern Windows versions, they are stored in [shell32.dll.mui](https://superuser.com/questions/1480268/icons-no-longer-in-imageres-dll-in-windows-10-1903-4kb-file), but it is still displayed as shell32.dll_\n\nFor the explorer process to be able to display all of the icons that are stored in the DLL in the dialog, it needs to load the DLL into memory so that it can be parsed.\n\nFurthermore, DLLs in Windows have the ability do define an optional [DllMain](https://learn.microsoft.com/en-us/windows/win32/dlls/dllmain) function, which is called when the DLL is loaded or unloaded using the LoadLibrary and FreeLibrary functions.\n\n```cpp\nBOOL WINAPI DllMain(\n    HINSTANCE hinstDLL,  // handle to DLL module\n    DWORD fdwReason,     // reason for calling function\n    LPVOID lpvReserved )  // reserved\n{\n    // Perform actions based on the reason for calling.\n    switch( fdwReason ) \n    { \n        case DLL_PROCESS_ATTACH:\n         // Initialize once for each new process.\n         // Return FALSE to fail DLL load.\n            break;\n\n        case DLL_THREAD_ATTACH:\n         // Do thread-specific initialization.\n            break;\n\n        case DLL_THREAD_DETACH:\n         // Do thread-specific cleanup.\n            break;\n\n        case DLL_PROCESS_DETACH:\n        \n            if (lpvReserved != nullptr)\n            {\n                break; // do not do cleanup if process termination scenario\n            }\n            \n         // Perform any necessary cleanup.\n            break;\n    }\n    return TRUE;  // Successful DLL_PROCESS_ATTACH.\n}\n```\n\nThis means that if a DLL with a DllMain functions is loaded by the explorer, the code defined in the DllMain function will execute in the explorer's memory.\n\nAnd this is exactly what is being done here. In addition to that, the DLL is being disguised as an icon:\n\n## The icon\nThe \"icon\" is actually a simple DLL file with an .ico extension that opens the calculator app with an icon resource that was added using the [Resource Hacker](\"https://www.angusj.com/resourcehacker/\"). _(The icon can also be added in Visual Studio)_\n\nThere are some anomalies when it comes to the appearance of the icon in the folder view. I have tested this on two different Windows 10 versions (the newest and an older one) and on Windows 11.\n\n### Windows 10\nOn both of the Widnows 10 versions, the icon stored inside the DLL was not displayed when the extension was changed to .ico\n\n![win10 dll](assets/win10_dll.png)\n\nOn the newest Windows 10 version, however, it did work until I tried to open the \"icon\" inside of the photo app. Since then, I have not been able to recreate it.\n\n![new win10 icon](assets/applied_icon.png)\n\n### Windows 11\nOn Windows 11, the disguised DLL was displayed just like a normal icon in the Explorer view. When it is opened in the photo app, however, an error is displayed.\n\n\nhttps://github.com/0xda568/IconJector/assets/61665703/748c1012-1d2c-47dd-915f-860ffc6d1b05\n\n## Inject a DLL programtically\nBeside tricking a user to load the DLL manually, an attacker also has the option to use this technique to inject a DLL file into the explorer process programtically:\n\nFirstly, a folder is created in the temp directory, and the properties of the folder are opened using SHObjectProperties. To retrieve the handle of the window independently of the system language, EnumWindows is used with a callback function that checks for the distinct folder name in every open window. \n\n![callback function](assets/callback1.png) \n\nThrough the properties page, the change icon dialog is invoked, whose handle is also retrieved with EnumWindows. Lastly, the icon path is changed to a DLL (which has a .ico extension in this case), which causes the explorer to load the DLL after the OK button is pressed.\n\n## Why?\nThis is a very stealthy way to inject a DLL into the Explorer process because it doesn't use the usual DLL-injection API. It does produce two short popups, which aren't too disturbing, however. So it can be used as an AV evasion technique by a threat actor to execute code through the legitimate explorer process or to load a UMD rootkit. \n\nAlso, spreading DLLs masked as .ico files may be an interesting attack vector.\n\n## Tools used\nTo get the right window handles, I used Spy++, which is a tool that gets installed with Visual Studio. \n\n![spy++](assets/spy_pp1.png)\n\n## Credits\nMany thanks to Bill G. from Microsoft for the beautiful folder icon!\n\nThank you, random guy on the internet, for the beautiful injection icon!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xda568%2Ficonjector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xda568%2Ficonjector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xda568%2Ficonjector/lists"}