HelloYmf/DLLHijacking-Patcher

DLLHijacking-Patcher

A Windows DLL hijacking tool that automatically finds usable CALL sites and redirects them to inject shellcode.

Chinese documentation

Disclaimer: This tool is for security research only. Users assume all legal and related responsibilities arising from the use of this tool. The author assumes no legal responsibility.

Supports x86 and x64. Built on TitanEngine.

Quick Start

Requirements

  • Windows 10/11 (x64)
  • Visual Studio 2017+ with "Desktop development with C++" workload
  • CMake ≥ 3.15

Build

cmake -B build_x64 -A x64
cmake --build build_x64 --config Release

cmake -B build_x86 -A Win32
cmake --build build_x86 --config Release

Output: build_x64\Release\dllhjack_patcher_x64.exe / build_x86\Release\dllhjack_patcher_x86.exe

TitanEngine prebuilt binaries are bundled in deps/. SQLite is fetched automatically on first configure.

Run

Prepare a sample directory containing one EXE and the target DLL, then:

dllhjack_patcher_x64.exe --sam D:\samples\test

Options:

Option                     Description
--sam <dir>                Sample directory (required)
--dll <name>               Target DLL name (if multiple DLLs are present)
--max-points <N>           Limit the number of call-site points to discover (0 = all)
--validate-timeout <sec>   Timeout per validation attempt (default: 5 s)
--shellcode <file>         Binary file to inject

Example:

dllhjack_patcher_x64.exe --sam D:\samples\test --dll test.dll --max-points 1 --shellcode D:\payload.bin

How It Works

  1. Trace — Debugs the target process, traces every DLL instruction, identifies the init phase
  2. Discover — Finds CALL sites after init whose targets fall outside the init region
  3. Calculate — Finds the largest unused (16-byte aligned) region in .text
  4. Validate — For each E8 rel32 CALL: redirects it to the blank region, launches a debug session, confirms both breakpoints fire
  5. Output — On success: saves patched DLL + EXE to outputs/<callerRva>_<foa>_<size>/

The tool also neutralizes .reloc entries that target the blank region, so that the loader's base-relocation fixups (applied whenever ASLR maps the image away from its preferred base) do not modify the bytes placed there.
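A defender's integrity check for the artifact described above, written as an added example and not part of DLLHijacking-Patcher: given a known-good copy of a DLL's .text section, diff the CALL rel32 targets of a suspect copy and flag any call whose new target lands in a region that was padding in the baseline. The section bytes, the RVA base and the helper names are constructed for the demonstration.

```python
import struct

PADDING = {0x00, 0xCC}  # typical .text slack: zero fill or INT3 fill

def call_targets(text: bytes, base_rva: int) -> dict:
    """Map the RVA of every E8 byte to the target RVA its rel32 encodes. A linear
    scan also hits E8 operand bytes; the baseline diff discards those (same decode)."""
    out = {}
    for off in range(len(text) - 4):
        if text[off] == 0xE8:
            rel = struct.unpack_from("<i", text, off + 1)[0]
            out[base_rva + off] = (base_rva + off + 5 + rel) & 0xFFFFFFFF
    return out

def padding_runs(text: bytes, base_rva: int, min_len: int = 16) -> list:
    """Return [(start_rva, end_rva)] of padding runs at least min_len bytes long."""
    runs, start = [], None
    for off, b in enumerate(text + b"\x01"):  # sentinel closes a trailing run
        if b in PADDING:
            start = off if start is None else start
        elif start is not None:
            if off - start >= min_len:
                runs.append((base_rva + start, base_rva + off))
            start = None
    return runs

def find_retargeted_calls(baseline: bytes, suspect: bytes, base_rva: int) -> list:
    """Diff CALL targets; flag calls now pointing into what was padding in the baseline."""
    if len(baseline) != len(suspect):
        raise ValueError("section sizes differ; compare the same build of the DLL")
    caves = padding_runs(baseline, base_rva)
    before, after = call_targets(baseline, base_rva), call_targets(suspect, base_rva)
    findings = []
    for rva, new_t in after.items():
        old_t = before.get(rva)  # None if the E8 byte is new in the suspect copy
        if old_t == new_t:
            continue
        findings.append({"call_rva": rva, "old_target": old_t, "new_target": new_t,
                         "lands_in_cave": any(lo <= new_t < hi for lo, hi in caves)})
    return findings

# Constructed 64-byte .text images (not real DLL bytes) mapped at RVA 0x1000.
BASE = 0x1000
GOOD = (b"\xE8\x1B\x00\x00\x00" + b"\x90" * 27   # call -> 0x1020, then filler
        + b"\xC3" + b"\x90" * 15                 # callee at 0x1020
        + b"\xCC" * 16)                           # INT3 slack at 0x1030-0x103F
BAD = (b"\xE8\x2B\x00\x00\x00" + b"\x90" * 27    # same site, now -> 0x1030
       + b"\xC3" + b"\x90" * 15
       + b"\x90" * 16)                            # slack overwritten (stand-in bytes)
```

Feed it .text bytes and the section RVA taken from a PE parser of the pristine and the suspect file; without a baseline, a disassembler-driven walk is needed to avoid flagging E8 operand bytes.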


Output

Validated results

Saved to <sam_dir>/outputs/<callerRva>_<blankFoa>_<blankSize>/:

  • *.dll — Patched DLL with CALL redirected to blank region (+ shellcode if provided)
  • *.exe — Original EXE copy

SQLite database

File: {exe}_{dll}_{timestamp}.db

Table              Content
dll_instructions   All traced instructions with RVA, order and init flags
points             Call-site points with blank-region info and validation result
exports            DLL export table snapshot
analysis_meta      Metadata (filenames, timestamp, stats)

Validation results: 1 = YES (success), 0 = TIMEOUT, -1 = NO (crash or non-E8 CALL)


License

MIT

About

A lightweight DLL patching framework using auto-detected post-init call-sites and unused .text regions for low-overhead execution redirection.
