Siofra: Exposing DLL hijacking vulnerabilities in Windows

A free research tool - available on GitHub!

Siofra, developed by Forrest Williams, Senior Security Researcher at Cybereason, is a tool designed to identify and exploit DLL hijacking vulnerabilities in Windows programs. 

How Siofra works...

It simulates the Windows loader in order to give visibility into every dependency (and any corresponding hijacking vulnerability) of a PE on disk, or of the image of an active process in memory. Siofra also combines UAC auto-elevation criteria with this dependency analysis to scan automatically for UAC bypass vulnerabilities, and it generates DLLs to exploit such vulnerabilities via PE infection with dynamically generated shellcode.
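To make the "simulate the loader" idea concrete, here is a small search-order model written for this page. It is an added example and not Siofra's code: it assumes the default SafeDllSearchMode order (application directory, System32, System, Windows, current directory, then PATH), a constructed file inventory and KnownDLLs list, a constructed set of standard-user-writable directories, and a caller-supplied `auto_elevate` flag standing in for the manifest/signature/secure-directory checks Siofra performs itself. It ignores manifests, WinSxS redirection, forwarders and delay-loads, which the real tool handles.

```python
"""Windows DLL search-order simulation (added example, not Siofra's own code).

Assumptions (constructed for this example, not from Siofra):
  * SafeDllSearchMode is enabled, the Windows default.
  * FILESYSTEM / KNOWN_DLLS / WRITABLE are a constructed machine snapshot.
  * `auto_elevate` is decided by the caller (manifest autoElevate=true, Microsoft
    signature, secure directory); here it is just a flag.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed snapshot: directory -> DLL/EXE file names present there.
FILESYSTEM = {
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll", "version.dll"},
    r"C:\Windows\System": set(),
    r"C:\Windows": set(),
    r"C:\Windows\System32\wbem": set(),
    r"C:\Program Files\Example": {"example.exe"},
    r"C:\Users\alice\Desktop": set(),
    r"C:\Tools": set(),
}

# Resolved from the \KnownDlls object directory; the on-disk search is never consulted.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "advapi32.dll"}

# Directories a standard user can write to in this constructed snapshot.
WRITABLE = {r"C:\Users\alice\Desktop", r"C:\Tools"}


@dataclass
class Resolution:
    dll: str
    source: str                 # "knowndll", "apiset", "found" or "missing"
    path: Optional[str]         # where the loader would load it from, if found
    plant_dir: Optional[str]    # first writable directory consulted before resolution
    hijackable: bool
    uac_bypass: bool


def search_order(app_dir: str, cwd: str, path_dirs: List[str]) -> List[str]:
    """Default search order with SafeDllSearchMode=1 (CWD after the system dirs)."""
    return [app_dir, r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows", cwd, *path_dirs]


def resolve(dll: str, app_dir: str, cwd: str, path_dirs: List[str], auto_elevate: bool = False) -> Resolution:
    """Walk the search order for one import and classify the hijack opportunity."""
    name = dll.lower()
    if name in KNOWN_DLLS:
        return Resolution(dll, "knowndll", None, None, False, False)
    # API set contracts are resolved through the API set schema, not the filesystem.
    if name.startswith(("api-ms-win-", "ext-ms-win-")):
        return Resolution(dll, "apiset", None, None, False, False)
    plant_dir = None
    for d in search_order(app_dir, cwd, path_dirs):
        # Any writable directory consulted before the DLL is found is a planting spot.
        if plant_dir is None and d in WRITABLE:
            plant_dir = d
        if name in {f.lower() for f in FILESYSTEM.get(d, set())}:
            hijackable = plant_dir is not None
            return Resolution(dll, "found", d + "\\" + dll, plant_dir, hijackable, hijackable and auto_elevate)
    # Not found anywhere: the whole order was walked, so any writable directory in it works.
    hijackable = plant_dir is not None
    return Resolution(dll, "missing", None, plant_dir, hijackable, hijackable and auto_elevate)


def audit(imports: List[str], app_dir: str, cwd: str, path_dirs: List[str], auto_elevate: bool = False) -> List[Resolution]:
    """Resolve every import of a (hypothetical) executable against the constructed snapshot."""
    return [resolve(i, app_dir, cwd, path_dirs, auto_elevate) for i in imports]


if __name__ == "__main__":
    # Constructed import list for the hypothetical example.exe; helper.dll does not exist anywhere.
    imports = ["kernel32.dll", "version.dll", "api-ms-win-core-file-l1-1-0.dll", "helper.dll"]
    path_dirs = [r"C:\Windows\System32\wbem", r"C:\Tools"]
    for r in audit(imports, r"C:\Program Files\Example", r"C:\Users\alice\Desktop", path_dirs, auto_elevate=True):
        print(f"{r.dll:36} {r.source:9} hijackable={r.hijackable!s:5} uac_bypass={r.uac_bypass!s:5} plant_dir={r.plant_dir}")
```

Two things the run shows that the paragraph alone does not: a DLL that really exists in System32 (`version.dll`) is safe while the executable lives in Program Files, but becomes hijackable as soon as the same executable is run from a writable application directory such as `C:\Tools`; and a dependency that is missing everywhere is hijackable from the first writable directory the loader reaches (here the current directory), which is exactly the case that turns an auto-elevating binary into a UAC bypass candidate.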

Get Siofra on GitHub here.

Parts of this tool are open source to help security researchers understand the technical details of the project. Forrest has specifically released the assembler source code for one of the 64-bit implant shellcodes (used for 64-bit PE DLL infection when the "process" payload type is specified).

Details of the tool's other technical aspects, and of the OS internals it relies on (the Windows loader and DLL search order, UAC, WinSxS, etc.), can be found in the RESEARCH PAPER.