Find-DLL-Exports_DLL-Proxying.py

"""
Create DLL exports in C++ format for DLL proxying to legitimate DLL on disk
Usage: 
    python3 Find-DLL-Exports_DLL-Proxying.py "C:\path\to\original\location\DLL.dll"
Example: 
    python3 Find-DLL-Exports_DLL-Proxying.py "C:\Windows\System32\wtsapi32.dll"
    
Output sample -> Put at the top of your C++ code under the imports to DLL proxy traffic to the target DLL provided from the input
// Export DLL functions
#pragma once
#pragma comment(linker,"/export:IsInteractiveUserSession=C:\\windows\\system32\\wtsapi32.IsInteractiveUserSession,@1")
#pragma comment(linker,"/export:QueryActiveSession=C:\\windows\\system32\\wtsapi32.QueryActiveSession,@2")
#pragma comment(linker,"/export:QueryUserToken=C:\\windows\\system32\\wtsapi32.QueryUserToken,@3")
#pragma ...............

Reference:
- https://unprotect.it/technique/dll-proxying/
- https://cocomelonc.github.io/pentest/2021/10/12/dll-hijacking-2.html
- https://wsummerhill.github.io/redteam/2022/10/02/DLL-sideloading.html
"""
import pefile
import sys
import os.path

if len(sys.argv) < 2:
    print("ERROR: Please provide DLL file as input argument")
    print(f"Usage: {sys.argv[0]} C:\\path\\to\\DLL-file.dll")
    sys.exit()

# Read input DLL argument
inputDll = sys.argv[1]
dll = pefile.PE(inputDll)

# Remove extension from DLL name
dll_basename = inputDll.replace('.dll', '')

exported_functions = []
exported_functions.append("// Export DLL functions")
exported_functions.append("#pragma once")

#print(dll)
dll_basename_format = dll_basename.replace("\\", "\\\\")

for export in dll.DIRECTORY_ENTRY_EXPORT.symbols:
    func = export.name.decode('utf-8')
    exported_functions.append(f'#pragma comment(linker,"/export:{func}={dll_basename_format}.{func},@{export.ordinal}")')

exported_functions.append("\n")

for item in exported_functions:
    print(item)