
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What the post proves (dated October 28, 2025): Windows Narrator.exe still performs a predictable localization DLL load that can be hijacked for arbitrary code execution and persistence. Using Procmon, the author observed Narrator probing a OneCore TTS localization DLL and confirmed that a planted DLL is loaded and its DllMain(DLL_PROCESS_ATTACH) executes without requiring any exports.

Discovery with Process Monitor (Procmon): Filter on

🔧 Technical Details

Narrator DLL search-order hijack: Abuse Narrator’s localization probe by placing a malicious DLL at %windir%\System32\speech_onecore\engines\tts\msttsloc_onecoreenus.dll. On Narrator start, Windows loads the DLL and executes DllMain(DLL_PROCESS_ATTACH) even without exports, granting immediate code execution.

Silencing the assistive tech: To avoid OPSEC noise, enumerate Narrator threads at attach time and suspend the primary UI/voice thread (OpenThread + SuspendThread). Continue payload execution in your own thread so no speech/highlighting occurs.

Persistence via Accessibility configuration: Set REG_SZ configuration under HKCU/HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility to an AT name (e.g., Narrator). HKCU yields user persistence at logon; HKLM launches the AT at the logon screen as SYSTEM.

🤖 Agent Actions

I explored the repository and found no existing page dedicated to Windows Accessibility/Narrator persistence, but there is an appropriate, existing page for DLL search-order hijacking: src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md. The blog’s technique is fundamentally a deterministic DLL hijack of Narrator’s OneCore TTS localization probe, with persistence and RDP-trigger angles, so I added a concise, highly technical case-study section there.

What I updated

  • File modified: src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
  • Added a new section: “Case Study: Narrator OneCore TTS Localization DLL Hijack (Accessibility/ATs)”
    • Details the OneCore DLL path that Narrator probes:
      • Current: %windir%\System32\speech_onecore\engines\tts\msttsloc_onecoreenus.dll
      • Legacy note: %windir%\System32\speech\engine\tts\msttslocenus.dll
    • Notes that no exports are needed; DllMain(DLL_PROCESS_ATTACH) is sufficient.
    • Procmon discovery filters (Narrator.exe + Load Image/CreateFile).
    • Minimal DllMain example snippet.
    • OPSEC technique to silence Narrator by suspending its main thread (with PoC reference).
    • Persistence and trigger via Accessibility configuration registry:
      • HKCU/HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ configuration="Narrator"
    • RDP-triggered SYSTEM execution:
      • HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer=0 and hotkey CTRL+WIN+ENTER at logon screen.
    • BYOA note: creating a custom AT and pointing configuration to it.
    • Notes/constraints (admin rights to write under System32, migrate/inject upon RDP trigger).
  • Updated the References section at the end of the file with:
    • TrustedSec blog post
    • PoC repository (api0cradle/Narrator-dll)
    • Sysinternals Procmon page

Why this location

  • The technique is a DLL hijack of a predictable Narrator localization DLL load. The DLL hijacking page is the best fit and already hosts similar case studies, so no new page was necessary.
  • The persistence and RDP-trigger details are integral operational steps for this hijack and were included succinctly to keep everything in one place per project guidelines.

No other files were modified or created.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
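From a defender's side, the indicators the bot summarizes above (Narrator.exe loading a non-Microsoft DLL from the OneCore TTS localization path, the Accessibility `configuration` value being set, and RDP `SecurityLayer` being set to 0) map directly onto image-load and registry-set telemetry. The following is an added example, not code from the HackTricks PR, the TrustedSec post or the api0cradle PoC: a small detector over Sysmon-style events (Event ID 7 Image Loaded, Event ID 13 Registry value set). The field names are the ones Sysmon emits (`Image`, `ImageLoaded`, `Signed`, `Signature`, `TargetObject`, `Details`), but the sample records are constructed for illustration and the severity labels are an assumption of this example.

```python
import re

# Indicators taken from the PR summary above. Matching is case-insensitive
# because Windows paths and registry keys are.
NARRATOR_IMAGE = r"c:\windows\system32\narrator.exe"
TTS_LOC_DLLS = {
    # current OneCore path probed by Narrator
    r"c:\windows\system32\speech_onecore\engines\tts\msttsloc_onecoreenus.dll",
    # legacy path mentioned in the PR
    r"c:\windows\system32\speech\engine\tts\msttslocenus.dll",
}
ACCESSIBILITY_CONFIG_RE = re.compile(
    r"\\software\\microsoft\\windows nt\\currentversion\\accessibility\\configuration$",
    re.IGNORECASE,
)
SECURITY_LAYER_RE = re.compile(
    r"\\terminal server\\winstations\\rdp-tcp\\securitylayer$", re.IGNORECASE
)


def check_event(ev):
    """Return a list of (severity, message) findings for one Sysmon-style event dict."""
    findings = []
    eid = ev.get("EventID")

    if eid == 7:  # Image Loaded
        image = ev.get("Image", "").lower()
        loaded = ev.get("ImageLoaded", "").lower()
        if image == NARRATOR_IMAGE and loaded in TTS_LOC_DLLS:
            # A planted DLL at the probed path will not carry a Microsoft signature.
            ms_signed = (
                ev.get("Signed", "false").lower() == "true"
                and ev.get("Signature", "") == "Microsoft Windows"
            )
            if not ms_signed:
                findings.append(
                    ("high", "Narrator.exe loaded a non-Microsoft TTS localization DLL: "
                             + ev.get("ImageLoaded", ""))
                )

    elif eid == 13:  # Registry value set
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if ACCESSIBILITY_CONFIG_RE.search(target):
            # HKLM launches the named AT at the logon screen as SYSTEM (PR text);
            # HKCU/HKU only at user logon, so treat HKLM as the more severe case.
            is_hklm = target.upper().startswith("HKLM")
            scope = "HKLM (logon screen, SYSTEM)" if is_hklm else "user hive (user logon)"
            findings.append(
                ("high" if is_hklm else "medium",
                 "Accessibility 'configuration' set to %r under %s" % (details, scope))
            )
        if SECURITY_LAYER_RE.search(target) and details.strip().upper() in (
            "0", "DWORD (0X00000000)"
        ):
            findings.append(
                ("medium", "RDP-Tcp SecurityLayer set to 0 (weakens RDP security layer; "
                           "enables the logon-screen AT hotkey trigger described in the PR)")
            )
    return findings


def scan(events):
    """Run check_event over a sequence of events and collect all findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\Narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},            # benign
    {"EventID": 7, "Image": r"C:\Windows\System32\Narrator.exe",
     "ImageLoaded": r"C:\Windows\System32\speech_onecore\engines\tts\msttsloc_onecoreenus.dll",
     "Signed": "false", "Signature": ""},                             # planted DLL
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\configuration",
     "Details": "Narrator"},                                          # persistence
    {"EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer",
     "Details": "DWORD (0x00000000)"},                                # RDP trigger
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Example\Run",
     "Details": "x"},                                                 # unrelated
]

if __name__ == "__main__":
    for severity, message in scan(SAMPLE_EVENTS):
        print("[%s] %s" % (severity, message))
```

Running the block prints three findings for the constructed sample (the unsigned DLL load, the HKLM Accessibility value, and the SecurityLayer change) and nothing for the benign records. In a real deployment the same conditions translate into a SIEM rule; the signature check matters because Narrator probing the path is expected, so the load itself is only interesting when the file is not Microsoft-signed.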

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://trustedsec.com/blog/hack-cessibility-when-dll-hijacks-meet-windows-helpers

Content Categories: Based on the analysis, this content was categorized under "Windows > Persistence > Accessibility Features (Narrator/ATs) and/or Windows > DLL Hijacking (Narrator OneCore TTS localization DLL hijack)".

Repository Maintenance:

  • MD Files Formatting: 906 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
