{"id":14536,"date":"2021-07-15T14:40:05","date_gmt":"2021-07-15T09:10:05","guid":{"rendered":"https:\/\/kalilinuxtutorials.com\/?p=14536"},"modified":"2021-07-15T14:40:05","modified_gmt":"2021-07-15T09:10:05","slug":"wfh","status":"publish","type":"post","link":"https:\/\/kalilinuxtutorials.com\/wfh\/","title":{"rendered":"WFH : Windows Feature Hunter 2021"},"content":{"rendered":"\n

Windows Feature Hunter (WFH)<\/strong> is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit, to assist in potentially identifying common \u201cvulnerabilities\u201d or \u201cfeatures\u201d within Windows executables. WFH currently has the capability to automatically identify potential Dynamic Linked Library (DLL) sideloading and Component Object Model (COM) hijacking opportunities at scale.<\/p>\n\n\n\n

DLL sideloading utilizes the Windows side-by-side (WinSXS) assembly to load a malicious DLL from the side-by-side (SXS) listing. COM hijacking allows an adversary to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships. WFH will print the potential vulnerabilities and write a CSV file containing the potential vulnerabilities in the target Windows executables.<\/p>\n\n\n\n

Install<\/strong><\/p>\n\n\n\n

pip install -r requirements.txt<\/strong><\/p>\n\n\n\n

Help<\/strong><\/p>\n\n\n\n

PS C:\\Tools\\WFH > python .\\wfh.py -h
usage: wfh.py [-h] -t T [T \u2026] -m {dll,com} [-v] [-timeout TIMEOUT]
Windows Feature Hunter
optional arguments:
-h, –help show this help message and exit
-t T [T \u2026], -targets T [T \u2026]
list of target windows executables
-m {dll,com}, -mode {dll,com}
vulnerabilities to potentially identify
-v, -verbose verbose output from Frida instrumentation
-timeout TIMEOUT timeout value for Frida instrumentation
EXAMPLE USAGE
NOTE: It is recommended to copy target binaries to the same directory as wfh for identifying DLL Sideloading
DLL Sideloading Identification (Single): python wfh.py -t .\\mspaint.exe -m dll
DLL Sideloading Identification (Verbose): python wfh.py -t .\\mspaint.exe -m dll -v
DLL Sideloading Identification (Timeout 30s): python wfh.py -t .\\mspaint.exe -m dll -timeout 30
DLL Sideloading Identification (Wildcard): python wfh.py -t * -m dll
DLL Sideloading Identification (List): python wfh.py -t .\\mspaint.exe .\\charmap.exe -m dll
COM Hijacking Identification (Single): python wfh.py -t “C:\\Program Files\\Internet Explorer\\iexplore.exe” -m com
COM Hijacking Identification (Verbose): python wfh.py -t “C:\\Program Files\\Internet Explorer\\iexplore.exe” -m com -v
COM Hijacking Identification (Timeout 60s): python wfh.py -t “C:\\Program Files\\Internet Explorer\\iexplore.exe” -m com -timeout 60
COM Hijacking Identification (Wildcard): python wfh.py -t * -m com -v
COM Hijacking Identification (List): python wfh.py -t “C:\\Program Files\\Internet Explorer\\iexplore.exe” “C:\\Windows\\System32\\notepad.exe” -m com -v<\/strong><\/p>\n\n\n\n

Usage<\/strong><\/p>\n\n\n\n

DLL Sideloading Identification<\/strong><\/p>\n\n\n\n

First you need to copy the binaries you want to analyze to the same directory as wfh<\/p>\n\n\n\n

PS C:\\Tools\\WFH > copy C:\\Windows\\System32\\mspaint.exe .
PS C:\\Tools\\WFH > copy C:\\Windows\\System32\\charmap.exe .
PS C:\\Tools\\WFH > dir
Directory: C:\\Tools\\WFH
Mode LastWriteTime Length Name
—- ————- —— —-
d—– 5\/14\/2021 2:12 PM .vscode
-a—- 5\/6\/2021 2:39 PM 1928 .gitignore
-a—- 12\/7\/2019 2:09 AM 198656 charmap.exe
-a—- 5\/18\/2021 7:39 AM 6603 loadlibrary.js
-a—- 4\/7\/2021 12:48 PM 988160 mspaint.exe
-a—- 5\/18\/2021 7:53 AM 8705 README.md
-a—- 5\/17\/2021 11:27 AM 5948 registry.js
-a—- 5\/6\/2021 2:41 PM 11 requirements.txt
-a—- 5\/18\/2021 8:35 AM 10623 wfh.py<\/strong><\/p>\n\n\n\n

Now you can run wfh against the binaries to identify dll sideloading opportunities<\/p>\n\n\n\n

PS C:\\Tools\\WFH > python .\\wfh.py -t * -m dll
Running Frida against charmap.exe
[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
[] Writing raw Frida instrumentation to charmap.exe-raw.log [<\/em>] Writing Potential DLL Sideloading to charmap.exe-sideload.log
Running Frida against mspaint.exe
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE
[-] Potential DllExport Sideloading: GetProcAddress,hModule : C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll, LPCSTR: GdiplusStartup
[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
[] Writing raw Frida instrumentation to mspaint.exe-raw.log [<\/em>] Writing Potential DLL Sideloading to mspaint.exe-sideload.log
[*] Writing dll results to dll_results.csv
PS C:\\Tools\\WFH > type .\\dll_results.csv
Executable,WinAPI,DLL,EntryPoint \/ WinAPI Args
charmap.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
charmap.exe,LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
mspaint.exe,LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE
mspaint.exe,GetProcAddress,hModule : C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll, LPCSTR: GdiplusStartup
mspaint.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
mspaint.exe,LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE<\/strong><\/p>\n\n\n\n

If you prefer more verbose output, you can use “-v” to see every message from Frida instrumenting the Windows API calls. You can also view this output in the raw log file.<\/p>\n\n\n\n

PS C:\\Tools\\WFH > python .\\wfh.py -t * -m dll -v
Running Frida against charmap.exe
{‘type’: ‘send’, ‘payload’: ‘LoadLibraryW,LPCWSTR: MSFTEDIT.DLL’}
{‘type’: ‘send’, ‘payload’: ‘LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE’}
[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
[] Writing raw Frida instrumentation to charmap.exe-raw.log [<\/em>] Writing Potential DLL Sideloading to charmap.exe-sideload.log
Running Frida against mspaint.exe
{‘type’: ‘send’, ‘payload’: ‘LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE’}
{‘type’: ‘send’, ‘payload’: ‘GetProcAddress,hModule : C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll, LPCSTR: GdiplusStartup’}
{‘type’: ‘send’, ‘payload’: ‘LoadLibraryW,LPCWSTR: MSFTEDIT.DLL’}
{‘type’: ‘send’, ‘payload’: ‘LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE’}
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE
[-] Potential DllExport Sideloading: GetProcAddress,hModule : C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll, LPCSTR: GdiplusStartup
[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
[] Writing raw Frida instrumentation to mspaint.exe-raw.log [<\/em>] Writing Potential DLL Sideloading to mspaint.exe-sideload.log
[*] Writing dll results to dll_results.csv<\/strong><\/p>\n\n\n\n

COM Hijacking Identification<\/strong><\/p>\n\n\n\n

PS C:\\Tools\\WFH > python .\\wfh.py -t “C:\\Program Files\\Internet Explorer\\iexplore.exe” -m com
Running Frida against C:\\Program Files\\Internet Explorer\\iexplore.exe
[+] Potential COM Hijack: Path : HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32,lpValueName : null,Type : REG_EXPAND_SZ, Value : %SystemRoot%\\system32\\Windows.Storage.dll
[+] Potential COM Hijack: Path : HKEY_CLASSES_ROOT\\CLSID{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\\InProcServer32,lpValueName : null,Type : REG_SZ, Value : C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\90.0.818.62\\BHO\\ie_to_edge_bho_64.dll
[] Writing raw Frida instrumentation to .\\iexplore.exe-raw.log [<\/em>] Writing Potential COM Hijack to .\\iexplore.exe-comhijack.log
[*] Writing dll results to comhijack_results.csv<\/strong><\/p>\n\n\n\n

Use Cases<\/strong><\/p>\n\n\n\n

Native Windows Signed Binaries<\/strong><\/p>\n\n\n\n

Copy all native Windows signed binaries to wfh directory<\/p>\n\n\n\n

Get-ChildItem c:\\ -File | ForEach-Object { if($_ -match ‘.+?exe$’) {Get-AuthenticodeSignature $_.fullname} } | where {$_.IsOSBinary} | ForEach-Object {Copy-Item $_.path . }<\/strong><\/p>\n\n\n\n

Hunt for DLL sideloading opportunities<\/p>\n\n\n\n

python wfh.py -t * -m dll<\/strong><\/p>\n\n\n\n

Hunt for COM hijacking opportunities<\/p>\n\n\n\n

python wfh.py -t * -m com<\/strong><\/p>\n\n\n\n

\n
Download<\/strong><\/a><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit, to assist in potentially identifying common \u201cvulnerabilities\u201d or \u201cfeatures\u201d within Windows executables. WFH currently has the capability to automatically identify potential Dynamic Linked Library (DLL) sideloading and Component Object Model (COM) hijacking opportunities at scale. DLL sideloading utilizes […]<\/p>\n","protected":false},"author":4,"featured_media":16956,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png","fifu_image_alt":"WFH : Windows Feature Hunter","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[28],"tags":[3670,3723],"class_list":["post-14536","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kali","tag-wfh","tag-windows-feature-hunter"],"yoast_head":"\nWFH : Windows Feature Hunter !!! Kali Linux Tutorials<\/title>\n<meta name=\"description\" content=\"Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/kalilinuxtutorials.com\/wfh\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WFH : Windows Feature Hunter !!! Kali Linux Tutorials\" \/>\n<meta property=\"og:description\" content=\"Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/kalilinuxtutorials.com\/wfh\/\" \/>\n<meta property=\"og:site_name\" content=\"Kali Linux Tutorials\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-15T09:10:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png\" \/>\n<meta name=\"author\" content=\"R K\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png\" \/>\n<meta name=\"twitter:creator\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:site\" content=\"@CyberEdition\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"R K\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/wfh\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/wfh\/\"},\"author\":{\"name\":\"R K\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\"},\"headline\":\"WFH : Windows Feature Hunter 2021\",\"datePublished\":\"2021-07-15T09:10:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/wfh\/\"},\"wordCount\":1041,\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/wfh\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png\",\"keywords\":[\"WFH\",\"Windows Feature Hunter\"],\"articleSection\":[\"Kali Linux\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/wfh\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wfh\/\",\"name\":\"WFH : Windows Feature Hunter !!! Kali Linux Tutorials\",\"isPartOf\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/wfh\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/wfh\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png\",\"datePublished\":\"2021-07-15T09:10:05+00:00\",\"description\":\"Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit.\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/kalilinuxtutorials.com\/wfh\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/wfh\/#primaryimage\",\"url\":\"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png\",\"contentUrl\":\"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#website\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"name\":\"Kali Linux Tutorials\",\"description\":\"Kali Linux Tutorials\",\"publisher\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#organization\",\"name\":\"Kali Linux Tutorials\",\"url\":\"https:\/\/kalilinuxtutorials.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"contentUrl\":\"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png\",\"width\":272,\"height\":90,\"caption\":\"Kali Linux Tutorials\"},\"image\":{\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/CyberEdition\",\"https:\/\/www.threads.com\/@cybersecurityedition\",\"https:\/\/www.linkedin.com\/company\/cyberedition\",\"https:\/\/www.instagram.com\/cybersecurityedition\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad\",\"name\":\"R K\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g\",\"caption\":\"R K\"},\"url\":\"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"WFH : Windows Feature Hunter !!! Kali Linux Tutorials","description":"Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/kalilinuxtutorials.com\/wfh\/","og_locale":"en_US","og_type":"article","og_title":"WFH : Windows Feature Hunter !!! Kali Linux Tutorials","og_description":"Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit.","og_url":"https:\/\/kalilinuxtutorials.com\/wfh\/","og_site_name":"Kali Linux Tutorials","article_published_time":"2021-07-15T09:10:05+00:00","og_image":[{"url":"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png","type":"","width":"","height":""}],"author":"R K","twitter_card":"summary_large_image","twitter_image":"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png","twitter_creator":"@CyberEdition","twitter_site":"@CyberEdition","twitter_misc":{"Written by":"R K","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/kalilinuxtutorials.com\/wfh\/#article","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/wfh\/"},"author":{"name":"R K","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad"},"headline":"WFH : Windows Feature Hunter 2021","datePublished":"2021-07-15T09:10:05+00:00","mainEntityOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/wfh\/"},"wordCount":1041,"publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/wfh\/#primaryimage"},"thumbnailUrl":"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png","keywords":["WFH","Windows Feature Hunter"],"articleSection":["Kali Linux"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/kalilinuxtutorials.com\/wfh\/","url":"https:\/\/kalilinuxtutorials.com\/wfh\/","name":"WFH : Windows Feature Hunter !!! Kali Linux Tutorials","isPartOf":{"@id":"https:\/\/kalilinuxtutorials.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/kalilinuxtutorials.com\/wfh\/#primaryimage"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/wfh\/#primaryimage"},"thumbnailUrl":"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png","datePublished":"2021-07-15T09:10:05+00:00","description":"Windows Feature Hunter (WFH) is a proof of concept python script that uses Frida, a dynamic instrumentation toolkit.","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/kalilinuxtutorials.com\/wfh\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/wfh\/#primaryimage","url":"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png","contentUrl":"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png"},{"@type":"WebSite","@id":"https:\/\/kalilinuxtutorials.com\/#website","url":"https:\/\/kalilinuxtutorials.com\/","name":"Kali Linux Tutorials","description":"Kali Linux Tutorials","publisher":{"@id":"https:\/\/kalilinuxtutorials.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/kalilinuxtutorials.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/kalilinuxtutorials.com\/#organization","name":"Kali Linux Tutorials","url":"https:\/\/kalilinuxtutorials.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/","url":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","contentUrl":"https:\/\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/07\/Kali.png","width":272,"height":90,"caption":"Kali Linux Tutorials"},"image":{"@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/CyberEdition","https:\/\/www.threads.com\/@cybersecurityedition","https:\/\/www.linkedin.com\/company\/cyberedition","https:\/\/www.instagram.com\/cybersecurityedition\/"]},{"@type":"Person","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/69444b58b9e267a4cf08fceb34b6f6ad","name":"R K","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/kalilinuxtutorials.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d3937c9687f2da11bc0a716404ff91779fe19ca115208dbf66167ad353aca5aa?s=96&d=mm&r=g","caption":"R K"},"url":"https:\/\/kalilinuxtutorials.com\/author\/ranjith\/"}]}},"jetpack_featured_media_url":"https:\/\/1.bp.blogspot.com\/-zfF6tM6xLU8\/YOppZZGVGOI\/AAAAAAAAJ80\/bozMEwh1wvsIoviqbe_cffW6cds0jusHgCLcBGAsYHQ\/s1035\/7_Qdndix2CQKI-C1oV5ASBUY6T8P5E9X2BofAUScOls.png","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":32300,"url":"https:\/\/kalilinuxtutorials.com\/winsos\/","url_meta":{"origin":14536,"position":0},"title":"WinSOS – Harnessing Trusted Binaries For Stealthy DLL Hijacking","author":"Varshini","date":"March 13, 2024","format":false,"excerpt":"WinSOS represents a sophisticated technique that turns the Windows operating system's own features against it. By manipulating executables in the WinSxS folder, a component trusted by Windows, attackers can discreetly execute malicious code. This method, building on DLL Search Order Hijacking, does not require elevated privileges, making it a stealthy\u2026","rel":"","context":"In "Cyber security"","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj9ngXdkGmuzp5zC0ZU9-P7fFURVThKGqurC5tVB7QZf4_Nd4GLXx8ML_SI6iSvZn3QjXeKHUnexNsat58aK582ir8FPBVZH-xfyypkjlKXZnPfS5XpFXfQGpBQvkD_lmJd-ZYtzpHn0zz9yknVs5pujI1WWgevBfegLOCZD31q_twF10nZGfhMKX2KG1Qv\/s16000\/Hackers%20Abuse%20Dropbox%20%281%29.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj9ngXdkGmuzp5zC0ZU9-P7fFURVThKGqurC5tVB7QZf4_Nd4GLXx8ML_SI6iSvZn3QjXeKHUnexNsat58aK582ir8FPBVZH-xfyypkjlKXZnPfS5XpFXfQGpBQvkD_lmJd-ZYtzpHn0zz9yknVs5pujI1WWgevBfegLOCZD31q_twF10nZGfhMKX2KG1Qv\/s16000\/Hackers%20Abuse%20Dropbox%20%281%29.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj9ngXdkGmuzp5zC0ZU9-P7fFURVThKGqurC5tVB7QZf4_Nd4GLXx8ML_SI6iSvZn3QjXeKHUnexNsat58aK582ir8FPBVZH-xfyypkjlKXZnPfS5XpFXfQGpBQvkD_lmJd-ZYtzpHn0zz9yknVs5pujI1WWgevBfegLOCZD31q_twF10nZGfhMKX2KG1Qv\/s16000\/Hackers%20Abuse%20Dropbox%20%281%29.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj9ngXdkGmuzp5zC0ZU9-P7fFURVThKGqurC5tVB7QZf4_Nd4GLXx8ML_SI6iSvZn3QjXeKHUnexNsat58aK582ir8FPBVZH-xfyypkjlKXZnPfS5XpFXfQGpBQvkD_lmJd-ZYtzpHn0zz9yknVs5pujI1WWgevBfegLOCZD31q_twF10nZGfhMKX2KG1Qv\/s16000\/Hackers%20Abuse%20Dropbox%20%281%29.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj9ngXdkGmuzp5zC0ZU9-P7fFURVThKGqurC5tVB7QZf4_Nd4GLXx8ML_SI6iSvZn3QjXeKHUnexNsat58aK582ir8FPBVZH-xfyypkjlKXZnPfS5XpFXfQGpBQvkD_lmJd-ZYtzpHn0zz9yknVs5pujI1WWgevBfegLOCZD31q_twF10nZGfhMKX2KG1Qv\/s16000\/Hackers%20Abuse%20Dropbox%20%281%29.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj9ngXdkGmuzp5zC0ZU9-P7fFURVThKGqurC5tVB7QZf4_Nd4GLXx8ML_SI6iSvZn3QjXeKHUnexNsat58aK582ir8FPBVZH-xfyypkjlKXZnPfS5XpFXfQGpBQvkD_lmJd-ZYtzpHn0zz9yknVs5pujI1WWgevBfegLOCZD31q_twF10nZGfhMKX2KG1Qv\/s16000\/Hackers%20Abuse%20Dropbox%20%281%29.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":3199,"url":"https:\/\/kalilinuxtutorials.com\/robber-dll-hijacking\/","url_meta":{"origin":14536,"position":1},"title":"Robber : Tool For Finding Executables Prone To DLL Hijacking","author":"R K","date":"November 13, 2018","format":false,"excerpt":"Robber is a free open source tool developed using Delphi XE2 without any 3rd party dependencies. So What Is DLL Hijacking? Windows has a search path for DLLs in its underlying architecture. If you can figure out what DLLs an executable requests without an absolute path (triggering this search process),\u2026","rel":"","context":"In "Kali Linux"","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2018\/04\/button_download.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":36671,"url":"https:\/\/kalilinuxtutorials.com\/cve-2025-21420-proof-of-concept\/","url_meta":{"origin":14536,"position":2},"title":"CVE-2025-21420 Proof-of-Concept : Elevation Of Privilege via Disk Cleanup Tool","author":"Varshini","date":"February 24, 2025","format":false,"excerpt":"CVE-2025-21420 is a recently disclosed vulnerability in the Windows Disk Cleanup Tool (cleanmgr.exe) that allows attackers to escalate privileges to SYSTEM level through DLL sideloading. The vulnerability, patched in February 2025, has a CVSS score of 7.8, indicating a high severity level. Exploit Mechanism The exploit leverages DLL sideloading, a\u2026","rel":"","context":"In "Cyber security"","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/CVE-2025-21420-PoC.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/CVE-2025-21420-PoC.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/CVE-2025-21420-PoC.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/CVE-2025-21420-PoC.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/CVE-2025-21420-PoC.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/kalilinuxtutorials.com\/wp-content\/uploads\/2025\/02\/CVE-2025-21420-PoC.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":10883,"url":"https:\/\/kalilinuxtutorials.com\/evildll\/","url_meta":{"origin":14536,"position":3},"title":"EvilDLL – Malicious DLL (Reverse Shell) Generator For DLL Hijacking","author":"R K","date":"July 8, 2020","format":false,"excerpt":"EvilDLL is a malicious DLL (Reverse Shell) generator for DLL hijacking. Features Reverse TCP Port Forwarding using Ngrok.ioCustom Port Forwarding option (LHOST,LPORT)Example of DLL Hijacking included (Half-Life Launcher file)Tested on Win7 (7601), Windows 10 Requirements Mingw-w64 compiler: apt-get install mingw-w64Ngrok Authtoken (for TCP Tunneling): Sign up at: https:\/\/ngrok.com\/signupYour auth token\u2026","rel":"","context":"In "Kali Linux"","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":11138,"url":"https:\/\/kalilinuxtutorials.com\/trustjack-yet-another-poc-for-hijacking-dlls-in-windows\/","url_meta":{"origin":14536,"position":4},"title":"TrustJack : Yet Another PoC For Hijacking DLLs in Windows","author":"R K","date":"August 5, 2020","format":false,"excerpt":"TrustJack is a tool for yet another PoC For hijacking DLLs in windows. To be used with a cmd that does whatever the F you want, for a dll that pops cmd, https:\/\/github.com\/jfmaes\/CMDLL. check the list in wietze's site to check how you should call your dll. will automatically create\u2026","rel":"","context":"In "Kali Linux"","block_context":{"text":"Kali Linux","link":"https:\/\/kalilinuxtutorials.com\/category\/kali\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":30826,"url":"https:\/\/kalilinuxtutorials.com\/latloader\/","url_meta":{"origin":14536,"position":5},"title":"LatLoader – Evading Elastic EDR In Lateral Movement","author":"Varshini","date":"October 13, 2023","format":false,"excerpt":"LatLoader is a PoC module to demonstrate automated lateral movement with the Havoc C2 framework. The main purpose of this project is to help others learn BOF and Havoc module development. This project can also help others understand basic EDR rule evasions, particularly when performing lateral movement. The\u00a0sideload\u00a0subcommand is the\u2026","rel":"","context":"In "Cyber security"","block_context":{"text":"Cyber security","link":"https:\/\/kalilinuxtutorials.com\/category\/cyber-security\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmfAlWQ_O-lIPkLb335gVQYf8yrNUVmuNxcvJUl0XeIbUMDRcZGdgPUBD3INJEvIgDAFnt60oyoPxC8VZfakk2Phs0VIJwawHwQuCDSKQPIlneZyOTkEfjq4_z6qYMxmS4BQcF8pc-WWfOWGYqXO5BTkAVkRptZVeTM-HqLInLRwGZjWaEtg4hhnZpiw\/s16000\/LatLoader.webp?resize=1400%2C800&ssl=1 4x"},"classes":[]}],"_links":{"self":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/14536","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/comments?post=14536"}],"version-history":[{"count":0,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/posts\/14536\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media\/16956"}],"wp:attachment":[{"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/media?parent=14536"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/categories?post=14536"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kalilinuxtutorials.com\/wp-json\/wp\/v2\/tags?post=14536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}