github.com/MojtabaTajik/Robber

Robber is an open source tool for finding executables prone to DLL hijacking

Contributors: 4

Lines of Code: 182

From: 2015-11-16

To: 2022-06-23

About MojtabaTajik/Robber

Robber is a security scanner written in Delphi that identifies Windows executables vulnerable to DLL hijacking attacks. The tool analyzes an executable's import table and the directory structure where Windows searches for DLLs, flagging cases where an attacker could place a malicious DLL in a writable directory earlier in the search chain to intercept legitimate library loads.

The application offers both a graphical interface and a command-line tool. The GUI lets users scan directory trees and browse results in an expandable tree view showing which DLLs are hijackable for each executable, their exported methods, and a detailed search path with write permissions for each directory. Results are color-coded by risk level, based on the complexity of creating a proxy DLL: green for easy targets with few imports, yellow for moderate complexity, and red for executables with many imports or large binaries. Users can filter by architecture, code signing status, severity, and directory writability before exporting findings as JSON or CSV.

Notable features include automatic exclusion of system DLLs to avoid false positives, scanning of both standard and delayed imports, detection of elevation requirements (which amplify the risk since hijacking an elevated process becomes privilege escalation), and visualization of the exact Windows search order with per-directory write permissions. The tool has no external dependencies and builds directly in Delphi XE2 or later.
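
The search-order check described above can be modelled as a short audit routine. This is an added example, not code from Robber: the names (SearchDir, find_hijackable, SYSTEM_DLLS), the sample directories, and the search order are constructed, and the search order is passed in as input, not taken from Windows.

```python
# Added example with constructed data and hypothetical names; not Robber's code.
from dataclasses import dataclass, field

# Assumption: a small stand-in for the system DLLs a scanner would exclude.
SYSTEM_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll"}

@dataclass
class SearchDir:
    path: str
    writable: bool                       # can the current user create files here?
    files: set = field(default_factory=set)

def find_hijackable(imports, search_order, elevated=False):
    """Flag imports that a writable directory earlier in the chain could pre-empt."""
    findings = []
    for dll in imports:
        name = dll.lower()               # DLL names are compared case-insensitively
        if name in SYSTEM_DLLS:
            continue                     # excluded to avoid false positives
        writable_before, resolved = [], None
        for d in search_order:           # walk directories in search order
            if name in {f.lower() for f in d.files}:
                resolved = d.path        # the legitimate copy is loaded from here
                break
            if d.writable:
                writable_before.append(d.path)
        # A DLL that resolves nowhere is exposed to every writable directory.
        if writable_before:
            findings.append({"dll": name, "resolved_in": resolved,
                             "writable_before": writable_before,
                             "privilege_escalation": elevated})
    return findings

# Constructed sample: application directory, a shared vendor directory, a PATH entry.
SAMPLE_ORDER = [
    SearchDir(r"C:\Apps\Demo", writable=True, files={"demo.exe", "helper.dll"}),
    SearchDir(r"C:\Shared\Vendor", writable=False, files={"vendorlib.dll"}),
    SearchDir(r"C:\Tools\bin", writable=True),
]
SAMPLE_IMPORTS = ["KERNEL32.dll", "helper.dll", "VendorLib.dll", "missing.dll"]

if __name__ == "__main__":
    for finding in find_hijackable(SAMPLE_IMPORTS, SAMPLE_ORDER, elevated=True):
        print(finding)
```
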
