DLLHijackTest icon indicating copy to clipboard operation
DLLHijackTest copied to clipboard

verified publisher icon slyd0g

Metadata

DLL and PowerShell script to assist with finding DLL hijacks

DLLHijackTest

Get-PotentialDLLHijack.ps1

Blogpost

  • https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0

Usage

  • Use Procmon to obtain a CSV file of potential DLL hijacks
  • Modify outputFile variable within write.cpp
  • Build the project for the appropriate architecture
  • Open powershell.exe and load Get-PotentialDLLHijack.ps1 into memory
    • . .\Get-PotentialDLLHijack.ps1
  • Run Get-PotentialDLLHijack with the appropriate flags
    • Example:
      • Get-PotentialDLLHijack -CSVPath .\Logfile.CSV -MaliciousDLLPath .\DLLHijackTest.dll -ProcessPath "C:\Users\John\AppData\Local\Programs\Microsoft VS Code\Code.exe"
    • -CSVPath takes in a path to a .csv file exported from Procmon
    • -MaliciousDLLPath takes in a path to your compiled hijack DLL
    • -ProcessPath takes in a path to the executable you want to run
    • -ProcessArguments takes in commandline arguments you want to pass to the executeable
  • View the contents of outputFile for found DLL hijacks
    • Run strings.exe on the outputFile to clean up the output paths
  • Party!!!

Metadata

318
Stars
59
Forks
Watchers

Owner

verified publisher icon slyd0g

Metadata

DLL and PowerShell script to assist with finding DLL hijacks

Back