Awesome

DLLHijackTest

Blogpost

• https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0

Usage

• Use Procmon to obtain a CSV file of potential DLL hijacks
• Modify outputFile variable within write.cpp
• Build the project for the appropriate architecture
• Open powershell.exe and load Get-PotentialDLLHijack.ps1 into memory
  • . .\Get-PotentialDLLHijack.ps1
• Run Get-PotentialDLLHijack with the appropriate flags
  • Example:
    • Get-PotentialDLLHijack -CSVPath .\Logfile.CSV -MaliciousDLLPath .\DLLHijackTest.dll -ProcessPath "C:\Users\John\AppData\Local\Programs\Microsoft VS Code\Code.exe"
  • -CSVPath takes in a path to a .csv file exported from Procmon
  • -MaliciousDLLPath takes in a path to your compiled hijack DLL
  • -ProcessPath takes in a path to the executable you want to run
  • -ProcessArguments takes in commandline arguments you want to pass to the executeable
• View the contents of outputFile for found DLL hijacks
  • Run strings.exe on the outputFile to clean up the output paths
• Party!!!