DLLHijackTest icon indicating copy to clipboard operation
DLLHijackTest copied to clipboard

Published 20 hours ago verified publisher icon slyd0g

Metadata

DLL and PowerShell script to assist with finding DLL hijacks

DLLHijackTest

Get-PotentialDLLHijack.ps1

Blogpost

  • https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0

Usage

  • Use Procmon to obtain a CSV file of potential DLL hijacks
  • Modify outputFile variable within write.cpp
  • Build the project for the appropriate architecture
  • Open powershell.exe and load Get-PotentialDLLHijack.ps1 into memory
    • . .\Get-PotentialDLLHijack.ps1
  • Run Get-PotentialDLLHijack with the appropriate flags
    • Example:
      • Get-PotentialDLLHijack -CSVPath .\Logfile.CSV -MaliciousDLLPath .\DLLHijackTest.dll -ProcessPath "C:\Users\John\AppData\Local\Programs\Microsoft VS Code\Code.exe"
    • -CSVPath takes in a path to a .csv file exported from Procmon
    • -MaliciousDLLPath takes in a path to your compiled hijack DLL
    • -ProcessPath takes in a path to the executable you want to run
    • -ProcessArguments takes in commandline arguments you want to pass to the executeable
  • View the contents of outputFile for found DLL hijacks
    • Run strings.exe on the outputFile to clean up the output paths
  • Party!!!

Metadata

318
Stars
59
Forks
Watchers

Owner

verified publisher icon slyd0g

Metadata

DLL and PowerShell script to assist with finding DLL hijacks

Back