- Use Procmon to obtain a CSV file of potential DLL hijacks
- Modify the `outputFile` variable within `write.cpp`
- Build the project for the appropriate architecture
- Open `powershell.exe` and load `Get-PotentialDLLHijack.ps1` into memory
  - `. .\Get-PotentialDLLHijack.ps1`
- Run `Get-PotentialDLLHijack` with the appropriate flags
  - Example:
    - `Get-PotentialDLLHijack -CSVPath .\Logfile.CSV -MaliciousDLLPath .\DLLHijackTest.dll -ProcessPath "C:\Users\John\AppData\Local\Programs\Microsoft VS Code\Code.exe"`
  - `-CSVPath` takes in a path to a .csv file exported from Procmon
  - `-MaliciousDLLPath` takes in a path to your compiled hijack DLL
  - `-ProcessPath` takes in a path to the executable you want to run
  - `-ProcessArguments` takes in command-line arguments you want to pass to the executable
- View the contents of `outputFile` for found DLL hijacks
  - Run `strings.exe` on the `outputFile` to clean up the output paths
- Party!!!
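
To review the Procmon CSV from the first step, the added example below (not part of this project's code) groups failed DLL lookups by directory and marks the directories that sit under protected roots, so the remaining ones can be checked for overly permissive ACLs. It assumes Procmon's default CSV columns and that a missing DLL appears with Result `NAME NOT FOUND`; the function name, sample rows and DLL names are constructed.

```powershell
# Added example: defender-side triage of a Procmon CSV export.
# Assumptions: default Procmon CSV columns; a failed DLL lookup has Result "NAME NOT FOUND".
# The rows below are constructed sample data, not output from a real capture.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0000001","Code.exe","4242","CreateFile","C:\Users\John\AppData\Local\Programs\Microsoft VS Code\example1.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0000002","Code.exe","4242","CreateFile","C:\Windows\System32\example1.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0000003","Code.exe","4242","CreateFile","C:\Users\John\AppData\Local\Programs\Microsoft VS Code\example2.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0000004","Code.exe","4242","CreateFile","C:\Windows\System32\example3.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0000005","Code.exe","4242","RegOpenKey","HKLM\Software\Example","NAME NOT FOUND","Desired Access: Read"
'@

# Hypothetical helper name; summarises missing-DLL lookups per directory.
function Get-MissingDllSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Roots that standard users normally cannot write to
        [string[]] $ProtectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    # Normalise roots to end in a backslash so "C:\Windows2" does not match "C:\Windows"
    $roots = $ProtectedRoots | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    $Events |
        Where-Object { $_.Result -eq 'NAME NOT FOUND' -and $_.Path -like '*.dll' } |
        Group-Object { Split-Path -Path $_.Path -Parent } |
        ForEach-Object {
            $group = $_
            $dir   = $group.Name.TrimEnd('\') + '\'
            $protected = [bool]($roots | Where-Object {
                $dir.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            })
            [pscustomobject]@{
                Directory      = $group.Name
                MissingDlls    = ($group.Group.Path | Split-Path -Leaf | Sort-Object -Unique) -join ', '
                Lookups        = $group.Count
                UnderProtected = $protected
            }
        } | Sort-Object UnderProtected, Directory
}

# For a real export, replace the sample with: Import-Csv .\Logfile.CSV
$events = $sampleCsv | ConvertFrom-Csv
Get-MissingDllSummary -Events $events | Format-Table -AutoSize
```

Directories listed with `UnderProtected` set to `False` are the ones whose write permissions are worth reviewing first, for example with `Get-Acl`.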