Skip to content
/ DLLHijackTest Public

DLL and PowerShell script to assist with finding DLL hijacks

329 stars 62 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

slyd0g/DLLHijackTest

BranchesTags

Repository files navigation

DLLHijackTest

Get-PotentialDLLHijack.ps1

Blogpost

Usage

  • Use Procmon to obtain a CSV file of potential DLL hijacks
  • Modify outputFile variable within write.cpp
  • Build the project for the appropriate architecture
  • Open powershell.exe and load Get-PotentialDLLHijack.ps1 into memory
    • . .\Get-PotentialDLLHijack.ps1
  • Run Get-PotentialDLLHijack with the appropriate flags
    • Example:
      • Get-PotentialDLLHijack -CSVPath .\Logfile.CSV -MaliciousDLLPath .\DLLHijackTest.dll -ProcessPath "C:\Users\John\AppData\Local\Programs\Microsoft VS Code\Code.exe"
    • -CSVPath takes in a path to a .csv file exported from Procmon
    • -MaliciousDLLPath takes in a path to your compiled hijack DLL
    • -ProcessPath takes in a path to the executable you want to run
    • -ProcessArguments takes in commandline arguments you want to pass to the executeable
  • View the contents of outputFile for found DLL hijacks
    • Run strings.exe on the outputFile to clean up the output paths
  • Party!!!

About

DLL and PowerShell script to assist with finding DLL hijacks

Resources

Readme
Activity

Stars

329 stars

Watchers

5 watching

Forks

62 forks
Report repository

Releases 1

Compiled binary Latest
Oct 1, 2020

Packages

No packages published

Languages