
DLL Hijacking

Enumerate the non-Windows services to see which ones we are able to start and stop.

Analyze the service executable using Procmon and implement a malicious .dll file:

  • Download the service executable
  • Open Procmon
  • Stop and clear the capture
  • Press Ctrl+L to open the filter dialog, choose "Process Name" from the drop-down menu, enter the process name, then click Add and OK
  • Deselect "Show Registry Activity" and "Show Network Activity"
  • Start the capture
  • Look for DLLs that the process attempts to load but that do not exist. Put a reverse shell .dll in that directory
  • Start the vulnerable service
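
The Procmon filtering step above can be repeated as an audit over a saved capture, so the directories a service probes for missing DLLs can be listed and their permissions reviewed. This is an added example, not part of the original notes; the sample rows, the process names and the `TRUSTED_PREFIXES` list are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from ntpath import basename, dirname  # Windows path rules on any OS

# Constructed sample of a Procmon CSV export; process names and paths are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","examplesvc.exe","4120","CreateFile","C:\Program Files\Example\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","examplesvc.exe","4120","CreateFile","C:\Tools\bin\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","examplesvc.exe","4120","CreateFile","C:\Tools\bin\HELPER.DLL","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4","examplesvc.exe","4120","CreateFile","C:\Windows\System32\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.5","examplesvc.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.6","examplesvc.exe","4120","RegOpenKey","HKLM\Software\Example\plugin.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:03.0","other.exe","5500","CreateFile","C:\Temp\x.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

# Assumption: directories under these prefixes keep their default ACLs
# (not writable by standard users), so probes there are not reported.
TRUSTED_PREFIXES = ("c:\\windows\\",)


def missing_dll_loads(csv_text, process_name):
    """Map directory -> sorted DLL names the process probed for and did not find."""
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"].lower()  # Windows paths are case-insensitive
        if row["Process Name"].lower() != process_name.lower():
            continue
        # Only failed file opens count; registry rows use other operations.
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        if not path.endswith(".dll") or path.startswith(TRUSTED_PREFIXES):
            continue
        findings[dirname(path)].add(basename(path))
    return {d: sorted(names) for d, names in sorted(findings.items())}


if __name__ == "__main__":
    # For a real export, read the file with encoding="utf-8-sig" so a leading
    # byte-order mark, if present, does not corrupt the first column name.
    for directory, names in missing_dll_loads(SAMPLE_CSV, "examplesvc.exe").items():
        print(f'{directory}: {", ".join(names)}  -> review ACL with: icacls "{directory}"')
```

Any reported directory that non-administrative users can write to is the condition the steps above rely on; tightening its ACL or having the service load the DLL by full path removes it.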