Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
PowerSploit/docs/Privesc/Find-ProcessDLLHijack.md

128 lines
2.9 KiB
Markdown
Executable File
Raw Permalink Blame History

# Find-ProcessDLLHijack
## SYNOPSIS
Finds all DLL hijack locations for currently running processes.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
## SYNTAX
```
Find-ProcessDLLHijack [[-Name] <String[]>] [-ExcludeWindows] [-ExcludeProgramFiles] [-ExcludeOwned]
```
## DESCRIPTION
Enumerates all currently running processes with Get-Process (or accepts an
input process object from Get-Process) and enumerates the loaded modules for each.
All loaded module name exists outside of the process binary base path, as those
are DLL load-order hijack candidates.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Find-ProcessDLLHijack
```
Finds possible hijackable DLL locations for all processes.
### -------------------------- EXAMPLE 2 --------------------------
```
Get-Process VulnProcess | Find-ProcessDLLHijack
```
Finds possible hijackable DLL locations for the 'VulnProcess' processes.
### -------------------------- EXAMPLE 3 --------------------------
```
Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles
```
Finds possible hijackable DLL locations not in C:\Windows\* and
not in C:\Program Files\* or C:\Program Files (x86)\*
### -------------------------- EXAMPLE 4 --------------------------
```
Find-ProcessDLLHijack -ExcludeOwned
```
Finds possible hijackable DLL location for processes not owned by the
current user.
## PARAMETERS
### -Name
The name of a process to enumerate for possible DLL path hijack opportunities.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases: ProcessName
Required: False
Position: 1
Default value: $(Get-Process | Select-Object -Expand Name)
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -ExcludeWindows
Exclude paths from C:\Windows\* instead of just C:\Windows\System32\*
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -ExcludeProgramFiles
Exclude paths from C:\Program Files\* and C:\Program Files (x86)\*
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -ExcludeOwned
Exclude processes the current user owns.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerUp.HijackableDLL.Process
## NOTES
## RELATED LINKS
[https://www.mandiant.com/blog/malware-persistence-windows-registry/](https://www.mandiant.com/blog/malware-persistence-windows-registry/)
Reference in New Issue View Git Blame Copy Permalink