diff options
| author | Dave Hull <dave.hull@tanium.com> | 2017-09-08 16:33:11 -0500 |
|---|---|---|
| committer | Dave Hull <dave.hull@tanium.com> | 2017-09-08 16:33:11 -0500 |
| commit | 6eb3c6f281f0812a103283d1da80be14bb04f944 (patch) | |
| tree | cfe2e46596ef251274e954c267c5634d62991da2 /docs/Privesc/Find-ProcessDLLHijack.md | |
| parent | bf652bcd261c2c74445c2aa1b4e283c4bf167109 (diff) | |
| parent | 3d0d32d9ee6af70f0dfd5ecfe809a49a65d6822d (diff) | |
| download | PowerSploit-6eb3c6f281f0812a103283d1da80be14bb04f944.tar.gz PowerSploit-6eb3c6f281f0812a103283d1da80be14bb04f944.zip | |
Merge branch 'dev' of github.com:PowerShellMafia/PowerSploit into dev
Diffstat (limited to 'docs/Privesc/Find-ProcessDLLHijack.md')
| -rwxr-xr-x | docs/Privesc/Find-ProcessDLLHijack.md | 127 |
1 files changed, 127 insertions, 0 deletions
diff --git a/docs/Privesc/Find-ProcessDLLHijack.md b/docs/Privesc/Find-ProcessDLLHijack.md new file mode 100755 index 0000000..bbece58 --- /dev/null +++ b/docs/Privesc/Find-ProcessDLLHijack.md @@ -0,0 +1,127 @@ +# Find-ProcessDLLHijack
+
+## SYNOPSIS
+Finds all DLL hijack locations for currently running processes.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Find-ProcessDLLHijack [[-Name] <String[]>] [-ExcludeWindows] [-ExcludeProgramFiles] [-ExcludeOwned]
+```
+
+## DESCRIPTION
+Enumerates all currently running processes with Get-Process (or accepts an
+input process object from Get-Process) and enumerates the loaded modules for each.
+All loaded module name exists outside of the process binary base path, as those
+are DLL load-order hijack candidates.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-ProcessDLLHijack
+```
+
+Finds possible hijackable DLL locations for all processes.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Process VulnProcess | Find-ProcessDLLHijack
+```
+
+Finds possible hijackable DLL locations for the 'VulnProcess' processes.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles
+```
+
+Finds possible hijackable DLL locations not in C:\Windows\* and
+not in C:\Program Files\* or C:\Program Files (x86)\*
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Find-ProcessDLLHijack -ExcludeOwned
+```
+
+Finds possible hijackable DLL location for processes not owned by the
+current user.
+
+## PARAMETERS
+
+### -Name
+The name of a process to enumerate for possible DLL path hijack opportunities.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ProcessName
+
+Required: False
+Position: 1
+Default value: $(Get-Process | Select-Object -Expand Name)
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ExcludeWindows
+Exclude paths from C:\Windows\* instead of just C:\Windows\System32\*
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeProgramFiles
+Exclude paths from C:\Program Files\* and C:\Program Files (x86)\*
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeOwned
+Exclude processes the current user owns.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.HijackableDLL.Process
+
+## NOTES
+
+## RELATED LINKS
+
+[https://www.mandiant.com/blog/malware-persistence-windows-registry/](https://www.mandiant.com/blog/malware-persistence-windows-registry/)
+
|