From 7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 11:53:29 -0500 Subject: Added documentation for PowerUp --- docs/Privesc/Find-ProcessDLLHijack.md | 127 ++++++++++++++++++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100755 docs/Privesc/Find-ProcessDLLHijack.md (limited to 'docs/Privesc/Find-ProcessDLLHijack.md') diff --git a/docs/Privesc/Find-ProcessDLLHijack.md b/docs/Privesc/Find-ProcessDLLHijack.md new file mode 100755 index 0000000..bbece58 --- /dev/null +++ b/docs/Privesc/Find-ProcessDLLHijack.md @@ -0,0 +1,127 @@ +# Find-ProcessDLLHijack + +## SYNOPSIS +Finds all DLL hijack locations for currently running processes. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Find-ProcessDLLHijack [[-Name] ] [-ExcludeWindows] [-ExcludeProgramFiles] [-ExcludeOwned] +``` + +## DESCRIPTION +Enumerates all currently running processes with Get-Process (or accepts an +input process object from Get-Process) and enumerates the loaded modules for each. +All loaded module name exists outside of the process binary base path, as those +are DLL load-order hijack candidates. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-ProcessDLLHijack +``` + +Finds possible hijackable DLL locations for all processes. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Process VulnProcess | Find-ProcessDLLHijack +``` + +Finds possible hijackable DLL locations for the 'VulnProcess' processes. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles +``` + +Finds possible hijackable DLL locations not in C:\Windows\* and +not in C:\Program Files\* or C:\Program Files (x86)\* + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Find-ProcessDLLHijack -ExcludeOwned +``` + +Finds possible hijackable DLL location for processes not owned by the +current user. + +## PARAMETERS + +### -Name +The name of a process to enumerate for possible DLL path hijack opportunities. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ProcessName + +Required: False +Position: 1 +Default value: $(Get-Process | Select-Object -Expand Name) +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ExcludeWindows +Exclude paths from C:\Windows\* instead of just C:\Windows\System32\* + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeProgramFiles +Exclude paths from C:\Program Files\* and C:\Program Files (x86)\* + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeOwned +Exclude processes the current user owns. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.HijackableDLL.Process + +## NOTES + +## RELATED LINKS + +[https://www.mandiant.com/blog/malware-persistence-windows-registry/](https://www.mandiant.com/blog/malware-persistence-windows-registry/) + -- cgit v1.2.3