DLL-Search-Order-Hijacking-PoC

Small Proof-of-Concept on the search order hijacking method as referenced from https://attack.mitre.org/techniques/T1574/001/ on the explorer.exe binary that imports functions from dwmapi.dll.

Error Codes

Application could not be started 0xc0000005 which is thrown by ntdll.dll that a specific memory location cannot be accessed. Check for incorrect spelling of exports which results in a successful build but throws an exception when trying to export the function.

Notes

Platforms tested: Windows 7 SP1 x64 build.

win7.h contains exports for dwmapi.dll on windows 7 and framework.h contains exports for the windows 10 but PoC does not yet fully work.

TODO:

Spawn shell from windows 10 target without crashing the system