DLLHSC is an application that automates the scan of a provided executable image, generates leads that can later be assessed manually, and reports potential paths for taking advantage of the DLL search order, with the ultimate goal of loading a payload DLL into the address space of the provided image via search order hijacking.
The tool implements three modes of operation: Lightweight Mode (-l), List Modules Mode (-lm) and Run-Time Mode (-rt). To demonstrate these modes, the legitimate Microsoft utility OleView.exe (MD5: D1E6767900C85535F300E08D76AAC9AB) was scanned.
-l parses the import table of the provided executable, applies filters and attempts to weaponize imported modules by placing a payload DLL in the application's current directory.
-lm launches the provided executable and prints the modules it loads that are neither in the KnownDLLs list nor WinSxS dependencies. This mode is intended to give an idea of which DLLs may be used as a payload, and it exists only to generate leads for the analyst.
-rt prints the modules the provided executable image loads in its address space when launched as a process. This is achieved by hooking the LoadLibrary and LoadLibraryEx APIs via Microsoft Detours.
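The filter that -lm describes, seen from the reviewing side, as an added example (not DLLHSC's own code): it labels a recorded list of module loads so that modules which are neither KnownDLLs nor WinSxS dependencies and did not come from a system directory stand out for verification. The KnownDLLs subset, the image path and the module names are constructed sample values.

```python
import ntpath

# Constructed subset of the names a host lists under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ole32.dll", "advapi32.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _norm(path):
    # ntpath gives Windows path semantics on any OS: lower-case, backslashes.
    return ntpath.normcase(ntpath.normpath(path))


def classify(image_path, module_path, known_dlls=KNOWN_DLLS):
    """Label one module load: known, winsxs, system, app-dir or other."""
    mod = _norm(module_path)
    name, mod_dir = ntpath.basename(mod), ntpath.dirname(mod)
    if name in known_dlls:
        return "known"      # KnownDLLs entry, excluded as in -lm
    if "\\windows\\winsxs\\" in mod:
        return "winsxs"     # side-by-side dependency, excluded as in -lm
    if mod_dir in SYSTEM_DIRS:
        return "system"
    if mod_dir == ntpath.dirname(_norm(image_path)):
        return "app-dir"    # resolved from the executable's own directory
    return "other"


def loads_to_verify(image_path, module_paths):
    """Modules that survive the filter and did not come from a system directory."""
    return [m for m in module_paths
            if classify(image_path, m) in ("app-dir", "other")]


# Constructed sample: hypothetical image and module names, not real tool output.
IMAGE = r"C:\Apps\Viewer\viewer.exe"
LOADS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\WinSxS\x86_constructed-assembly\comctl32.dll",
    r"C:\Windows\System32\samplelib.dll",
    r"C:\Apps\Viewer\helper.dll",
    r"D:\Shared\plugin.dll",
]

if __name__ == "__main__":
    for path in LOADS:
        print(f"{classify(IMAGE, path):8} {path}")
    print("verify:", loads_to_verify(IMAGE, LOADS))
```

On a live host, replace the constructed KNOWN_DLLS set with the values read from the registry key named in the comment.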
You can find the source code of DLLHSC, as well as compiled binaries for the x86 and x64 architectures, on our GitHub page.