Due to an overwhelming amount of interest in the initial DLLHijackAuditKit released on Monday, I rewrote the tool to use native JScript, automatically kill spawned processes, reduce the memory usage by ProcMon, and automatically validate every result from the CSV log. The result is DLLHijackAuditKit v2. This kit greatly speeds up the identification process for vulnerable applications. An extremely simple HOWTO:

1. Download the DLLHijackAuditKit v2 and extract it into a local directory on the system you would like to test.

2. Browse to this directory and launch 01_StartAudit.bat as an Administrator. The Administrator bit is important, as it will allow the script to kill background services that are spawned by the handlers and prevent UAC popups.

3. After the audit script completes (15-30 minutes), switch to the Process Monitor window, and access File->Save from the menu. Save the resulting log in CSV format to the local directory with the name "Logfile.CSV".

4. Launch 02_Analyze.bat as an Administrator. This will scan through the CSV log, build test cases for each potential vulnerability, try them, and automatically create a proof-of-concept within the Exploits directory should they succeed.

5. Identify the affected vendor for each generated proof-of-concept and ask them nicely to fix their application. Send them the calc.exe-launching PoC if necessary.

Thanks again to everyone who provided feedback (positive or negative) on the original tool, especially Rob Fuller, who let me forkbomb his system in the process of testing the new kit.

-HD