## What is DLL Hijacking?
DLL (Dynamic Link Library) files are a Windows-exclusive way of increasing compatibility between applications and shrinking application size. DLLs often include functions that are needed to interact with various Windows APIs, and they save development time by making those functions reusable and modular. However, the modularity of DLL files comes with a downside: they are easy to fake. When a program is loaded, Windows searches for each DLL file in a specific order, starting with the directory the program is located in. Windows uses the first DLL file it finds with a matching name, which means that if an adversary can get a DLL file into that directory, it will be used even over the system DLLs (located in C:\Windows\System32). This method of code execution by faking DLLs is known as DLL Hijacking.

The major benefit of this to an adversary is that, since the application is only being used to load malicious code, it won't trigger traditional antivirus. The DLL itself could still trigger antivirus, depending on its content. However, since the DLL doesn't necessarily need to be placed in the same directory as the application, it's a much more stealthy approach to malware.

#### Note!
Microsoft has released several updates to combat DLL Hijacking, most notably SafeDllSearchMode (enabled by default on most Windows installs). This changes the order in which Windows searches for DLL files, which makes it impossible to overwrite system DLL files and limits the cases in which this method can be applied.
Cases in which it's still possible to DLL Hijack are:
* The application loads a DLL that isn't available on the system (this will sometimes crash the program, but often the DLL isn't an essential one)
* The application is in a directory that isn't permissions-protected (this is why many Windows app installers install into C:\Program Files or C:\Program Files (x86))
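
The search order and the two cases above, modelled as an added example (not code from the original page or its source). It follows Microsoft's documented order for an unqualified DLL name with SafeDllSearchMode on or off and reports which user-writable directories are consulted before the legitimate copy is found. All paths, DLL names and permissions are constructed, the function names are hypothetical, and KnownDLLs and already-loaded modules are not modelled.

```python
# Added example: models the search order for an unqualified DLL name.
# All paths, DLL names and write permissions are constructed sample data.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
FILES = {r"C:\Windows\System32": {"shared.dll"}}  # helper.dll exists nowhere
WRITABLE = {r"C:\Tools\App", r"C:\Users\alice\Downloads", r"C:\Tools\bin"}
CWD = r"C:\Users\alice\Downloads"
PATH_DIRS = [r"C:\Tools\bin"]


def search_order(app_dir, cwd, path_dirs, safe_mode=True):
    """Directories in the order the loader tries them."""
    # SafeDllSearchMode moves the current directory behind the system dirs.
    middle = SYSTEM_DIRS + [cwd] if safe_mode else [cwd] + SYSTEM_DIRS
    return [app_dir] + middle + list(path_dirs)


def audit_import(dll, order, files, writable):
    """Return (resolved_dir, exposed_dirs) for one imported DLL name.

    exposed_dirs are user-writable directories searched before the legitimate
    copy is found (or at all, if the DLL exists nowhere), plus the resolved
    directory itself when it is user-writable.
    """
    name, exposed = dll.lower(), []
    for directory in order:
        if directory in writable and directory not in exposed:
            exposed.append(directory)
        if name in files.get(directory, set()):
            return directory, exposed  # first match wins
    return None, exposed


def report(app_dir, safe_mode=True):
    """Audit both sample imports for an application installed in app_dir."""
    order = search_order(app_dir, CWD, PATH_DIRS, safe_mode)
    return {dll: audit_import(dll, order, FILES, WRITABLE)
            for dll in ("shared.dll", "helper.dll")}


if __name__ == "__main__":
    for app_dir in (r"C:\Program Files\App", r"C:\Tools\App"):
        for safe in (True, False):
            print(f"{app_dir} (SafeDllSearchMode={safe})")
            for dll, (resolved, exposed) in report(app_dir, safe).items():
                print(f"  {dll}: loads from {resolved}; exposed via {exposed}")
```

An empty exposed list means every directory consulted for that import is permission-protected; any entry is a directory whose ACL should be tightened or removed from the search path.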
## Walk-through
#### Sources:
https://hacknpentest.com/windows-privilege-escalation-dll-hijacking/