DLL Hijack Tecnique
In this article you will find the basics of DLL hijacking process, and some prepared material for quicker execution.
DLL Hijacking also known as DLL Search Order Hijacking is a technique that leverages the issue of improper DLL loading by the application.
At first, let’s understand the mechanism of DLL loading by any application.
DLL means Dynamic Link Library which is a library file that contains the code and data that can be accessed and used dynamically by more than one application at the same time. DLL was introduced by Microsoft for implementing the concept of shared library which promotes code reuse and efficient memory usage.
Below, we can see application 1 and application 2 tries to load the required functions to run the application from the system.dll.
Some information about the DLL Search Order
In order to import any functionality from the DLL, the application needs to define the path from the dll can be successfully loaded. If this path is not defined, the default search order will be used. Before this happens, the following checks are being executed:
- If a DLL with same module name is already loaded in memory, the system uses the previously loaded DLL.
- If the DLL is on the list of known DLLs for the version of Windows on which application is running, the system uses its copy of the known DLL.
The Default search order is the following:
- The directory, where the application is being launched
- The system directory. (C:\Windows\System32\)
- The 16-bit System Directory. (C:\Windows\System\)
- The Windows directory. (C:\Windows\)
- The current directory.
- The directories that are listed in the PATH environment variable.
If the application uses the Default search order, and the attacker places a malicious dll file, with custom code, the application will load the malicious code, and starting the execution.
I created some prepared DLLs, when I exported the functions from the original ones, and linked the to original.dll.
When you are testing an application, and you noticed that one of these DLLs are being loaded from a not-secure path, you should just simply place the following files:
- original.dll (can be found in the zip archives)
- loaded dll (also can be found in the zip archives)
- malicious.dll (should be written by yourself, but I attached a simply c++ code HERE as well)