DLL Hijacking
DLL files are used by Windows applications to promote code modularization and reuse, efficient memory usage and reduced disk usage.
DLL hijacking is a technique for getting a legitimate process to load malicious code, for the purposes of defense evasion, persistence and privilege escalation.
There are four main types of DLL hijacking:
- Search order hijacking
- Relative path DLL hijacking
- Phantom DLL hijacking
- DLL redirection
Search Order Hijacking
The idea is to trick the OS into running malicious code under a legitimate process.
For example, an .exe loads a .dll by name and relies on Windows to find its location.
Knowing that the OS searches a predefined list of locations for the DLL (i.e. the directory the application was loaded from, the system directory, the 16-bit system directory, the PATH directories, etc.), the attacker can take advantage of this information.
If the attacker can write a malicious .dll into one of the locations that is searched before PATH is reached, then their payload is loaded first.
If for some reason the .exe file was launched with administrative privileges, then it's game over. :D
Relative Path DLL Hijacking
This attack requires the attacker to write two files, a legitimate executable file and a malicious DLL. These files need to be written to a folder where the attacker has adequate write permissions.
It's called relative path hijacking because the relative path (the executable's own directory) is one of the places the OS searches first when the location of a .dll is ambiguous.
Phantom DLL Hijacking
Windows services reference a lot of DLLs that do not even exist. By writing a malicious file at one of the missing paths referenced by a service like IKEEXT (the Windows service for IP key exchange, which is run during startup), the attacker can bypass inspection.
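The search-order walk described in the Search Order Hijacking section, and the phantom case above where the DLL exists nowhere, can both be audited by the same logic. The following is an added example, not code from the original page: it models the default search order (SafeDllSearchMode enabled) over a constructed in-memory file list and reports which low-privilege-writable directories the loader would consult before reaching the legitimate copy. The paths, file names and "writable" directories are all constructed sample data.

```python
"""Audit DLL loads against the Windows default search order (SafeDllSearchMode on).

Constructed example: the 'filesystem' is an in-memory list, so it runs anywhere.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def search_order(app_dir, cwd, path_entries, windir=r"C:\Windows"):
    """Default order with SafeDllSearchMode enabled: application directory,
    System32, the 16-bit System directory, the Windows directory, the current
    working directory, then each PATH entry in turn."""
    return [app_dir, windir + r"\System32", windir + r"\System", windir, cwd, *path_entries]


@dataclass
class Finding:
    dll: str
    resolved_in: Optional[str]                 # directory the loader picks; None = phantom DLL
    exposed_dirs: List[str] = field(default_factory=list)  # writable dirs searched before it


def _norm(p):
    return p.rstrip("\\").lower()


def audit_dll(dll, order, existing_files, writable_dirs):
    """Walk the search order; record where `dll` resolves and every low-privilege
    writable directory the loader consults first (all of them if it never resolves)."""
    writable = {_norm(d) for d in writable_dirs}
    present = {_norm(f) for f in existing_files}
    finding = Finding(dll, None)
    for d in order:
        if _norm(d) in writable:
            finding.exposed_dirs.append(d)
        if _norm(d + "\\" + dll) in present:
            finding.resolved_in = d
            break
    return finding


# Constructed sample: foo.dll really lives in System32, but the application directory
# and one PATH entry are writable by standard users; bar.dll exists nowhere (phantom).
SAMPLE_FILES = [r"C:\Windows\System32\foo.dll", r"C:\Program Files\App\app.exe"]
SAMPLE_WRITABLE = [r"C:\Program Files\App", r"C:\Tools"]        # constructed weak ACLs
SAMPLE_ORDER = search_order(r"C:\Program Files\App", r"C:\Users\alice",
                            [r"C:\Tools", r"C:\Windows\System32"])

if __name__ == "__main__":
    for name in ("foo.dll", "bar.dll"):
        f = audit_dll(name, SAMPLE_ORDER, SAMPLE_FILES, SAMPLE_WRITABLE)
        print(f"{f.dll}: resolves in {f.resolved_in!r}; writable dirs searched first: {f.exposed_dirs}")
```

A non-empty `exposed_dirs` for a DLL that resolves in System32 is the search-order exposure; a DLL with `resolved_in` of `None` and any exposed directory is the phantom-DLL exposure, and the fix in both cases is tightening the ACL on those directories.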
DLL Redirection
This attack changes the locations the OS searches for the DLL file. For example, the Windows registry is modified to change the search order, resulting in a different DLL file being loaded.