What is dll hijacking?

Tags: windows, dll

Simple question: What is dll hijacking?

I read a lot about which applications are vulnerable, but not a lot of depth as to why.

Answers appreciated.

The Pixel Developer asked Sep 02 '10 02:09



1 Answer

The basics are simple. Windows has a search path for DLLs, much the same way it has a $PATH for finding executables. If you can figure out what DLLs an app requests without an absolute path (triggering this search process), you can then place your hostile DLL somewhere higher up the search path so it'll be found before the real version is, and Windows will happily feed your attack code to the application.

So, let's pretend your system's DLL search path looks something like this:

a) .                   <-- current working directory of the application, highest priority, first check
b) \windows
c) \windows\system32
d) \windows\syswow64   <-- lowest priority, last check

and some application Foo.exe requests "bar.dll", which happens to live in the syswow64 (d) subdir. This gives you the opportunity to place your malicious version in a), b), or c) and it will be loaded into the app automatically whenever the app requests bar.dll. And now your foo is well and truly bar'd.

As stated before, even an absolute full path can't protect against this, if you can replace the DLL with your own version.

And of course, this isn't really limited to Windows either. Any OS which allows for dynamic linking of external libraries is theoretically vulnerable to this.

Marc B answered Sep 21 '22 11:09
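The search-order walk the answer describes, as an added example that is not part of the original question or answer. It models the loader's lookup over a constructed, in-memory "filesystem" so it runs anywhere without touching a real disk. It uses the order Windows actually applies when SafeDllSearchMode is on (the default since XP SP2): application directory, System32, the 16-bit System directory, the Windows directory, then the current directory, then PATH. That differs from the simplified list in the answer, where the current directory comes first. The KnownDLLs subset, the directory names, the application Foo, bar.dll and the set of "writable" directories are all assumptions made up for the example.

```python
"""Simulating the Windows DLL loader's search order to show why a DLL
hijack works.  Added example, not from the original post.  All paths,
files and the writable-directory set are constructed; nothing here reads
the real disk."""
from typing import Dict, Iterable, List, Optional, Set

SYSTEM32 = r"C:\Windows\System32"

# Names the loader always takes from System32 without searching.
# Constructed subset of the real HKLM\...\Session Manager\KnownDLLs list.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir: str, cwd: str, path_dirs: Iterable[str]) -> List[str]:
    """Lookup order with SafeDllSearchMode enabled (the default).
    The current directory is searched after the system directories."""
    return [app_dir, SYSTEM32, r"C:\Windows\System", r"C:\Windows", cwd, *path_dirs]


def _has(fs: Dict[str, Set[str]], directory: str, name: str) -> bool:
    """Case-insensitive 'does this directory contain this file' check."""
    return name.lower() in {f.lower() for f in fs.get(directory, set())}


def resolve(name: str, order: List[str], fs: Dict[str, Set[str]]) -> Optional[str]:
    """Full path the loader would map for LoadLibrary(name), or None."""
    if "\\" in name:                       # caller passed a path: no search at all
        directory, _, fname = name.rpartition("\\")
        return name if _has(fs, directory, fname) else None
    if name.lower() in KNOWN_DLLS:         # KnownDLL: System32 only, never searched
        return SYSTEM32 + "\\" + name if _has(fs, SYSTEM32, name) else None
    for directory in order:                # first directory that has it wins
        if _has(fs, directory, name):
            return directory + "\\" + name
    return None


def hijack_points(name: str, order: List[str], fs: Dict[str, Set[str]],
                  writable: Set[str]) -> List[str]:
    """Writable directories the loader consults *before* it reaches the
    legitimate copy.  Empty means the name cannot be hijacked through the
    search path (absolute path or KnownDLL).  For a DLL that exists nowhere
    (a 'phantom' DLL) every writable directory in the order qualifies."""
    if "\\" in name or name.lower() in KNOWN_DLLS:
        return []
    points: List[str] = []
    for directory in order:
        if _has(fs, directory, name):      # legitimate copy found: stop here
            break
        if directory in writable and directory not in points:
            points.append(directory)
    return points


def demo():
    """Foo.exe installed per-user (so its own directory is writable) and
    asking for bar.dll by bare name; the real bar.dll lives in C:\\Windows."""
    app_dir = r"C:\Users\alice\AppData\Local\Foo"   # constructed
    cwd = r"C:\Users\alice\Downloads"               # constructed
    fs = {
        app_dir: {"foo.exe"},
        SYSTEM32: set(KNOWN_DLLS),
        r"C:\Windows": {"bar.dll"},                  # the legitimate copy
        r"C:\Tools": set(),
    }
    writable = {app_dir, cwd, r"C:\Tools"}
    order = search_order(app_dir, cwd, [r"C:\Tools", SYSTEM32])

    before = resolve("bar.dll", order, fs)            # C:\Windows\bar.dll
    spots = hijack_points("bar.dll", order, fs, writable)  # [app_dir]
    fs[app_dir].add("bar.dll")                        # attacker plants a copy
    after = resolve("bar.dll", order, fs)             # app_dir\bar.dll
    return before, spots, after


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible that the prose does not: a name listed in KnownDLLs or requested by absolute path is never searched at all, so it yields no hijack points no matter what is writable; and a DLL that the application asks for but that exists nowhere on the box is the worst case, since every writable directory in the order becomes a valid drop location.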