DLL Hijacking

What is DLL Hijacking?

Dynamic Link Libraries (DLLs) are essential components in Windows applications, allowing code reuse and modular design. When an application needs to use a DLL, the Windows loader searches for the DLL in a specific order, often starting with the application's directory, then system directories, and finally the global system path.

DLL hijacking occurs when an attacker places a malicious DLL with the same name as a legitimate DLL in a location that the application searches before the trusted location. When the application loads the DLL, it inadvertently executes malicious code, leading to arbitrary code execution or privilege escalation.

How Does DLL Hijacking Work?

The core concept hinges on the application's DLL search order and insecure loading practices:

1. Insecure Search Path: If an application loads DLLs using relative paths or relies on the default search order without specifying full paths, it becomes vulnerable.

2. Placement of Malicious DLL: An attacker places a malicious DLL with a matching name in a directory that the application searches before the legitimate DLL. Common locations include the application's directory, current working directory, or temporary folders.

3. Loading the Malicious DLL: When the application loads the DLL (explicitly or implicitly), it loads the malicious version, executing attacker-controlled code.

Example Scenario:

• An application called MyApp.exe loads helper.dll without specifying a full path.

• An attacker places a malicious helper.dll in the same directory as MyApp.exe.

• When MyApp.exe runs, it loads the malicious DLL, executing malicious code with the application's privileges.

Real-World Examples of DLL Hijacking

1. Windows Media Player

In some cases, Windows Media Player has been vulnerable to DLL hijacking by placing malicious DLLs in directories it searches. Attackers exploited the search order to execute malicious code in the context of the user.

2. Avast Antivirus

Researchers found that certain versions of Avast were susceptible to DLL hijacking due to insecure DLL loading that could be exploited to escalate privileges.

3. Custom Enterprise Software

Many custom business applications fail to specify explicit DLL paths, making them vulnerable to DLL hijacking attacks, especially when running with elevated privileges.

Attack Techniques

Attackers employ various techniques to exploit DLL hijacking:

• Placing Malicious DLLs in Search Path: The simplest method involves copying malicious DLLs into directories searched early by the application.

• Using Scheduled Tasks or Services: If an application runs as a service or scheduled task, attackers can place malicious DLLs in accessible directories.

• DLL Search Order Hijacking: Manipulating the DLL search order via environment variables, current working directory, or application manifest files.

• DLL Preloading Attacks: Abusing the fact that Windows searches certain directories before others to preload malicious DLLs.

Prevention and Mitigation Strategies

Protecting applications from DLL hijacking requires a combination of secure coding practices, system configurations, and operational controls:

1. Always Specify Full Paths for DLLs

• Use absolute paths when loading DLLs with LoadLibrary() or similar functions.

2. Use SetDefaultDllDirectories() and AddDllDirectory()

• These APIs allow specifying safe directories and controlling DLL search behavior on Windows 8 and later.

3. Implement Code Signing

• Sign DLLs to ensure integrity, and verify signatures before loading.

4. Avoid Using Relative Paths or Search-Order Loading

• Explicitly load DLLs from known directories rather than relying on the default search order.

5. Use Application Manifests

• Declare DLL dependencies explicitly to control loading behavior.

6. Monitor and Detect DLL Hijacking Attempts

• Use security tools and monitoring solutions to detect suspicious DLL placements or loading behaviors.

7. Least Privilege Principle

• Run applications with minimal privileges to contain potential damage if hijacked.

PoC for DLL Hijacking

Scenario

• You have a desktop application called VulnerableApp.exe.

• It loads helper.dll without specifying a full path.

• An attacker places a malicious helper.dll in a directory that the application searches before its legitimate directory.

Step 1: Create a Malicious DLL

You need to craft a malicious DLL that executes code when loaded. Here's an example in C++:

Compile this into helper.dll.

Step 2: Place Malicious DLL in Search Path

Attack Steps:

1. Identify the Search Order

   The application searches for helper.dll in:

   • The current working directory

   • The application's directory

   • System directories

2. Place Malicious DLL

   • Copy helper.dll into the current working directory or a directory the app searches first:

Step 3: Run the Application

• Launch VulnerableApp.exe.

• When it loads helper.dll, it loads your malicious version.

Expected Result:

• The MessageBox from the malicious DLL appears, confirming the hijacking.

Step 4: Observations and Mitigation

• The malicious DLL executed because the application did not specify an explicit full path.

• To prevent such exploits, modify the application to load DLLs securely (see mitigation strategies above).