search

DLL Hijacking

hashtag
Overview

Dynamic Link Libraries are like executables but they aren't directly executable. They are shared libraries that contain functions, classes, resources, variables etc and they often run with executables.

When a Windows applications or services start up they look for their DLLs to run with.However if the DLL they're looking for doesn't exist or is missing AND the path to it is writable then we can get malicious with it.

hashtag
Escalation via DLL Hijacking

hashtag
Simulation Steps:

  • Spin up Procmon

  • Add filter of "Result is NAME NOT FOUND then Include"

  • Add filter of "Path ends with .dll then Include"

  • This will show all of the NAME NOT FOUND for DLLs

  • We can exploit this if the location of the DLL isn't writable

  • C:\Program Files is usually writable

  • Start service and see if it's looking for a DLL to a writable path

  • After ones been found can put a fake DLL there make it call to a malicious executable and pop a shell

In this case we can compile a malicious dll payload from a c program and make the dll add the user we're using the the local admin group or pop a shell

cmd.exe /k net localgroup administrators Bob /add  
x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll

Save to the writable location and restart service

PreviousStartup ApplicationsNextService Permissions

Last updated