DLL Hijacking (Learning resources)
#1
DLL Hijacking (Learning resources)

This isn't a tutorial but rather just a dump of learning resources and quick info about it. Just dumping my thoughts as I'm learning. I'll make a full thread about this once I get the hang of it more.

github/MojtabaTajik Wrote: What is DLL hijacking?!

Windows has a search path for DLLs in its underlying architecture. If you can figure out what DLLs an executable requests without an absolute path (triggering this search process), you can then place your hostile DLL somewhere higher up the search path so it'll be found before the real version is, and Windows will happily feed your attack code to the application.
So, let's pretend Windows's DLL search path looks something like this:

A) . <-- current working directory of the executable, highest priority, first check
B) \Windows
C) \Windows\system32
D) \Windows\syswow64 <-- lowest priority, last check

and some executable "Foo.exe" requests "bar.dll", which happens to live in the syswow64 (D) subdir. This gives you the opportunity to place your malicious version in A), B) or C) and it will be loaded into the executable.

As stated before, even an absolute full path can't protect against this, if you can replace the DLL with your own version.

Microsoft Windows protects system paths like System32 using the Windows File Protection mechanism, but the best way to protect an executable from DLL hijacking in enterprise solutions is:
  • Use an absolute path instead of a relative path
  • If you have a personal signature, sign your DLL files and check the signature in your application before loading the DLL into memory; otherwise, check the hash of the DLL file against the original DLL hash
And of course, this isn't really limited to Windows either. Any OS which allows for dynamic linking of external libraries is theoretically vulnerable to this.
A good tool to discover missing DLLs you can load: https://processhacker.sourceforge.io/

Learning resources/Links for learning about DLL Hijacking
Also recommending this thread about Windows privilege escalation. The talk covers some basics too: https://greysec.net/showthread.php?tid=7079

Tools for discovering possible DLL exploits
Further reading / Credits: https://silentbreaksecurity.com/adaptive-dll-hijacking/
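The post above describes the search-order mechanics and recommends Process Hacker for spotting missing DLLs. As an added example (not code from the post or from MojtabaTajik), the script below models the real default search order, which is what Windows uses when SafeDllSearchMode is on (the default since XP SP2): application directory, System32, the 16-bit System directory, the Windows directory, then the current directory, then each PATH entry. Note that this puts the current directory fifth, not first as in the "pretend" order quoted above. It then replays a Process Monitor-style CSV export (the column names match what Procmon writes; the rows themselves are constructed for this example, and Procmon rather than Process Hacker is my choice of tool here) to find DLLs that a process searched for in a directory we can write to before the genuine copy was found. Directory names, the process "Foo.exe", and the writable Desktop path are all assumptions made up for the example.

```python
"""Model Windows' default (SafeDllSearchMode) DLL search order and flag
hijackable DLL loads in Process Monitor-style CSV output.  Example code;
sample rows and paths are constructed, not captured from a real host."""
import csv
import io
import ntpath
from dataclasses import dataclass
from typing import List, Optional


def search_order(app_dir, cwd, path_dirs, windir=r"C:\Windows"):
    """Default order when the DLL is not already loaded and not a KnownDLL."""
    return [
        app_dir,                          # 1. directory the executable loaded from
        ntpath.join(windir, "System32"),  # 2. system directory
        ntpath.join(windir, "System"),    # 3. 16-bit system directory
        windir,                           # 4. Windows directory
        cwd,                              # 5. current working directory
        *path_dirs,                       # 6. each %PATH% entry, in order
    ]


def _norm(p):
    # Case-insensitive, separator-normalised comparison key for NT paths
    return ntpath.normcase(ntpath.normpath(p))


@dataclass
class Verdict:
    dll: str
    plant_dir: Optional[str]   # where a rogue copy would be picked up first
    real_dir: Optional[str]    # where the genuine DLL lives, if anywhere
    reason: str


def assess(dll, order, real_locations, writable_dirs):
    """Walk the search order; the first attacker-writable directory reached
    before (or at) the genuine DLL's location is a planting location."""
    real = {_norm(d) for d in real_locations}
    writable = {_norm(d) for d in writable_dirs}
    for d in order:
        n = _norm(d)
        if n in real and n in writable:
            return Verdict(dll, d, d, "genuine DLL sits in a writable dir: replace it")
        if n in real:
            return Verdict(dll, None, d, "genuine DLL found first in a non-writable dir")
        if n in writable:
            return Verdict(dll, d, None, "search reaches a writable dir before the real DLL")
    return Verdict(dll, None, None, "no writable dir in the search path")


# Constructed Procmon-style export: Foo.exe (hypothetical) looks for bar.dll,
# which exists nowhere, and version.dll, which it finds in System32.
PROCMON_SAMPLE = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Foo.exe","4120","CreateFile","C:\\Program Files\\Foo\\bar.dll","NAME NOT FOUND","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:01:02.2","Foo.exe","4120","CreateFile","C:\\Windows\\System32\\bar.dll","NAME NOT FOUND","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:01:02.3","Foo.exe","4120","CreateFile","C:\\Windows\\System\\bar.dll","NAME NOT FOUND","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:01:02.4","Foo.exe","4120","CreateFile","C:\\Windows\\bar.dll","NAME NOT FOUND","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:01:02.5","Foo.exe","4120","CreateFile","C:\\Users\\alice\\Desktop\\bar.dll","NAME NOT FOUND","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:01:02.6","Foo.exe","4120","CreateFile","C:\\Program Files\\Foo\\version.dll","NAME NOT FOUND","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:01:02.7","Foo.exe","4120","CreateFile","C:\\Windows\\System32\\version.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:01:02.8","Foo.exe","4120","CreateFile","C:\\Program Files\\Foo\\config.ini","NAME NOT FOUND","Desired Access: Generic Read"
"""


def load_attempts(procmon_csv):
    """{dll_name: [(dir, result), ...]} in event order, CreateFile on *.dll only."""
    attempts = {}
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] != "CreateFile":
            continue
        d, name = ntpath.split(row["Path"])
        if name.lower().endswith(".dll"):
            attempts.setdefault(name.lower(), []).append((d, row["Result"]))
    return attempts


def hunt(procmon_csv, writable_dirs):
    """Replay each DLL's observed search sequence against the directories
    we can write to; returns {dll: plant_dir} for the hijackable ones."""
    hits = {}
    for dll, seq in load_attempts(procmon_csv).items():
        order = [d for d, _ in seq]
        real = [d for d, r in seq if r == "SUCCESS"]
        verdict = assess(dll, order, real, writable_dirs)
        if verdict.plant_dir:
            hits[dll] = verdict.plant_dir
    return hits


if __name__ == "__main__":
    for dll, where in hunt(PROCMON_SAMPLE, [r"C:\Users\alice\Desktop"]).items():
        print(f"{dll}: plant a copy in {where}")
```

Against the constructed capture, bar.dll is flagged because the loader walks all the way down to the current directory (the user's Desktop) without finding it, while version.dll is not, because the genuine copy in System32 is reached before any writable directory. On a real host you would feed the function your own Procmon export and the output of an ACL check over the candidate directories.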
#2
Those are some great resources, thanks for this!

Also, here's a concise but thorough article I came across on the subject - https://itm4n.github.io/windows-dll-hija...clarified/
#3
(07-15-2020, 06:48 PM)Insider Wrote:
DLL Hijacking (Learning resources)

Thanks for the resources.