A DLL (Dynamic Link Library) is a Windows file format that packages code and procedures so that multiple programs can use them at the same time. The advantage of this arrangement is that it saves memory, and a developer can update code shared by many applications at once without changing each application individually.
What is DLL Hijacking?
When a Windows application starts, it loads the DLLs it depends on. If one of those DLLs is missing, or is loaded insecurely (the full path of the DLL is not specified), a DLL of the same name placed where the loader looks first will be loaded instead. This is a kind of privilege escalation known as DLL Hijacking.
When can DLL Hijacking occur?
On current versions of Windows, the paths C:\Program Files and C:\Windows are usually not writable by ordinary users. So the attack is feasible mainly when the application in question is installed outside these default directories, or is run from a network share.
When an EXE is loaded, Windows looks for its DLLs in a particular order, as shown below:
- The directory in which the application is installed
- The current working directory
- Directories in the system PATH environment variable
- Directories in the user PATH environment variable
As the order above shows, the loader first looks for a DLL in the directory in which the application is installed, and only then moves on to the system directories. If the application is installed outside the system directories, it may be possible to place a malicious DLL there and gain privilege.
POC on Windows System
The key step is to find out which DLLs the application looks for but does not find. This can be done by filtering for the result NAME NOT FOUND in Process Monitor (Procmon).
Steps to Reproduce:
- Start Procmon.exe and set the filter
- Start the application and look for NAME NOT FOUND entries in Procmon. In this case, Procmon shows that the application looks for a DLL named "WINMM.dll" but does not find it.
- Create a DLL with the code below (the DllMain entry point runs the payload when the DLL is loaded into the process):
    #include <windows.h>
    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
        if (fdwReason == DLL_PROCESS_ATTACH) WinExec("calc", 0); // boring payload
        // exit(0); // ;)
        return TRUE;
    }
- Name this DLL WINMM.dll and place it in the directory where the application is installed.
- Close the application and restart it. A calculator will be launched.
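The search order described above and the NAME NOT FOUND step can be checked from the defender's side without hand-scrolling through Procmon. The following is an added example, not code from the original post or its author: a small Go program that reads a Procmon CSV export (File > Save..., CSV format; the excerpt embedded below is constructed, and the application VulnApp.exe and the C:\Tools path are fictional), keeps the CreateFile probes for .dll files that returned NAME NOT FOUND, marks whether the probed directory lies under C:\Windows or C:\Program Files, and records whether the loader later found a DLL of the same name elsewhere. A DLL that is missing in the application directory but found later in System32 is the search-order pattern from the WINMM.dll case; a DLL never found anywhere is a genuinely missing dependency. The protected-directory check is a path-prefix heuristic only; confirm the real permissions with the directory ACLs.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// Constructed excerpt in the layout of a Procmon CSV export (File > Save..., CSV
// format) for a fictional application installed under C:\Tools. Not a real capture.
const procmonCSV = `"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","VulnApp.exe","4120","CreateFile","C:\Tools\VulnApp\WINMM.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0002","VulnApp.exe","4120","CreateFile","C:\Tools\VulnApp\WINMM.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0003","VulnApp.exe","4120","CreateFile","C:\Windows\System32\WINMM.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0004","VulnApp.exe","4120","CreateFile","C:\Tools\VulnApp\VERSION.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0005","VulnApp.exe","4120","CreateFile","C:\Windows\System32\VERSION.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0006","VulnApp.exe","4120","CreateFile","C:\Tools\VulnApp\config.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.0007","VulnApp.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0008","VulnApp.exe","4120","CreateFile","C:\Program Files\Common\foo.dll","NAME NOT FOUND","Desired Access: Read Attributes"
`

// Directories that, on a default Windows install, unprivileged users cannot write to.
// Prefix heuristic only: confirm with the actual ACLs (e.g. icacls) before concluding.
var protectedPrefixes = []string{`c:\windows\`, `c:\program files\`, `c:\program files (x86)\`}

func isProtected(dir string) bool {
	d := strings.ToLower(dir)
	for _, p := range protectedPrefixes {
		if strings.HasPrefix(d, p) {
			return true
		}
	}
	return false
}

// Finding is one DLL that a process probed for and did not find in a directory.
type Finding struct {
	Process   string
	DLL       string // base name, lower-cased
	Dir       string // directory where the probe returned NAME NOT FOUND
	Protected bool   // Dir is under a default non-writable location
	Resolved  bool   // a probe for the same DLL name returned SUCCESS elsewhere
}

// Triage parses Procmon CSV text and returns each unique (process, path) DLL probe that
// returned NAME NOT FOUND, annotated with the directory class and whether the loader
// eventually found the DLL somewhere else (the search-order hijack pattern).
func Triage(csvText string) ([]Finding, error) {
	rows, err := csv.NewReader(strings.NewReader(csvText)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) == 0 {
		return nil, fmt.Errorf("empty export")
	}
	col := map[string]int{}
	for i, name := range rows[0] {
		col[name] = i
	}
	for _, need := range []string{"Process Name", "Operation", "Path", "Result"} {
		if _, ok := col[need]; !ok {
			return nil, fmt.Errorf("missing column %q", need)
		}
	}
	resolved := map[string]bool{} // process|dll -> found successfully somewhere
	seen := map[string]bool{}     // process|full path -> already reported
	var out []Finding
	for _, row := range rows[1:] {
		proc, op, path, res := row[col["Process Name"]], row[col["Operation"]], row[col["Path"]], row[col["Result"]]
		if op != "CreateFile" || !strings.HasSuffix(strings.ToLower(path), ".dll") {
			continue
		}
		slash := strings.LastIndex(path, `\`)
		dir, dll := path[:slash+1], strings.ToLower(path[slash+1:])
		switch res {
		case "SUCCESS":
			resolved[proc+"|"+dll] = true
		case "NAME NOT FOUND":
			if seen[proc+"|"+path] {
				continue // Procmon usually shows the same probe several times
			}
			seen[proc+"|"+path] = true
			out = append(out, Finding{Process: proc, DLL: dll, Dir: dir, Protected: isProtected(dir)})
		}
	}
	for i := range out {
		out[i].Resolved = resolved[out[i].Process+"|"+out[i].DLL]
	}
	return out, nil
}

// Candidates keeps only findings in directories an unprivileged user may be able to write to.
func Candidates(findings []Finding) []Finding {
	var c []Finding
	for _, f := range findings {
		if !f.Protected {
			c = append(c, f)
		}
	}
	return c
}

func main() {
	findings, err := Triage(procmonCSV)
	if err != nil {
		panic(err)
	}
	for _, f := range Candidates(findings) {
		kind := "phantom (never found anywhere)"
		if f.Resolved {
			kind = "search-order (found later in a system directory)"
		}
		fmt.Printf("%s probes %s in %s [%s]\n", f.Process, f.DLL, f.Dir, kind)
	}
}
```

On the constructed export this reports WINMM.dll and VERSION.dll probed in C:\Tools\VulnApp\ as search-order findings, and drops foo.dll because C:\Program Files\ is treated as protected. Run it over an export taken while the application starts, with the Procmon filter already set on the process name, so that the CSV is small.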
Mitigation
- The hash of the DLL has to be encrypted (signed) with a private key.
- In the application, the public key, the "encrypted hash" and the salt must be embedded.
- On application start, decrypt the "encrypted hash" with the public key.
- Generate the hash again at runtime with the same salt, and compare it with the hash decrypted using the public key. If they differ, the DLL has been replaced and must not be loaded.
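The scheme above is a digital signature over the salted hash of the DLL: the private key stays with the build, the public key and signature ship inside the application, and the hash is recomputed at runtime. The following is an added example, not code from the original post or its author, showing both halves in Go with the standard library. RSA PKCS#1 v1.5 signing is the "encrypt the hash with the private key" step, and VerifyPKCS1v15 is the "decrypt with the public key and compare" step. The DLL bytes, the salt and the key are all constructed here; in a real build the private key would live in the signing pipeline and only the public key, salt and signature would be embedded.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for the bytes of a DLL read from disk (not a real PE image).
var dllImage = []byte("MZ...constructed stand-in for the contents of WINMM.dll...")

// Salt fixed at build time and embedded in the application, as the scheme requires.
var buildSalt = []byte("example-build-salt-v1")

// hashDLL computes the salted hash that is signed at build time and recomputed at runtime.
func hashDLL(dll, salt []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write(dll)
	return h.Sum(nil)
}

// SignDLL is the build-time step: the salted hash is signed ("encrypted") with the
// private key. PKCS#1 v1.5 signing is that operation with standard padding.
func SignDLL(priv *rsa.PrivateKey, dll, salt []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hashDLL(dll, salt))
}

// VerifyDLL is the runtime step: recompute the salted hash of the file that is actually
// on disk and check it against the embedded signature with the embedded public key.
// Any mismatch, wrong key, wrong salt or malformed signature yields false.
func VerifyDLL(pub *rsa.PublicKey, dll, salt, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashDLL(dll, salt), sig) == nil
}

// Tamper returns a copy of the DLL with one byte flipped, standing in for a planted replacement.
func Tamper(dll []byte) []byte {
	t := append([]byte(nil), dll...)
	t[len(t)/2] ^= 0x01
	return t
}

func main() {
	// Build time: the key pair is generated once; only the public half is embedded.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sig, err := SignDLL(priv, dllImage, buildSalt)
	if err != nil {
		panic(err)
	}
	// Run time: the application holds &priv.PublicKey, buildSalt and sig, and checks the
	// DLL it is about to load.
	fmt.Println("genuine DLL accepted: ", VerifyDLL(&priv.PublicKey, dllImage, buildSalt, sig))
	fmt.Println("tampered DLL accepted:", VerifyDLL(&priv.PublicKey, Tamper(dllImage), buildSalt, sig))
}
```

Two points matter when applying this. The check must run before the DLL is loaded, and the load must then use the full path that was verified; otherwise the loader may still resolve the name through the search order shown earlier. It also only protects DLLs the application loads itself: DLLs in the import table, such as WINMM.dll in the proof of concept, are resolved by the Windows loader before any application code runs, so for those the fix is to load from protected directories or restrict the DLL search path rather than to verify after the fact.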
Authored By - Paramita Das
TCS Cyber Security Practice