
DLL Hijacking in Wild

Purab Parihar
September 03, 2021


Talk at GrabCon 2021




  1. Echo 'Whoami'
    Purab Parihar, 18 y/o Security Researcher, Red Team Enthusiast, Gamer
    • Certified Red Team Professional (CRTP)
    • Certified Ethical Hacker (CEH)
    • eLearnSecurity Junior Penetration Tester (eJPT)
    Let's Connect! LinkedIn: linkedin.com/in/purabparihar/ Twitter: @purab_parihar Instagram: @purabparihar
  2. Agenda for Today
    • What are DLLs, and their types
    • How Windows searches for DLLs
    • What is DLL Hijacking
    • Why DLL Hijacking is harmful
    • How to hunt for DLL Hijacking
    • Analysing malicious DLLs
  3. What are DLLs & their types?
    A Dynamic Link Library (DLL) is Microsoft's implementation of the shared library concept. A DLL file contains code and data that can be used by multiple programs at the same time, which promotes code reuse and modularisation. This slide gives a brief overview of Windows DLLs and how they are used.
    Basically, a DLL file contains the functions, variables, resources and classes that an executable uses to do its work. For example:
    • KERNEL32.DLL – contains functions for memory management and other process operations
    • USER32.DLL – contains user interface functions
    To use these functions, the application has to import the library. An application can import functions from a module in two ways: Load-Time Dynamic Linking and Run-Time Dynamic Linking.
    • Load-Time Dynamic Linking: the application is statically linked against a ".lib" (or ".a") import library, which contains the code that automatically resolves the links into the ".dll" files when the program starts up.
    • Run-Time Dynamic Linking: the application calls LoadLibrary() or LoadLibraryEx() to load a DLL by a fixed path or by DLL name.
    If the DLL is not found in the current directory by either of these methods, the executable uses the DLL Search Order to locate it on the system. We'll look at the DLL Search Order in the next few slides!
  4. IMPOSTORS AMONG CREWMATES: There is always 1 Impostor among us

  5. Who are the Impostors & what do they do?
    Step 1: Impostors are crackers, who crack applications that are vulnerable to DLL hijacking!
    Step 2: The victim downloads the cracked software, which ships with malicious DLLs
    Step 3: When the user runs the program, the executable loads the malicious DLL
    Step 4: The malicious DLL contains a reverse shell or any other type of arbitrary code, which is triggered with elevated privileges
    Step 5: The attacker gets access to the victim's PC on their C2 server
  6. How Windows Searches DLLs
    An executable uses the Windows DLL Search Order to find the DLLs requested by an application. Per the Microsoft documentation, when SafeDllSearchMode is disabled the search order is:
    1. The directory from which the application loaded
    2. The current directory
    3. The system directory. Windows uses the GetSystemDirectory function to get the path of this directory
    4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched
    5. The Windows directory. Windows uses the GetWindowsDirectory function to get the path of this directory
    6. The directories listed in the PATH environment variable
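As an added example (not part of the talk), the small simulation below walks the search order listed above for a DLL requested by name and reports which user-writable directories the loader consults before reaching the directory where the real DLL lives. It also models the SafeDllSearchMode setting, which moves the current directory down the list, so the difference between the two orders is visible. All paths, the application directory, the "present files" set and the "writable" set are constructed for the example.

```python
# Added example (not from the talk): simulate the Windows DLL search order and
# report where a user-writable directory is consulted before the real DLL.
# Every path, the application directory and the "writable" set are constructed.

SYSTEM_DIR = r"C:\Windows\System32"    # what GetSystemDirectory() returns
SYSTEM16_DIR = r"C:\Windows\System"    # 16-bit system directory
WINDOWS_DIR = r"C:\Windows"            # what GetWindowsDirectory() returns

# Constructed scenario: the application lives under Program Files, the user
# launched it with the Desktop as current directory, and PATH holds a temp dir.
APP_DIR = r"C:\Program Files\ExampleApp"
CWD = r"C:\Users\alice\Desktop"
TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp"
PATH_DIRS = [TEMP_DIR]

# Files that exist on the constructed file system (lower-cased full paths).
PRESENT = {r"c:\windows\system32\example.dll"}
# Directories a standard user can write to in this scenario.
WRITABLE = {CWD, TEMP_DIR}


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
    """Directories the loader walks, in order, for a DLL requested by name.

    With SafeDllSearchMode disabled (the legacy order the slide lists) the
    current directory is searched second.  With it enabled, the current
    directory moves to after the Windows directory, so a DLL that exists in
    a system directory can no longer be shadowed from the current directory.
    """
    if safe_dll_search_mode:
        order = [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd]
    else:
        order = [app_dir, cwd, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    return order + list(path_dirs)


def resolve_dll(dll_name, order, present_files):
    """First directory in `order` holding dll_name, or None (NAME NOT FOUND)."""
    for directory in order:
        if (directory + "\\" + dll_name).lower() in present_files:
            return directory
    return None


def hijack_exposure(dll_name, order, present_files, user_writable):
    """Return (directory the real DLL resolves to, user-writable directories
    consulted before it).  A non-empty second element means a standard user
    could plant a same-named DLL that the loader picks up first; if the DLL is
    missing entirely, every writable directory in the order is exposed."""
    legit = resolve_dll(dll_name, order, present_files)
    exposed = []
    for directory in order:
        if directory == legit:
            break
        if directory in user_writable and directory not in exposed:
            exposed.append(directory)
    return legit, exposed


if __name__ == "__main__":
    for safe in (False, True):
        order = search_order(APP_DIR, CWD, PATH_DIRS, safe)
        for dll in ("example.dll", "missing.dll"):
            print("SafeDllSearchMode" if safe else "legacy order", dll,
                  hijack_exposure(dll, order, PRESENT, WRITABLE))
```

Running it shows the two cases that matter for an audit: a DLL that does exist in System32 is only exposed through the current directory under the legacy order, while a DLL that is missing everywhere (the "NAME NOT FOUND" case hunted later in the talk) is exposed through every writable directory regardless of SafeDllSearchMode.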
  7. What is DLL Hijacking?

  8. What is DLL Hijacking?
    DLL Hijacking is the process of injecting malicious code into an application by exploiting missing DLLs and tricking the Windows DLL Search Order. If an application requires a DLL for its functionality but that DLL does not exist, or is not loaded in a secure way, there is a good chance of DLL Hijacking. Here an attacker can, either directly or by tricking the user, place a malicious DLL at the path where the missing DLL is looked for; then whenever the application is executed, the functions from the malicious DLL run and code execution is achieved.
  9. Why DLL Hijacking is Harmful?
    • Code Execution: an attacker can execute arbitrary code to perform malicious actions; persistence can also be achieved by using the DLL as a backdoor
    • Privilege Escalation: an attacker can escalate privileges from a normal user to a highly privileged one (Administrator)
  10. How to Hunt DLL Hijacking
    • To hunt for a DLL Hijacking vulnerability in any application, you'll need Process Monitor (ProcMon)
    • ProcMon is a Sysinternals tool for Windows used for monitoring processes. You can call it Task Manager 2.0
    • For demonstrating this attack, we'll use a vulnerable version of kavremover.exe (support.kaspersky.com/downloads/utils/kavremover.exe)
    • Let's see how to hunt this
  11. Step 1: Filtering Processes
    Start Process Monitor as Administrator, run kavremover.exe, and then click Filter -> Filter
  12. Step 1: Filtering Processes
    Let's apply some filters for accurate

  13. Step 1: Filtering Processes
    We can see that some of the DLLs are shown as "NAME NOT FOUND"
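The same "NAME NOT FOUND" signal can be pulled out of a Process Monitor CSV export instead of eyeballing the GUI, which is handy when auditing many applications. The script below is an added example, not from the talk: it keeps only CreateFile operations on .dll paths that ended in NAME NOT FOUND, groups them by process, and ranks a miss in a user-writable location (profile or temp folders) above one in a protected directory such as System32, since that is where a low-privileged user could actually plant a file. The CSV lines and the process name "sample.exe" are constructed; the column names are the ones ProcMon's CSV export uses.

```python
# Added example (not from the talk): triage a Process Monitor CSV export for
# DLL loads that failed with NAME NOT FOUND, the signal the talk hunts for in
# the ProcMon GUI.  The CSV below is constructed and "sample.exe" is invented.
import csv
import io
from collections import defaultdict

SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","sample.exe","4120","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x7ff800000000, Image Size: 0xc0000"
"10:01:02.2000000 AM","sample.exe","4120","CreateFile","C:\Users\alice\Desktop\example.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.3000000 AM","sample.exe","4120","CreateFile","C:\Windows\System32\example.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.4000000 AM","sample.exe","4120","CreateFile","C:\Users\alice\Desktop\settings.txt","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.5000000 AM","explorer.exe","1234","RegQueryValue","HKCU\Software\Classes","SUCCESS","Type: REG_SZ"
'''


def missing_dll_loads(csv_text):
    """Map process name -> DLL paths the loader looked for and did not find.

    Only CreateFile operations that ended in NAME NOT FOUND on a .dll path are
    kept; successful loads, other results and non-DLL files are noise here."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        if not row["Path"].lower().endswith(".dll"):
            continue
        findings[row["Process Name"]].append(row["Path"])
    return dict(findings)


def is_user_writable(path):
    """Heuristic for locations a standard user can normally write to (profile
    and temp folders).  System32 and Program Files need administrator rights,
    so a missing DLL there is far less exposed to a low-privileged user."""
    lower = path.lower()
    return lower.startswith("c:\\users\\") or "\\temp\\" in lower


def triage(findings):
    """Flatten findings into (process, path, severity) rows, highest first."""
    rows = []
    for process, paths in findings.items():
        for path in paths:
            severity = "high" if is_user_writable(path) else "low"
            rows.append((process, path, severity))
    rows.sort(key=lambda r: (r[2] != "high", r[0], r[1]))
    return rows


if __name__ == "__main__":
    for process, path, severity in triage(missing_dll_loads(SAMPLE_CSV)):
        print(f"[{severity}] {process}: {path}")
```

On a real export, read the file with `encoding="utf-8-sig"` so the BOM ProcMon writes does not end up in the first column name, and treat the writability heuristic as a starting point: the definitive check is the ACL on the directory, which is what decides whether the hijack is reachable from an unprivileged account.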
  14. Step 2: Creating Malicious DLL
    To create a malicious DLL, we can use Metasploit, or you can write your own code to perform the malicious actions. Now place this malicious DLL at the missing location (in our case the DLL is missing on the Desktop, so we place the malicious DLL on the Desktop)
  15. Step 3: Executing Kav Remover
    Now start a listener in Metasploit for the reverse shell. Then execute the kavremover.exe program and wait for the reverse shell to connect back to Metasploit
  16. Manual RCE
    You can code your own DLL for your own desired actions. Here is the example code from HackTricks (https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/dll-hijacking#your-own). To compile it, run PowerShell as Administrator and run this command: g++.exe dll.c -lws2_32 -o srrstr.dll --shared. This code runs the calculator and writes the output of ipconfig to C:\users\username\ipconfig.txt as a PoC.

    #include <windows.h>
    #include <stdlib.h>   // system()

    // Entry point the loader calls; the PoC actions run on DLL_PROCESS_ATTACH,
    // i.e. as soon as the application loads this DLL.
    BOOL WINAPI DllMain(HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
        switch (dwReason) {
            case DLL_PROCESS_ATTACH:
                system("ipconfig > C:\\users\\username\\ipconfig.txt");
                WinExec("calc.exe", 0);
                break;
            case DLL_PROCESS_DETACH:
                break;
            case DLL_THREAD_ATTACH:
                break;
            case DLL_THREAD_DETACH:
                break;
        }
        return TRUE;
    }
  17. Analysing Malicious DLLs
    Analysing malicious files is a broad category, but we are not going to cover it in depth for now. If we load our DLL in IDA and click View -> Open Subview -> Strings, we can get some idea of what the DLL contains. We can see that "whoami > C:\\users\\india\\whoami.txt" is the operation being performed on the system, and "calc.exe" may be triggered, as shown on the next line.
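As an added example (not from the talk), the script below reproduces the first pass that the IDA Strings subview gives you: it pulls printable ASCII and UTF-16LE runs out of a byte blob and flags the ones that look like redirected commands, process launches, shell/exec imports or hard-coded network endpoints, which is the kind of triage that separates the strings on this slide from ordinary import names. The byte blob is constructed to mimic those strings; it is not a real DLL, and the endpoint 10.0.0.5:4444 is invented.

```python
# Added example (not from the talk): a small strings extractor with triage
# heuristics.  SAMPLE_BLOB is constructed, not a real DLL, and the endpoint
# 10.0.0.5:4444 inside it is invented.
import re

INDICATORS = [
    # a command whose output is redirected into a file (e.g. whoami > C:\...)
    ("redirected command output", re.compile(r"\b\w+(?:\.exe)?\s*>\s*[A-Za-z]:\\")),
    # launching common interpreters or decoy programs
    ("process launch", re.compile(r"\b(?:cmd|calc|powershell)\.exe\b", re.I)),
    # imports used to spawn processes or shell commands
    ("shell/exec API", re.compile(r"\b(?:WinExec|ShellExecute\w*|CreateProcess\w*|system)\b")),
    # hard-coded IPv4 endpoint, optionally with a port
    ("socket endpoint", re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?\b")),
]

SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16          # fake header bytes
    + b"KERNEL32.dll\x00WinExec\x00system\x00"             # import-table style names
    + b"ipconfig > C:\\users\\username\\ipconfig.txt\x00"  # the PoC command line
    + b"\x01\x02\x7f\xff" + b"calc.exe\x00ab\x00\x00"      # junk, a launch, a short run
    + "10.0.0.5:4444".encode("utf-16le") + b"\x00\x00"     # wide string endpoint
)


def extract_strings(blob, min_len=6):
    """Return printable ASCII and UTF-16LE runs of at least min_len characters,
    the same two families a strings view normally shows for a PE file."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(blob)]
    return found


def flag_strings(strings):
    """Return {string: [indicator labels]} for every string that matches at
    least one heuristic; unmatched strings are left out."""
    flagged = {}
    for s in strings:
        labels = [label for label, rx in INDICATORS if rx.search(s)]
        if labels:
            flagged[s] = labels
    return flagged


if __name__ == "__main__":
    for s, labels in flag_strings(extract_strings(SAMPLE_BLOB)).items():
        print(f"{s!r}: {', '.join(labels)}")
```

The caveat a practitioner should keep in mind: string triage only works on payloads that carry their commands in the clear. A Metasploit-generated reverse shell DLL usually holds an encoded stage rather than readable command lines, which is why the talk's next step, watching the spawned process and its connection in Process Explorer and TCPView, is the better signal for that kind of sample.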
  18. Analysing Malicious DLLs
    Let's look at our reverse shell malicious DLL in Process Explorer and see what we can find. An unknown process is created on running kavremover; it is using cmd.exe, and the properties of the process show that it has a remote connection on port 4444, which is our attacker machine!!
  19. Analysing Malicious DLLs
    Let's look at our reverse shell malicious DLL in TCPView to confirm the previous remote connection. TCPView shows the connection to the attacker machine!
  20. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, infographics & images by Freepik
    Thanks! Do you have any queries? Twitter: @purab_parihar LinkedIn: linkedin.com/in/purabparihar Instagram: @purabparihar