Exploiting DLLs A Guide To DLL Hijacking
Version 1.0
Whitepaper
By
Grishma Sinha
Contact: [email protected]
Exploiting DLLs | Grishma Sinha
Contents
Abstract
Introduction
What are DLLs
Why are DLLs used
How do DLLs work
  DLL Search Order
DLL Hijacking
How to Exploit
  Tools Used
  Practical Demonstration of DLL Search Order Hijacking
Remediation
Conclusion
Abstract
As per the recent statistics available, Windows still remains the most used operating system for
digital devices: almost 77% of the computers today run the Windows operating system. With its
GUI-based implementation and compatibility with most of the available software, Windows is the
straightforward choice for individual users and organizations alike.
Even though the popularity of Windows has always been a motivating factor for its usage, the
extent of security provided by the operating system has always been a point of debate among
security researchers. With the constant surge in the popularity of Windows, the development of
exploits and malware has also been highest in the Windows domain.
This paper discusses Dynamic-link Libraries (DLLs), shared objects that can be used by multiple
executable files for a specific function, and the ways in which DLLs can be abused by attackers
to perform unauthorized tasks. The paper provides a step-by-step guide to exploiting a vulnerable
DLL using tools like PowerSploit and Process Monitor. Further, the ways in which this vulnerability
can be mitigated are discussed, along with the key points that developers should keep in mind
and the best practices that should be followed during the development of desktop applications.
Introduction
Dynamic-link Libraries (DLLs) were implemented by Microsoft to cater to the need for objects
shared among executable files. A DLL is a common set of code that achieves a specific function
and can be used by multiple programs. DLLs reduce redundancy in code and save memory, thereby
ensuring concise and smooth functioning of programs. A DLL can be loaded by a program at startup
or when the program first depends on it. However, the way Windows loads DLLs can be exploited to
make a program load a malicious DLL file; the attack is commonly known as DLL hijacking, DLL
preloading or binary planting.
DLL hijacking was first discovered by Georgi Guninski in 2000. However, the vulnerability gained
popularity in 2010 when hundreds of programs were found to be vulnerable to the attack. The main
reason this vulnerability occurs is the location from which the DLL is loaded by the program: DLL
hijacking can occur where the path from which the DLL is loaded by the application is
user-writable, or where no path has been specified at all.
There are two ways in which DLLs are linked with an executable: implicit linking and explicit
linking. A DLL is linked implicitly when the operating system loads both the DLL and the
executable that uses it at the same time; the functions defined in the DLL are then called by the
executable the way the functions of a static library are called. In explicit linking, however, the
DLL is loaded only when the executable demands it. Implicit linking is the preferred and most used
linking technique; explicit linking, however, can be essential in some situations, for example
when the name of the DLL to be linked is not known in advance.
If a DLL with the same name is already loaded in memory, the system generally links that DLL
irrespective of its location.
The system also keeps a list of known DLLs under the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
If the DLL to be loaded is present in that list, the system loads it from its list of known DLLs
rather than searching for it.
DLL Search Order
When SafeDllSearchMode is enabled:
1. The directory from which the application is loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current directory
6. The directories listed in the PATH environment variable
When SafeDllSearchMode is disabled (disabled by default in Windows XP):
1. The directory from which the application is loaded
2. The current directory
3. The system directory
4. The 16-bit system directory
5. The Windows directory
6. The directories listed in the PATH environment variable
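The search order above is only dangerous when one of the directories in it can be written to by ordinary users. The following PowerShell script is an added example (it is not part of the whitepaper and not a PowerSploit command): it walks the SafeDllSearchMode order for one application and flags every directory where a group that all local users belong to holds write rights. It assumes Windows PowerShell 5.1 or later, that the application path is passed in -AppPath, and that the well-known group names are the English ones.

```powershell
# Added example, not from the whitepaper: list the SafeDllSearchMode search order
# for one application and flag directories where broad groups hold write rights.
# Assumptions: Windows PowerShell 5.1+, the application path is given in -AppPath,
# and group names are the English well-known names.
param(
    [Parameter(Mandatory = $true)]
    [string]$AppPath
)

$appDir   = Split-Path -Parent (Resolve-Path -LiteralPath $AppPath).Path
$winDir   = [Environment]::GetFolderPath('Windows')
$sys32    = [Environment]::GetFolderPath('System')
$sys16    = Join-Path $winDir 'System'      # the 16-bit system directory
$current  = (Get-Location).Path
$pathDirs = ($env:Path -split ';') | Where-Object { $_.Trim() -ne '' }

# Search order when SafeDllSearchMode is enabled, in the order listed above.
$order = @($appDir, $sys32, $sys16, $winDir, $current) + $pathDirs

# Principals every local user is a member of: write access for any of them
# means any user can plant a DLL in the directory.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating or overwriting a file. Modify and FullControl
# contain the WriteData bit, so this mask catches them as well.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [int][System.Security.AccessControl.FileSystemRights]::AppendData

function Test-BroadWrite {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

$position = 0
foreach ($dir in $order) {
    $position++
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A PATH entry that does not exist is worth noting: whoever can create
        # it gains a location inside the search order.
        '{0,2}. {1}  [does not exist]' -f $position, $dir
        continue
    }
    $flag = if (Test-BroadWrite -Directory $dir) { '[WRITABLE by ordinary users]' } else { '' }
    '{0,2}. {1}  {2}' -f $position, $dir, $flag
}
```

Run it as `.\Audit-DllSearchOrder.ps1 -AppPath 'C:\Program Files\DVTA\DVTA.exe'` (the script name and install path are assumptions). Any line marked writable that comes before the directory the legitimate DLL actually lives in is a search-order hijacking location for that application; the current directory and user-controlled PATH entries are the usual offenders.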
DLL Hijacking
DLL hijacking is an attack scenario wherein the attacker tricks the loader into loading a
malicious DLL instead of the actual, legitimate DLL. This attack technique relies on various
misconfigurations left behind by the developers when specifying the DLL invocation routine in the
executable. Some of the techniques are mentioned below:
1. The DLL is loaded from a location that is user-writable, for example a temp folder.
   o If the DLL used by the application is present in a directory that is writable by the
     user, then it is possible for the user to replace that DLL with a malicious DLL file.
     Once replaced, the malicious DLL will be linked to the application and will execute
     whenever the application is run.
   o Prerequisites
     The attacker should have write permissions on the DLL file.
2. The path from which the DLLs are to be loaded is not explicitly defined in the application
   executable.
   o Windows has a specific order in which the DLLs used by the application are searched for
     if the path from which the DLL has to be loaded is not hardcoded. So, for DLLs that
     don't have a hardcoded path, if an attacker can manage to place a malicious DLL in one
     of the earlier directories of the search order, then the loader will load the malicious
     DLL instead of the actual DLL, thereby compromising the application. This technique is
     commonly known as DLL search order hijacking.
   o Prerequisites
How to Exploit
We will try to exploit DLL search order hijacking in the DVTA application, which can be
downloaded from https://github.com/secvulture/dvta. We will be using PowerSploit. This tool is
open source, compatible with Windows and can be downloaded from its official website. Various
other tools can also be used to perform the same tasks.
Tools Used
PowerSploit
Metasploit
Process Explorer (Optional)
Open PowerSploit with admin privileges and run the following command, replacing DVTA with the
name of the application whose DLLs are to be searched.
PowerSploit will display the list of all DLLs that don't have a hardcoded path for DVTA.
The same can be done using Process Explorer: set up a filter to show the DLLs used by the
application we aim to exploit that don't have a hardcoded path.
Find-PathDLLHijack
We can also use Metasploit to create the same. Just run the following command:
Now that everything is in place, we run the exe and the calculator pops up, which was not the
intended action of the application.
Remediation
1. Hard code paths
Hardcoding the paths from which the DLLs are loaded is the most basic and robust prevention
mechanism that application developers can employ. Leaving the decision to choose the DLL
2. Enable SafeDllSearchMode
In case the paths of the DLLs are not hardcoded, SafeDllSearchMode ensures that the search
performed by the operating system prioritizes the DLL search order so as to minimize risk. This
mode is on by default on recent Windows operating systems. In Windows XP and below it is disabled
by default, but it can be enabled by making the proper registry entries.
3. Directories where DLLs are stored should not be world-writable
Developers should ensure that DLLs are not loaded from a directory that can be controlled by
other users, for example temp, downloads etc. Furthermore, users should not install applications
in directories that can be accessed by other users.
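Remediation 2 is a registry setting, and the KnownDLLs list mentioned earlier decides which system DLLs bypass the search order altogether. The script below is an added example (not from the whitepaper): it reports whether the SafeDllSearchMode value is present and set to 1, optionally sets it, and prints the KnownDLLs list so an administrator can see which library names the loader will never resolve through the search path. It assumes an elevated PowerShell session when -Enforce is used, because the key lives under HKLM; the registry path and value names are the ones cited in this paper.

```powershell
# Added example, not from the whitepaper: report the SafeDllSearchMode setting and
# the KnownDLLs list, and optionally turn SafeDllSearchMode on.
# Assumption: run elevated when -Enforce is used (the key is under HKLM).
param(
    [switch]$Enforce
)

$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$knownDlls      = Join-Path $sessionManager 'KnownDLLs'

function Get-SafeDllSearchMode {
    $item  = Get-ItemProperty -Path $sessionManager -ErrorAction Stop
    $value = $item.PSObject.Properties['SafeDllSearchMode']
    if ($null -eq $value) {
        # Value absent: the paper notes the mode is on by default on recent
        # Windows versions, but an explicit value removes any doubt.
        return [pscustomobject]@{ Present = $false; Enabled = $true }
    }
    return [pscustomobject]@{ Present = $true; Enabled = ($value.Value -eq 1) }
}

$state = Get-SafeDllSearchMode
if ($state.Present) {
    "SafeDllSearchMode value present, enabled = $($state.Enabled)"
} else {
    "SafeDllSearchMode value not set (default behaviour applies)"
}

if ($Enforce -and -not ($state.Present -and $state.Enabled)) {
    # REG_DWORD 1 selects the safe order shown in the DLL Search Order section.
    Set-ItemProperty -Path $sessionManager -Name 'SafeDllSearchMode' -Value 1 -Type DWord
    "SafeDllSearchMode explicitly set to 1"
}

# Libraries on the KnownDLLs list are loaded from the known-DLL location
# rather than through the search order, so they are not candidates for
# search-order hijacking. PS* properties are PowerShell metadata, not values.
"`nKnownDLLs:"
(Get-ItemProperty -Path $knownDlls).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { '  {0} = {1}' -f $_.Name, $_.Value }
```

Run without parameters to audit, and with -Enforce to fix. A DLL name that an application loads without a full path and that is absent from the KnownDLLs output is exactly the kind of dependency remediation 1 (hardcoded paths) is meant to cover.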
Conclusion
Widely Present
DLLs are widely used components of the various applications that run on Windows.
Vulnerabilities like DLL hijacking, although identified long ago, are still widely present and
are frequently acknowledged via CVEs pertaining to 2019.
Difficult to exploit in the real world
An ideal scenario where it is practically possible to exploit the vulnerability is quite rare. A
successful exploitation would require the attacker to first confirm the presence of the
vulnerable program on the victim's system. Furthermore, the attacker has to implant the
malicious DLL file in the appropriate location. This whole process is fairly complex if the
attacker is remote.
High Impact on successful exploitation
Although difficult to exploit remotely, there are various situations where DLL hijacking can be
performed by leveraging other vulnerabilities in the system.
o Leveraging a vulnerable service
  The presence of a vulnerable service that provides read/write access to the attacker, the
  presence of RCE in a web app, or a vulnerable or misconfigured service like SMB running on
  the system can aid in this process.
o Privilege Escalation
  DLL hijacking becomes most useful when the aim is to escalate privileges. The main thing to
  look for in this case is a process that has been started by the administrator and that loads
  DLLs from a location on which a low-privileged user has read/write access.
Easy Remediation
The remediation process for patching DLL hijacking is fairly straightforward. Developers should
ensure that they leave no DLL path undefined.
Beware of Misconfigs
The system owner should also ensure that malware detection applications are present on the
system. Even after due diligence has been maintained on the part of the developer, if an attacker
still manages to replace the valid DLL with a malicious one, a backdoor is opened granting the
attacker permanent access. Therefore it is necessary to keep all software and programs up to
date, install security fixes and patches, and take periodic backups (and backups of backups).
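The privilege-escalation case in the conclusion (a process started by an administrator loading a DLL from a location a low-privileged user can write to) and the "Beware of Misconfigs" point both reduce to one observable: a DLL being loaded from a user-writable directory. The PowerShell below is an added example, not from the whitepaper, of the detection logic a defender would run over image-load telemetry. The sample records are constructed for this example; the Sysmon wrapper at the end assumes Sysmon is installed with image-load logging (event ID 7) enabled, and the DVTA install path and the user-writable prefix list are assumptions to be replaced with the output of an ACL audit of your own hosts.

```powershell
# Added example, not from the whitepaper: flag DLLs loaded from directories that
# ordinary users can write to. Sample records below are constructed; the Sysmon
# wrapper assumes Sysmon with image-load (event ID 7) logging.

# Constructed list of prefixes any user can usually write under; replace it with
# the findings of an ACL audit of the hosts you monitor.
$userWritablePrefixes = @(
    'C:\Users\',
    'C:\Windows\Temp\',
    'C:\ProgramData\'
)

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($prefix in $userWritablePrefixes) {
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Each record needs Image (process executable), ImageLoaded (DLL path) and
# Signed ('true'/'false'); these are the Sysmon event ID 7 field names.
function Find-SuspiciousImageLoad {
    param([object[]]$Records)
    foreach ($r in $Records) {
        $loaded = [string]$r.ImageLoaded
        if (-not $loaded.EndsWith('.dll', [System.StringComparison]::OrdinalIgnoreCase)) { continue }
        if (-not (Test-UserWritablePath $loaded)) { continue }
        $reasons = @('loaded from user-writable directory')
        if ([string]$r.Signed -eq 'false') { $reasons += 'unsigned' }
        # A DLL whose file name also exists in System32 matches the
        # search-order hijacking pattern described in this paper.
        $name = Split-Path -Leaf $loaded
        if (Test-Path -LiteralPath (Join-Path ([Environment]::GetFolderPath('System')) $name)) {
            $reasons += 'same name as a System32 DLL'
        }
        [pscustomobject]@{
            Process = $r.Image
            Dll     = $loaded
            Reasons = ($reasons -join '; ')
        }
    }
}

# Constructed sample records, not real telemetry (the DVTA path is assumed).
$sample = @(
    [pscustomobject]@{ Image = 'C:\Program Files\DVTA\DVTA.exe'; ImageLoaded = 'C:\Windows\System32\version.dll'; Signed = 'true' },
    [pscustomobject]@{ Image = 'C:\Program Files\DVTA\DVTA.exe'; ImageLoaded = 'C:\Users\alice\AppData\Local\Temp\dwmapi.dll'; Signed = 'false' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\svchost.exe'; ImageLoaded = 'C:\Windows\System32\ntdll.dll'; Signed = 'true' }
)
Find-SuspiciousImageLoad -Records $sample | Format-Table -AutoSize

# Wrapper for live Sysmon data: event ID 7 is "Image loaded".
function Get-SysmonImageLoads {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{ Image = $data['Image']; ImageLoaded = $data['ImageLoaded']; Signed = $data['Signed'] }
        }
}
# Find-SuspiciousImageLoad -Records (Get-SysmonImageLoads)
```

On the constructed sample only the second record is reported: it is loaded from a user profile, it is unsigned, and its name collides with a system DLL. The process column is what turns a finding into the privilege-escalation case the conclusion describes: a hit whose Process runs elevated while the Dll sits under a directory ordinary users can write to.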