Dynamic Link Libraries (DLLs) are shared libraries that Microsoft Windows uses to provide core functions to all applications. DLLs offer efficiency benefits in several ways. First, software developers can call built-in DLL functions instead of having to build that functionality into their own applications, reducing development effort.
Second, DLLs reduce the burden on memory and system resources, because a single DLL loaded into memory can be shared by separate programs. By comparison, Linux and other Unix-based systems have a similar mechanism that uses .so (shared object) files. Ultimately, the role of DLLs in the Windows architecture is to provide a flexible and efficient way to share code and functionality between programs.
DLLs are Portable Executable (PE) files with the same properties as .exe files, and they can be written in a variety of programming languages such as C, C++, Python, Rust, C#, .NET, and Visual Basic. To use a DLL, an application first imports it and then calls its functions using object-oriented or functional-style programming.
That brings us to...
There are several well-known cyberattack tactics and techniques that exploit how DLLs operate in the Windows operating system. These attacks can be broadly classified into two main tactics: compromising the integrity of an existing trusted Windows DLL with malicious code, and exploiting the search order that Windows follows when loading a requested DLL.
If a process with system privileges loads a malicious DLL, the attacker can gain full control over the system. However, even a malicious DLL that executes only with user-level privileges can still potentially communicate with an attacker-controlled remote command and control (C2) server, execute arbitrary code, access sensitive data, and even exfiltrate data stored in an application's protected memory.
With this in mind, let's look at how DLL hijacking attacks work:
DLL Code Injection is a technique in which an attacker injects malicious code into a legitimate DLL file. To make the attack covert, a threat actor can first reverse engineer a legitimate Windows DLL with a decompiler such as Ghidra, then modify the existing code by adding malicious functionality to commonly used functions. Finally, the attacker recompiles the DLL and copies it over the legitimate DLL in its original location.
Whenever that hijacked DLL is loaded and an infected function is called, the attacker's malware executes and performs whatever it has been programmed to do. One saving grace for potential victims is that administrative permissions are typically required on the target system to overwrite a legitimate Windows system DLL. However, those admin privileges can potentially be gained by anyone with physical access to the target system using a Windows install USB, or through other privilege escalation attacks. While DLL Code Injection requires high-level privileges to carry out, it also gives the attacker Windows system privileges and virtually unlimited power.
To prevent this type of attack, it is important to stop all systems from booting from USB, to set a BIOS administrator password that protects the system's boot sequence, and to ensure that users are only granted administrative permissions if they absolutely require them, following the IT security principle of least privilege (POLP). Beyond locking down USB-based privilege escalation attacks and applying the POLP when allocating user accounts, it is also critical to keep the Windows OS fully updated so that all available security patches have been applied, closing any known privilege escalation vulnerabilities in the Windows OS.
Finally, continuous monitoring of Windows file integrity can help identify changes to system DLLs by periodically checking their hashes against a known-good baseline. Many advanced security products, such as Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions, will monitor the OS for such changes.
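One way to run that hash check yourself, as an added example rather than code from the original article or from any product it mentions: a small Python script that records the SHA-256 of every DLL under a directory and later reports which ones were modified, added or removed. The script name and the file names used in testing are assumptions.

```python
import hashlib
import json
import sys
from pathlib import Path

# Added example, not code from the original article: a minimal file-integrity
# baseline for DLLs. Hash every .dll under a directory, save the hashes, and
# later diff a fresh scan against that saved baseline to spot overwritten,
# added or removed DLLs. Point it at a directory you can read, e.g.
# %SystemRoot%\System32, from an account that is allowed to read it.

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large DLLs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(directory) -> dict:
    """Map each *.dll (path relative to `directory`) to its SHA-256 hex digest."""
    root = Path(directory)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*.dll")) if p.is_file()}

def save_baseline(baseline: dict, out_file) -> None:
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))

def load_baseline(in_file) -> dict:
    return json.loads(Path(in_file).read_text())

def compare(baseline: dict, current: dict) -> dict:
    """DLLs whose hash changed, DLLs that appeared, and DLLs that disappeared."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }

if __name__ == "__main__":
    # Usage: python dll_fim.py <directory> <baseline.json>
    # First run writes the baseline; later runs report differences against it.
    directory, baseline_file = sys.argv[1], sys.argv[2]
    if Path(baseline_file).exists():
        report = compare(load_baseline(baseline_file), build_baseline(directory))
        print(json.dumps(report, indent=2))
    else:
        save_baseline(build_baseline(directory), baseline_file)
        print(f"baseline written to {baseline_file}")
```

Store the baseline file somewhere the monitored account cannot write, otherwise an attacker who can replace a DLL can also rewrite the hash it is compared against.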
This technique has several names, including DLL Search Order Hijacking, DLL Side-Loading, and DLL Spoofing. To carry out this attack, an attacker places a malicious DLL in a location that comes earlier in the Windows DLL search order than the built-in Windows DLL.
Built-in Windows DLLs are typically stored in the %SystemRoot%\System32 directory on a 64-bit version of Windows and in the %SystemRoot%\SysWOW64 directory on a 32-bit version of Windows. The Windows DLL search order starts by checking the executed program's current working directory, followed by the directories listed in the PATH environment variable, and finally the Windows system directories such as %SystemRoot%\System32. By copying a malicious DLL into the same directory as the program, or into another directory on the system PATH, the attacker can get their rogue DLL loaded instead of the legitimate one.
Defensive strategies for preventing DLL Search Order Hijacking include implementing proper access controls according to the POLP, and only using trusted software from reliable developers who load DLLs by fully qualified path, which defeats search order hijacking. Other mitigations include installing and regularly updating anti-malware security products such as anti-virus, EDR, and XDR that can identify malicious DLL files as they enter the system and prevent them from executing.
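To make the search order concrete, here is an added example (not code from the original article) that walks the order as the article describes it over a constructed set of paths and reports DLL names that would resolve to a copy outside the system directories; it also shows why loading by fully qualified path sidesteps the search entirely. The directory and file names are assumptions.

```python
from pathlib import PureWindowsPath

# Added example, not code from the original article. It models the DLL search
# order as the article describes it (program directory, then PATH directories,
# then the Windows system directories) over a constructed file inventory, and
# audits which DLL names resolve to a copy that shadows the system directory's.
# Every path below is constructed sample data.

SYSTEM_DIRS = [r"C:\Windows\System32"]

def resolve_dll(name, app_dir, path_dirs, system_dirs, present):
    """First existing candidate in search order; `present` is a set of lower-cased paths."""
    if PureWindowsPath(name).is_absolute():
        # A fully qualified path skips the search: the mitigation the article recommends.
        return name if name.lower() in present else None
    for directory in [app_dir, *path_dirs, *system_dirs]:
        candidate = str(PureWindowsPath(directory) / name)
        if candidate.lower() in present:
            return candidate
    return None

def shadowed_system_dlls(names, app_dir, path_dirs, system_dirs, present):
    """Names that resolve outside the system directories although a system copy exists."""
    findings = {}
    for name in names:
        resolved = resolve_dll(name, app_dir, path_dirs, system_dirs, present)
        if resolved is None:
            continue
        in_system = any(PureWindowsPath(resolved).parent == PureWindowsPath(s)
                        for s in system_dirs)
        system_copy = any(str(PureWindowsPath(s) / name).lower() in present
                          for s in system_dirs)
        if system_copy and not in_system:
            findings[name] = resolved
    return findings

# Constructed inventory: a writable directory on PATH holds a second "shared.dll".
PRESENT = {p.lower() for p in [
    r"C:\Windows\System32\shared.dll",
    r"C:\Windows\System32\core.dll",
    r"C:\Tools\bin\shared.dll",
    r"C:\Program Files\App\app.exe",
]}

if __name__ == "__main__":
    hits = shadowed_system_dlls(["shared.dll", "core.dll"], r"C:\Program Files\App",
                                [r"C:\Tools\bin"], SYSTEM_DIRS, PRESENT)
    print(hits)  # {'shared.dll': 'C:\\Tools\\bin\\shared.dll'}
```

Any name the audit reports is one where a file that is not the system copy wins the search, which is exactly the condition a defender wants flagged, whether it appeared through a bad PATH entry or a stray file beside the program.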
DLL hijacking attacks are a powerful group of attacks that take advantage of the fact that Windows shared libraries are trusted and used by many applications. DLL hijacking can potentially give an attacker unbridled power to connect to C2 servers, execute arbitrary code, and steal sensitive information from disk or RAM.
IT security best practices such as the POLP can help mitigate the potential for DLL attacks to compromise a system. While anti-virus products can sometimes identify malicious DLLs as they enter a system and prevent them from executing, advanced cybersecurity products that go beyond simply scanning files for malware can continuously monitor the Windows OS for indicators of DLL compromise and prevent rogue DLLs from executing.
Need more information on how to protect you and your organization from DLL hijacking? Contact your friendly neighbourhood ethical hackers to learn more.