DLL Hijacking

DLL Hijacking Basics

This article covers the basics of DLLs: the two types of DLL and the DLL search order.

Common Techniques

Several methods are used for DLL hijacking; the effectiveness of each depends on the application's DLL loading strategy:

  • DLL Replacement: Swapping a genuine DLL with a malicious one, optionally using DLL Proxying to preserve the original DLL's functionality.

  • DLL Search Order Hijacking: Placing the malicious DLL in a search path ahead of the legitimate one, exploiting the application's search pattern.

  • Phantom DLL Hijacking: Creating a malicious DLL in place of a required DLL that does not exist on the system, so the application loads it.

  • DLL Redirection: Modifying search parameters like %PATH% or .exe.manifest / .exe.local files to direct the application to the malicious DLL.

  • WinSxS DLL Replacement: Substituting the legitimate DLL with a malicious counterpart in the WinSxS directory, a method often associated with DLL side-loading.

  • Relative Path DLL Hijacking: Placing the malicious DLL in a user-controlled directory with the copied application, resembling Binary Proxy Execution techniques.
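
A detection-side illustration of the search order and relative path techniques above (an added example, not part of the original article): this Python triages image-load events in the style of Sysmon Event ID 7, flagging a system DLL name loaded from outside the Windows system directories and a DLL loaded beside an executable in a user-writable path. The trusted directories, the DLL name baseline, the writable prefixes and the sample events are assumptions constructed for the example.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption: directories where Windows system DLLs legitimately live.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Constructed baseline; in practice, build it from a listing of System32.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll"}
# Assumption: path prefixes that standard users can usually write to.
USER_WRITABLE = tuple(p + "\\" for p in (r"c:\users", r"c:\programdata", r"c:\windows\temp"))

def in_trusted_dir(path):
    d = ntpath.normcase(ntpath.dirname(path))
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)

def classify(event):
    """Return findings for one image-load event (Sysmon Event ID 7 style fields)."""
    image = ntpath.normcase(event["Image"])
    loaded = ntpath.normcase(event["ImageLoaded"])
    findings = []
    # A system DLL name resolved from a non-system directory: search order hijack indicator.
    if ntpath.basename(loaded) in SYSTEM_DLL_NAMES and not in_trusted_dir(loaded):
        findings.append("system-dll-name-outside-trusted-dir")
    # DLL sitting next to the executable in a user-writable tree: relative path indicator.
    if ntpath.dirname(loaded) == ntpath.dirname(image) and loaded.startswith(USER_WRITABLE):
        findings.append("loaded-beside-exe-in-user-writable-dir")
    if event.get("Signed", "false").lower() != "true":
        findings.append("unsigned")
    return findings

def triage(events):
    """Keep events with a location finding; 'unsigned' alone is too noisy to alert on."""
    out = []
    for e in events:
        f = classify(e)
        if any(x != "unsigned" for x in f):
            out.append((e["ImageLoaded"], f))
    return out

# Constructed sample events (not taken from a real host).
SAMPLE = [
    {"Image": r"C:\Program Files\App\app.exe", "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\App\app.exe", "ImageLoaded": r"C:\Program Files\App\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\bob\Downloads\tool\setup.exe", "ImageLoaded": r"C:\Users\bob\Downloads\tool\helper.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\App\app.exe", "ImageLoaded": r"C:\Program Files\App\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for path, findings in triage(SAMPLE):
        print(path, findings)
```
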


For hands-on practice with DLL hijacking, try the HTB: Hathor lab: https://app.hackthebox.com/machines/459

0xdf's writeup of HTB: Hathor:

https://0xdf.gitlab.io/2022/11/19/htb-hathor.html#execution-via-dll-overwrite

IppSec also has a video specifically about DLL hijacking.

More fun about DLL hijacking
