DLL load order hijacking

March 26, 2020 by Srinivas

DLL load order hijacking is a popular technique used to force a legitimate program to load a malicious DLL file in Windows by abusing Windows’ DLL load order feature. In this article, we will discuss how DLL load order hijacking works and how it can be used by malware authors when writing malware programs.

What is a DLL?

A dynamic-link library (DLL) is a library that contains reusable code. Other programs can invoke code available in the DLLs without rewriting it.

According to Microsoft: “A DLL is a library that contains code and data that can be used by more than one program at the same time. For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box-related functions. Therefore, each program can use the functionality that is contained in this DLL to implement an Open dialog box. This helps promote code reuse and efficient memory usage.”

What is DLL load order?

DLL load order is the sequence in which Windows searches for a Dynamic Link Library (DLL) file when a program asks for it to be loaded. It applies only when the fully qualified path name of the DLL is not specified; if the program passes a full path, no search takes place.

When a fully qualified path name is not specified, Windows attempts to locate the DLL by searching a predefined set of folders in a specific order. This is shown below. 

  1. The directory from which the application loaded
  2. The system directory
  3. The 16-bit system directory
  4. The Windows directory
  5. The current directory
  6. The directories that are listed in the PATH environment variable

What is DLL load order hijacking?

Let us assume that an application is designed to load a DLL from the current directory, as shown in the following excerpt.

LoadLibrary("myfile.dll");

As we can observe, a fully qualified name is not specified when loading the DLL file, so Windows has to search for it.

As mentioned earlier, Windows attempts to locate the DLL by searching a predefined set of folders in the specific order shown in the previous section. In this case, we assume that the original DLL file is available in the current directory. But, as per the search order, four other directories are searched before the current directory is reached.

If an attacker can place a malicious DLL file in one of the following locations, the malicious DLL will be loaded by the application instead of the original one:

  1. The directory from which the application loaded
  2. The system directory
  3. The 16-bit system directory
  4. The Windows directory

However, this can break the original application’s functionality. To avoid this situation, the malicious DLL can be written in a way that it loads the original DLL in turn. 
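The search walk described in the previous section and the hijack scenario above can be made concrete with a small simulation. The following is an added example written for this article, not code from the original post: it walks the six locations in the order the article lists, reports which directory a given DLL name would be taken from, and lists the directories probed before it that a low-privileged user could write to. The directory names, file listings and the `writable` set are constructed for illustration; `SearchEnv`, `resolve_dll` and `hijack_exposure` are names introduced here.

```python
"""Walk the default Windows DLL search order and flag hijackable directories.

Added example for this article, not code from the original. The directories,
file listings and 'writable' set below are constructed for illustration; the
order walked is the one the article lists.
"""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SearchEnv:
    """The six locations the loader probes, in order, for an unqualified name."""
    app_dir: str          # 1. directory the application loaded from
    system_dir: str       # 2. system directory (System32)
    system16_dir: str     # 3. 16-bit system directory
    windows_dir: str      # 4. Windows directory
    current_dir: str      # 5. current working directory
    path_dirs: List[str] = field(default_factory=list)  # 6. PATH entries

    def order(self) -> List[str]:
        return [self.app_dir, self.system_dir, self.system16_dir,
                self.windows_dir, self.current_dir, *self.path_dirs]


def _has_file(fs: Dict[str, List[str]], directory: str, name: str) -> bool:
    # Windows file names are case-insensitive
    return name.lower() in (f.lower() for f in fs.get(directory, []))


def resolve_dll(name: str, env: SearchEnv, fs: Dict[str, List[str]]) -> Optional[str]:
    """Directory the loader would take `name` from, or None if it is nowhere.

    `fs` maps a directory to the file names it holds (a constructed stand-in
    for the real file system)."""
    if ntpath.isabs(name):
        # Fully qualified path: no search happens at all
        directory, base = ntpath.split(name)
        return directory if _has_file(fs, directory, base) else None
    for directory in env.order():
        if _has_file(fs, directory, name):
            return directory
    return None


def hijack_exposure(name: str, env: SearchEnv, fs: Dict[str, List[str]],
                    writable: Set[str]) -> Tuple[Optional[str], List[str]]:
    """Return (directory actually used, writable directories probed before it).

    A non-empty list means a file dropped there would be picked up ahead of
    the legitimate DLL. When the DLL is never found (first element None),
    every writable directory in the walk is listed."""
    found = resolve_dll(name, env, fs)
    if ntpath.isabs(name):
        return found, []            # qualified load: nothing precedes it
    exposed: List[str] = []
    for directory in env.order():
        if directory == found:
            break
        if directory in writable and directory not in exposed:
            exposed.append(directory)
    return found, exposed


# Constructed scenario matching the article: the legitimate myfile.dll sits in
# the current directory, but the application was installed under the user's
# profile, so its own directory (searched first) is writable without elevation.
ENV = SearchEnv(
    app_dir=r"C:\Users\alice\AppData\Local\dvta",
    system_dir=r"C:\Windows\System32",
    system16_dir=r"C:\Windows\System",
    windows_dir=r"C:\Windows",
    current_dir=r"C:\Users\alice\work",
    path_dirs=[r"C:\Windows\System32", r"C:\Tools"],
)
FS = {
    r"C:\Windows\System32": ["kernel32.dll", "user32.dll"],
    r"C:\Users\alice\work": ["myfile.dll"],
}
WRITABLE = {r"C:\Users\alice\AppData\Local\dvta", r"C:\Users\alice\work", r"C:\Tools"}

if __name__ == "__main__":
    for dll in ("myfile.dll", "missing.dll", r"C:\Users\alice\work\myfile.dll"):
        found, exposed = hijack_exposure(dll, ENV, FS, WRITABLE)
        print(f"{dll}: loaded from {found!r}; writable directories searched first: {exposed}")
```

Two caveats when reading the output against a real system: the order listed is the one used when SafeDllSearchMode is enabled, which is the default on supported Windows versions, and the real loader consults already-loaded modules and the KnownDLLs list before walking any directories, so system DLLs such as kernel32.dll are not reached by this walk. The third case in the loop shows the application-side fix the article mentions: a fully qualified path disables the search entirely.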

How can DLL load order hijacking be used by malware? 

DLL load order hijacking is one of the popular techniques used by malware authors to achieve persistence with relative ease. This technique can also be used to achieve privilege escalation if the target vulnerable program is run at a higher privilege level. 

How to find if a program is vulnerable to DLL load order hijacking

It is possible to identify whether a given program is vulnerable to DLL load order hijacking using a tool named Process Monitor, part of the Sysinternals suite, which can be downloaded from Microsoft.

The following steps describe how to use Process Monitor to identify DLL load operations in a given application.

  1. Launch Process Monitor and apply filters to narrow the output on the main window. A filter is applied by opening the Filter window and choosing the desired options, as shown in the figure below.

As we can see in the preceding image, we are examining a binary called dvta.exe. We want to see every event from this application whose result is NAME NOT FOUND, since those events show where a DLL was searched for and not found.

  2. Now launch the target application and observe the Process Monitor window.
  3. As shown in the preceding figure, all the events that have the result NAME NOT FOUND are listed. If any of the paths look suspicious (for example, an attempt to load a DLL from the current directory), the application is potentially vulnerable to DLL load order hijacking.
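Process Monitor can export its filtered event list as CSV, and the manual review in the steps above can then be scripted. The following is an added example written for this article, not code from the original post or from the Process Monitor tool. It assumes the default Procmon CSV columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the event lines in `SAMPLE_CSV` are constructed, and the functions `dll_search_trail` and `hijack_candidates` are names introduced here. For each DLL the target process probed, it records the directories where the loader got NAME NOT FOUND and the directory where the file was finally found, if anywhere.

```python
"""Triage a Process Monitor CSV export for DLL search-order hijack candidates.

Added example, not from the original article or from Process Monitor. Assumes
the default Procmon CSV column set; every event line below is constructed.
"""
import csv
import io
import ntpath
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed export: dvta.exe asks for myfile.dll without a path, the loader
# misses in four directories before finding it in the current directory;
# helper.dll is never found at all; kernel32.dll is found immediately.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","dvta.exe","4120","CreateFile","C:\\Program Files\\dvta\\myfile.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0002","dvta.exe","4120","CreateFile","C:\\Windows\\System32\\myfile.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0003","dvta.exe","4120","CreateFile","C:\\Windows\\System\\myfile.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0004","dvta.exe","4120","CreateFile","C:\\Windows\\myfile.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0005","dvta.exe","4120","CreateFile","C:\\Users\\alice\\work\\myfile.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0006","dvta.exe","4120","Load Image","C:\\Users\\alice\\work\\myfile.dll","SUCCESS","Image Base: 0x7ffb1c2d0000"
"10:01:02.0007","dvta.exe","4120","CreateFile","C:\\Program Files\\dvta\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0008","dvta.exe","4120","CreateFile","C:\\Windows\\System32\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0009","dvta.exe","4120","CreateFile","C:\\Users\\alice\\work\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.0010","dvta.exe","4120","CreateFile","C:\\Program Files\\dvta\\settings.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:01:02.0011","dvta.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.0012","explorer.exe","1234","CreateFile","C:\\Windows\\System32\\other.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"""


def dll_search_trail(csv_text: str, process_name: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group the target process's CreateFile probes for *.dll paths by DLL
    base name, preserving event order. Returns {dll: [(directory, result)]}."""
    trail: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue                       # events from other processes
        if row["Operation"] != "CreateFile":
            continue                       # Load Image etc. are not probes
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue                       # config files, registry, ...
        directory, base = ntpath.split(path)
        trail[base.lower()].append((directory, row["Result"]))
    return dict(trail)


def hijack_candidates(csv_text: str, process_name: str) -> Dict[str, Dict[str, object]]:
    """DLLs for which the loader got NAME NOT FOUND at least once.

    'missed' lists the directories probed without success, in order;
    'loaded_from' is the directory where the file was eventually found, or
    None when the DLL is searched for and never found (the case the article
    highlights, since any of the missed directories would then be accepted)."""
    out: Dict[str, Dict[str, object]] = {}
    for dll, events in dll_search_trail(csv_text, process_name).items():
        missed = [d for d, r in events if r == "NAME NOT FOUND"]
        hits = [d for d, r in events if r == "SUCCESS"]
        if missed:
            out[dll] = {"missed": missed, "loaded_from": hits[0] if hits else None}
    return out


if __name__ == "__main__":
    for dll, info in hijack_candidates(SAMPLE_CSV, "dvta.exe").items():
        print(f"{dll}: loaded from {info['loaded_from']!r}")
        for d in info["missed"]:
            print(f"    probed first, not found: {d}")
```

A DLL that is found only after misses in directories the user can write to, or that is never found at all, is the signal the article's step 3 asks you to look for; DLLs found on the first probe (kernel32.dll here) and non-DLL paths (settings.ini) are dropped so the list stays short on a real export.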

Conclusion

In this article, we discussed what DLL load order hijacking is and how it can be exploited by malicious actors. We also discussed how these vulnerabilities can be identified by using a tool like Process Monitor.


Srinivas

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds the Offensive Security Certified Professional (OSCP) certification. He blogs at www.androidpentesting.com. Email: srini0x00@gmail.com