Jump to content
Main menu
Main menu
move to sidebar
hide
Navigation
Main page
Recent changes
Random page
Help about MediaWiki
Special pages
Niidae Wiki
Search
Search
Appearance
Create account
Log in
Personal tools
Create account
Log in
Pages for logged out editors
learn more
Contributions
Talk
Editing
DLL hell
(section)
Page
Discussion
English
Read
Edit
View history
Tools
Tools
move to sidebar
hide
Actions
Read
Edit
View history
General
What links here
Related changes
Page information
Appearance
move to sidebar
hide
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
===Use by malware=== Windows searches several locations for ambiguous DLLs, i.e. ones not fully qualified. [[Malware]]s can exploit this behavior in several ways collectively known as ''DLL search order hijacking''. One method is ''DLL preloading'' or a ''binary planting attack''. It places DLL files with the same name in a location that is searched earlier, such as the current working directory. When the vulnerable program tries to load the DLL, the malicious version is executed, possibly at high privilege levels if the program runs at that level.<ref name="mitre-attack">{{Cite web |last=Holston |first=Ami |last2=Liang |first2=Marina |last3=Kanthak |first3=Stefan |last4=Smith |first4=Travis |last5=Alexander |first5=Will |date=30 September 2024 |title=Hijack Execution Flow: DLL Search Order Hijacking, Sub-technique T1574.001 - Enterprise |url=https://attack.mitre.org/versions/v16/techniques/T1574/001/ |access-date=2024-12-07 |website=ATT&CK |series=Version 1.3 |publisher=MITRE |id=T1574.001}}</ref> Another method is ''relative path DLL hijacking'', which moves the vulnerable program to a location together with the malicious DLL. The DLL is loaded because the application's directory is searched early. According to [[CrowdStrike]], this method is the most common.<ref name="crowdsource">{{Cite web |author=Falcon OverWatch Team |date=December 30, 2022 |title=4 Ways Adversaries Hijack DLLs |url=https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/ |access-date=2024-12-07 |website=CrowdStrike |language=en-US}}</ref> ''DLL sideloading'' delivers both the legitimate program and malicious library. It may avoid detection because the execution seems as running a reputable program.<ref name="checkpoint-research">{{Cite web |date=2024-09-25 |title=10 Years of DLL Hijacking, and What We Can Do to Prevent 10 More |url=https://research.checkpoint.com/2024/10-years-of-dll-hijacking-and-what-we-can-do-to-prevent-10-more/ |access-date=2024-12-07 |website=Check Point Research |language=en-US}}</ref> Other methods include ''phantom DLL hijacking'', where a malicious DLL file is created against references to a non-existent library, and changing registry values to abuse ''DLL redirection'', which changes the DLL search order.<ref name="mitre-attack" /> DLL hijacking was used by state-sponsored groups including [[Lazarus Group]] and [[Tropic Trooper]].<ref name="checkpoint-research" />
Summary:
Please note that all contributions to Niidae Wiki may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
Encyclopedia:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Search
Search
Editing
DLL hell
(section)
Add topic
