Windows Privilege Escalation with DLL Hijacking
Contains the details of the topic Privilege Escalation/Windows/Various/DLL Injection.
Similar to but with DLLs (Dynamic Link Libraries).
We can:
Overwrite a DLL
Hijack the DLL search order
Exploit a missing DLL
The default DLL search order used by the system depends on whether Safe DLL Search Mode is activated. By default it is enabled.
With this mode enabled, applications search for necessary DLL files in the following sequence:
1. The directory from which the application is loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable.
However, if 'Safe DLL Search Mode' is deactivated, the search order changes to:
1. The directory from which the application is loaded.
2. The current directory.
3. The system directory.
4. The 16-bit system directory.
5. The Windows directory.
6. The directories that are listed in the PATH environment variable.
View service DLLs. See the permissions of those DLLs, whether they are editable and therefore overwritable, or whether they are missing.
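The two search orders above, and the check that follows from them, as an added example that is not part of the original notes: a small model of the search walk that reports which directories a low-privileged user can write to are consulted before the legitimate DLL is found (or, for a missing DLL, consulted at all). The directory names, the file lists and the writable set are constructed sample data, not output from a real system; KnownDLLs, manifests and absolute-path loads are deliberately not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# System, 16-bit system and Windows directories in the order the notes list them.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir: str, cwd: str, path_dirs: list[str], safe_mode: bool) -> list[str]:
    """Directories consulted, in order, for a DLL loaded by bare name."""
    if safe_mode:
        # Safe DLL Search Mode: current directory drops below the system directories.
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


@dataclass
class Finding:
    resolved: Optional[str]                      # directory where the DLL was found, None if missing
    exposed_dirs: list[str] = field(default_factory=list)  # writable dirs searched first


def audit(dll: str, order: list[str], present: dict[str, set[str]], writable: set[str]) -> Finding:
    """Walk the order; every user-writable directory consulted before the legitimate
    copy (or every one of them, if the DLL is missing) is a hijack exposure to fix."""
    exposed: list[str] = []
    for directory in order:
        if dll.lower() in {f.lower() for f in present.get(directory, set())}:
            return Finding(directory, exposed)
        if directory in writable:
            exposed.append(directory)
    return Finding(None, exposed)


def run_sample(safe_mode: bool) -> dict[str, Finding]:
    """Constructed scenario: service binary in a protected directory, a user-writable
    working directory, and one user-writable directory on PATH (hypothetical paths)."""
    app_dir = r"C:\Program Files\ExampleSvc"
    cwd = r"C:\Users\alice\Downloads"
    path_dirs = [r"C:\Windows\System32", r"C:\Tools"]
    present = {app_dir: {"examplesvc.exe"},
               r"C:\Windows\System32": {"version.dll", "kernel32.dll"}}
    writable = {cwd, r"C:\Tools"}
    order = search_order(app_dir, cwd, path_dirs, safe_mode)
    return {dll: audit(dll, order, present, writable) for dll in ("version.dll", "helper.dll")}


if __name__ == "__main__":
    for mode in (True, False):
        print(f"safe_mode={mode}:", run_sample(mode))
```

With Safe DLL Search Mode on, version.dll is found in System32 before any writable directory is consulted; with it off, the writable current directory is searched first, and a DLL that is missing everywhere exposes every writable directory in the order regardless of the mode.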
Each DLL can have an optional entry point function called DllMain, which is executed when a process or thread attaches to or detaches from the DLL. This function usually handles four cases: DLL_PROCESS_ATTACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH and DLL_PROCESS_DETACH.
(it also shows DLLs used for each process)