DLL Hijacking

Hello, Cybersecurity enthusiasts!

Have you heard about DLL hijacking? This is a decades-old hacking technique that allows malicious actors to execute arbitrary code by exploiting the way Windows searches for DLL files.

While Microsoft has taken steps over the years to restrict DLL hijacking, new research shows that it is still possible with the right techniques.

In this article, I will cover what DLL hijacking is, why it still poses a threat, and what you can do to protect yourself from attacks.

Let’s get started!

What is DLL Hijacking?

Dynamic link libraries (DLLs) are shared libraries in Windows that contain code and resources that can be utilized by multiple programs. When a program needs to load a DLL file, it follows a standard search order to locate it.

DLL hijacking takes advantage of this search order. If an attacker can write a DLL with the expected file name into a directory that the loader consults before the one holding the legitimate copy, the application loads the attacker’s file instead and runs its code with the application’s privileges. The most common case is a “missing” DLL: the program asks for a library that is not in its own directory at all, so the loader walks the rest of the search order until it finds any file with that name. To keep the application working and the victim unsuspecting, the malicious DLL usually forwards the legitimate exports to the real library (“DLL proxying”).

For example, let’s say Program A loads DLL B by bare file name. With Safe DLL Search Mode on, which is the default, the loader checks Program A’s own directory first, then the System32 and System directories, then the Windows directory, then the current working directory, then each directory on PATH, in that order. If Program A is installed in a folder that ordinary users can write to, an attacker simply drops a malicious DLL B next to it. If DLL B is not shipped at all, a malicious DLL B in any user-writable directory on PATH is picked up instead.

When Program A is executed, it loads the attacker’s DLL B from the first matching location rather than the copy the developer intended. Note that this file-system search only starts after the loader has checked modules already in the process and the KnownDLLs list (core system libraries such as kernel32.dll), which are always mapped from System32.
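To make the search order concrete, here is an added PowerShell example (not from the original post) that walks the default Safe DLL Search Mode order for a given executable and reports where a DLL name would resolve and whether any directory searched before that point is writable by the current user. The executable path and DLL name in the usage line are hypothetical placeholders. The function approximates the loader: it ignores already-loaded modules, KnownDLLs, manifests and any SetDllDirectory/SetDefaultDllDirectories calls the application makes, so treat its output as a lead to confirm with Process Monitor, not a verdict.

```powershell
# Added example: approximate the default (SafeDllSearchMode = 1) DLL search order for an
# executable and flag directories an attacker could use to hijack a given DLL name.

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')   # a real write beats parsing ACLs
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-DllSearchOrder {
    param([Parameter(Mandatory)][string]$ExePath)
    $appDir = if (Test-Path -LiteralPath $ExePath) {
        Split-Path -Parent (Resolve-Path -LiteralPath $ExePath).Path
    } else { Split-Path -Parent $ExePath }
    $order = [System.Collections.Generic.List[string]]::new()
    $order.Add($appDir)                                   # 1. directory the application was loaded from
    $order.Add([Environment]::SystemDirectory)            # 2. System32
    $order.Add((Join-Path $env:SystemRoot 'System'))      # 3. 16-bit System directory
    $order.Add($env:SystemRoot)                           # 4. Windows directory
    $order.Add((Get-Location).Path)                       # 5. current working directory
    foreach ($p in ($env:Path -split ';')) {              # 6. PATH entries, left to right
        $p = $p.Trim().Trim('"')
        if ($p) { $order.Add($p) }
    }
    return $order
}

function Find-DllHijackCandidate {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string]$DllName
    )
    $resolved = $false
    $i = 0
    foreach ($dir in (Get-DllSearchOrder -ExePath $ExePath)) {
        $i++
        $present  = Test-Path -LiteralPath (Join-Path $dir $DllName) -PathType Leaf
        $writable = Test-DirectoryWritable -Path $dir
        # Anything writable that is searched before the directory holding the real DLL
        # (or before nothing, if the DLL is missing) is a hijack opportunity.
        $verdict = if ($resolved) { 'not consulted (resolved earlier)' } elseif ($present) { 'LOADED FROM HERE' } elseif ($writable) { 'HIJACKABLE: writable and searched before the real DLL' } else { 'searched, not writable' }
        if ($present) { $resolved = $true }
        [pscustomobject]@{
            Order        = $i
            Directory    = $dir
            DllPresent   = $present
            UserWritable = $writable
            Verdict      = $verdict
        }
    }
}

# Hypothetical target: substitute an installed program and a DLL it imports or probes for.
Find-DllHijackCandidate -ExePath "$env:ProgramFiles\ExampleApp\app.exe" -DllName 'helper.dll' |
    Format-Table -AutoSize
```

Run it as the low-privileged user you are assessing, since the writability probe reflects that account’s rights. A DLL that is never found anywhere in the list is the classic missing-DLL case: every writable row above the end of the table is a candidate.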

[Figure: DLL hijacking versus DLL proxying]

A Brief History of DLL Hijacking

DLL hijacking attacks have been possible since the early days of Windows. In 1997, attackers utilized hijacked DLLs to run payloads when victims opened Word documents. It became even more prevalent in the 2000s as malware authors adopted it.

Microsoft has been adding protections for a long time: Safe DLL Search Mode, which moves the current working directory below the system directories in the search order, has been enabled by default since Windows XP SP2. Researchers have nonetheless kept finding ways around these protections. In 2016, researchers highlighted hijacking risks in Windows hotpatching.

In 2021, security analyst Abdul-Aziz Hariri demonstrated hijacking User32.dll, a core Windows component.

So even though DLL hijacking is an old technique, it can still be applied in new ways to bypass security measures, which makes it a valuable tool for modern cybercriminals.

[Figure: DLL proxying]

Why DLL Hijacking is Still a Threat

There are a few reasons why DLL hijacking remains an effective attack vector:

  • The search order cannot be completely locked down: Windows relies heavily on DLLs, so the operating system has to maintain some flexibility in locating them. Overly rigid restrictions would break functionality.
  • New Windows features can introduce risks: With each OS update, there are opportunities to find undiscovered flaws in how new components use DLLs. Recent examples include hotpatching and User32.
  • Third-party apps don’t always follow best practices: Developers don’t always secure their DLL loading, especially in legacy software. Installing into a user-writable directory, probing for optional DLLs that do not exist on the system, or loading by bare file name instead of full path each creates an opening.
  • It enables privilege escalation: If attackers can hijack a DLL that runs with higher system privileges, they can execute code with those privileges.

Even with security improvements, DLL hijacking offers creative hackers a proven way to achieve their goals. It is unlikely to be fully eliminated anytime soon.

[Figure: Windows lateral movement via DLL hijacking; the workflow of event IDs for the WMI wbemcomn.dll hijack]

Real-World Examples of Recent DLL Hijacking

To understand how DLL hijacking is still relevant today, let’s look at two examples from 2022 security researchers:

Hijacking Explorer.exe

In May 2022, researcher Abdelkhalek Ahmed showed how Windows Explorer could be exploited using a DLL hijacking tactic. By placing a malicious DLL in the user’s Recent Files folder, Explorer.exe would load it when displaying recent items.

This gave arbitrary code execution inside Explorer.exe. The write-up presented it as escalation to SYSTEM; keep in mind that Explorer.exe itself runs as the logged-on user, so the DLL runs with that user’s rights every time Explorer loads it, and reaching SYSTEM requires the same DLL to be picked up by a privileged process as well.

Microsoft classified it as having “important” severity and advised mitigations like restricting write access to the Recent folder. While not the most practical attack vector, it demonstrates that fresh hijacking methods are still being discovered.

Hijacking Codecs Used by Media Players

At the DEF CON hacking conference in August 2022, researcher James Forshaw revealed a new way to hijack Windows media functions. Codecs (the components that encode and decode media formats) are loaded on demand from DLLs, and the way they are located can be manipulated.

By getting a media player such as Windows Media Player to load a malicious codec DLL, an attacker runs code inside the player with the user’s privileges. Forshaw built exploits for both locally stored media files and streamed content.

This highlights that something as common as media software can be leveraged for DLL hijacking, as codec loading often lacks strict path checks. Updating affected applications is the best solution.

How to Protect Against DLL Hijacking Attacks

There are several ways to prevent DLL hijacking. The most robust one lives in the application itself: the vendor should load libraries by fully qualified path, or call SetDefaultDllDirectories or LoadLibraryEx with the LOAD_LIBRARY_SEARCH_* flags (for example LOAD_LIBRARY_SEARCH_SYSTEM32) so that the current directory and PATH are never consulted for system DLLs. Installing the program under Program Files, where standard users cannot write, closes the application-directory variant.

Microsoft has also published a knowledge base article that explains how to harden the search order with a single registry value: https://support.microsoft.com/kb/2264107

The value is a REG_DWORD named CWDIllegalInDllSearch under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The same value can be set per application under the Image File Execution Options key for that executable, which is useful when the machine-wide setting breaks a legacy program. Setting it to 0xFFFFFFFF removes the current working directory from the search order entirely; 1 skips the current directory only when it is a remote (UNC or WebDAV) folder, and 2 only when it is a WebDAV folder.

Be precise about what this buys you. It affects only the current working directory, not the folder the executable was started from: hijacks that rely on a writable application directory, or on a missing DLL that falls through to PATH, are unaffected. Some applications that deliberately load DLLs from the working directory will break, so test before rolling it out.
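The same change in PowerShell, as an added example rather than the KB’s own instructions. The key paths and value semantics are taken from KB2264107; legacyapp.exe is a hypothetical application name. Run it from an elevated prompt, and confirm on your own OS build that the setting is still honoured before relying on it.

```powershell
# Added example: apply the KB2264107 CWDIllegalInDllSearch control machine-wide or for a
# single executable via Image File Execution Options. Requires administrator rights.
# Only the current-working-directory step of the search order is affected; application
# directory and PATH hijacks are untouched.

$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchPolicy {
    param([string]$ApplicationName)   # omit for the machine-wide setting
    $key = if ($ApplicationName) { Join-Path $IfeoKey $ApplicationName } else { $SessionManagerKey }
    $raw = (Get-ItemProperty -LiteralPath $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $raw) {
        $label = 'not set (default behaviour)'
    } else {
        # The registry returns the DWORD as a signed Int32, so 0xFFFFFFFF reads back as -1.
        $label = switch ($raw) {
            0       { 'Default: CWD searched as usual' }
            1       { 'BlockRemote: CWD skipped when it is a UNC or WebDAV folder' }
            2       { 'BlockWebDav: CWD skipped when it is a WebDAV folder' }
            -1      { 'RemoveCwd (0xFFFFFFFF): CWD never searched' }
            default { "unknown value $raw" }
        }
    }
    [pscustomobject]@{
        Scope                 = if ($ApplicationName) { $ApplicationName } else { 'machine-wide' }
        Key                   = $key
        CWDIllegalInDllSearch = $raw
        Policy                = $label
    }
}

function Set-CwdDllSearchPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Default', 'BlockRemote', 'BlockWebDav', 'RemoveCwd')]
        [string]$Mode,
        [string]$ApplicationName   # e.g. 'legacyapp.exe' (hypothetical); omit for machine-wide
    )
    $dword = switch ($Mode) {
        'Default'     { 0 }
        'BlockRemote' { 1 }
        'BlockWebDav' { 2 }
        'RemoveCwd'   { -1 }   # Int32 -1 is stored as DWORD 0xFFFFFFFF
    }
    $key = if ($ApplicationName) { Join-Path $IfeoKey $ApplicationName } else { $SessionManagerKey }
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -LiteralPath $key -Name $ValueName -Value $dword -Type DWord
    Get-CwdDllSearchPolicy -ApplicationName $ApplicationName
}

# Machine-wide: drop the CWD from the search order entirely (test first; some apps rely on it).
Set-CwdDllSearchPolicy -Mode RemoveCwd
# Per-application override for a hypothetical legacy tool that still needs the old behaviour.
Set-CwdDllSearchPolicy -Mode Default -ApplicationName 'legacyapp.exe'
# Review both scopes.
Get-CwdDllSearchPolicy
Get-CwdDllSearchPolicy -ApplicationName 'legacyapp.exe'
```

Deploying the machine-wide value through Group Policy Preferences or your configuration management tool is the usual route; the per-application key is the escape hatch for anything that breaks.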

While perfect prevention of DLL hijacking is unlikely, there are other steps individuals and enterprises can take to minimize their risk:

  • Keep all software up-to-date: Vendor patches are what actually remove a risky load path, so enable automatic updates where possible.
  • Use endpoint and antivirus tools: Microsoft Defender and EDR products can flag DLLs loaded from unusual locations, unsigned DLLs inside signed processes, and the export-forwarding behaviour of proxy DLLs.
  • Limit user privileges: Standard users cannot write to System32 or Program Files, which takes away most of the directories an attacker would need to plant a DLL.
  • Control what can run: Application control (AppLocker or Windows Defender Application Control) can restrict which DLLs are allowed to load, not just which executables; a network firewall does not help here. Remove media codecs that are not required.
  • Monitor critical folders: Alert on new or modified DLLs in application directories, in directories on PATH, and in System32. Sysmon’s file-create and image-load events cover this.
  • Practice safe downloading: Don’t run untrusted archives or installers; a common delivery pattern is a legitimate signed executable shipped alongside a malicious DLL that it will load.
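For the monitoring bullet, here is an added PowerShell example (not part of the original post) that hunts Sysmon Event ID 7 image-load records for two hijack indicators: a DLL whose file name exists in System32 but was loaded from somewhere else (the shape of the wbemcomn.dll hijack shown in the figure above), and an unsigned DLL loaded into a binary that lives under the Windows directory. It assumes Sysmon is installed with image-load logging enabled (it is off in Sysmon’s default configuration) and relies on the ImageLoaded, Image, Signed and Hashes fields of the Event ID 7 schema; the trusted-root list is an assumption you should tune to your estate.

```powershell
# Added example: hunt Sysmon Event ID 7 (ImageLoaded) for DLL hijacking indicators.

$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'
# Assumed trusted roots; DLLs loaded from beneath these are not treated as "shadowing" System32.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function ConvertFrom-SysmonEventData {
    # Flatten the <EventData><Data Name=...> elements into one object with named properties.
    param([Parameter(Mandatory)]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]$data
}

function Test-UnderTrustedRoot {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path -and $Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Find-SuspiciousDllLoad {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = $SysmonLog; Id = 7; StartTime = $Since }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d   = ConvertFrom-SysmonEventData -Event $ev
        $dll = $d.ImageLoaded
        if (-not $dll) { continue }

        # (a) Same file name as a System32 DLL, but loaded from outside the trusted roots.
        $system32Twin    = Join-Path ([Environment]::SystemDirectory) (Split-Path -Leaf $dll)
        $shadowsSystem32 = (-not (Test-UnderTrustedRoot $dll)) -and
                           (Test-Path -LiteralPath $system32Twin -PathType Leaf)

        # (b) Unsigned DLL loaded into a process whose image lives under the Windows directory.
        $unsignedIntoWindowsBinary = ($d.Signed -eq 'false') -and $d.Image -and
            $d.Image.StartsWith("$env:SystemRoot\", [System.StringComparison]::OrdinalIgnoreCase)

        if ($shadowsSystem32 -or $unsignedIntoWindowsBinary) {
            [pscustomobject]@{
                Time    = $ev.TimeCreated
                Process = $d.Image
                Dll     = $dll
                Signed  = $d.Signed
                Hashes  = $d.Hashes
                Reason  = if ($shadowsSystem32) { 'System32 DLL name loaded from another path' } else { 'unsigned DLL loaded into a Windows binary' }
            }
        }
    }
}

Find-SuspiciousDllLoad -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

Expect some noise from legitimately redistributed runtime DLLs under per-user install paths; the point of returning the hashes is so that each hit can be allow-listed once and then ignored, leaving the genuinely new loads.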

With strong prevention measures, the risk of DLL hijacking can be substantially reduced. But because it is unlikely to ever be obsolete, continued vigilance is warranted.

The Future of DLL Hijacking Exploits

Looking ahead, DLL hijacking is unlikely to fade away completely. The shared library architecture of Windows is deeply ingrained, so the underlying risks cannot be fully eliminated without drastic changes.

While security researchers will continue uncovering creative new hijacking methods, enterprises can stay resilient by:

  • Deploying advanced endpoint detection and response (EDR) tools that use behavioral analysis to identify anomalies that are indicative of exploits.
  • Adopting zero-trust architectures that verify all users and devices before granting access to apps and data, limiting lateral movement.
  • Implementing least privilege access policies to restrict what users can do across networks.
  • Building secure software supply chains to prevent the insertion of backdoors at the development stage.
  • Maintaining comprehensive and tested incident response plans to contain the impacts of any breaches.

With patience and persistence, threat actors will likely devise fresh ways to manipulate DLLs for years to come. But organizations can render these attacks largely ineffective through multilayered security and robust post-breach responses.

Companies can keep ahead of new dangers if they recognize risks like hijacking and take action to reduce them.

I hope this post helped you learn more about DLL hijacking!
