Service DLL Hijacking

DLLs form an integral part of applications and services: they contain common code used by many applications, which removes the need to duplicate that code in every application or service that needs it.

One way to get malicious code executed on a system, when you cannot find a binary that runs with sufficient permissions, is to replace the DLLs used by the application.

Another method is to abuse the DLL search order. Safe DLL search mode is enabled for all applications by default, which makes DLL hijacking harder. With it enabled, the search order is:

  1. Directory from which the application is loaded

  2. System directory

  3. 16-bit system directory

  4. Windows directory

  5. Current directory

  6. Directories listed in the PATH environment variable

When safe search mode is disabled, the current directory moves up to second position. Sometimes an application also tries to load DLLs that are missing (they are optional for the application to work); a DLL placed at one of the searched locations will then be loaded and the malicious code executed.

We start by listing the services that are running using the .

Then check the binary permissions of the listed services using icacls.

Next, list all the DLLs used by the application or service in question. This can be done with Process Monitor (Procmon). When you start Procmon, be sure to set a filter so that only events belonging to that specific application or service are shown.

Once it is filtered, the service has to be restarted so that it will try to load the DLLs.

You may notice a "NAME NOT FOUND" result against some of the DLLs, and you will also notice that the service/application tries to access them in several locations, following the search order above.

Once you have a malicious DLL created, you can place it in one of those locations and restart the service so that it loads the DLL and executes the malicious code.
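The two conditions the procedure above relies on, a disabled safe search mode and a service image directory that low-privilege users can write to, are exactly what a defender should audit. The following PowerShell script is an added example (not part of the original page): it reports the SafeDllSearchMode setting and lists running services whose executable directory grants write rights to Everyone, Users or Authenticated Users. It assumes an elevated PowerShell 5.1+ session on the host being assessed; the group names and the registry location are the standard Windows ones.

```powershell
# Added example: audit a host for the preconditions of service DLL hijacking.
# Assumes an elevated PowerShell 5.1+ session on the machine being assessed.

# 1. SafeDllSearchMode lives under Session Manager; absent or 1 means enabled (default).
$sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name 'SafeDllSearchMode' -ErrorAction SilentlyContinue
if ($null -eq $sm -or $sm.SafeDllSearchMode -eq 1) {
    Write-Output 'SafeDllSearchMode: enabled (current directory searched after system dirs)'
} else {
    Write-Output 'SafeDllSearchMode: DISABLED - current directory is searched second'
}

# Rights that let a low-privilege principal drop a DLL next to a service binary.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl
$lowPrivGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# 2. For each running service, recover the image path and inspect its directory ACL.
Get-CimInstance Win32_Service |
Where-Object { $_.State -eq 'Running' -and $_.PathName } |
ForEach-Object {
    # PathName may be quoted and may carry arguments; keep only the executable.
    $exe = if ($_.PathName -match '^"([^"]+)"')  { $Matches[1] }
           elseif ($_.PathName -match '^(.+?\.exe)') { $Matches[1] }
           else { $_.PathName }
    $dir = Split-Path -Path $exe -Parent
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { return }

    $acl  = Get-Acl -LiteralPath $dir
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($lowPrivGroups -contains $_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band [int]$writeRights) -ne 0)
    }
    if ($weak) {
        [pscustomobject]@{
            Service   = $_.Name
            RunsAs    = $_.StartName
            Directory = $dir
            Writable  = ($weak | ForEach-Object {
                            "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        }
    }
} | Format-Table -AutoSize
```

Any service listed runs from a directory where a non-administrator can plant a DLL; tighten that directory's ACL (or move the binary under Program Files) and re-run the script until the table is empty.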
