The MITRE Corporation is a non-profit federally funded research and development center (FFRDC) of the United States government. As part of its efforts to improve the state of cybersecurity, it has developed and published the MITRE ATT&CK matrix, which describes different means by which attackers can achieve different stages of their objectives.
One stage in the attack life cycle is evading solutions that the defender has in place to detect or protect against an intrusion. One method for accomplishing this on Windows systems is DLL search order hijacking.
What is DLL search order hijacking?
Windows executables often follow good object-oriented programming (OOP) practice. Each standalone application may have its own individual functionality built in, but common functionality is encoded in shared libraries called DLLs.
When an application wants to access this shared functionality, it loads the appropriate DLL into its memory space. However, these executables may not always be aware of the exact location of the DLL on the file system.
To deal with this, Windows has implemented a search order of different directories where these DLLs can be found. The search order depends on whether or not the app originated from the Windows store. DLLs for Windows Store apps are searched for:
- Based on the application’s package dependency graph
- In the directory of the calling process
- In the directory of the calling module if an alternative search path is requested
- The System directory (Windows/system32)
DLLs for desktop applications not from the Windows Store are searched for in directories in the following order (if SafeDLLSearch is enabled):
- Directory from which the application loaded
- The System directory (retrieved using GetSystemDirectory)
- The 16-bit System directory
- The Windows directory (retrieved using GetWindowsDirectory)
- The current directory
  - This is searched second if SafeDLLSearch is disabled by the user
- Directories listed in the system path
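To make the desktop-application order above concrete, here is an added example (not code from the original post) that models that search order against a constructed, in-memory picture of a file system and reports where a given DLL name would resolve and which user-writable directories are consulted before it. The directory names, the SafeDLLSearch on/off position of the current directory, and the "writable" flags are assumptions for illustration.

```python
# Added example (not from the original post): a small model of the desktop-app
# DLL search order described above, used to audit where a DLL name resolves.
# Directory names and the "writable" flags are constructed sample data.
from typing import Dict, List, Optional, Set, Tuple

APP_DIR = r"C:\Program Files\App"          # directory the application loaded from
SYSTEM_DIR = r"C:\Windows\System32"        # GetSystemDirectory
SYSTEM16_DIR = r"C:\Windows\System"        # 16-bit System directory
WINDOWS_DIR = r"C:\Windows"                # GetWindowsDirectory
CWD = r"C:\Users\alice\Downloads"          # current directory of the process
PATH_DIRS = [r"C:\Tools"]                  # directories on the system PATH

# Constructed file system: directory -> (DLL names present, writable by a standard user?)
SAMPLE_FS: Dict[str, Tuple[Set[str], bool]] = {
    APP_DIR: (set(), False),
    SYSTEM_DIR: ({"version.dll", "kernel32.dll"}, False),
    SYSTEM16_DIR: (set(), False),
    WINDOWS_DIR: (set(), False),
    CWD: ({"version.dll"}, True),   # a stray copy in a user-writable directory
    PATH_DIRS[0]: (set(), True),
}

def search_order(safe_dll_search: bool = True) -> List[str]:
    """Desktop-app order from the post: the current directory is searched fifth
    with SafeDLLSearch enabled and second when it is disabled."""
    order = [APP_DIR, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    order.insert(4 if safe_dll_search else 1, CWD)
    return order + PATH_DIRS

def resolve(dll: str, order: List[str], fs) -> Optional[str]:
    """First directory in search order that contains dll (names are case-insensitive)."""
    for d in order:
        names, _ = fs.get(d, (set(), False))
        if dll.lower() in {n.lower() for n in names}:
            return d
    return None

def audit_dll(dll: str, fs=SAMPLE_FS, safe_dll_search: bool = True) -> dict:
    """Report where dll resolves and which user-writable directories are searched
    before it; those are the locations a defender should lock down or monitor."""
    order = search_order(safe_dll_search)
    found = resolve(dll, order, fs)
    searched_first = order if found is None else order[:order.index(found)]
    return {
        "resolved": found,
        "resolved_writable": found is not None and fs[found][1],
        "writable_before": [d for d in searched_first if fs.get(d, (set(), False))[1]],
    }
```

With SafeDLLSearch enabled the sample resolves version.dll from System32 with no writable directory ahead of it; with it disabled the copy in the user-writable current directory wins, and a DLL name that resolves nowhere reports every writable directory on the path as worth watching.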
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/NX3dDekmcfQ/