DLL Load Order Hijacking - Security Boulevard

Introduction

DLL load order hijacking is a popular technique for forcing a legitimate Windows program to load a malicious DLL by abusing the order in which Windows searches for DLLs. In this article, we discuss how DLL load order hijacking works and how malware authors use it when writing malware.

What is a DLL?

A dynamic-link library (DLL) is a library of reusable code. Other programs can call the code a DLL provides without reimplementing it.

According to Microsoft: “A DLL is a library that contains code and data that can be used by more than one program at the same time. For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box related functions. Therefore, each program can use the functionality that is contained in this DLL to implement an Open dialog box. This helps promote code reuse and efficient memory usage.”

What is DLL load order?

DLL load order is the sequence in which Windows searches for a dynamic-link library (DLL) when a program asks for it to be loaded. It applies only when the DLL is requested by name rather than by a fully qualified path.

When no fully qualified path is given, Windows attempts to locate the DLL by searching a predefined set of directories in the order shown below.

  1. The directory from which the application loaded
  2. The system directory
  3. The 16-bit system directory
  4. The Windows directory
  5. The current directory
  6. The directories that are listed in the PATH environment variable

What is DLL load order hijacking?

Let us assume that an application is designed to load a DLL from the current directory, as shown in the following excerpt.

LoadLibrary("myfile.dll");

As we can observe, a (Read more...)
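As an added example (not from the original article), the following Python model walks the six-step search order listed above to show where a bare-name LoadLibrary call such as the one in the excerpt would resolve, and flags the case where a copy of the DLL placed in an earlier directory shadows the legitimate one. The directory layout and file set are constructed; the order modelled is the one the article lists, which is what Windows uses with SafeDllSearchMode enabled.

```python
import ntpath

def search_order(app_dir, system_dir, system16_dir, windows_dir,
                 current_dir, path_dirs):
    """The six-step order from the article (SafeDllSearchMode enabled):
    application directory first, PATH entries last."""
    return (app_dir, system_dir, system16_dir, windows_dir,
            current_dir, *path_dirs)

def resolve_dll(name, order, existing):
    """Return the first path in `order` that contains `name`, or None.
    `existing` is a set of lowercase full paths standing in for the
    filesystem. A fully qualified name skips the search entirely."""
    if ntpath.isabs(name):
        return name if name.lower() in existing else None
    for directory in order:
        candidate = ntpath.join(directory, name)
        if candidate.lower() in existing:
            return candidate
    return None

def audit(name, order, existing, legitimate_dir):
    """Flag a bare-name load that resolves outside the directory where
    the legitimate DLL lives (an earlier directory shadows it)."""
    resolved = resolve_dll(name, order, existing)
    hijacked = (resolved is not None and
                ntpath.dirname(resolved).lower() != legitimate_dir.lower())
    return resolved, hijacked

# Constructed sample layout, not taken from a real host.
SYSTEM32 = r"C:\Windows\System32"
ORDER = search_order(
    app_dir=r"C:\Program Files\Example",
    system_dir=SYSTEM32,
    system16_dir=r"C:\Windows\System",
    windows_dir=r"C:\Windows",
    current_dir=r"C:\Users\alice\Downloads",
    path_dirs=(r"C:\Tools",),
)
# Genuine copy lives in System32 only.
CLEAN = {r"c:\windows\system32\myfile.dll"}
# Same, plus an extra copy in the application directory (step 1).
SHADOWED = CLEAN | {r"c:\program files\example\myfile.dll"}

if __name__ == "__main__":
    print(audit("myfile.dll", ORDER, CLEAN, SYSTEM32))     # System32 copy, False
    print(audit("myfile.dll", ORDER, SHADOWED, SYSTEM32))  # app-dir copy, True
    print(audit(ntpath.join(SYSTEM32, "myfile.dll"), ORDER, SHADOWED, SYSTEM32))
```

The third call shows the mitigation the article's load-order definition implies: when the caller passes a fully qualified path, the search is skipped and the shadowing copy is never considered.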

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Srinivas. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ZzZeloidLQc/