Managed WAF Start at $99

DLL Hijacking and How It Is Done?

Posted DateNovember 10, 2016
Posted Time 2   min Read

Windows application comprises various folders and files. These files include executables, DLL and various other formats. A DLL is loaded dynamically and the code of the DLL is only executed by an executable. Many applications nowadays do not verify the integrity and the authenticity of the DLL due to which it becomes quite common for attackers to replace the existing DLL with a DLL crafted with malicious code. This vulnerability is known as DLL hijacking.

The vulnerability arises from the fact that unlike executable files, a malicious DLL is generally not detected by antivirus applications.

Here is the scenario to replicate this issue in a vulnerable application.

First, we need a malicious DLL. Just for demonstration, we are simply using a malicious DLL that shows a popup when the application is vulnerable.

In our case, we are using a vulnerable application named Mezzmo version which is vulnerable to DLL hijacking. We need to identify the vulnerable DLL. One simple way to do that is to try every DLL in the application folder one by one. We tried replacing the file “avcodec-57.dll” with our malicious DLL with the same name

As an attacker, we can do this by creating an executable using WinRAR that extracts the file into the mezzmo directory and replaces the old one. We can create a silent one as shown in the screenshot below.

DLL Hijacking

When the mezzmo.exe is executed the DLL also executes as shown in the below screenshot.

DLL Hijacking Prevention

Even after showing us the error the program executes just fine.

DLL Hijacking Detection

In order to actually exploit this issue one can construct a DLL using a Metasploit that will provide us a reverse shell.

web application security banner

Spread the love

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.