36. On DLL hijacking

During a recent internal network engagement I needed a backdoor that could evade antivirus, and a senior colleague recommended DLL hijacking. DLL hijacking can do a lot: some antivirus vendors implement whitelisting, so certain operations are not treated as sensitive and are neither intercepted nor prompted; it can also be used to leave a backdoor, escalate privileges, and so on. This article describes how to detect DLL hijacking and demonstrates it with examples.

DLL hijacking

What is a DLL file?

A DLL (Dynamic Link Library) file, also called an "application extension", is a type of software file. On Windows, many applications are not a single complete executable; they are split into a number of relatively independent dynamic link libraries, and those DLL files are placed in the system. When a particular program is executed, the corresponding DLL files are called. One application can use several DLL files, and one DLL file can be used by several different applications; such DLLs are called shared DLL files.

If a process attempts to load a DLL without specifying an absolute path, Windows tries to locate the DLL by probing a specific list of directories in a fixed order. If an attacker can place a malicious DLL in a directory that is searched before the one holding the legitimate DLL, the system is tricked into loading the malicious DLL first, which is the "hijack".

How DLL hijacking works

Before Windows XP SP2

Windows searches for the DLL in the following directory order:

1. The directory of the application the process belongs to;

2. The current directory (Current Directory);

3. The system directory (obtained through GetSystemDirectory);

4. The 16-bit system directory;

5. The Windows directory (obtained through GetWindowsDirectory);

6. Each directory in the PATH environment variable;

For example: a .doc document is opened by the Office application, and while Office is running it loads a DLL from the system directory. If a malicious DLL with the same name is placed in the same directory as the .doc document, then at run time the DLL in the current directory is found first and is executed in preference to the one in the system directory.

After Windows XP SP2

Windows searches for the DLL in the following directory order (SafeDllSearchMode is turned on by default):

The default registry setting is HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode, with a value of 1.

1. The directory of the application the process belongs to (understood as the installation directory, e.g. C:\Program Files\uTorrent);

2. The system directory (i.e. %windir%\system32);

3. The 16-bit system directory (i.e. %windir%\system);

4. The Windows directory (i.e. %windir%);

5. The current directory (the directory of the file being opened, e.g. C:\Documents and Settings\Administrator\Desktop\test);

6. Each directory in the PATH environment variable;

Windows 7 or later

In addition to SafeDllSearchMode, the system uses the KnownDLLs list: every DLL listed there is prohibited from being loaded from the directory of the EXE itself and can only be loaded from the system directory, i.e. SYSTEM32. Its registry location is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

In summary, from Windows 2003 onward, and especially on Windows 7, the operating system determines the path of the DLL an application will load through the "DLL search order" and the "KnownDLLs registry key" mechanisms; the application then loads that DLL into its own memory space and executes the corresponding functions.
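To make the two search orders and the KnownDLLs rule concrete, here is an added Python model (not code from the original post) that resolves a DLL name under each order and flags when a copy in a trusted Windows directory is shadowed by one found earlier in the search. The file set, directories and DLL name are constructed for the demo and carry no meaning beyond it.

```python
import ntpath

# Assumed default Windows locations for the model
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
TRUSTED_DIRS = (SYSTEM32, SYSTEM16, WINDIR)

def search_order(app_dir, cwd, path_dirs=(), safe_mode=True):
    """Directories in the order Windows probes them for a DLL given by name only."""
    if safe_mode:
        # SafeDllSearchMode=1 (XP SP2 and later): current directory demoted below the Windows dirs
        return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]
    # Pre-SP2 order: current directory is probed right after the application directory
    return [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR, *path_dirs]

def resolve_dll(name, present, app_dir, cwd, path_dirs=(), known_dlls=(), safe_mode=True):
    """Full path Windows would load for `name`, or None if nothing matches.
    `present` is a constructed set of existing file paths standing in for the disk."""
    if name.lower() in (k.lower() for k in known_dlls):
        return ntpath.join(SYSTEM32, name)  # KnownDLLs always come from System32
    present_lc = {p.lower() for p in present}
    for d in search_order(app_dir, cwd, path_dirs, safe_mode):
        candidate = ntpath.join(d, name)
        if candidate.lower() in present_lc:
            return candidate
    return None

def audit_dll(name, present, app_dir, cwd, path_dirs=(), known_dlls=(), safe_mode=True):
    """Where `name` resolves, and whether a copy in a trusted Windows directory
    is shadowed by one sitting earlier in the search order."""
    resolved = resolve_dll(name, present, app_dir, cwd, path_dirs, known_dlls, safe_mode)
    present_lc = {p.lower() for p in present}
    trusted_lc = {d.lower() for d in TRUSTED_DIRS}
    trusted_copy = any(ntpath.join(d, name).lower() in present_lc for d in TRUSTED_DIRS)
    from_trusted = resolved is not None and ntpath.dirname(resolved).lower() in trusted_lc
    return {"resolved": resolved, "from_trusted_dir": from_trusted,
            "shadowed": trusted_copy and resolved is not None and not from_trusted}

# Constructed sample: the real DLL in System32 and a same-named file beside the document
SAMPLE_FS = {r"C:\Windows\System32\sample.dll",
             r"C:\Documents and Settings\Administrator\Desktop\test\sample.dll"}
DOC_DIR = r"C:\Documents and Settings\Administrator\Desktop\test"   # current directory
OFFICE_DIR = r"C:\Program Files\Microsoft Office\Office12"          # hypothetical app dir

if __name__ == "__main__":
    for mode in (False, True):
        print("SafeDllSearchMode =", int(mode), audit_dll("sample.dll", SAMPLE_FS, OFFICE_DIR, DOC_DIR, safe_mode=mode))
```

With the legacy order the copy next to the document wins and is reported as shadowing System32; with SafeDllSearchMode on, or with the name in KnownDLLs, the System32 copy is chosen.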

DLL vulnerability checks


Origin www.cnblogs.com/bmjoker/p/11031238.html