0×01. DLL hijacking vulnerability description

1.1 Vulnerability profile

If a process tries to load a DLL without specifying the DLL's absolute path, Windows searches a fixed list of directories for a file with that name. If an attacker controls one of those directories and places a malicious DLL with the expected name in it, the process loads the malicious DLL and the attacker's code executes. This is what is called DLL hijacking.

Before Windows XP SP2, Windows searched for a DLL in the following order:

1. The directory containing the application's executable;
2. The current directory (Current Directory);
3. The system directory, as returned by GetSystemDirectory;
4. The 16-bit system directory;
5. The Windows directory, as returned by GetWindowsDirectory;
6. The directories listed in the PATH environment variable.

Under Windows almost every file type is associated with a handler program. When a file of a given type is opened in Explorer, the associated handler is started in a new process, and that process's current directory defaults to the directory containing the opened file. Of all the directories in the search list, the current directory is by far the easiest for an attacker to control: package a malicious DLL together with a target file such as a Word document, and once the victim extracts the archive the DLL and the document sit in the same directory, which makes the hijack trivial to carry out. Because the early Windows search order was so poorly chosen, DLL hijacking vulnerabilities have accompanied Windows for a very long time.
Even so, DLL hijacking received little attention for a long time. Only in August 2010, when Microsoft released Security Advisory 2269637 and a long list of affected applications was published online at the same time, did the vulnerability class come into general view.

1.2 Vulnerability classification

In English the vulnerability is called DLL Hijacking Vulnerability; CWE classifies it as Untrusted Search Path (CWE-426). Searching the CVE database for either of these two keywords turns up many cases.

1.3 Mitigation measures

Starting with Windows XP SP2, SafeDllSearchMode is enabled by default. Whether SafeDllSearchMode is on mainly changes where the current directory (Current Directory) sits in the search order. With SafeDllSearchMode enabled, the DLL search order is:

1. The directory containing the application's executable;
2. The system directory, as returned by GetSystemDirectory;
3. The 16-bit system directory;
4. The Windows directory, as returned by GetWindowsDirectory;
5. The current directory;
6. The directories listed in the PATH environment variable.

Enabling SafeDllSearchMode prevents most DLL hijacking, such as hijacking of system DLLs, because the system directories are now searched before the current directory. However, if the process tries to load a DLL that does not exist in any of the earlier directories, the search still falls through to the current directory, and SafeDllSearchMode cannot guard against that. For this case Microsoft introduced the SetDllDirectory API: passing it an empty string removes the current directory from the DLL search order.

BOOL WINAPI SetDllDirectory(
  _In_opt_ LPCTSTR lpPathName
);

If the lpPathName parameter is an empty string (""), the call removes the current directory from the default DLL search order.

Note that SetDllDirectory only affects the calling process and only the loads that happen after the call, so an application has to call it early, before any LoadLibrary call whose DLL might be missing.
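The two search orders above and the effect of SetDllDirectory("") are easiest to see side by side. The script below is an added example, not code from the original article or from Microsoft: it models how the loader walks the search list for an unqualified DLL name, first in the pre-XP SP2 order and then with SafeDllSearchMode, and shows which loads an attacker who controls only the current directory can satisfy. The directory layout, the victim's download folder and the placement of the DLLs are constructed for the demonstration; only the search orders themselves are taken from the text.

```python
"""Model of the Windows DLL search order, with and without SafeDllSearchMode.

Added example (not from the article or from Microsoft). The file system is
replaced by a set of full paths that are assumed to exist; Windows stops at
the first directory in the search order that contains the requested name.
"""
from typing import Iterable, List, Optional, Set

# Constructed example layout; these are assumptions, not a real system.
APP_DIR = r"C:\Program Files\Example"
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Tools"]
VICTIM_DIR = r"C:\Users\victim\Downloads"   # directory of the opened document

# Constructed file system: one genuine system DLL, plus two files the attacker
# dropped next to the document (one shadows a system DLL, one has a name the
# application asks for but never ships).
EXAMPLE_DISK: Set[str] = {
    SYSTEM_DIR + r"\msimg32.dll",
    VICTIM_DIR + r"\msimg32.dll",
    VICTIM_DIR + r"\updaternotifications.dll",
}


def search_order(app_dir: str, cwd: Optional[str], safe_search: bool,
                 path_dirs: Iterable[str]) -> List[str]:
    """Directories probed, in order, for an unqualified DLL name.

    cwd=None models a process that already called SetDllDirectory(""), which
    removes the current directory from the list entirely.
    """
    order = [app_dir]                          # application directory is always first
    if not safe_search and cwd is not None:
        order.append(cwd)                      # pre-XP SP2: current directory second
    order += [SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    if safe_search and cwd is not None:
        order.append(cwd)                      # SafeDllSearchMode: after the system dirs
    order += list(path_dirs)
    return order


def resolve_dll(name: str, present: Set[str], app_dir: str, cwd: Optional[str],
                safe_search: bool, path_dirs: Iterable[str] = PATH_DIRS) -> Optional[str]:
    """Full path the loader would pick for `name`, or None if nothing matches."""
    present_lower = {p.lower() for p in present}
    for directory in search_order(app_dir, cwd, safe_search, path_dirs):
        candidate = directory + "\\" + name
        if candidate.lower() in present_lower:
            return candidate
    return None


def is_hijacked(name: str, present: Set[str], app_dir: str, cwd: Optional[str],
                safe_search: bool) -> bool:
    """True if the chosen file lies in the current directory, i.e. the load is
    satisfied by a file the attacker controls."""
    if cwd is None:
        return False
    resolved = resolve_dll(name, present, app_dir, cwd, safe_search)
    return resolved is not None and resolved.lower().startswith(cwd.lower() + "\\")


if __name__ == "__main__":
    for safe in (False, True):
        print("SafeDllSearchMode", "on" if safe else "off")
        for dll in ("msimg32.dll", "updaternotifications.dll"):
            path = resolve_dll(dll, EXAMPLE_DISK, APP_DIR, VICTIM_DIR, safe)
            flag = "HIJACKED" if is_hijacked(dll, EXAMPLE_DISK, APP_DIR, VICTIM_DIR, safe) else "ok"
            print(f"  {dll:26s} -> {path}  [{flag}]")
    print('after SetDllDirectory(""):',
          resolve_dll("updaternotifications.dll", EXAMPLE_DISK, APP_DIR, None, True))
```

Running it shows the three situations the text describes: in the old order the copy of msimg32.dll next to the document beats the one in System32; with SafeDllSearchMode the system copy wins, but updaternotifications.dll, which exists nowhere else, still resolves to the current directory; and once the current directory is removed with SetDllDirectory("") that load simply fails instead of running attacker code.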
1.4 Vulnerability check

With Process Monitor (ProcMon) from the Sysinternals suite it is easy to detect DLL hijacking vulnerabilities; only a few filters need to be set:

1. Process Name: the name of the target process;
2. Path: the file path, which can be set to "begins with" the current directory;
3. Result: set to NAME NOT FOUND.

Every event that survives these filters is a DLL the process asked for by name and went looking for in the current directory without finding it, which is exactly the load an attacker can satisfy by dropping a file there.

0×02. DLL hijacking exploit scenarios

2.1 DLL hijacking in the application installation directory

Regardless of whether SafeDllSearchMode is on, the directory containing the application itself is searched first. So if we can place a malicious DLL in the program's installation directory, the DLL hijacking vulnerability can be used to execute code. The bar for this scenario is relatively high, because most programs are installed by default under %ProgramFiles% or %ProgramFiles(x86)%, and both directories require administrator privileges to write to; in other words, the attacker must already have code execution with those privileges before the hijack. For this reason software vendors generally do not treat such reports as vulnerabilities. The scenario is mostly seen in malicious code: hijacking a DLL of a commonly used program can to some degree replace an autostart entry as a persistence mechanism, and the "white plus black" technique (a legitimately signed executable that loads a malicious DLL) also helps evade detection by security software. Some plug-ins and cracks use the same approach; for example, some QQ "show IP" plug-ins work by hijacking msimg32.dll.

2.2 DLL hijacking through file associations

Under Windows, the file types we use every day, such as MP3 audio, DOC documents, PDF documents and MKV video, each have an associated default handler.
When a file of a specific type is opened in Explorer, the operating system automatically creates a process to handle it. The process runs the program registered as the default handler for that file type, and its current directory is the directory containing the opened file. For example, if Adobe Acrobat DC is associated with the .PDF file type, opening a PDF file automatically creates an Acrobat.exe process whose current directory (Current Directory) is the directory of the PDF file. If that process tries to load a DLL that does not exist, the default search order eventually reaches the directory containing the PDF file, i.e. the current directory, and if that directory happens to hold a DLL with the expected name, the process loads it. This is file-association DLL hijacking.

Compared with hijacking in the application installation directory, the conditions for file-association hijacking are very simple: it is enough to place the malicious DLL next to the document. Because no other prerequisites are required, many vendors pay attention to this scenario and do recognize it as a DLL hijacking vulnerability. Nevertheless, much popular software still has this kind of vulnerability. In December 2015 the author reported to Adobe a DLL hijacking vulnerability in Adobe Acrobat DC 15.009.20077, CVE-2016-0947, caused by the Acrobat.exe process loading the non-existent updaternotifications.dll. Searching the CVE database for DLL Hijacking or Untrusted Search Path also turns up many further cases.
2.3 DLL hijacking in installers

The installation packages of many applications also have DLL hijacking vulnerabilities. This scenario is similar to hijacking in the application installation directory and would be nothing special on its own, but combined with the browser automatic-download vulnerabilities discussed below, the conditions for exploiting it become relatively simple. Here the latest Notepad++ installer, npp.6.9.Installer.exe, serves as the example. Start ProcMon, set the filters described above, and you can see that after npp.6.9.Installer.exe starts it attempts to load many DLLs, none of which is found at the first location it tries.
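The ProcMon check from 1.4 is normally done interactively in the filter dialog. As an added example that is not part of the original article and not a Sysinternals tool, the script below applies the same three filters offline to a CSV export of a capture (File > Save... > CSV, whose default columns are "Time of Day","Process Name","PID","Operation","Path","Result","Detail"), which is convenient for an installer like the one in 2.3 that probes dozens of DLLs. It goes one step beyond the manual filter: a name that was eventually found with SUCCESS in an earlier directory is dropped, because under SafeDllSearchMode that load never reaches the current directory. The sample rows, the process name, the current directory and the DLL names are constructed for the demonstration.

```python
"""Offline triage of a ProcMon CSV export for DLL-hijacking candidates.

Added example (not from the article or from Sysinternals). It reproduces the
three filters of section 1.4 (Process Name, Path begins with the current
directory, Result is NAME NOT FOUND) and additionally discards DLL names that
were found (SUCCESS) somewhere earlier in the search order.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed sample export in ProcMon's default CSV layout (not a real capture).
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","Acrobat.exe","1234","CreateFile","C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\updaternotifications.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000100","Acrobat.exe","1234","CreateFile","C:\\Windows\\System32\\updaternotifications.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000200","Acrobat.exe","1234","CreateFile","C:\\Windows\\System\\updaternotifications.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000300","Acrobat.exe","1234","CreateFile","C:\\Windows\\updaternotifications.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000400","Acrobat.exe","1234","CreateFile","C:\\Users\\victim\\Downloads\\updaternotifications.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000500","Acrobat.exe","1234","CreateFile","C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\msimg32.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0000600","Acrobat.exe","1234","CreateFile","C:\\Windows\\System32\\msimg32.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:02.0000000","explorer.exe","800","CreateFile","C:\\Users\\victim\\Downloads\\something.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''


def find_hijack_candidates(csv_text: str, process_name: str,
                           current_dir: str) -> Dict[str, List[str]]:
    """Map each hijackable DLL name to the full list of paths the process probed.

    A name qualifies when the given process asked for it, never got SUCCESS
    for it anywhere, and at least one NAME NOT FOUND probe was under
    current_dir (the directory of the opened document).
    """
    cwd_prefix = current_dir.rstrip("\\").lower() + "\\"
    probes: Dict[str, List[str]] = defaultdict(list)
    found = set()

    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue                                   # filter 1: Process Name
        path = row["Path"]
        name = path.rsplit("\\", 1)[-1].lower()
        if not name.endswith(".dll"):
            continue                                   # only DLL probes matter here
        if row["Result"] == "SUCCESS":
            found.add(name)                            # located in an earlier directory
        elif row["Result"] == "NAME NOT FOUND":        # filter 3: Result
            probes[name].append(path)

    candidates: Dict[str, List[str]] = {}
    for name, paths in probes.items():
        if name in found:
            continue                                   # SafeDllSearchMode stops before cwd
        if any(p.lower().startswith(cwd_prefix) for p in paths):   # filter 2: Path
            candidates[name] = paths
    return candidates


if __name__ == "__main__":
    hits = find_hijack_candidates(SAMPLE_CSV, "Acrobat.exe", r"C:\Users\victim\Downloads")
    for dll, paths in hits.items():
        print(dll)
        for p in paths:
            print("   probed:", p)
```

On the constructed rows msimg32.dll is reported as safe, since the loader found it in System32 before reaching the download directory, while updaternotifications.dll is flagged together with the five locations that were tried, the last of them being the document's directory. Real exports from an installer run will be much longer, so the per-process and .dll filters do most of the work.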