DLL Hijacking
- Rashid Feroz
About me?
• A college grad
• Love to break into things
• Python lover
DLL?
• Dynamic Link Library
• Similar to exe files
• Code sharing between applications.
• Loaded at runtime only
Types of Dll
Dll Search order
• The directory from which the application is loaded
• The current directory
• The system directory, usually C:\Windows\System32
• The 16-bit system directory
• The Windows directory
• The directories that are listed in the PATH environment variable
Working
Finding vulnerable apps?
• Find the search order for DLLs.
• Generally it is the application's own custom DLLs that are searched for.
• Target an unavailable DLL.
• Target an available DLL where you can place your DLL so that it loads first.
• Rename the malicious DLL and place it in the search directory.
SafeDllSearchMode = On
• The directory from which the application loaded
• The 16-bit system directory
• The Windows directory
• The current directory
• The directories that are listed in the PATH environment variable.
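The two search orders above and the "Finding vulnerable apps" steps, modelled in Python as an added example (this is not code from the slides). It follows the order Microsoft documents for a DLL loaded by bare name, which includes the system directory in second place under SafeDllSearchMode; the in-memory directory tree, the user-writable directories, the application path and the DLL names are all constructed placeholders. The `audit` function is the defender's check: for each DLL an application loads by name, it lists every user-writable directory that Windows would search before the directory the DLL actually lives in.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Directories Windows searches for a DLL loaded by bare name, in the
# order Microsoft documents. With SafeDllSearchMode on (the default),
# the current directory drops from second place to after the Windows
# directory; the directories on PATH are always searched last.
def search_order(app_dir: str, cwd: str, path_dirs: list[str],
                 safe_mode: bool = True,
                 system_dir: str = r"C:\Windows\System32",
                 system16_dir: str = r"C:\Windows\System",
                 windows_dir: str = r"C:\Windows") -> list[str]:
    if safe_mode:
        order = [app_dir, system_dir, system16_dir, windows_dir, cwd]
    else:
        order = [app_dir, cwd, system_dir, system16_dir, windows_dir]
    return order + list(path_dirs)


@dataclass
class Host:
    """Constructed stand-in for a filesystem (assumption: in-memory data,
    not a real disk). files maps directory -> file names present;
    writable_by_user holds directories a standard user can write to."""
    files: dict[str, set[str]]
    writable_by_user: set[str]

    def has(self, directory: str, name: str) -> bool:
        # Windows file names are case-insensitive.
        return name.lower() in {f.lower() for f in self.files.get(directory, set())}


def resolve(host: Host, name: str, order: list[str]) -> Optional[str]:
    """First directory in `order` that holds `name`, or None if absent."""
    for directory in order:
        if host.has(directory, name):
            return directory
    return None


@dataclass
class Finding:
    dll: str
    resolved_from: Optional[str]          # None when no copy exists anywhere
    exposed_dirs: list[str] = field(default_factory=list)


def audit(host: Host, dll_names: list[str], order: list[str]) -> list[Finding]:
    """For each DLL the application loads by bare name, list every
    user-writable directory that is searched before the directory the
    DLL actually resolves from. A DLL that exists nowhere (resolved_from
    None) exposes every writable directory in the search order."""
    findings = []
    for name in dll_names:
        where = resolve(host, name, order)
        searched_first = order if where is None else order[: order.index(where)]
        exposed = [d for d in searched_first if d in host.writable_by_user]
        findings.append(Finding(name, where, exposed))
    return findings


# --- constructed demo data (placeholders, not real paths from the deck) ---
APP_DIR = r"C:\Program Files\ExampleApp"
DOWNLOADS = r"C:\Users\alice\Downloads"      # the process's current directory
USER_BIN = r"C:\Users\alice\bin"             # a user-writable entry on PATH
PATH_DIRS = [r"C:\Windows\System32", USER_BIN]
HOST = Host(
    files={
        APP_DIR: {"app.exe", "helper.dll"},
        r"C:\Windows\System32": {"version.dll", "kernel32.dll"},
    },
    writable_by_user={DOWNLOADS, USER_BIN},
)
# The three cases from the slides: a DLL shipped beside the app, a system
# DLL loaded by bare name, and a DLL the app asks for but nobody ships.
DLLS = ["helper.dll", "version.dll", "missing.dll"]


def demo(safe_mode: bool) -> dict[str, list[str]]:
    """Map each DLL name to the writable directories searched before it."""
    order = search_order(APP_DIR, DOWNLOADS, PATH_DIRS, safe_mode=safe_mode)
    return {f.dll: f.exposed_dirs for f in audit(HOST, DLLS, order)}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"SafeDllSearchMode={'On' if mode else 'Off'}")
        for dll, exposed in demo(mode).items():
            print(f"  {dll:12s} writable dirs searched first: {exposed or 'none'}")
```

Running `demo` with both settings shows what the two slides say in one table: with SafeDllSearchMode off, a system DLL such as `version.dll` is reachable through the current directory, while with it on only the application directory precedes System32; the DLL that no one ships (`missing.dll`) is exposed through the writable PATH entry and the current directory in both modes, which is why the "unavailable DLL" case survives that mitigation. On a real host the `Host` model would be filled from directory listings and ACL checks, and the DLL names from the import table of the application being audited.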
DLL Hijacking to meterpreter
• Custom-code a DLL that opens a reverse shell back – bypasses AV
• Msfvenom can already generate payloads with the .dll extension.
• Holy grail of the post-exploitation phase.
Protection schemes?
• SafeDllSearchMode – On
• Hardcode the DLL path in the program.
• Build the application with a manifest file included.
• Sadly, none of them are effective.
How does this help an attacker?
• No new processes are created.
• AVs as well as users trust signed and commonly used applications.
• Can be used for privilege escalation.
Thanks 
rashid.2008feroz@gmail.com
fb.com/rashid.feroz1
