Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
DLL hell
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
===Use by malware=== Windows searches several locations for ambiguous DLLs, i.e. ones not fully qualified. [[Malware]]s can exploit this behavior in several ways collectively known as ''DLL search order hijacking''. One method is ''DLL preloading'' or a ''binary planting attack''. It places DLL files with the same name in a location that is searched earlier, such as the current working directory. When the vulnerable program tries to load the DLL, the malicious version is executed, possibly at high privilege levels if the program runs at that level.<ref name="mitre-attack">{{Cite web |last=Holston |first=Ami |last2=Liang |first2=Marina |last3=Kanthak |first3=Stefan |last4=Smith |first4=Travis |last5=Alexander |first5=Will |date=30 September 2024 |title=Hijack Execution Flow: DLL Search Order Hijacking, Sub-technique T1574.001 - Enterprise |url=https://attack.mitre.org/versions/v16/techniques/T1574/001/ |access-date=2024-12-07 |website=ATT&CK |series=Version 1.3 |publisher=MITRE |id=T1574.001}}</ref> Another method is ''relative path DLL hijacking'', which moves the vulnerable program to a location together with the malicious DLL. The DLL is loaded because the application's directory is searched early. According to [[CrowdStrike]], this method is the most common.<ref name="crowdsource">{{Cite web |author=Falcon OverWatch Team |date=December 30, 2022 |title=4 Ways Adversaries Hijack DLLs |url=https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/ |access-date=2024-12-07 |website=CrowdStrike |language=en-US}}</ref> ''DLL sideloading'' delivers both the legitimate program and malicious library. It may avoid detection because the execution seems as running a reputable program.<ref name="checkpoint-research">{{Cite web |date=2024-09-25 |title=10 Years of DLL Hijacking, and What We Can Do to Prevent 10 More |url=https://research.checkpoint.com/2024/10-years-of-dll-hijacking-and-what-we-can-do-to-prevent-10-more/ |access-date=2024-12-07 |website=Check Point Research |language=en-US}}</ref> Other methods include ''phantom DLL hijacking'', where a malicious DLL file is created against references to a non-existent library, and changing registry values to abuse ''DLL redirection'', which changes the DLL search order.<ref name="mitre-attack" /> DLL hijacking was used by state-sponsored groups including [[Lazarus Group]] and [[Tropic Trooper]].<ref name="checkpoint-research" />
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)