
DLL Hijacking and Injection: In-Depth Technical Guide with Real-World Examples

  • Writer: Akshay Jain
  • 17 hours ago
  • 3 min read

Dynamic Link Libraries (DLLs) are integral to Windows operations, enabling modular code and shared functionalities. However, their design also presents opportunities for exploitation. Two prevalent attack vectors are DLL hijacking and DLL injection. This guide delves into these techniques, their workflows, and real-world instances.


Understanding DLL Hijacking

DLL hijacking exploits the way Windows searches for DLLs. When an application doesn't specify the full path to a DLL, Windows searches directories in a specific order. Attackers can place a malicious DLL in a directory that precedes the legitimate one in the search order, leading the application to load the malicious DLL.


Attack Workflow:

  1. Identify Vulnerable Application: Find an application that loads DLLs without specifying full paths.

  2. Create Malicious DLL: Develop a DLL with the same name as the legitimate one, containing malicious code.

  3. Place DLL in Target Directory: Position the malicious DLL in a directory that the application searches before the legitimate DLL's location.

  4. Execute Application: When the application runs, it loads the malicious DLL, executing the attacker's code.


Understanding DLL Injection

DLL injection involves inserting a DLL into a running process's address space. This technique allows attackers to execute arbitrary code within the context of another process, often to manipulate its behavior or gain elevated privileges.


Attack Workflow:

  1. Open Target Process: Use functions like OpenProcess to obtain a handle to the target process.

  2. Allocate Memory: Allocate space within the target process using VirtualAllocEx.

  3. Write DLL Path: Write the path of the malicious DLL into the allocated memory with WriteProcessMemory.

  4. Create Remote Thread: Invoke CreateRemoteThread to execute LoadLibrary, loading the malicious DLL into the process.


Real-World Example: Maze Ransomware

The Maze ransomware utilized DLL injection to embed its code into legitimate processes. By doing so, it evaded detection and executed its payload, encrypting user data and demanding ransom payments. 



Other DLL-Based Attacks

DLL Side-Loading

This technique involves placing a malicious DLL alongside a legitimate executable. The application, trusting the DLL due to its proximity and naming, loads it, allowing the attacker to execute code.


Process Hollowing

In process hollowing, an attacker starts a legitimate process in a suspended state, replaces its memory with malicious code, and then resumes it. This method allows malware to run under the guise of a legitimate process.


Detection Strategy for DLL Hijacking

DLL Hijacking usually involves:

  • Loading of non-standard or suspicious DLLs.

  • DLLs loaded from unusual directories (e.g., user-writable paths like %TEMP%, Downloads, or AppData).

  • Applications loading unsigned DLLs or DLLs not normally associated with them.


Detection Logic (Sigma-like Pseudocode)

title: Suspicious DLL Load from User-Writable Directory
logsource:
  category: image-load
  product: windows
detection:
  selection:
    ImageLoaded|endswith:
      - '.dll'
    ImageLoaded|contains:
      - '\Users\'
      - '\AppData\'
      - '\Temp\'
      - '\Downloads\'
  condition: selection
fields:
  - Image
  - ImageLoaded
  - User
  - ProcessId
  - SignatureStatus
level: medium
description: Detects potential DLL hijacking based on a DLL being loaded from a user-writable directory.

Detection Strategy for DLL Injection

DLL Injection often involves:

  • Use of suspicious Windows API calls (WriteProcessMemory, CreateRemoteThread, VirtualAllocEx, LoadLibraryA/W).

  • Unusual parent-child process relationships.

  • Loading of unsigned DLLs into privileged processes.


Detection Logic (Sysmon + Windows API Monitoring)

title: DLL Injection via Remote Thread Creation
logsource:
  category: process-access
  product: windows
detection:
  selection:
    CallTrace|contains:
      - 'CreateRemoteThread'
      - 'VirtualAllocEx'
      - 'WriteProcessMemory'
  condition: selection
fields:
  - SourceProcess
  - TargetProcess
  - CallTrace
  - User
level: high
description: Detects possible DLL injection through remote thread creation and memory allocation.
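To show what the two Sigma-like rules above actually match, here is an added example (not code from the post's author) that implements the small subset of Sigma matching they rely on and runs both rules over a handful of constructed log records. The records, paths and the signature-based severity adjustment are all invented for illustration; note also that real Sysmon Event 10 records write module-plus-offset pairs into CallTrace rather than API names, so the injection record below assumes an API-monitoring event source as the post's heading implies.

```python
"""Runs the two Sigma-like rules from this post over constructed log records.

Added example, not code from the post's author. It implements the subset of
Sigma matching the rules use: a selection map whose keys are AND-ed, and
`field|contains` / `field|endswith` modifiers whose list values are OR-ed,
compared case-insensitively. Records, paths and the SignatureStatus-based
severity adjustment are all constructed for illustration.
"""

# The two rules from the post, transcribed as Python dicts.
DLL_HIJACK_RULE = {
    "title": "Suspicious DLL Load from User-Writable Directory",
    "level": "medium",
    "selection": {
        "ImageLoaded|endswith": [".dll"],
        "ImageLoaded|contains": ["\\Users\\", "\\AppData\\", "\\Temp\\", "\\Downloads\\"],
    },
}
DLL_INJECT_RULE = {
    "title": "DLL Injection via Remote Thread Creation",
    "level": "high",
    "selection": {
        "CallTrace|contains": ["CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"],
    },
}

# Constructed records. e1-e3 mimic Sysmon Event 7 (image load); e4-e5 mimic
# Event 10 (process access). Real Sysmon writes module+offset pairs into
# CallTrace, not API names, so e4 assumes an API-monitoring source instead.
SAMPLE_EVENTS = [
    {"id": "e1", "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"id": "e2", "Image": r"C:\Users\alice\AppData\Local\Programs\ChatApp\chat.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Programs\ChatApp\ffmpeg.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"id": "e3", "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"id": "e4", "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "CallTrace": "ntdll.dll!NtCreateThreadEx|kernel32.dll!CreateRemoteThread|tool.exe+0x1a2b"},
    {"id": "e5", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4b4|C:\Windows\System32\KERNELBASE.dll+2f3b3"},
]


def _match_field(value, modifier, patterns):
    # Sigma string comparisons are case-insensitive; a list of values is OR-ed.
    v = str(value).lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "contains" and p in v:
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "" and v == p:
            return True
    return False


def matches(rule, event):
    """True when every key of the rule's selection map holds for the event (AND)."""
    for key, patterns in rule["selection"].items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not _match_field(event[field], modifier, patterns):
            return False
    return True


def effective_level(rule, event):
    # Assumed triage tweak, not part of the post's rule: the hijack rule fires
    # for every DLL under \Users\, including signed per-user installs, so a
    # load carrying a valid Authenticode signature is reported at low severity.
    if rule is DLL_HIJACK_RULE and event.get("SignatureStatus") == "Valid" \
            and event.get("Signed") == "true":
        return "low"
    return rule["level"]


def evaluate(events, rules=(DLL_HIJACK_RULE, DLL_INJECT_RULE)):
    """Return (rule title, event id, level) for every rule/event pair that matches."""
    return [(rule["title"], ev["id"], effective_level(rule, ev))
            for ev in events for rule in rules if matches(rule, ev)]


if __name__ == "__main__":
    for title, event_id, level in evaluate(SAMPLE_EVENTS):
        print(f"[{level}] {event_id}: {title}")
```

Running it reports e1 (an unsigned DLL loaded from %TEMP% by a Program Files binary) at medium, e2 (a signed DLL inside a per-user install) at low, and e4 (a remote-thread call trace) at high; the System32 load and the plain module+offset trace produce nothing. The low-severity downgrade is the kind of tuning the first rule needs in practice, since it otherwise fires on every per-user application.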

Mitigation Strategies

  • Specify Full Paths: Always use absolute paths when loading DLLs, so the loader never consults the search order and cannot be redirected to a planted copy.

  • Implement Code Signing: Ensure all DLLs are signed and verify their signatures before loading.

  • Restrict Directory Permissions: Limit write permissions on directories where DLLs are loaded from.

  • Use Security Tools: Employ tools like Microsoft's EMET or third-party solutions to monitor and prevent DLL injection attempts.
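The first and third mitigations work because they take the user-writable directories out of the loader's search. The following added example (not the author's code) models the documented default search order described in the hijacking section and lets a defender check which of an application's imports would resolve into a user-writable location, then shows that an absolute path or a System32-only search set changes the outcome. Every file and directory is constructed; the 16-bit system directory and the KnownDLLs list are left out of the model, and the "restricted" mode stands in for what SetDefaultDllDirectories with LOAD_LIBRARY_SEARCH_SYSTEM32 does on a real system.

```python
"""Simulates where the Windows loader resolves a bare DLL name and how two of
the mitigations above change the result.

Added example, not the author's code. The order modelled is Microsoft's
documented default with SafeDllSearchMode on: application directory, System32,
Windows directory, current directory, then PATH. The 16-bit system directory
and KnownDLLs are omitted. All files and directories below are constructed.
"""
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"

# Constructed file system: an installer is run from Downloads, and a second
# copy of version.dll sits in that same user-writable directory.
FILESYSTEM = {p.lower() for p in (
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Users\alice\Downloads\version.dll",
)}
APP_DIR = r"C:\Users\alice\Downloads"
CWD = r"C:\Users\alice"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows"]
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\temp\\")   # constructed policy


def search_order(app_dir, cwd, path_dirs):
    """Directories the loader consults, in order, for a bare DLL name."""
    return [app_dir, SYSTEM32, WINDIR, cwd, *path_dirs]


def resolve(dll, filesystem=FILESYSTEM, app_dir=APP_DIR, cwd=CWD,
            path_dirs=PATH_DIRS, mode="default"):
    """Return the lower-cased path the loader would pick, or None.

    mode="default"    walk the full search order above
    mode="restricted" System32 only (the SetDefaultDllDirectories mitigation)
    An absolute `dll` skips the search entirely (the "specify full paths"
    mitigation).
    """
    if PureWindowsPath(dll).is_absolute():
        return dll.lower() if dll.lower() in filesystem else None
    dirs = [SYSTEM32] if mode == "restricted" else search_order(app_dir, cwd, path_dirs)
    for d in dirs:
        candidate = str(PureWindowsPath(d) / dll).lower()
        if candidate in filesystem:
            return candidate
    return None


def in_user_writable(path):
    """True when the resolved path lies under a directory users can write to."""
    return path is not None and any(path.startswith(root) for root in USER_WRITABLE_ROOTS)


def exposure_report(dll_names, **kw):
    """Map each name to (default resolution, exposed?, restricted resolution)."""
    report = {}
    for name in dll_names:
        default = resolve(name, **kw)
        restricted = resolve(name, mode="restricted", **kw)
        report[name] = (default, in_user_writable(default), restricted)
    return report


if __name__ == "__main__":
    for name, (default, exposed, restricted) in exposure_report(["version.dll", "kernel32.dll"]).items():
        flag = "EXPOSED" if exposed else "ok"
        print(f"{name}: default -> {default} [{flag}]; restricted -> {restricted}")
    print("full path ->", resolve(r"C:\Windows\System32\version.dll"))
```

With the default order, version.dll resolves to the copy in Downloads because the application directory is searched first, which is exactly the hijacking condition the post describes; kernel32.dll is unaffected because no copy exists there. Restricting the search to System32, or passing the absolute path, returns the legitimate copy in both cases, which is the check you would want to run against any application that is launched from a user-writable directory.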


DLL hijacking and injection are potent techniques in an attacker's arsenal, exploiting the flexibility of DLL loading in Windows. By understanding these methods and implementing robust security practices, organizations can mitigate the risks associated with these attacks.
