DLL hijacking definition
DLL hijacking refers to a technique used by attackers to exploit the way applications load Dynamic Link Libraries (DLLs). It is also known as DLL preloading and DLL side-loading.
See also: sideloading
How does DLL hijacking work
- 1. Application dependency. Many applications depend on external DLL files to provide additional functionality. On launch, an application searches for the required DLL files in specific locations, following a specific order.
- 2. Vulnerability exploitation. Attackers can sometimes exploit vulnerabilities in applications that do not load DLLs securely. They place a malicious DLL with the same name as the expected DLL in a location where the application searches.
- 3. Malicious DLL execution. When the application is launched and attempts to load the DLL, it mistakenly loads the malicious DLL instead of the legitimate one.
- 4. Consequences. DLL hijacking can lead to various security risks. For example, attackers can execute malicious code, escalate privileges, or steal sensitive information.
DLL hijacking prevention
- Apply security patches. Keep all software up to date with the latest security patches to address known DLL hijacking vulnerabilities.
- Secure DLL loading. Applications should use secure loading techniques, such as specifying the full path or using secure library loading functions.
- DLL signature verification. Verify the digital signatures of DLL files to ensure their authenticity.
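
The ordered search described under "How does DLL hijacking work" can be audited from the defender's side. The following is an added example, not part of the original page: it walks a caller-supplied directory order and reports DLL names whose first match lies outside the trusted directories while a trusted copy of the same name exists. The directory order, the `trusted_dirs` parameter and all file names are assumptions constructed for illustration.

```python
import os
import tempfile


def find_shadowed_dlls(search_order, trusted_dirs):
    """Report DLL names whose first match in search_order is outside
    trusted_dirs while a trusted copy of the same name exists.

    search_order: directories in the order the loader would try them
    (supplied by the caller; an assumption of this example).
    """
    trusted = {os.path.normcase(os.path.abspath(d)) for d in trusted_dirs}
    first_hit = {}    # lowercased name -> directory that wins the search
    trusted_hit = {}  # lowercased name -> first trusted directory holding it
    for directory in search_order:
        if not os.path.isdir(directory):
            continue
        key_dir = os.path.normcase(os.path.abspath(directory))
        for entry in sorted(os.listdir(directory)):
            name = entry.lower()  # Windows file names are case-insensitive
            if not name.endswith(".dll"):
                continue
            first_hit.setdefault(name, key_dir)
            if key_dir in trusted:
                trusted_hit.setdefault(name, key_dir)
    return [
        (name, winner, trusted_hit[name])
        for name, winner in sorted(first_hit.items())
        if winner not in trusted and name in trusted_hit
    ]


def demo():
    """Constructed layout: an app folder searched before a system folder."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app")
    system = os.path.join(root, "system32")
    os.makedirs(app)
    os.makedirs(system)
    for folder, name in ((app, "helper.dll"),    # only in the app folder
                         (app, "Shared.DLL"),    # same name as a trusted DLL
                         (system, "shared.dll"),
                         (system, "core.dll")):
        open(os.path.join(folder, name), "wb").close()
    return find_shadowed_dlls([app, system], trusted_dirs=[system]), app, system


if __name__ == "__main__":
    for name, winner, trusted_copy in demo()[0]:
        print(f"{name}: loaded from {winner}, trusted copy in {trusted_copy}")
```

A finding is a prompt to verify the winning file's digital signature and origin, not proof of compromise, since applications legitimately ship private copies of libraries.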