A simple DLL file was the catalyst to the most devastating cyberattack against the United States by nation-state hackers.

This almost cinematic breach demonstrates the formidable potency of DLL hijacking and its ability to dismantle entire organizations with a single infected file.

What is DLL Hijacking?

DLL hijacking is a method of injecting malicious code into an application by exploiting the way some Windows applications search and load Dynamic Link Libraries (DLL).

Only Microsoft operating systems are susceptible to DLL hijacks.

By replacing a required DLL file with an infected version and placing it within the search parameters of an application, the infected file will be called upon when the application loads, activating its malicious operations.

For a DLL hijack to be successful, a victim needs to load an infected DLL file from the same directory as the targeted application.

If applications that are automatically loaded upon startup are compromised with a tainted DLL file, cybercriminals will be granted access to the infected computer whenever it loads.

DLL hijacking is not an innovative cyberattack method. It has been in circulation among cybercriminals since Windows 2000 launched.

What are DLL Files?

DLL files, or Dynamic Link Library files, contain the resources an application needs to run successfully. These could include images and a library of executable functions.

DLL files cannot be opened directly by end-users; they are loaded by their associated application, which usually happens when the application starts up.

Windows systems require DLL files to understand how to use their resources, the host computer memory, and hard drive space most efficiently.

DLL files usually end with a .dll extension, but some could end in .drv, .drov and even .exe.

A single DLL file can be shared by multiple programs, so multiple programs could potentially be compromised in a single DLL hijacking attack.

How Does DLL Hijacking Work?

For a DLL hijacking attack to be successful, a Windows application needs to be tricked into loading an infected DLL file instead of the legitimate DLL.

By exploiting the publicly documented DLL search order used by Windows applications, this trickery is relatively simple to execute.

The standard DLL search order of Microsoft applications depends upon whether safe DLL search is enabled.

When safe DLL search mode is enabled, applications search for required DLL files in the following order:

  1. The directory from which the application is loaded.
  2. The system directory.
  3. The 16-bit system directory.
  4. The Windows directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable.

When safe DLL search mode is disabled, the search order is as follows:

  1. The directory from which the application is loaded.
  2. The current directory.
  3. The system directory.
  4. The 16-bit system directory.
  5. The Windows directory.
  6. The directories that are listed in the PATH environment variable.

The only difference between the two search modes is where the user's current directory is searched: it is elevated in the hierarchy when safe DLL search mode is disabled.

Windows falls back to one of the above DLL search orders whenever an application does not specify the full path of a DLL it loads.

This fallback behaviour is what makes DLL hijacking possible.

For example, if a Windows application requires a DLL file located in the system directory C:\Windows\System32 but there are no instructions in its code to search in this explicit location, the application will work through a DLL search order to locate the file.

Regardless of whether or not safe search is enabled, the directory from which the application is launched is the first location that is searched.

If a cybercriminal deposits an infected DLL file in this location, the application will open it instead of the original because its location was searched first, before the system directory.

This technique is also known as DLL search order hijacking.
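The two search orders above, walked by a small model, as an added example that is not from the original article: it lists the directories in the order the loader probes them for each mode, resolves a DLL name against a constructed set of files, and reports when a copy earlier in the order would shadow the legitimate one in the system directory. Function names and the directory and file values are hypothetical. The model deliberately omits the loader's earlier checks (already-loaded modules, the KnownDLLs list, application manifests) and any application-specified full path, so it shows only the fallback order the article describes.

```python
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional

# Constructed example locations (hypothetical; not taken from the article).
APP_DIR = r"C:\Program Files\App"
CWD = r"C:\Users\alice\Downloads"
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Tools"]


def search_order(safe_mode: bool, app_dir: str = APP_DIR, cwd: str = CWD,
                 system_dir: str = SYSTEM_DIR, system16_dir: str = SYSTEM16_DIR,
                 windows_dir: str = WINDOWS_DIR,
                 path_dirs: Iterable[str] = PATH_DIRS) -> List[str]:
    """Directories in the order the loader probes them, per the two lists above.

    The application directory comes first in both modes; only the position of
    the current directory changes.
    """
    if safe_mode:
        order = [app_dir, system_dir, system16_dir, windows_dir, cwd]
    else:
        order = [app_dir, cwd, system_dir, system16_dir, windows_dir]
    return order + list(path_dirs)


def resolve_dll(dll_name: str, dirs: Iterable[str],
                existing_files: Iterable[str]) -> Optional[str]:
    """Return the full path of the first copy of dll_name found along dirs.

    Windows paths are case-insensitive, so comparison is done lower-cased.
    """
    present = {f.lower() for f in existing_files}
    for directory in dirs:
        candidate = str(PureWindowsPath(directory) / dll_name)
        if candidate.lower() in present:
            return candidate
    return None


def hijack_check(dll_name: str, safe_mode: bool,
                 existing_files: Iterable[str]) -> dict:
    """Compare where the loader would find dll_name with the System32 copy.

    'shadowed' is True when a copy earlier in the search order would be loaded
    instead of the legitimate one in the system directory.
    """
    expected = str(PureWindowsPath(SYSTEM_DIR) / dll_name)
    resolved = resolve_dll(dll_name, search_order(safe_mode), existing_files)
    return {
        "resolved": resolved,
        "expected": expected,
        "shadowed": resolved is not None and resolved.lower() != expected.lower(),
    }


if __name__ == "__main__":
    # Constructed file set: a legitimate copy in System32 and a stray copy in
    # the user's current directory.
    files = [r"C:\Windows\System32\version.dll",
             r"C:\Users\alice\Downloads\version.dll"]
    for safe in (True, False):
        label = "safe mode" if safe else "unsafe mode"
        print(label, hijack_check("version.dll", safe, files))
    # A copy beside the executable wins in both modes.
    files.append(r"C:\Program Files\App\version.dll")
    print("copy in app dir", hijack_check("version.dll", True, files))
```

Running the script shows the point the article makes: with only a stray copy in the current directory, safe mode still resolves to System32 while unsafe mode does not, and a copy in the application directory is chosen in both modes.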

To launch a DLL hijack, a cybercriminal just needs to deposit a payload DLL into the directory of a targeted application.

There are multiple attack vectors that could facilitate such a deposit, including social engineering, phishing, and supply chain attacks.

To evade detection, infected DLL files mimic the digital signature of the targeted application. Such a signature attests that a file is authentic, which could allow malicious DLL files to be passed on to vendor partners in a supply chain attack.

The malicious DLL file that caused the U.S. government data breach was digitally signed by the government's trusted third-party vendor, SolarWinds.

Compromised SolarWinds .dll file displaying the SolarWinds digital signature. Source: Fireeye.com.

How to Identify a DLL Hijacking Attack

You can identify whether a DLL hijacking attack is taking place using Process Monitor (Procmon), part of Microsoft's Sysinternals suite.

Process Monitor displays file system activity in real time. By applying the right filters, you can identify whether any foreign DLL files are being loaded instead of the originals.

Step 1: Install and launch Process Monitor.

Step 2: Search for the application suspected of being targeted in a DLL hijacking attack.

Search for the potentially vulnerable application suspected of being hijacked in Process Monitor. Source: medium.com

Step 3: Apply a filter to display only DLL files

To apply a filter in Process Monitor, press Ctrl + L. Set the filter condition to Path ends with .dll so that only DLL files are displayed.

Click Add.

Click Apply.

Process Monitor filter displaying only active DLL files. Source: medium.com

Step 4: Apply a filter for directory: name not found

Because DLL hijacking primarily occurs when a foreign DLL file is loaded instead of the authentic version in the system directory, you should apply a filter that displays DLL files the application looked for outside of the system directory.

Process Monitor flags these lookups with the result NAME NOT FOUND.

To apply the filter, press Ctrl + L and set the following conditions:

Result is NAME NOT FOUND.

Click Add.

Click Apply.

Process Monitor filter displaying results with NAME NOT FOUND. Source: medium.com

The resulting list shows every DLL that the specified application attempted to load from a location outside of the system directory and did not find there.

A malicious DLL planted for a hijack will be located in the same directory as the target application. To check this possibility, apply an additional filter to display only DLL files in the application's directory.

Press Ctrl + L and set the following conditions:

Path is [path address]

Process Monitor filter for only displaying files in a given path.

Click Add.

Click Apply.
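The same filters applied programmatically, as an added example that is not part of the original article: a Python script that reads a Process Monitor CSV export (File, Save, CSV format) and applies the conditions from Steps 3 and 4 above (DLL paths, NAME NOT FOUND results, restricted to the application's directory), so a long capture can be triaged without clicking through the filter dialog. The CSV sample is constructed, the function names are hypothetical, and the column headers are the ones Procmon writes in its default CSV export.

```python
import csv
import io
from typing import Dict, List

# Constructed sample of a Process Monitor CSV export; not a real capture.
SAMPLE_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","app.exe","4120","CreateFile","C:\\Program Files\\App\\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","app.exe","4120","CreateFile","C:\\Windows\\System32\\version.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.3","app.exe","4120","Load Image","C:\\Windows\\System32\\version.dll","SUCCESS",""
"10:01:02.4","app.exe","4120","CreateFile","C:\\Program Files\\App\\config.ini","SUCCESS",""
"10:01:02.5","app.exe","4120","CreateFile","C:\\Program Files\\App\\dbghelp.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.6","app.exe","4120","Load Image","C:\\Program Files\\App\\plugin.dll","SUCCESS",""
"10:01:02.7","app.exe","4120","CreateFile","C:\\Users\\alice\\Downloads\\version.dll","NAME NOT FOUND",""
"10:01:05.0","other.exe","5000","CreateFile","C:\\Temp\\helper.dll","NAME NOT FOUND",""
'''


def parse_procmon_csv(text: str) -> List[Dict[str, str]]:
    """Read a Procmon CSV export into one dict per event, keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def _under(path: str, directory: str) -> bool:
    """Case-insensitive 'path is inside directory' check for Windows paths."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def missing_dll_probes(rows: List[Dict[str, str]], process_name: str,
                       app_dir: str) -> List[str]:
    """Steps 3 and 4 above: DLLs the process looked for in its own directory
    and did not find. Each is a location where a planted DLL would be picked
    up ahead of the real one, so each deserves a look at who can write there."""
    hits = {
        r["Path"] for r in rows
        if r["Process Name"].lower() == process_name.lower()
        and r["Operation"] == "CreateFile"
        and r["Result"] == "NAME NOT FOUND"
        and r["Path"].lower().endswith(".dll")
        and _under(r["Path"], app_dir)
    }
    return sorted(hits)


def dlls_loaded_from_app_dir(rows: List[Dict[str, str]], process_name: str,
                             app_dir: str) -> List[str]:
    """DLLs actually mapped (Load Image) from the application directory.
    Each should be confirmed as a legitimate, correctly signed component."""
    hits = {
        r["Path"] for r in rows
        if r["Process Name"].lower() == process_name.lower()
        and r["Operation"] == "Load Image"
        and r["Result"] == "SUCCESS"
        and r["Path"].lower().endswith(".dll")
        and _under(r["Path"], app_dir)
    }
    return sorted(hits)


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    app_dir = r"C:\Program Files\App"
    print("Not found in app dir:", missing_dll_probes(events, "app.exe", app_dir))
    print("Loaded from app dir:", dlls_loaded_from_app_dir(events, "app.exe", app_dir))
```

The path filter matters: the constructed capture also contains a NAME NOT FOUND probe under the user's Downloads folder and one from an unrelated process, and both are correctly left out of the application-directory list.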

How to Prevent DLL Hijacking

The first line of defense needs to be established by software developers. Developers need to follow secure coding practices and specify the exact location of all associated DLL files to prevent Windows from defaulting to its DLL search path protocol.

Adherence to secure coding practices can never be guaranteed, so organizations should implement the following additional defenses:

Keep antivirus software up-to-date

Highly sophisticated supply chain attack tactics could evade detection by antivirus software, but there are many instances where malicious DLL injection attempts are detected and blocked.

It is important to keep antivirus software updated to keep its detection methods astute.

DLLSpy is an effective DLL hijacking defense tool that can even detect privilege escalation vulnerabilities. It is available on GitHub.

Educate staff about phishing and social engineering warning signs

DLL hijacking is only possible if a malicious DLL file is introduced into an ecosystem. By mitigating the possibility of such an injection, an organization could prevent DLL hijacks.

Most malicious DLL and malware injections occur because staff members unknowingly introduce them into an ecosystem. To avoid this, staff should learn to identify the warning signs of social engineering and phishing attacks and implement best security practices.

Some best practices include:

  • Establishing an accessible Information Security Policy.
  • Enforcing multi-factor authentication.
  • Referring suspicious emails to key staff members before engaging with them.

Strengthen your security posture

By continuously monitoring your attack surface, you can quickly identify any vulnerabilities within your ecosystems that place your organization at a heightened risk of DLL hijacking attacks.

BreachSight by UpGuard empowers organizations to strengthen their security posture by identifying all risks and tracking remediation efforts.

CLICK HERE for a FREE trial of BreachSight today!

Implement a vendor risk management solution

Unfortunately, not all vendors follow best cybersecurity practices, which is the reason behind the growing prevalence of supply chain attacks.

Innovative developments in vendor risk management technology, such as Vendor Risk by UpGuard, now allow organizations to continuously monitor the security posture of their entire vendor network.
