Everything Is Just Dandy!

All About DLL Hijacking – My Favorite Persistence Method

IppSec
2022 03 20
https://www.youtube.com/watch?v=3eROsG_WNpE
00:00 – Intro
00:25 – Why DLL Hijack is my favorite persistence, talk about a few others
02:03 – Going over the source code to our sample applications to talk about DLL Hijacking
03:20 – Compiling our executable and DLL then transferring it to our Windows box
04:50 – Using Process Monitor to show standard DLL Hijacking (when a DLL does not exist)
06:10 – Showing the order Windows tries to load the DLL (Directory of binary then PATH)
07:20 – Talking about a somewhat common mistake when people make edits to the PATH (ex: Java/Python/etc)
09:00 – Placing the DLL test.exe is looking for and achieving code execution
11:25 – Showing if we can write in c:\Windows, we can hijack most DLLs explorer.exe loads from system32.
14:00 – Messing up using Process Monitor for a bit, sorry should have prepped a bit more
15:30 – Showing why explorer is unique, then putting CSCAPI.DLL into c:\Windows\… This would get run anytime a user logs into the system
17:55 – DLL Hijacking OneDrive for user level persistence
19:30 – Wrapping up, talking about some videos where I talk more about creating DLLs which can help with this