What is DLL search order and how it enables red team trade-craft?
Learn what DLL search order is and how it is abused in red team tradecraft.
In simple terms, DLL search order is the order in which the operating system looks for a Dynamic-Link Library (DLL) on the system. A developer can control the exact location from which a given DLL is loaded by specifying its full path. If they don't, the system searches for the DLL at load time, following a fixed order of directories.
The search order differs for packaged and unpackaged Windows applications; both orders are described in the Microsoft documentation linked here.
The standard DLL search order used by the system for unpackaged apps depends on whether or not DLL safe search mode is enabled. If safe search is enabled, the system moves the user's current directory later in the order, so it is consulted only after the system directories.
Red Team Notes
DLL safe search can be disabled or bypassed in the following ways:
- setting HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode to 0.
- calling the SetDllDirectory Windows API.
- calling the SearchPath function to retrieve a path to a DLL for a subsequent LoadLibrary call, as long as safe process search mode is not enabled. When safe process search mode is not enabled, SearchPath uses a different search order than LoadLibrary and is likely to search the user's current directory for the specified DLL first.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
So how can red teamers abuse it? As per this article, if an attacker gains control of one of the directories on the DLL search path, they can place a malicious copy of the DLL in that directory. This is sometimes called a DLL preloading attack or a binary planting attack. If the system does not find a legitimate copy of the DLL before it searches the compromised directory, it loads the malicious DLL. If the application is running with administrator privileges, the attacker may succeed in local privilege elevation.
For blue teams and developers, this documentation from Microsoft provides guidelines on safeguarding applications from DLL search order hijacking attacks.
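To see how the SafeDllSearchMode setting from the notes above changes the order of the directories for an unpackaged app, here is an added PowerShell audit script (not from the original post or from Microsoft); it reads the registry value, lists the directories in the order the system would search them, and flags any the current user can write to. The directory order follows the Microsoft documentation linked above; the application directory passed in is an assumption.

```powershell
# Added example: audit SafeDllSearchMode and show the resulting search order.
function Get-SafeDllSearchMode {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SafeDllSearchMode
    # The value is absent by default; absent or non-zero means safe search is enabled.
    [pscustomobject]@{
        RawValue = $value
        Enabled  = ($null -eq $value) -or ($value -ne 0)
    }
}

function Get-DllSearchOrder {
    param(
        [Parameter(Mandatory)][string]$AppDir,          # directory of the loading executable (assumed input)
        [string]$Cwd = (Get-Location).Path,             # the process's current directory
        [bool]$SafeSearch = (Get-SafeDllSearchMode).Enabled
    )
    $system   = Join-Path $env:SystemRoot 'System32'   # 32/64-bit system directory
    $sys16    = Join-Path $env:SystemRoot 'System'     # 16-bit system directory
    $windows  = $env:SystemRoot
    $pathDirs = $env:PATH -split ';' | Where-Object { $_ }

    if ($SafeSearch) {
        # Safe search enabled: current directory comes after the system directories.
        $order = @($AppDir, $system, $sys16, $windows, $Cwd) + $pathDirs
    } else {
        # Safe search disabled: current directory is searched right after the app directory.
        $order = @($AppDir, $Cwd, $system, $sys16, $windows) + $pathDirs
    }

    $i = 0
    foreach ($dir in $order) {
        $i++
        # A writable directory that precedes the legitimate DLL's location is the
        # misconfiguration a preloading attack relies on, so report it for remediation.
        $writable = $false
        if (Test-Path -LiteralPath $dir) {
            try {
                $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
                [IO.File]::WriteAllText($probe, '')
                Remove-Item -LiteralPath $probe -Force
                $writable = $true
            } catch { $writable = $false }
        }
        [pscustomobject]@{ Position = $i; Directory = $dir; Writable = $writable }
    }
}

# Usage (the application directory is an assumption):
Get-DllSearchOrder -AppDir 'C:\Program Files\ExampleApp' | Format-Table -AutoSize
```

Run it once with the current setting and once with `-SafeSearch $false` to see the current directory move from fifth to second place; remediation is restoring SafeDllSearchMode to 1 (or deleting the value) and removing write access to any early directory that is flagged.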