DLL hijacking is an attack that makes applications load malicious dynamic link libraries instead of the intended -- clean and legit -- library on a Windows system.
Programs that don't specify paths to libraries are vulnerable to DLL hijacking as Windows uses a priority based search order in this case to load libraries.
If attackers manage to place malicious libraries in a location with a high priority, then it will be loaded by the application.
Users cannot really do anything about this as it is not clear if paths are set properly or not in applications that they run on the system. It is up to programmers to make sure paths are set properly in the programs before they are released to the public.
As an end user, you can use a program like Dll Hijack Detect to scan the computer system for potential hijacks.
The program identifies all DLLs loaded by running processes on the system. It inspects all library locations where malicious files could be placed and checks in addition if a loaded library appears multiple times in the search order, determines which library is currently loaded and warns you if hijacks are possible.
Not every find indicates that something is wrong. The examples above for example are clean even though libraries have been found in multiple locations on the system.
The program supports a flag to ignore signed DLLs which reduces the output significantly.
DLL Hijack Detect is a command line tool.
All that is left to do is go through the report one by one to determine whether DLLs are hijacked on your system.
Tip: Append > c:\output.txt to the command to save the information to the file output.txt on your system. It may be easier to go through a text file than the command line window.
Note: You may need to install the Visual C++ Redistributable Packages for Visual Studio 2013 to run the program.
Additional information about the program are available on the Sans website.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.