https://wikileaks.org/ciav7p1/cms/index.html
Is that a list of the Various softwares you mentioned BC_Programmer if so what is the general basis behind a DLL Hijack?
I see some of the tools a lot of people use in that DLL Hijack including Skype, Notepad++, ect..
You make software load "your" DLL, instead of the one intended. Then you can run code within the security context of that program. You do this by putting it on the Library Search path Geek mentioned, but "before" the actual DLL would be found in the order.
For example, let's say we have GAME.EXE running, and it want's to load LIBRARY.DLL.
So Windows now has to find it. First it looks in the directory where the executable is, then it looks in the Windows System directory (C:\Windows\System32) then it looks the Windows Directory, then it looks in the current directory, and then it looks at all the folders specified in the PATH environment variable.
SourceIt's worth noting that this order directly contradicts what the order is stated to be in Geek-9pm's link. The Library Search order is different if a "SafeDLLSearchMode" is enabled. This has been enabled by default since Windows XP SP2 and causes the Current Directory to be searched after the Windows System directories. This makes everything in the posted page unusable; it relies on the current directory being searched before the standard system directories, which hasn't been the case for over a decade- it wasn't even relevant when it was written, not t hat it is my place to question such heavyweight researchers like 'Max "RIVAL"'
DLL hijacking now requires a program to be specifically programmed to load from insecure locations (eg hard-coded or soft-coded paths) or to have insecure extensibility features that allow such things to happen. Skype isn't vulnerable, but it's Installer is; it doesn't rely on the Windows Search Order and specifically looks in the current directory for msi.dll, which means placing a malicious msi.dll in that folder will allow malicious code to execute.
Otherwise, though, it requires administrator privileges to place the malicious DLL in a folder to have it be found first, which means it's seldom an infection vector but rather a payload action (eg something you do after you've taken control of a system).
realistically it is somewhat overstated; it's just gathered information that for the most part was already freely available on the Internet, mostly a set of tips and tricks it looks like for how to do their Job.
