Detecting ‘Slow Dll Hijacking’ Vulnerability using DllHijackAuditor

The ‘Dll Hijack’ vulnerability is one of the recently highlighted critical security issues affecting many of the most popular Windows applications. Every day researchers discover more applications that are vulnerable to various forms of ‘Dll Hijacking’, and at the same time attackers have started exploiting these vulnerable applications.

In that context, we developed a special tool called DllHijackAuditor to make it easy for researchers and developers to discover all the Dlls in an application that are prone to ‘Dll Hijacking’. We have also published a video demonstration showing how easy it is to use DllHijackAuditor to uncover such issues.

There are mainly two types of vulnerable Dlls here: those that are discovered at the launch of the application, and those that are discovered at a later point in the application's execution, which we term ‘Slow Hijack’ Dlls. Most of the vulnerable applications reported so far fall into the first category; almost none have been reported for the second scenario.


About ‘Slow Dll Hijacking’ Vulnerability

‘Slow Dll Hijacking’ refers to the special case in which an application loads the vulnerable Dll at a later point of its execution (rather than at start-up), triggered by certain operations. Discovering such Dlls is not easy and requires complete testing of every feature of the application. One may argue that such slow vulnerable Dlls are not so important from a practical attack point of view, but the possibility cannot be ruled out, and it varies from application to application. History has often shown that attackers are more innovative and creative than their counterparts.


From a developer's or organization's perspective, it is important to close all such holes leading to Dll Hijacking, whether slow or fast, as they may explode at any point of time.


Detecting ‘Slow Dll Hijacking’ using DllHijackAuditor

DllHijackAuditor is specially designed to discover and audit an application for the ‘Slow Dll Hijack’ vulnerability. In these cases all areas of the application need to be tested thoroughly, to make sure that loading a Dll at any stage is not susceptible to ‘Dll Hijacking’. To address this scenario, DllHijackAuditor comes with a setting that allows the user to keep testing for as long as they want.

When you launch DllHijackAuditor, you will see a small checkbox stating ‘Do not terminate application…’, which you need to select so that the application is not terminated after the predefined ‘wait timeout’. This lets you perform complete testing while DllHijackAuditor waits in the background and displays any vulnerable Dlls it discovers.

During the next phase, exploitation testing, you have to select that checkbox again and repeat the same sequence of operations, which will trigger the application to load the same Dll. This confirms whether the particular Dll is really exploitable through the ‘Dll Hijacking’ issue, as in the normal cases.
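To make the launch-time versus slow distinction concrete, here is an added Python example (not part of DllHijackAuditor or of this post) that scans a constructed Process Monitor-style file-access trace for Dlls the application looked for in its own directory but did not find, tags each as a launch-time or slow find against an assumed wait-timeout threshold, and confirms a find against a repeat run in the spirit of the second phase above. The trace lines, the 30-second threshold and the application directory are constructed assumptions, not real captures.

```python
from datetime import datetime

# Constructed sample traces in a Process Monitor-like CSV layout (time,process,
# operation,path,result); not real captures. DLL names follow the post's Wireshark demo.
FIRST_RUN = """\
10:00:00.010,wireshark.exe,Load Image,C:\\Program Files\\Wireshark\\wireshark.exe,SUCCESS
10:00:00.120,wireshark.exe,CreateFile,C:\\Program Files\\Wireshark\\airpcap.dll,NAME NOT FOUND
10:00:00.121,wireshark.exe,CreateFile,C:\\Windows\\System32\\airpcap.dll,NAME NOT FOUND
10:00:00.300,wireshark.exe,CreateFile,C:\\Program Files\\Wireshark\\zlib1.dll,SUCCESS
10:00:41.500,wireshark.exe,CreateFile,C:\\Program Files\\Wireshark\\tcapi.dll,NAME NOT FOUND
10:00:41.501,wireshark.exe,CreateFile,C:\\Windows\\System32\\tcapi.dll,NAME NOT FOUND
"""
# Second run: the tester repeats the same 'open interfaces' steps, so tcapi.dll recurs.
SECOND_RUN = """\
10:05:00.000,wireshark.exe,Load Image,C:\\Program Files\\Wireshark\\wireshark.exe,SUCCESS
10:05:00.100,wireshark.exe,CreateFile,C:\\Program Files\\Wireshark\\airpcap.dll,NAME NOT FOUND
10:05:52.000,wireshark.exe,CreateFile,C:\\Program Files\\Wireshark\\tcapi.dll,NAME NOT FOUND
"""

def parse_trace(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            t, proc, op, path, result = line.split(",", 4)
            rows.append({"time": datetime.strptime(t, "%H:%M:%S.%f"),
                         "proc": proc, "op": op, "path": path, "result": result})
    return rows

def find_hijack_candidates(rows, app_dir, wait_timeout_s=30.0):
    """DLLs the process looked for in its own directory and did not find (the
    classic hijack indicator). Misses within wait_timeout_s of the first event
    (assumed cut-off, mirroring the auditor's wait timeout) are 'launch'; later ones 'slow'."""
    start = rows[0]["time"]
    app_dir = app_dir.lower().rstrip("\\") + "\\"
    found = {}
    for r in rows:
        p = r["path"].lower()
        if r["result"] != "NAME NOT FOUND" or not p.endswith(".dll"):
            continue
        if not p.startswith(app_dir) or "\\" in p[len(app_dir):]:
            continue  # ignore System32 misses and subfolders: only the app dir itself
        elapsed = (r["time"] - start).total_seconds()
        phase = "launch" if elapsed <= wait_timeout_s else "slow"
        found.setdefault(p[len(app_dir):], {"phase": phase, "elapsed_s": elapsed})
    return found

def confirm_on_rerun(first, second):
    """Keep only DLLs that went missing in both runs: reproducible, not a one-off."""
    return {name: first[name] for name in first if name in second}
```

Raising the threshold (or running the real tool with ‘Do not terminate application…’ unset) collapses everything into the launch-time bucket, which is exactly why the slow finds are missed in a short audit.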


Video Demonstration

Here is a short video demonstration showing how one can use DllHijackAuditor to uncover the ‘Slow Dll Hijack’ vulnerability present in various corners of an application.


In the above video, we used Wireshark to demonstrate the discovery of the ‘Slow Dll Hijack’ vulnerability. The first part of the video shows the normal ‘Dll Hijack’ issue with ‘airpcap.dll’, discovered at the launch time of Wireshark.

The second part demonstrates the discovery of Dlls vulnerable to ‘Slow Dll Hijacking’. Here we select the application as usual and then set ‘Do not terminate application…’ so that we have ample time for our testing. When the application is launched, we see the usual vulnerable Dll (airpcap.dll) as in the first phase; we then perform certain operations, such as opening interfaces in Wireshark, which causes more Dlls to be loaded. During this operation, DllHijackAuditor detects one more vulnerable Dll (tcapi.dll), showcasing the ‘Slow Dll Hijacking’ issue.

Though we found only one such Dll here, it is possible to find many such vulnerable points in any application: not visible at the start, but vulnerable at a later point of time.

This is just a small illustration of how DllHijackAuditor can help uncover such ‘Slow Dll Hijack’ vulnerabilities in an application, in addition to the normal ones at launch time, thus making sure that the application is completely clean of any vulnerable points that may explode at a later point of time.


So if you have already washed your hands, thinking that you are done cleaning your application of Dll Hijacking, think again: there may be more of them hidden beneath the ice, just waiting for summer to come!
