DLL Hacking

DLLs (dynamic-link libraries) on Windows are files that several executables can load to share a specific function or set of functions, and they are also the attack vector we will be exploring today. On startup a program loads the DLL files it needs; it turns out that the way the loader finds those files can be abused to make the program load a malicious DLL instead of the real one, which is called DLL hijacking. Over the years many programs have turned out to be vulnerable to this attack. The requirement for exploiting it is that a directory the loader searches before it reaches the legitimate copy is writable by the attacker, or that the executable names the DLL without a full path (in which case the loader walks its search order, and a DLL that is missing entirely can be supplied by the attacker from any writable directory in that order).


Operating systems usually support static linking and dynamic linking; the latter is the one we are discussing, and its advantage is that the linking is done at run time. The location from which a DLL is loaded is specific to the executable and is resolved when the executable is run: the executable's import table lists the DLLs it needs and the functions it wants from each. The loader locates each DLL (using its search order unless a full path is given), maps it into the process, and reads the DLL's export table, which holds the names (or ordinals) and addresses of the functions other modules may call. The loader then fills in a table inside the executable's image, the import address table, binding each imported function to the address it found in the DLL.


Implicit linking (load-time linking) is when the OS loads the DLLs listed in the import table together with the executable at startup; explicit linking (run-time linking) is when the program itself loads the DLL when it needs it, through LoadLibrary and GetProcAddress. Either way, if the DLL name is given without a full path, the loader falls back on its search order, and that is where hijacking happens. Some conditions that are used for DLL hijacking are:

A directory the loader searches before the legitimate DLL (the application directory, the current directory, or a directory on PATH) is writable by the attacker

The path is not explicitly defined in the executable, so the loader walks its search order; if the DLL is missing from the system altogether, any writable directory in the order will do
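The following is an added example, not code from the original post: a small Python model of the Windows DLL search order that flags the directories an attacker could plant a DLL in. The search order it encodes is the documented one for a DLL named without a full path that is neither already loaded nor a KnownDLL (application directory, System32, System, Windows, current directory, then PATH, with the current directory moving to second place when SafeDllSearchMode is off). The directory names in the demo scenario at the bottom, and the `exists`/`writable` callbacks, are constructed for illustration; on a real host you would keep the default callbacks and point them at the actual directories, or replace `writable` with an icacls/ACL check for the account you care about.

```python
import os
from typing import Callable, Iterable, List, Optional, Tuple

ExistsFn = Callable[[str, str], bool]   # (directory, dll_name) -> present?
WritableFn = Callable[[str], bool]      # directory -> writable by attacker?


def search_order(app_dir: str, cwd: str, path_entries: Iterable[str],
                 system32: str = r"C:\Windows\System32",
                 system_dir: str = r"C:\Windows\System",
                 windows_dir: str = r"C:\Windows",
                 safe_mode: bool = True) -> List[str]:
    """Directories in the order the loader consults them for a DLL named
    without a path.  SafeDllSearchMode (default on) pushes the current
    directory behind the system directories; with it off, the current
    directory is searched right after the application directory."""
    system_dirs = [system32, system_dir, windows_dir]
    if safe_mode:
        order = [app_dir] + system_dirs + [cwd]
    else:
        order = [app_dir, cwd] + system_dirs
    # Empty PATH entries are skipped; a stray ";;" would otherwise mean "."
    return order + [p for p in path_entries if p]


def _default_exists(directory: str, dll_name: str) -> bool:
    return os.path.isfile(os.path.join(directory, dll_name))


def _default_writable(directory: str) -> bool:
    return os.path.isdir(directory) and os.access(directory, os.W_OK)


def resolve_dll(dll_name: str, order: List[str],
                exists: ExistsFn = _default_exists) -> Optional[str]:
    """First directory in the search order that holds dll_name, or None
    when the DLL is absent everywhere (a 'phantom' DLL)."""
    for d in order:
        if exists(d, dll_name):
            return d
    return None


def hijack_candidates(dll_name: str, order: List[str],
                      exists: ExistsFn = _default_exists,
                      writable: WritableFn = _default_writable
                      ) -> Tuple[Optional[str], List[str]]:
    """Return (legitimate_dir, candidate_dirs).  A candidate is a writable
    directory the loader checks before it reaches the legitimate copy.
    If the DLL does not exist at all, every writable directory in the
    order is a candidate, because the first planted copy wins."""
    legit = resolve_dll(dll_name, order, exists)
    candidates = []
    for d in order:
        if d == legit:
            break            # loader stops here; later dirs never matter
        if writable(d):
            candidates.append(d)
    return legit, candidates


if __name__ == "__main__":
    # Constructed scenario: version.dll lives only in System32, and the
    # attacker can write to the user's Downloads folder and C:\Tools.
    app = r"C:\Program Files\App"
    downloads = r"C:\Users\alice\Downloads"
    path = [r"C:\Tools", r"C:\Python"]
    present = {(r"C:\Windows\System32", "version.dll")}
    writable_dirs = {downloads, r"C:\Tools"}

    for safe in (True, False):
        order = search_order(app, downloads, path, safe_mode=safe)
        legit, cands = hijack_candidates(
            "version.dll", order,
            exists=lambda d, n: (d, n) in present,
            writable=lambda d: d in writable_dirs)
        print(f"SafeDllSearchMode={safe}: real copy in {legit}, "
              f"plantable in {cands or 'nothing'}")
```

Run as a script it shows the two outcomes for the same layout: with SafeDllSearchMode on, the real version.dll in System32 is reached before any writable directory, so there is nothing to plant; with it off, the current directory (Downloads) is searched second and becomes a hijack point. Querying a DLL that is missing entirely returns every writable directory in the order, which is the phantom DLL case.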