Are built-in Windows programs vulnerable?
Key Takeaways
The video discusses DLL hijacking vulnerabilities in built-in Windows programs, demonstrating techniques using dism.exe and other tools, and highlighting the importance of cybersecurity and defensive measures.
Full Transcript
So recently I received this email with this big, loud subject line, all caps, siren emoji: "DLL hijacking vulnerability in dism.exe." It says, "I recently discovered this vulnerability, which allowed me to gain unauthorized remote access to a fully patched and updated Windows 11 machine." They go on to explain how they put this together, and they made some cool tooling, a little Python script, to be able to streamline it, and they communicated this to their antivirus, which at the time didn't detect this, but now, hey, that got cleaned up, patched, and now they can trigger on that behavior. But I do want to caution us on a couple different things here. I don't know whether you consider DLL hijacking a vulnerability, but it might not be strictly unauthorized remote access.

Let me give you a super quick crash course on DLL hijacking. Really, it boils down to tricking a real program, a .exe file on Windows, into loading an arbitrary library or file or module like a DLL, a dynamic link library, so that program now runs arbitrary code, code that you supply, one that you might use for a penetration test or some offensive cybersecurity work. The thing is, this typically requires some setup. We need to make changes to the victim or target computer, so it's not always used for initial access but more often used for tradecraft for post-exploitation, to wreak further havoc once you've already compromised a target, or persistence, or privilege escalation, taking a low-privilege user-level account to an administrator-level account. The way that DLL hijacking, or DLL sideloading as some might call it, how that really works is, well, a couple different techniques. Maybe there's a missing library that could be put in place, maybe you're getting in the middle of the usual search order that Windows uses to look for different DLLs to load, or you could replace a DLL, maybe you modify the paths or use any other tricks. Taking advantage of the natural DLL search order that Windows uses is usually the most common, and that's what we'll see here in this example with dism.

By default Windows will look for other DLL files in the directory that that program .exe is loaded from, then it will look in the system folder, C:\Windows\System32. If it doesn't find any DLLs there, it'll look in the 16-bit system directory and then the Windows directory and eventually the current directory. If it doesn't get anything there, it starts to look through your PATH environment variables, all the locations where you say normally programs run out of these locations.

So in this video I want to do a couple different things. Number one, we'll showcase how we can do that DLL hijacking with dism.exe. First I want to show you that, hey, that is in the natural, native, installed, built-in-by-default Windows system folder in System32. You can even look on your own computer, you'll find dism.exe. It is a Microsoft-signed binary and it's totally legitimate. Take a look at the details here, it is from Microsoft Windows, installed everywhere. For the second part of this video I want to showcase some resources that you can use to find this problem in other programs or learn a little bit more about DLL hijacking.

Now to play with this I am going to open up the Windows command prompt or the Windows Terminal with admin-level permissions. dism is an interesting one that does require admin privileges, so I hit Ctrl+Shift+Enter as I searched for it in my computer's start menu. Now I could run dism.exe and there's nothing fancy here, it just gives us the usual help information and usage text for other arguments, flags, switches and parameters you could provide to the program. dism is typically used as a Deployment Image Servicing and Management utility on the Windows command line, but for our case we don't really care what it does, because we'll use this DLL hijacking technique to end up rerouting or changing the code flow and it'll actually execute our own code for a penetration test or whatever else we'd like to do. You can also double-check with the where command, usually on cmd.exe; in PowerShell you'll need to usually include the .exe suffix, for finding the absolute path or location of a program and command on your command line. But there it is.

Let's actually make a directory for us to work with, in our temporary directory that we create. Let's go ahead and copy that C:\Windows\System32\dism.exe into this directory. Now we have our own copy. And one manual tool you can use to look for these DLL hijacking opportunities is simply the Sysinternals Suite from Microsoft. You can use the utility here, Process Monitor, to see what DLLs it tries to load as the program starts up. I've got the Sysinternals Suite downloaded and we can see Process Monitor in action. Granted, there's not a whole lot to really uncover here, because if we were to run dism.exe, noting I want it from the current location (I am in PowerShell, so I'll need to use the ./ here to say our current location), that'll actually tell us, it gives us an error: "An error occurred while locating the DISM binaries." dism is attempting to locate DismCore.dll. If we see that in Sysinternals, we can fire up Process Monitor and I'll set a filter here for our process name being dism.exe and the lines that contain a path matching dll. If I try and run this, we can keep that capturing and I'll run dism.exe once again, running from our local copy in the temp directory that we just created. Of course dism errors just as we saw, but in Process Monitor we can see all of the different DLL files that it tried to load. All the ones you can see with the result of SUCCESS it was able to find in the given path. Looks like one down here though, NAME NOT FOUND for version.dll, was actually trying to run and look for it in our current directory, so perhaps there's another DLL hijacking opportunity there. Scrolling down to the very bottom here, looks like it's looking for DismCore.dll, NAME NOT FOUND and PATH NOT FOUND, even when it's trying to look for it in a subdirectory. So this is a perfect example of DLL hijacking, DLL sideloading, whatever you want to call it, but this dism.exe being a totally legitimate, real, natural, Microsoft-signed program, and always installed and accessible in C:\Windows\System32, this could be a worthwhile trick for penetration testing. So we'll create our own custom DLL and run our own arbitrary code in just a second.

But for all you penetration testers watching, let me tell you about something cool. Please let me take a second to tell you about the sponsor of today's video, PlexTrac. You know how tedious pentest reporting can be: hours of copying and pasting, organizing data from multiple sources, formatting findings. It's exhausting, and the worst part, every minute spent reporting is a minute you're not hacking. There is a better way. Meet PlexTrac. With PlexTrac you can analyze your attack surface, aggregate all pentest and vulnerability scan data in one place, use context-based scoring to prioritize risk, leverage artificial intelligence to slash reporting time, lean on collaborative Google Doc-like features for faster quality assurance reviews, and use out-of-the-box integrations with ticketing systems like Jira to send high-impact findings for remediation. So what does this all mean for you? Well, you can cut pentest reporting time by 75%, collaborate seamlessly with teams and stakeholders, see your findings actually get addressed fast, and show measurable risk reduction. Charles Snyder, director of cybersecurity at CAI, said "PlexTrac is foundational for our ongoing security and risk management." PlexTrac isn't just another tool, it's the difference between drowning in reports and actually having time to hack. Use my link below to learn more and book your own personalized demo. Spend less time reporting and more time hacking. Huge thanks to PlexTrac for sponsoring this video.

All right, now since we know that dism in our current directory will try to load and run a DismCore.dll in our current directory, next we just have to create that DLL. So I will open up a text editor, and I'll be using Sublime Text, just to put together some simple C code to create a DLL that just does a simple message box for now. Let me save this in that directory as a simple hello.c, and we can start with our usual #include statement to make sure we're including the Windows header file. From there we'll add the usual boilerplate DLL startup function, should be BOOL APIENTRY DllMain, and inside our parentheses just some of that code we put together: an HMODULE variable and type there, there's usually a DWORD with the ul_reason_for_call I think, and then I believe it is at the end an LPVOID lpReserved, is kind of what we usually see for that argument. So a lot of nonsense there, but with that boilerplate you typically see a switch statement for the reason for call, and then inside a block there you'll have different cases for whatever you might end up deciding to check against. Usually you have DLL_PROCESS_ATTACH through there alongside the process detach, and then you do the very same for different threads. Good enough. Now in that case we don't need to do anything with the others really; the one that we're most interested in is when a process attaches or ends up loading our DLL. But let's put some break statements in there appropriately so we don't fall through our switch case statement, and then we'll use the Win32 API function to simply pop a message box. I think that first argument is like the window handle, I might be wrong there, but NULL we'll make it, or whatever it should be. Then the title, we can just say hello or whatever, we can make it cool, hacker-friendly, let's say pwned, and pwned as the text of the box there. For our button we'll actually use the constant MB_OK and just an MB_ICONINFORMATION. Yep, yep, yep, okay. And then at the very end of that function we'll just return TRUE to say we are done with that program. I think that's good, just a little message box for pwned.

Now I want to open up the developer tools, because I do have Visual Studio installed. Let's go open up the Developer Command Prompt, and I should be able to then, once I change directory into the folder that I am in, run that cl command to compile this with C, unless I got something wrong. I think it's just /LD and then the hello.c file. Uh oh, I did forget a semicolon, classic C, that's on my MessageBox line. Yeah okay, try that again, fingers crossed. There we go. Oh, I believe MessageBox needs to be included with, what is it, user lib at the end there, user32.lib, I think. Okay cool, now in our directory we do have hello.dll. So just for testing we should be able to see us invoking this with rundll32, right, hello.dll, and then does it need an argument? It might, it might need to specify like the ordinal one or the export one. There we go, hey, pwned. Now the real magic happens once we go back to our original PowerShell session. So I closed out of the developer prompt, but if I were to move our hello.dll to DismCore.dll, obviously now when trying to run our dism.exe it will... oh, that needs to be compiled with 64 bits, so x64 Native Tools Command Prompt. And now let's try to compile that, hop into that directory, cl /LD on our hello.c and include user32.lib. Okay, better. All right, hop back to PowerShell, let's move the hello.dll to DismCore.dll and let's try to run dism again. Hey, pwned, and then dism will die, right: "An error occurred while loading DISM. The DISM tool may be corrupt, try reinstalling." But no, we had our DLL hijacking take place.

Quick check, what if we were to change DismCore.dll to that version.dll that we saw previously, will that do the very same? Huh, guess not actually, it doesn't output anything or error. Maybe that's probably going to take some other exported functions that it might need, if it uses any of those. Now to really set off some fireworks, let's try to get a reverse shell connection. So over in my Kali Linux virtual machine I'll actually take a look at my current IP address, just locally in my local area network, but with that we can start to listen with netcat on quad 9, port 9999, right. Now back over on Windows I'm just going to paste in some quick and easy reverse shell code that we could track down online, and we'll change the IP address to what we saw, 192.168.111.179, on port quad 9, and with that we could compile this, I believe, with just the -lws2_32 to include the Winsock library and the functions that are used there. This will open command prompt and should give us a quick little demo. They compiled this with GCC but I think we can do it just as easily with cl. Let's try to compile once again. Now let's put these side by side, try to move our hello.dll to DismCore once again, run this, and huh, oh, I think the version.dll is still getting in the way. Then with our hello.dll now copied to DismCore.dll, trying to run this with the reverse shell payload gets us a reverse shell. Excellent, okay. And then we have code execution on that host, but remember you had to make changes to the target, you're using an already compromised dism.exe program and then creating your own DismCore.dll, so this is usually used more for persistence or post-exploitation.

Now some of the resources that I wanted to show you so you could learn a little bit more about these DLL hijacking opportunities. This is an awesome resource online at hijacklibs.net, where it is sort of like LOLBins, or living-off-the-land binaries or scripts; it's just a catalog and archive of all the opportunities with known DLLs on a Windows system that could be used and abused for DLL hijacking. At the very top here we could search for dism, and there are a couple entries for DismCore.dll, noting it works exactly with dism.exe and others that we've seen. Clicking into the entry here you can see all the other information, and a lot of folks that have shared some good detail here, including a little detection rule, a sample Sigma rule to find processes that load this DLL located in a folder that's not one of the expected locations like System32. There's a good little FAQ, frequently asked questions, here, and these are all things that are worth noting, but again I just want to acknowledge this has been around for a little bit. I think this was last updated over two years ago, and big shout out to Wietze for all his incredible research and this sweet resource, hijacklibs.net. There's a lot of really cool stuff to look through, I would suggest taking a look if you haven't heard of it before.

And some other neat things I wanted to put on your radar: these are slides from a previous presentation that I had done with Huntress, my day job. This was a virtual event, hack_it, we did put on in 2022. So while we had this section on DLL hijacking, we covered some automated tooling, like you saw us open up Process Monitor with Sysinternals just a bit ago, but some things try to streamline that process and find or look for DLL hijacking opportunities. To note though, there are a lot, a handful, of real-world case studies with DLL hijacking in legitimate software. We included a couple samples here; this was, I think, ITarian, ITarian RMM, yep, you'll see that in LOLRMM just as well, for other sweet resources. Cisco AnyConnect had this vulnerability some time ago that was a DLL hijacking opportunity, and it's fun, you can see no workarounds available until you update or get the latest version of the software. Obviously, in that core binary, that's what's going to be a problem. They discussed this, and I note, for the privilege escalation opportunities, oftentimes these run as a service, which means it'll have NT AUTHORITY\SYSTEM-level privileges, so above admin. The nuance really varies; I think in this scenario the attacker would need to have valid credentials to be able to exploit this, but you know that's subjective and differs from program to program, application to software, whatever binary scenario. Even got to see this with APT10, one of the advanced persistent threats, I think a China-based threat actor. They had done this with a whole lot of managed service providers, and there were some cool little graphics put together by another report, I think this is linked, from PwC, that showcased this some time ago, right, old article, but you can see DLL hijacking could very well be prolific in a whole lot of different programs. And that is the gist of what I wanted to showcase in this video.

Again, big shout out and thank you to the individual that had emailed me. I think this is still a very good story, because he could communicate with the antivirus provider and they added a couple new detections to be able to see, oh, dism.exe running out of a rogue or non-standard directory, unlike System32 or any natural Windows paths, and then that DLL loading when it shouldn't. But this is one opportunity out of many for some of those DLL hijacking tricks, and if you are a penetration tester, goodness, I hope this is something you can add to your bag of tricks. And hey, if you're a pentester just as well, I know that reporting can be a little bit annoying, so please do give some love to our sponsors, PlexTrac, link in the video description. Thank you so much for watching, hope you enjoyed this video, and I'll see you in the next one.
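The transcript shows two defensive ideas worth turning into code: triaging Process Monitor output for DLL probes that end in NAME NOT FOUND or PATH NOT FOUND (the hijack-candidate discovery done by hand in the video) and flagging a known DLL such as DismCore.dll being loaded from a folder other than the expected Windows directories (the idea behind the Sigma rule mentioned on hijacklibs.net). The script below is an added example, not the video's tooling or anything from the hijacklibs project; it also walks the default DLL search order described earlier to show why a copy of dism.exe in a temp folder resolves DismCore.dll from that folder. The Procmon rows are constructed for illustration (column names follow Procmon's default CSV export), and `EXPECTED_DLL_DIRS`, the watched DLL list and the simulated file system are assumptions.

```python
"""Triage Process Monitor CSV output for DLL hijacking candidates and hits.

Added example, not code from the video. Column names follow Procmon's
default CSV export (Time of Day, Process Name, PID, Operation, Path,
Result, Detail); the log rows below are constructed for illustration.
"""
import csv
import io
import ntpath

# Directories consulted before the current directory and PATH in the default
# search order (assumed list; SysWOW64 added for 32-bit processes).
EXPECTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\system",
    r"c:\windows",
)

# DLL names to watch for out-of-place loads (assumption; taken from the video).
WATCHED_DLLS = ("dismcore.dll",)

# Constructed Procmon export: dism.exe copied to C:\Temp\dismtest, run twice.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Dism.exe","4120","CreateFile","C:\\Temp\\dismtest\\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","Dism.exe","4120","Load Image","C:\\Windows\\System32\\version.dll","SUCCESS","Image Base: 0x7ff..."
"10:01:02.3","Dism.exe","4120","CreateFile","C:\\Temp\\dismtest\\DismCore.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.4","Dism.exe","4120","CreateFile","C:\\Temp\\dismtest\\dism\\DismCore.dll","PATH NOT FOUND","Desired Access: Read Attributes"
"10:01:02.5","Dism.exe","4120","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Image Base: 0x7ff..."
"10:05:44.0","Dism.exe","5208","Load Image","C:\\Temp\\dismtest\\DismCore.dll","SUCCESS","Image Base: 0x7ff..."
"10:05:44.1","notepad.exe","3300","Load Image","C:\\Windows\\System32\\user32.dll","SUCCESS","Image Base: 0x7ff..."
"""


def parse_procmon_csv(text):
    """Return Procmon rows as dicts keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def is_dll(path):
    return path.lower().endswith(".dll")


def in_expected_dir(path):
    """True if the file sits directly in one of the expected Windows directories."""
    return ntpath.dirname(path).lower() in EXPECTED_DLL_DIRS


def hijack_candidates(rows, process_name):
    """DLLs the process probed for but did not find outside the Windows dirs.

    Maps lower-cased DLL name to the list of paths that were tried; these are
    the NAME NOT FOUND / PATH NOT FOUND lines the video picks out by eye.
    """
    candidates = {}
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if not is_dll(row["Path"]) or in_expected_dir(row["Path"]):
            continue
        if row["Result"] in ("NAME NOT FOUND", "PATH NOT FOUND"):
            name = ntpath.basename(row["Path"]).lower()
            candidates.setdefault(name, []).append(row["Path"])
    return candidates


def suspicious_loads(rows, watched=WATCHED_DLLS):
    """Successful image loads of a watched DLL from a non-expected directory.

    This is the detection condition the transcript attributes to the
    hijacklibs Sigma rule: the module name matches, the folder does not.
    """
    hits = []
    for row in rows:
        if row["Operation"] != "Load Image" or row["Result"] != "SUCCESS":
            continue
        name = ntpath.basename(row["Path"]).lower()
        if name in watched and not in_expected_dir(row["Path"]):
            hits.append((row["Process Name"], row["PID"], row["Path"]))
    return hits


def resolve_dll(dll_name, app_dir, present, cwd, path_dirs=()):
    """Return the path the default search order would pick, or None.

    Follows the order described in the video: application directory,
    System32, the 16-bit system directory, the Windows directory, the
    current directory, then PATH. `present` is a simulated set of existing
    files. (The real loader checks already-loaded modules and KnownDLLs
    before this list, which is omitted here.)
    """
    existing = {p.lower() for p in present}
    order = [app_dir, r"C:\Windows\System32", r"C:\Windows\System",
             r"C:\Windows", cwd, *path_dirs]
    for directory in order:
        candidate = ntpath.join(directory, dll_name)
        if candidate.lower() in existing:
            return candidate
    return None


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_PROCMON_CSV)
    print("Hijack candidates:", hijack_candidates(rows, "dism.exe"))
    print("Suspicious loads:", suspicious_loads(rows))
    fs = {r"C:\Windows\System32\version.dll", r"C:\Temp\dismtest\DismCore.dll"}
    print("DismCore.dll resolves to:",
          resolve_dll("DismCore.dll", r"C:\Temp\dismtest", fs, r"C:\Users\demo"))
```

Run against a real Procmon export (File > Save, CSV, with the process-name and path filters from the video applied), `hijack_candidates` lists the missing-DLL probes to investigate and `suspicious_loads` fires only when a watched DLL is loaded from somewhere other than the Windows directories, which is the same behaviour the transcript says the antivirus vendor added a detection for.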
Original Description
https://jh.live/plextrac || Save time and effort on pentest reports with PlexTrac's premiere reporting & collaborative platform: https://jh.live/plextrac 😎
Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter
🏆Attend ContinuumCon, the practical online cybersecurity conference that never ends! Livestream begins June 20th, 2025: https://jh.live/continuumcon
ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: https://jh.live/openvpn
Get DFIR and SOC Analyst Training with CyberDefenders: https://jh.live/cyberdefense
Master Binary Files and Protocols with Gynvael Coldwind: https://jh.live/hackarcana (code MBF-JH-10 gives 10% off!)