Triaging a DLL planting vulnerability
Under normal circumstances, Windows searches for a DLL in the following order:
- The directory from which the application loaded.
- The system directory. Use the GetSystemDirectory function to get the path of this directory.
- The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
- The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
- The current directory.
- The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
However, once this order is subverted, a maliciously modified DLL can be slipped in.
This technique is called DLL planting (aka binary planting/hijacking/preloading); here we will simply call it DLL hijacking.
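
To make the effect of that order concrete, the following added example (not from the original article) walks the six locations listed above and reports which copy of a DLL is found first, which is the check a triager runs when deciding whether a report is a real planting issue. The file names and directory layout are constructed, temporary directories stand in for the real Windows locations, and treating the system and Windows directories as trusted is an assumption of the example.

```python
import os
import tempfile

TRUSTED = {"system", "system16", "windows"}  # assumption: admin-writable only

def search_path(app, system, system16, windows, cwd, path_env):
    """Directories in the order listed above, each with a label."""
    order = [("application", app), ("system", system), ("system16", system16),
             ("windows", windows), ("current", cwd)]
    return order + [("path", d) for d in path_env.split(os.pathsep) if d]

def find_hits(dll, order):
    """Every copy of dll along the search path; the first hit is the one loaded."""
    hits = []
    for label, directory in order:
        if not os.path.isdir(directory):   # missing directories are skipped
            continue
        # Windows file names are case-insensitive, so compare lowercased.
        names = os.listdir(directory)
        match = next((n for n in names if n.lower() == dll.lower()), None)
        if match:
            hits.append((label, os.path.join(directory, match)))
    return hits

def triage(dll, order):
    """Classify where dll resolves: returns (finding, label of winning directory)."""
    hits = find_hits(dll, order)
    if not hits:
        return "missing", None             # not found in any searched directory
    label = hits[0][0]
    if label in TRUSTED:
        return "ok", label
    if any(lab in TRUSTED for lab, _ in hits[1:]):
        return "shadows-system-copy", label   # earlier copy wins over system one
    return ("untrusted-location" if label in ("current", "path") else "app-local"), label

def demo():
    """Constructed layout: temp directories stand in for the real locations."""
    root = tempfile.mkdtemp()
    d = {k: os.path.join(root, k) for k in ("app", "sys", "sys16", "win", "cwd", "p1")}
    for p in d.values():
        os.mkdir(p)
    for where, name in [("sys", "version.dll"), ("app", "VERSION.DLL"),
                        ("sys", "crypt.dll"), ("cwd", "crypt.dll"),
                        ("cwd", "helper.dll"), ("app", "plugin.dll")]:
        open(os.path.join(d[where], name), "wb").close()
    order = search_path(d["app"], d["sys"], d["sys16"], d["win"], d["cwd"], d["p1"])
    return {n: triage(n, order) for n in
            ("version.dll", "crypt.dll", "helper.dll", "plugin.dll", "absent.dll")}

if __name__ == "__main__":
    print(demo())
```

A copy in the application directory is found before the system copy, while a copy that exists only in the current directory is reached only after every earlier location has been searched.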