Triaging a DLL planting vulnerability

Original link: blogs.technet.microsoft.com

Under normal conditions, the order in which Windows searches for a DLL is as follows:

  1. The directory from which the application loaded.
  2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

However, once this order is subverted, it becomes possible to maliciously insert a modified DLL.

This technique is called DLL planting (aka binary planting/hijacking/preloading); in Chinese, let's just call it DLL 劫持 (DLL hijacking)~
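To make the order concrete, here is an added Python model (not code from the original post or from Microsoft) that resolves which copy of a bare DLL name the loader would pick and classifies the result for triage; it also covers the legacy order with SafeDllSearchMode disabled, where the current directory is probed second, which the list above does not show. All directory paths and the file snapshot are constructed for the example.

```python
"""Model of the Windows DLL search order listed above, used to triage where a
bare DLL name would be loaded from. Constructed example, not Microsoft's code."""
from typing import Optional

# Constructed directory paths standing in for the real locations.
APP_DIR = r"C:\Program Files\ExampleApp"      # 1. directory the application loaded from
SYSTEM_DIR = r"C:\Windows\System32"           # 2. GetSystemDirectory
SYSTEM16_DIR = r"C:\Windows\System"           # 3. 16-bit system directory
WINDOWS_DIR = r"C:\Windows"                   # 4. GetWindowsDirectory
TRUSTED_DIRS = (APP_DIR, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR)


def search_order(current_dir: str, path_dirs: list[str], safe_mode: bool = True) -> list[str]:
    """Directories in the order the loader probes them for a bare DLL name.
    safe_mode=True is the order listed on this page (SafeDllSearchMode enabled);
    safe_mode=False is the legacy order, where the current directory is probed
    second, immediately after the application directory."""
    core = [SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    if safe_mode:
        return [APP_DIR, *core, current_dir, *path_dirs]
    return [APP_DIR, current_dir, *core, *path_dirs]


def resolve(dll: str, files: set[str], current_dir: str,
            path_dirs: list[str], safe_mode: bool = True) -> Optional[str]:
    """Return the directory whose copy of `dll` would be loaded, or None.
    `files` is a constructed snapshot of existing full paths (compared
    case-insensitively, as NTFS names are)."""
    present = {p.lower() for p in files}
    for directory in search_order(current_dir, path_dirs, safe_mode):
        if f"{directory}\\{dll}".lower() in present:
            return directory
    return None


def triage(dll: str, files: set[str], current_dir: str,
           path_dirs: list[str], safe_mode: bool = True) -> str:
    """Classify the load for a defender: a copy resolved from the application
    or system directories is the expected case; a copy picked up from the
    current directory or a PATH entry means a less trusted location is shadowing
    the search; a name found nowhere is also worth a look, because the first
    probed directory in which a copy appears would be the one loaded."""
    where = resolve(dll, files, current_dir, path_dirs, safe_mode)
    if where is None:
        return "missing: not found in any probed directory"
    if where in TRUSTED_DIRS:
        return f"expected: {where}"
    return f"planting risk: loaded from {where}"
```

Running `triage("version.dll", ...)` against a snapshot that holds both a System32 copy and a copy in the current directory returns the System32 path under the page's order but the current directory under the legacy order, which is exactly the difference SafeDllSearchMode makes.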