DLL Hijacking Vulnerability Attacks, Prevention & Detection
DLL stands for Dynamic Link Library. A DLL is a code module that an application on Windows loads at run time instead of carrying the code inside its own executable (other operating systems have equivalents, such as shared objects on Linux). Most applications are not self-contained: they keep part of their code in separate files and load each file into memory only when that code is needed, which keeps executables small and lets several processes share one copy of a library in RAM. This article explains what DLL hijacking is and how to detect and prevent it.
What are DLL Files or Dynamic Link Libraries
DLL files, as the name says, are libraries that extend an application. Code an application needs only some of the time, or code that many applications share, is kept in separate DLL files and loaded into RAM only when it is called for. That keeps the application's executable from growing too large and avoids loading code that is never used.
When an application asks for a DLL by file name alone (for example LoadLibrary("version.dll") rather than a full path), Windows does not know where the file is and searches for it. With the default SafeDllSearchMode the loader checks, in this order: the directory the application was started from, the system directory (System32, or SysWOW64 for a 32-bit process), the 16-bit system directory, the Windows directory, the current working directory, and finally each directory listed in the PATH environment variable. The first directory that contains a file with the requested name wins; later directories are never consulted. A short list of core libraries (the KnownDLLs) is always mapped from the system directory and skips this search entirely. This ordering is what DLL hijacking abuses.
What is DLL Hijacking
Because almost every application depends on DLLs, and those DLLs live in several different directories as explained above, anyone who can place a file in one of those directories can influence what gets loaded. DLL hijacking is getting an application to load an attacker-supplied DLL instead of the one it was written for. Most often this is done by planting a file with the expected name in a directory the loader checks before the directory that holds the real copy, or, when the requested DLL does not exist on the system at all, in any directory the loader searches. Overwriting the real DLL in place is a variant of the same attack, but it needs write access to a protected directory, which the other two cases do not.
As mentioned earlier, the loader checks the application's own directory first and the system directory second. Suppose an application calls LoadLibrary("version.dll"), and the real version.dll sits in System32 (or, for a 32-bit program, SysWOW64). If the application was installed somewhere a normal user can write to, an attacker drops a file named version.dll next to the executable; the loader takes it because it is found first and has the name the application asked for, and the legitimate copy is never reached. If the application asks for a DLL that is not present anywhere (common with optional plug-ins and delay-loaded libraries), every searched directory the user can write to, including the current directory and any PATH entry the user owns, is a usable drop point. Once the planted DLL is mapped, its DllMain runs inside the host process with that process's privileges, so a hijack in a service or an auto-started program gives the attacker code execution with those rights, and persistence for anything that starts automatically.
How to detect DLL Hijacking
The easiest way to find out which of your applications are exposed is to run a third-party scanner. Several free tools will check the programs installed on a machine for DLL loads that can be hijacked; note that they report the problem rather than prevent it.
One such program is DLL Hijack Auditor, but it supports only 32-bit applications. Install it and scan your Windows applications to see which of them are vulnerable to DLL hijacking. The interface is simple and self-explanatory; the only drawback is that 64-bit applications cannot be scanned.
Another program for detecting DLL hijacking, DLL_HIJACK_DETECT, is available via GitHub. It checks applications for DLL-hijack exposure and reports any it finds. It comes in two builds, x86 and x64, so 32-bit and 64-bit applications can each be scanned with the matching build.
It should be noted that both programs only scan the applications on a Windows machine for the weakness; neither one stops a DLL from being hijacked.
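A hands-on alternative to the two scanners is to record an application's start-up with Process Monitor and look at the DLL names the loader probed for: a name that was looked up in a user-writable directory before being found elsewhere, or that was never found at all, is a hijack candidate. The script below is an added example, not code from the article or from either tool, that does that triage on a Procmon CSV export. The rows and the is_user_writable rule are constructed for the demo; on a real host the rule would be an ACL check of the directory.

```python
"""Triage a Process Monitor CSV export for DLL-hijack candidates.

Added example for this article. The rows below are constructed to look like Procmon's
default CSV export (Time of Day, Process Name, PID, Operation, Path, Result, Detail);
they are not a real capture.
"""
import csv
import io
import ntpath  # handles Windows paths even when this runs on a non-Windows host

PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","app.exe","4120","CreateFile","C:\Tools\App\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","app.exe","4120","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.3","app.exe","4120","Load Image","C:\Windows\System32\version.dll","SUCCESS","Image Base: (constructed)"
"10:01:02.4","app.exe","4120","CreateFile","C:\Tools\App\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.5","app.exe","4120","CreateFile","C:\Windows\System32\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.6","app.exe","4120","CreateFile","C:\Users\alice\Downloads\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.0","svc.exe","800","CreateFile","C:\Program Files\Svc\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''


def is_user_writable(directory: str) -> bool:
    r"""Constructed stand-in for a real ACL check (icacls / Get-Acl on the host):
    treats user profiles and C:\Tools as writable by a non-admin user."""
    d = directory.lower().rstrip("\\") + "\\"
    return d.startswith("c:\\users\\") or d.startswith("c:\\tools\\")


def triage(csv_text: str) -> list:
    """One finding per (process, DLL, directory) where a same-name DLL planted by a
    non-admin would be picked up: before the real copy ('preempt') or because no copy
    exists anywhere ('phantom')."""
    probes = {}  # (process, dll name) -> CreateFile rows, in capture order
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or not row["Path"].lower().endswith(".dll"):
            continue
        key = (row["Process Name"], ntpath.basename(row["Path"]).lower())
        probes.setdefault(key, []).append(row)

    findings = []
    for (process, dll), rows in probes.items():
        misses, hit = [], None
        for row in rows:
            if row["Result"] == "NAME NOT FOUND":
                misses.append(ntpath.dirname(row["Path"]))
            elif row["Result"] == "SUCCESS":
                hit = row["Path"]
                break  # the loader stops at the first hit; later probes are irrelevant
        kind = "phantom" if hit is None else "preempt"
        for directory in misses:
            if is_user_writable(directory):
                findings.append({"process": process, "dll": dll, "plant_in": directory,
                                 "kind": kind, "legitimate": hit})
    return findings


if __name__ == "__main__":
    for f in triage(PROCMON_CSV):
        print(f"{f['process']}: {f['dll']} could be planted in {f['plant_in']} "
              f"({f['kind']}, real copy: {f['legitimate']})")
```

Filter Procmon to "Operation is CreateFile" and "Path ends with .dll" before exporting to keep the file small. The script relies on rows being in capture order, which is the order the loader actually probes, so a NAME NOT FOUND that comes after the SUCCESS for the same name is correctly ignored.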
How to prevent DLL Hijacking
The issue should be tackled by the programmers in the first place, as there is not much a user can do beyond hardening the surrounding system. An application that loads a DLL by full path instead of by bare name, or that restricts the search with the LOAD_LIBRARY_SEARCH_SYSTEM32 flag of LoadLibraryEx or a call to SetDefaultDllDirectories, no longer depends on the search order: the loader goes straight to the intended file and never looks in the application directory, the current directory or PATH, so a same-name file planted in any of those is ignored. This is not fail-proof either. If an attacker already has enough privilege to write into the directory the full path points at, such as System32 or Program Files, they can replace the real DLL with a malicious one of the same name and the application will load it. But that requires administrator rights on the machine, and an attacker who has those has already gained what hijacking would have given them. What the full path protects against is the unprivileged case, where the attacker can write only to their own profile, the current directory and applications installed into user-writable locations, and that is the case that actually matters.
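The search order described earlier and the effect of the full-path fix are easy to see in a small model. The following is an added example, not code from the article: it encodes the default SafeDllSearchMode order, the KnownDLLs shortcut, and the pinned order a caller gets from a full path or LOAD_LIBRARY_SEARCH_SYSTEM32, then reports where a name resolves and which earlier, user-writable directories could be used to plant a same-name DLL. The directories, their contents and their permissions are constructed; C:\Tools\App stands for an application installed somewhere the user can write.

```python
"""Model of the Windows default DLL search order (SafeDllSearchMode on) and of the pinned
order a hardened caller gets, used to show where a name resolves and which earlier
directories a non-admin could plant a same-name DLL in.

Added example for this article; the directories, their contents and their permissions are
constructed, not read from a real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Directory:
    path: str
    files: frozenset       # file names present
    user_writable: bool    # can a non-admin user create or replace files here?

    def has(self, name: str) -> bool:
        return name.lower() in {f.lower() for f in self.files}


def default_search_order(app_dir, system32, windows_dir, cwd, path_dirs):
    """LoadLibrary("name.dll") with SafeDllSearchMode on (the default since XP SP2).
    The 16-bit system directory is omitted; it holds nothing relevant on a modern system."""
    return [app_dir, system32, windows_dir, cwd, *path_dirs]


def pinned_order(directory):
    """What a full path, or LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32) with
    directory=System32, searches: one directory and nothing else."""
    return [directory]


def is_known_dll(dll, known_dlls):
    return dll.lower() in {k.lower() for k in known_dlls}


def resolve(dll, order, known_dlls, system32):
    r"""Directory the loader takes `dll` from, or None if it is not found. KnownDLLs (the
    list under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs) always
    come from System32 and never go through the directory search."""
    if is_known_dll(dll, known_dlls):
        return system32
    for d in order:
        if d.has(dll):
            return d
    return None


def hijack_candidates(dll, order, known_dlls, system32):
    """Writable directories searched before the real copy. If the DLL exists nowhere (a
    'phantom' load), every writable directory in the order qualifies."""
    if is_known_dll(dll, known_dlls):
        return []
    real = resolve(dll, order, known_dlls, system32)
    candidates = []
    for d in order:
        if d == real:
            break
        if d.user_writable:
            candidates.append(d)
    return candidates


# Constructed environment: a per-user install under C:\Tools, so the application directory
# is writable by the user; System32 and C:\Windows are not.
SYSTEM32 = Directory(r"C:\Windows\System32", frozenset({"kernel32.dll", "ntdll.dll", "version.dll"}), False)
WINDOWS = Directory(r"C:\Windows", frozenset({"explorer.exe"}), False)
APP_DIR = Directory(r"C:\Tools\App", frozenset({"app.exe"}), True)
CWD = Directory(r"C:\Users\alice\Downloads", frozenset(), True)
PATH_DIRS = [
    Directory(r"C:\Program Files\Git\cmd", frozenset({"git.exe"}), False),
    Directory(r"C:\Users\alice\bin", frozenset(), True),
]
KNOWN_DLLS = frozenset({"kernel32.dll", "ntdll.dll"})
DEFAULT_ORDER = default_search_order(APP_DIR, SYSTEM32, WINDOWS, CWD, PATH_DIRS)


def report(dll, order=DEFAULT_ORDER):
    real = resolve(dll, order, KNOWN_DLLS, SYSTEM32)
    return {
        "dll": dll,
        "resolved": real.path if real else None,
        "hijackable_from": [d.path for d in hijack_candidates(dll, order, KNOWN_DLLS, SYSTEM32)],
    }


if __name__ == "__main__":
    for name in ("kernel32.dll", "version.dll", "plugin.dll"):
        print(report(name))                                # LoadLibrary("name.dll"), default search
    print(report("version.dll", pinned_order(SYSTEM32)))   # full path into System32: nothing to hijack
    print(report("plugin.dll", pinned_order(CWD)))         # full path into a writable directory: still exposed
```

Running it shows version.dll hijackable from C:\Tools\App under the default order, plugin.dll (present nowhere) hijackable from every writable directory in the order, kernel32.dll safe because it is a KnownDLL, and version.dll not hijackable at all once the search is pinned to System32. The last line shows the caveat from the paragraph above: a full path into a directory the user can write to does not help. The model ignores manifests, side-by-side redirection and .local redirection files.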
Coming back to what you can do: harden the system around the applications. Use a good firewall; if possible, put a hardware firewall or the router's firewall in front of the machine. Run intrusion detection, and log image loads on the host (Sysmon event ID 7, "Image loaded", records every DLL a process maps together with its path and signature status) so that a DLL loaded from a user profile or a temporary directory into a system process stands out.
If you are comfortable changing system settings, you may also do the following to raise the bar:
- Disable DLL loading from remote network shares
- Disable loading of DLL files from WebDAV
- Disable WebClient service completely or set it to manual
- Block TCP ports 445 and 139 (SMB and the NetBIOS session service) at the perimeter firewall, since they carry the remote file shares a planted DLL is typically served from; blocking them on the host itself will break file and printer sharing
- Install the latest updates to the operating system and security software.
Microsoft released a mitigation for this class of attack as update KB2264107, which adds the CWDIllegalInDllSearch registry value. Depending on the value, Windows refuses to load a DLL from the current working directory when that directory is a remote share or a WebDAV folder, or drops the current directory from the search order altogether; this is what the first two items in the list above turn on. It lowers the risk from DLLs served over the network, but it does nothing about a writable application directory, which only the developer's fix addresses.
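The value can be audited and set from Python with the standard winreg module. This is an added example, not from the article or from Microsoft; the value meanings are the ones documented in KB2264107, read_setting and write_setting only work on Windows (write_setting needs an elevated prompt), and allowed_cwd_loads can be used on any host to interpret a value taken from a registry export.

```python
"""Audit and set CWDIllegalInDllSearch (KB2264107), the value that controls whether Windows
will load a DLL from the current working directory when that directory is a remote share,
a WebDAV folder, or at all.

Added example for this article. Only allowed_cwd_loads runs off-Windows; the registry
functions import winreg lazily and need a Windows host.
"""
import sys

KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "CWDIllegalInDllSearch"

# DWORD meanings as documented in KB2264107.
BLOCK_REMOTE = 0x1        # no DLL load from CWD when CWD is a remote folder (UNC share or WebDAV)
BLOCK_WEBDAV = 0x2        # no DLL load from CWD when CWD is a WebDAV folder
REMOVE_CWD = 0xFFFFFFFF   # CWD is removed from the search order entirely (strictest)


def allowed_cwd_loads(value):
    """Which kinds of current-working-directory DLL loads a given setting still permits.
    None means the value has never been set, which behaves like 0 (legacy search order)."""
    if value is None or value == 0:
        return {"local": True, "unc_share": True, "webdav": True}
    if value == BLOCK_REMOTE:
        return {"local": True, "unc_share": False, "webdav": False}
    if value == BLOCK_WEBDAV:
        return {"local": True, "unc_share": True, "webdav": False}
    if value == REMOVE_CWD:
        return {"local": False, "unc_share": False, "webdav": False}
    raise ValueError(f"undocumented {VALUE_NAME} value: {value:#x}")


def remaining_gaps(value):
    """Names of the CWD load kinds a setting still allows, for a one-line audit verdict."""
    return [kind for kind, allowed in allowed_cwd_loads(value).items() if allowed]


def read_setting():
    """Current system-wide value, or None if it has never been set. Windows only."""
    import winreg  # imported lazily so the module loads on non-Windows hosts
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        try:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return None
    return value


def write_setting(value):
    """Set the system-wide value as a REG_DWORD. Windows only; needs an elevated process."""
    allowed_cwd_loads(value)  # reject undocumented values before touching the registry
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, value)


if __name__ == "__main__":
    current = read_setting() if sys.platform == "win32" else None
    gaps = remaining_gaps(current)
    verdict = "blocks every CWD load" if not gaps else "still allows CWD loads from: " + ", ".join(gaps)
    print(f"{VALUE_NAME} = {current!r}: {verdict}")
```

REMOVE_CWD is the setting to prefer on hosts that do not run old software depending on current-directory loads; BLOCK_REMOTE covers the remote-share and WebDAV cases from the list above while leaving local behaviour unchanged.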
If you would like to add anything to the article, please comment below.