Robber is a free open source tool developed using Delphi XE2 without any third party dependencies.
So, let's pretend Windows's DLL search path looks something like this:
A) . <-- current working directory of the executable, highest priority, first check
D) \Windows\syswow64 <-- lowest priority, last check
and some executable "Foo.exe" requests "bar.dll", which happens to live in the syswow64 (D) subdirectory. This gives you the opportunity to place your malicious version in A), B) or C) and it will be loaded into the executable.
As stated before, even an absolute full path can't protect against this if you can replace the DLL with your own version.
Microsoft Windows protects system paths like System32 using the Windows File Protection mechanism, but the best way to protect an executable from DLL hijacking in enterprise solutions is:
- Use an absolute path instead of a relative path
- If you have your own code-signing certificate, sign your DLL files and verify the signature in your application before loading a DLL into memory; otherwise check the hash of the DLL file against the original DLL's hash.
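The second mitigation, hash-pinning a DLL before it is loaded, as an added example (not Robber's own code). It assumes the application ships a table of SHA-256 values for its own DLLs, built at release time; the file names, bytes and hashes used in demo() are constructed here, and the ctypes load in load_verified is only meaningful on Windows, so the demo exercises the check alone.

```python
import ctypes
import hashlib
import hmac
import os
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so large DLLs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_dll(path, pinned_hashes):
    """True only if the file on disk is byte-for-byte the DLL whose hash we pinned."""
    pinned = pinned_hashes.get(os.path.basename(path).lower())  # Windows names are case-insensitive
    if pinned is None:
        return False  # a library we never shipped is never acceptable
    return hmac.compare_digest(sha256_of(path), pinned)


def load_verified(path, pinned_hashes):
    """Load a DLL by absolute path, and only after the pinned-hash check passes."""
    if not os.path.isabs(path):
        raise ValueError("load libraries by absolute path so the search order never applies")
    if not verify_dll(path, pinned_hashes):
        raise PermissionError(f"refusing to load {path}: hash mismatch or unknown library")
    return ctypes.CDLL(path)


def demo():
    """Constructed scenario: a pinned bar.dll, then the same file after tampering."""
    app_dir = tempfile.mkdtemp()
    dll = os.path.join(app_dir, "bar.dll")
    with open(dll, "wb") as f:
        f.write(b"MZ" + b"\0" * 62 + b"original bar.dll contents (constructed)")
    pinned = {"bar.dll": sha256_of(dll)}  # what the release pipeline would record
    before = verify_dll(dll, pinned)
    with open(dll, "ab") as f:
        f.write(b"\x90")  # simulate a replaced/modified library
    after = verify_dll(dll, pinned)
    unknown = verify_dll(os.path.join(app_dir, "other.dll"), pinned) if False else False
    return before, after, unknown


if __name__ == "__main__":
    print("hash check before tampering: %s, after tampering: %s" % demo()[:2])
```

The check and the load are two separate steps, so a file swapped in between them would still be loaded; keep the DLL directory writable only by administrators, and where a signing certificate is available prefer an Authenticode verification of the file over a bare hash table, since the hash table itself must then be protected from modification.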
And of course, this isn't really limited to Windows either. Any OS which allows dynamic linking of external libraries is theoretically vulnerable to this.
Robber uses a simple mechanism to figure out which DLLs are prone to hijacking:
- Scan the import table of the executable and find the DLLs linked to it
- Search for DLL files placed beside the executable that match a linked DLL (as I said before, the current working directory of the executable has the highest priority)
- If any such DLL is found, scan its export table
- Compare the import table of the executable with the export table of the DLL; if any match is found, the executable and the matched common functions are flagged as a DLL hijack candidate.
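The first two steps of that mechanism, as an added example in Python rather than Robber's Delphi code: walk the PE import directory by hand (no third party parser), then look beside the executable for a file with the same name as an imported DLL and note whether it shadows a copy in a system directory. The helper build_sample_pe and the Foo.exe / bar.dll layout in demo() are constructed for this example; the header offsets are the documented PE/COFF ones, and the export-table comparison (steps 3 and 4) is not implemented here.

```python
import os
import struct
import tempfile


def imported_dlls(pe_bytes):
    """Return the DLL names listed in the import directory of a PE image."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe_bytes, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe_bytes, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    dd_offset = {0x10B: 96, 0x20B: 112}.get(magic)  # data directories start: PE32 / PE32+
    if dd_offset is None:
        raise ValueError("unknown optional header magic")
    import_rva = struct.unpack_from("<I", pe_bytes, opt + dd_offset + 8)[0]  # directory entry 1
    sec_table = opt + opt_size
    # Each tuple: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<IIII", pe_bytes, sec_table + i * 40 + 8) for i in range(num_sections)]

    def rva_to_offset(rva):
        for vsize, va, raw_size, raw_ptr in sections:
            if va <= rva < va + max(vsize, raw_size):
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    names = []
    desc = rva_to_offset(import_rva) if import_rva else None
    while desc is not None:  # IMAGE_IMPORT_DESCRIPTOR is 20 bytes; Name RVA sits at +12
        name_rva = struct.unpack_from("<I", pe_bytes, desc + 12)[0]
        if name_rva == 0:
            break  # null descriptor terminates the table
        off = rva_to_offset(name_rva)
        names.append(pe_bytes[off:pe_bytes.index(b"\0", off)].decode("ascii"))
        desc += 20
    return names


def _names_in(directory):
    """Lower-cased directory listing, because Windows matches file names case-insensitively."""
    return {n.lower(): n for n in os.listdir(directory)} if os.path.isdir(directory) else {}


def hijack_candidates(exe_path, system_dirs=()):
    """Imported DLLs that also exist beside the executable: (name, local path, shadows a system copy)."""
    with open(exe_path, "rb") as f:
        data = f.read()
    exe_dir = os.path.dirname(os.path.abspath(exe_path))
    beside = _names_in(exe_dir)
    found = []
    for dll in imported_dlls(data):
        local = beside.get(dll.lower())
        if local is None:
            continue
        shadows = any(dll.lower() in _names_in(d) for d in system_dirs)
        found.append((dll, os.path.join(exe_dir, local), shadows))
    return found


def build_sample_pe(dll_names):
    """Constructed sample: a minimal PE32+ image whose single section holds only an import directory."""
    sec_rva, sec_raw = 0x1000, 0x200
    desc_bytes = 20 * (len(dll_names) + 1)  # one descriptor per DLL plus the null terminator
    blob, name_rvas = b"", []
    for n in dll_names:
        name_rvas.append(sec_rva + desc_bytes + len(blob))
        blob += n.encode("ascii") + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + b"\0" * 20
    section = (descs + blob).ljust(sec_raw, b"\0")
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 112 + 8, sec_rva, desc_bytes)  # import data directory (RVA, size)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sec_hdr = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(section), sec_rva, sec_raw, sec_raw, 0, 0, 0, 0, 0xC0000040)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdr).ljust(sec_raw, b"\0") + section


def demo():
    """Foo.exe importing bar.dll, with a same-named file beside it and a copy in a fake system32."""
    root = tempfile.mkdtemp()
    app, system = os.path.join(root, "app"), os.path.join(root, "system32")
    os.makedirs(app)
    os.makedirs(system)
    exe = os.path.join(app, "Foo.exe")
    with open(exe, "wb") as f:
        f.write(build_sample_pe(["bar.dll", "KERNEL32.dll"]))
    for path in (os.path.join(app, "BAR.DLL"), os.path.join(system, "bar.dll")):
        open(path, "wb").close()  # constructed placeholder files, not real DLLs
    return hijack_candidates(exe, [system])


if __name__ == "__main__":
    for dll, path, shadows in demo():
        print(f"{dll}: found beside the executable at {path}; shadows a system DLL: {shadows}")
```

A match on name alone is what makes a file a candidate in Robber's model; an audit would then confirm, as steps 3 and 4 do, that the local file actually exports the functions the executable imports, and check who can write to the directory it sits in.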
Features:
- Ability to select the scan type (signed/unsigned applications)
- Determine the executable's signer
- Determine which referenced DLLs are candidates for hijacking
- Determine the exported method names of candidate DLLs
- Configure rules to determine which hijacks are the best or a good choice for use, and show them in different colours