VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

DLL Hijacking in antiviruses

Inception #1 (EN)

[Back to index] [Comments]


DLL Hijacking - is referred to as DLL substitution. Many programs, when calling the LoadLibrary(char *) function, transmit the file name as a parameter, rather than the full way to it. That way, you can substitute one library being uploaded for any other one. This has to do with the search of the DLL beginning in the directory that contains the calling EXE-file. In this case the substituted DLL is launched with the same privileges as the running process.

For AV, like for any other software, this attack technique can (and should) be used. Clearly, as a result of a successful attack, our code is working in a proxy application, has the same privileges and can do whatever it wants.

[Read the article]

By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka