A hands-on walkthrough of DLL Search Order Hijacking on Windows. Covers how Windows resolves DLL names using Safe DLL Search Mode, how to identify vulnerable applications using Sysinternals Process Monitor with targeted filters, and how to build a proof-of-concept exploit using a vulnerable C++ victim app and a malicious DLL. Demonstrates the difference between secure (absolute path) and vulnerable (relative path) DLL loading, and shows step-by-step how placing a malicious DLL in an application's directory causes it to be loaded instead of the legitimate system DLL.
Table of contents
How Windows Loads DLLs
The Safe DLL Search Mode
Finding Vulnerabilities with Process Monitor (ProcMon)
The Baseline: A Secure Application (Notepad)
The Target: A Vulnerable Application