A Dynamic-Link Library (DLL) is a shared code module used by Windows applications to perform functions without embedding the code in the main executable. DLLs contain code, data, and resources (icons, fonts, dialogs) that multiple programs can use simultaneously, reducing memory usage and redundancy.
Examples of common DLLs:
kernel32.dll – Manages memory, processes, and I/O operations.user32.dll – Handles graphical user interface (GUI) elements like windows and buttons.ntdll.dll – Provides low-level system functions used by the Windows kernel.ws2_32.dll – Manages network communication (Windows Sockets API).DLL Hijacking occurs when attackers place a malicious DLL in a location that is loaded instead of the legitimate one. Windows follows a search order to locate DLLs, which attackers exploit for code execution.
There are two main types:
1- Search Order Hijacking – Malicious DLL placed in a directory that Windows checks before the legitimate DLL.
2- DLL Side-Loading – Malicious DLL placed alongside a trusted executable that automatically loads it.
Example 1: Search Order Hijacking