Detect DLL Hijacks on Windows

DLL hijacking is an attack that makes applications load malicious dynamic link libraries instead of the intended -- clean and legit -- library on a Windows system.

Programs that don't specify paths to libraries are vulnerable to DLL hijacking as Windows uses a priority based search order in this case to load libraries.

If attackers manage to place malicious libraries in a location with a high priority, then it will be loaded by the application.

Users cannot really do anything about this as it is not clear if paths are set properly or not in applications that they run on the system. It is up to programmers to make sure paths are set properly in the programs before they are released to the public.

As an end user, you can use a program like Dll Hijack Detect to scan the computer system for potential hijacks.

The program identifies all DLLs loaded by running processes on the system. It inspects all library locations where malicious files could be placed and checks in addition if a loaded library appears multiple times in the search order, determines which library is currently loaded and warns you if hijacks are possible.

Not every find indicates that something is wrong. The examples above for example are clean even though libraries have been found in multiple locations on the system.

The program supports a flag to ignore signed DLLs which reduces the output significantly.

DLL Hijack Detect is a command line tool.

1. Download the 32-bit or 64-bit version of the program from the linked resource above.
2. Extract it to a location on your system.
3. Tap on the Windows-key, type cmd.exe, right-click the result and select run as administrator to open an elevated command prompt.
4. Navigate to the location that you have placed the program in.
5. Run dll_hijack_detect_x64.exe or dll_hijack_detect_x32.exe without parameters to scan the system.
6. If you want, add /unsigned to it to only flag DLLs if at least one of them is unsigned.

All that is left to do is go through the report one by one to determine whether DLLs are hijacked on your system.

Tip: Append > c:\output.txt to the command to save the information to the file output.txt on your system. It may be easier to go through a text file than the command line window.

Note: You may need to install the Visual C++ Redistributable Packages for Visual Studio 2013 to run the program.

Additional information about the program are available on the Sans website.