DLL hijacking is a Windows technique where an attacker abuses the DLL search order to make a program load a malicious library instead of the intended one. If a privileged program (a service or an elevated application) looks for a DLL in a writable directory or fails to specify a full path, an attacker places a malicious DLL of the right name there and their code runs with the program’s privileges, often SYSTEM. The fix is loading DLLs from fixed, protected paths.
What DLL hijacking is
Windows programs rely on DLLs (shared libraries). When a program loads a DLL by bare name rather than full path, the loader first checks modules already in the process and the KnownDLLs list, then walks a defined search order: the directory the application was started from, the System32 directory, the 16-bit System directory, the Windows directory, the current working directory, and each directory on the PATH.
DLL hijacking abuses that search. If a privileged program asks for a DLL that does not exist anywhere on the search path, or probes a directory the attacker can write to before it reaches the directory holding the real DLL, the attacker drops a malicious DLL of the expected name into that earlier location and the program loads and runs it at the program’s privilege level.
The abuse and payload
The attacker finds a privileged program that loads a DLL from a writable or missing location, then plants one:
- Identify the missing or hijackable DLL. Process Monitor filtered to Operation is CreateFile, Result is NAME NOT FOUND and Path ends with .dll shows every directory the loader probed; a probe that lands in a directory a low-privileged user can write to is the target.
- Build a malicious DLL whose DllMain runs the payload, for example: msfvenom -p windows/x64/exec CMD="cmd.exe" -f dll -o hijack.dll. If the program imports functions from the hijacked DLL, the planted DLL must export them (normally by forwarding to the real library) or the process will fail to start after the payload runs.
- Place it where the program searches first and trigger a load (restart the service or application).
- The code runs as the program’s account, often SYSTEM.
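The procmon analysis in the steps above, worked through as an added example rather than the page's own tooling: the script reads a Process Monitor CSV export, follows the loader's CreateFile probes for each DLL in order, and reports any DLL whose search passes through a user-writable directory before (or instead of) the probe that finally succeeds. The process names, paths and writable directories are constructed for the example; on a real host the writable set would come from icacls or Get-Acl, which this offline script does not attempt.

```python
"""Triage a Process Monitor CSV export for DLL search-order hijack candidates.

Added example, not the page's own tooling.  Reads the CSV that Process
Monitor writes via File > Save (CSV format), follows the loader's CreateFile
probes for each DLL in the order they happened, and flags a DLL when a
NAME NOT FOUND probe lands in a directory the analyst has marked as
user-writable before (or instead of) the probe that finally succeeded.
"""
import csv
import io
import ntpath
from collections import OrderedDict

# Constructed sample export in procmon's own column layout.  The processes,
# paths and timestamps are invented for this example.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","UpdaterSvc.exe","1234","CreateFile","C:\Program Files\Updater\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.101","UpdaterSvc.exe","1234","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.105","UpdaterSvc.exe","1234","CreateFile","C:\Program Files\Updater\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.106","UpdaterSvc.exe","1234","CreateFile","C:\Windows\System32\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.107","UpdaterSvc.exe","1234","CreateFile","C:\Windows\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.108","UpdaterSvc.exe","1234","CreateFile","C:\Tools\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.110","UpdaterSvc.exe","1234","CreateFile","C:\Program Files\Updater\config.ini","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.120","UpdaterSvc.exe","1234","CreateFile","C:\Program Files\Updater\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.121","UpdaterSvc.exe","1234","CreateFile","C:\Program Files\Updater\plugins\plugin.dll","SUCCESS","Desired Access: Read Attributes"
"10:02:15.300","LegacyTool.exe","2210","CreateFile","C:\Users\Public\LegacyTool\dbghelp.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:15.301","LegacyTool.exe","2210","CreateFile","C:\Windows\System32\dbghelp.dll","SUCCESS","Desired Access: Read Attributes"
'''

# Constructed: directories a standard user could write to on the sample host
# (C:\Tools sits on the system PATH with a weak ACL; C:\Users\Public is world-writable).
SAMPLE_WRITABLE_DIRS = (r"C:\Tools", r"C:\Users\Public")


def parse_dll_probes(csv_text):
    """Yield (process, pid, path, result) for every CreateFile probe of a .dll path."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] == "CreateFile" and row["Path"].lower().endswith(".dll"):
            yield row["Process Name"], row["PID"], row["Path"], row["Result"]


def group_probes(probes):
    """Group probes by (process, pid, dll name), keeping the loader's search order."""
    groups = OrderedDict()
    for proc, pid, path, result in probes:
        key = (proc, pid, ntpath.basename(path).lower())
        groups.setdefault(key, []).append((ntpath.dirname(path), result))
    return groups


def is_writable_dir(directory, writable_dirs):
    """True if directory is one of, or sits below, the writable roots (case-insensitive)."""
    d = directory.lower().rstrip("\\")
    for root in writable_dirs:
        r = root.lower().rstrip("\\")
        if d == r or d.startswith(r + "\\"):
            return True
    return False


def find_hijack_candidates(csv_text, writable_dirs):
    """One finding per DLL whose search passes through a writable directory
    before the loader finds it (or never finds it at all)."""
    findings = []
    for (proc, pid, dll), probes in group_probes(parse_dll_probes(csv_text)).items():
        resolved_from = next((d for d, r in probes if r == "SUCCESS"), None)
        for directory, result in probes:
            if result == "SUCCESS":
                break  # the loader stopped here; nothing after this is searched
            if result == "NAME NOT FOUND" and is_writable_dir(directory, writable_dirs):
                findings.append({
                    "process": proc, "pid": pid, "dll": dll,
                    "plant_dir": directory,          # where an attacker's copy would be picked up
                    "resolved_from": resolved_from,  # None: the DLL is missing entirely
                    "kind": "missing DLL" if resolved_from is None
                            else "writable directory searched before real DLL",
                })
                break  # one finding per DLL is enough
    return findings


if __name__ == "__main__":
    for f in find_hijack_candidates(SAMPLE_PROCMON_CSV, SAMPLE_WRITABLE_DIRS):
        print(f"{f['process']} (PID {f['pid']}): {f['dll']} -> plant in {f['plant_dir']} [{f['kind']}]")
```

On the sample data the script reports helper.dll (never found, last probed in the writable C:\Tools) and dbghelp.dll (real copy in System32, but the writable application directory is probed first); version.dll and plugin.dll are not reported because the only directory probed before they were found is not writable. A CreateFile SUCCESS is taken as the point where the search stopped; Process Monitor's Load Image events confirm which file the process actually mapped.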
Documented technique shown for defenders.
How to defend
- Have applications load DLLs by full path from fixed, protected locations, or use the safe loading APIs: LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 restricts the search to System32, and SetDefaultDllDirectories with LOAD_LIBRARY_SEARCH_DEFAULT_DIRS limits subsequent loads to the application directory, System32 and directories added with AddDllDirectory, dropping the current directory and PATH from the search.
- Remove write access to application and service directories, and to every directory on the system PATH, for non-admin users.
- Keep software patched, since vendors fix hijackable load behaviour.
- Use application control (allow-listing) to block unexpected DLLs.
- Monitor for DLLs appearing in program directories and for unusual module loads, for example Sysmon Event ID 7 (ImageLoad) records where a DLL carrying a Windows system library’s name is loaded from outside System32, or any DLL is loaded from a user-writable directory.
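The monitoring point above, as an added detection example that is not the page's or any vendor's code: it scores Sysmon Event ID 7 (ImageLoad) records with three hijack heuristics, a system DLL name loaded from outside the system directories, a DLL loaded from a user-writable directory, and an unsigned DLL inside an installed application's directory. The events, the writable roots and the DLL name list are constructed for the example and should be tuned to the estate being monitored.

```python
"""Flag DLL loads that look like search-order hijacks in Sysmon Event ID 7 records.

Added example, not the page's own tooling.  Each event is a dict carrying the
Sysmon ImageLoad field names (Image, ImageLoaded, Signed, SignatureStatus).
Three heuristics, each a known hijack tell, are applied independently so a
single event can collect several reasons.
"""
import ntpath

SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
PROGRAM_DIRS = (r"C:\Program Files", r"C:\Program Files (x86)")

# System32 libraries that many programs import by bare name and that therefore
# recur as hijack targets.  Extend from your own procmon / import-table review.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "cryptsp.dll", "cryptbase.dll",
    "winhttp.dll", "wlanapi.dll", "userenv.dll", "profapi.dll",
}

# Constructed: user-writable roots on the sample host.
SAMPLE_WRITABLE_DIRS = (r"C:\Tools", r"C:\Users\Public", r"C:\Windows\Temp")

# Constructed Event ID 7 records (field subset); processes and paths are invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Updater\UpdaterSvc.exe",
     "ImageLoaded": r"C:\Program Files\Updater\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Tools\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\App.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def under_any(path, roots):
    """Case-insensitive: is path one of roots or somewhere beneath one?"""
    p = path.lower().rstrip("\\")
    for root in roots:
        r = root.lower().rstrip("\\")
        if p == r or p.startswith(r + "\\"):
            return True
    return False


def image_load_findings(event, writable_dirs):
    """Return the reasons (empty list if none) an ImageLoad record looks like a hijack."""
    loaded = event["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    loaded_dir = ntpath.dirname(loaded)
    signed = event.get("Signed", "").lower() == "true"
    reasons = []
    if name in SYSTEM_DLL_NAMES and not under_any(loaded_dir, SYSTEM_DIRS):
        reasons.append(f"system DLL name {name} loaded from non-system directory {loaded_dir}")
    if under_any(loaded_dir, writable_dirs):
        reasons.append(f"DLL loaded from user-writable directory {loaded_dir}")
    if not signed and under_any(loaded_dir, PROGRAM_DIRS):
        reasons.append("unsigned DLL inside an installed application's directory")
    return reasons


def scan_image_loads(events, writable_dirs):
    """Return (loader image, loaded DLL, reasons) for every event that tripped a heuristic."""
    hits = []
    for event in events:
        reasons = image_load_findings(event, writable_dirs)
        if reasons:
            hits.append((event["Image"], event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, loaded, reasons in scan_image_loads(SAMPLE_EVENTS, SAMPLE_WRITABLE_DIRS):
        print(f"{image} loaded {loaded}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the sample events the planted version.dll in the updater's directory trips two heuristics (system DLL name outside System32, unsigned under Program Files) and helper.dll loaded from C:\Tools trips the writable-directory check; the two loads from their expected locations are silent. The unsigned-in-Program-Files rule is the noisiest of the three in practice, since some vendors ship unsigned libraries, so it is the one to baseline first.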