What is dll hijacking?


Problem description

Simple question: What is dll hijacking?

I read a lot about which applications are vulnerable, but not a lot of depth as to why.

Answers appreciated.

Recommended answer

The basics are simple. Windows has a search path for DLLs, much the same way it has a $PATH for finding executables. If you can figure out what DLLs an app requests without an absolute path (triggering this search process), you can then place your hostile DLL somewhere higher up the search path so it'll be found before the real version is, and Windows will happily feed your attack code to the application.

So, let's pretend your system's DLL search path looks something like this:

a) .     <--current working directory of the application, highest priority, first check
b) \windows
c) \windows\system32
d) \windows\syswow64   <-- lowest priority, last check

and some application Foo.exe requests "bar.dll", which happens to live in the syswow64 (d) subdir. This gives you the opportunity to place your malicious version in a), b), or c) and it will be loaded into the app automatically whenever the app requests bar.dll. And now your foo is well and truly bar'd.

As stated before, even an absolute full path can't protect against this, if you can replace the DLL with your own version.

And of course, this isn't really limited to Windows either. Any OS which allows for dynamic linking of external libraries is theoretically vulnerable to this.
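
The search-order behaviour described in the answer, turned into a defensive check (an added example, not part of the original answer): it resolves a DLL name against an ordered list of directories the way the simplified a) to d) list above does, reports when the winning copy is not the expected one, and lists the earlier directories the current user can write to. The function names, the `appdir` directory and the temporary directory tree are assumptions made for the example, and the order is the answer's illustrative one, not the real Windows loader's.

```python
import os
import tempfile

def resolve(dll_name, search_path):
    """Return the first directory in search_path holding dll_name, else None."""
    wanted = dll_name.lower()  # Windows file names are case-insensitive
    for directory in search_path:
        try:
            names = os.listdir(directory)
        except OSError:
            continue  # missing or unreadable directory: move on to the next one
        if any(n.lower() == wanted for n in names):
            return directory
    return None

def audit(dll_name, search_path, expected_dir):
    """Compare where dll_name resolves with where it is supposed to live."""
    resolved = resolve(dll_name, search_path)
    # Directories searched before the expected one: a copy in any of them wins.
    if expected_dir in search_path:
        earlier = search_path[:search_path.index(expected_dir)]
    else:
        earlier = list(search_path)
    return {
        "resolved": resolved,
        "shadowed": resolved is not None and resolved != expected_dir,
        "writable_earlier": [d for d in earlier
                             if os.path.isdir(d) and os.access(d, os.W_OK)],
    }

def build_sample_tree(root):
    """Constructed layout mirroring the a)-d) order in the answer."""
    order = ["appdir", "windows",
             os.path.join("windows", "system32"),
             os.path.join("windows", "syswow64")]
    dirs = [os.path.join(root, d) for d in order]
    for d in dirs:
        os.makedirs(d, exist_ok=True)
    open(os.path.join(dirs[3], "bar.dll"), "wb").close()  # the genuine copy, in (d)
    return dirs

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        path = build_sample_tree(root)
        print(audit("bar.dll", path, path[3]))  # clean state
        # Constructed finding: an empty, unexpected copy appears in (a).
        open(os.path.join(path[0], "BAR.DLL"), "wb").close()
        print(audit("bar.dll", path, path[3]))  # now reported as shadowed
```

A non-empty `writable_earlier` list is the condition the answer relies on, so tightening permissions on those directories or loading the DLL by a fixed path removes it.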
