Windows: What is DLL hijacking?
Note: this page is a side-by-side Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/3623490/
What is dll hijacking?
Asked by The Pixel Developer
Simple question: What is dll hijacking?
I read a lot about which applications are vulnerable, but not a lot of depth as to why.
Answers appreciated.
Answer by Marc B
The basics are simple. Windows has a search path for DLLs, much the same way it has a $PATH for finding executables. If you can figure out what DLLs an app requests without an absolute path (triggering this search process), you can then place your hostile DLL somewhere higher up the search path so it'll be found before the real version is, and Windows will happily feed your attack code to the application.
So, let's pretend your system's DLL search path looks something like this:
a) . <--current working directory of the application, highest priority, first check
b) \windows
c) \windows\system32
d) \windows\syswow64 <-- lowest priority, last check
and some application Foo.exe requests "bar.dll", which happens to live in the syswow64 (d) subdir. This gives you the opportunity to place your malicious version in a), b), or c) and it will be loaded into the app automatically whenever the app requests bar.dll. And now your foo is well and truly bar'd.
As stated before, even an absolute full path can't protect against this, if you can replace the DLL with your own version.
And of course, this isn't really limited to Windows either. Any OS which allows for dynamic linking of external libraries is theoretically vulnerable to this.
Answer by Justin Niessner
DLL Hijacking is really a simple concept.
Applications load external code via DLLs (Dynamic Link Libraries). DLL Hijacking is a process by which malicious code is injected into an application via a malicious DLL with the same name as a DLL used by the application.
An application is vulnerable to DLL hijacking depending on how they reference their DLLs. One example is using relative paths instead of the absolute path to the DLL. Another is loading DLLs using environment variables that may not be set properly in which case the directory defaults to a relative path of the executing application.
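Added example (not part of either answer and not code from StackOverflow): a defender-side check that models the first-match search described in Marc B's answer and the relative-name loading described in Justin Niessner's answer, and reports when a DLL resolves from a directory other than the one it is expected in. The function names, the temporary directory layout and the four-entry order are assumptions that mirror the illustrative a) to d) list above, not Windows' actual default search order; pass in the real order for the system being audited.

```python
import os
import tempfile

def resolve(dll_name, search_path):
    """Return the first directory in search_path holding dll_name, else None."""
    wanted = dll_name.lower()  # Windows file names are case-insensitive
    for directory in search_path:
        try:
            names = os.listdir(directory)
        except OSError:
            continue  # missing or unreadable directories are skipped
        if any(name.lower() == wanted for name in names):
            return directory
    return None

def audit(dll_name, search_path, expected_dir):
    """Compare where dll_name resolves with where it is expected to live."""
    chosen = resolve(dll_name, search_path)
    if expected_dir in search_path:
        earlier = search_path[:search_path.index(expected_dir)]
    else:
        earlier = list(search_path)
    return {
        "resolved_from": chosen,
        # True when a same-named file is found before the expected copy
        "shadowed": chosen is not None and chosen != expected_dir,
        # earlier directories the current user can write to deserve an ACL review
        "writable_earlier_dirs": [d for d in earlier
                                  if os.path.isdir(d) and os.access(d, os.W_OK)],
    }

def demo():
    """Constructed layout mirroring a) to d); all files are empty placeholders."""
    root = tempfile.mkdtemp()
    order = [os.path.join(root, n)
             for n in ("app_cwd", "windows", "system32", "syswow64")]
    for directory in order:
        os.mkdir(directory)
    open(os.path.join(order[3], "bar.dll"), "wb").close()   # expected copy in d)
    clean = audit("bar.dll", order, order[3])
    open(os.path.join(order[0], "BAR.DLL"), "wb").close()   # unexpected copy in a)
    shadowed = audit("bar.dll", order, order[3])
    return order, clean, shadowed

if __name__ == "__main__":
    for result in demo()[1:]:
        print(result)
```

A `shadowed` result of `True` means the name-only lookup would stop at a directory ahead of the expected one, which is the condition both answers describe.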