
John Hammond Explores DLL Hijacking Vulnerability in Windows 11's dism.exe
In this video, John Hammond explores a "DLL hijacking" vulnerability in the dism.exe executable shipped with Windows 11. The technique lets an attacker get a legitimate program to load an arbitrary dynamic link library (DLL) and so execute malicious code.

John begins by explaining that "DLL hijacking" means tricking a legitimate program into loading a malicious DLL in place of the one it expects. The method is mostly used for post-exploitation activities, such as privilege escalation or persistence on an already compromised system.

He then demonstrates the vulnerability with dism.exe, a tool for managing and deploying Windows images. Although dism.exe is a legitimate program signed by Microsoft, it can be manipulated into loading a malicious DLL. Using Process Monitor from Microsoft's Sysinternals suite, John identifies the DLLs that dism.exe attempts to load and finds that it tries to load dismcore.dll, which can be abused to inject malicious code.

To illustrate the technique, John writes a simple DLL in C that displays a message box reading "pwned" when loaded. He compiles it, renames it to dismcore.dll and places it in the same directory as dism.exe. When he runs dism.exe, the malicious DLL is loaded and the message box appears, demonstrating the "DLL hijacking."

John takes the experiment further with a DLL that establishes a reverse shell connection to a Linux virtual machine. Compiled, renamed to dismcore.dll and placed beside dism.exe in the same way, it gives him remote access to the compromised system as soon as dism.exe runs.

John emphasizes that the technique usually requires modifications on the target machine, which makes it better suited to post-exploitation scenarios than to initial access. He also mentions that automated tools can be used to find "DLL hijacking" opportunities in other programs.
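The observable side effect of the hijack described above is a Microsoft-signed host loading a same-named DLL from an unexpected directory, usually unsigned and sitting beside a copied executable. The following added example (not code from the video or from John Hammond) turns that into a detection over constructed Sysmon Event ID 7 (Image loaded) records; the watchlist and the trusted directories are assumptions, with dismcore.dll taken from the page.

```python
import ntpath

# Assumption (constructed watchlist): DLL names a signed host resolves by name,
# so a copy next to the executable wins the search order. dismcore.dll is the
# one named on this page; hijacklibs.net lists others.
WATCHLIST = {"dismcore.dll"}
# Assumption: the only directories these DLLs should ever be loaded from.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

def _under(path, root):
    """Case-insensitive 'path lies inside root' using Windows path rules."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\") + "\\"
    return p.startswith(r)

def classify(event):
    """Return a finding for one Sysmon Event ID 7 record, or None if benign."""
    image, loaded = event["Image"], event["ImageLoaded"]
    if ntpath.basename(loaded).lower() not in WATCHLIST:
        return None
    reasons = []
    if not any(_under(loaded, d) for d in TRUSTED_DIRS):
        reasons.append(f"loaded from untrusted directory {ntpath.dirname(loaded)}")
    same_dir = ntpath.normcase(ntpath.dirname(loaded)) == ntpath.normcase(ntpath.dirname(image))
    if same_dir and not any(_under(image, d) for d in TRUSTED_DIRS):
        reasons.append("DLL sits beside a copy of the host executable outside Windows")
    if event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("DLL is not validly signed")
    elif not event.get("Signature", "").startswith("Microsoft"):
        reasons.append(f"DLL signed by {event['Signature']!r}, not Microsoft")
    return f"{ntpath.basename(image)} -> {loaded}: " + "; ".join(reasons) if reasons else None

def scan(events):
    """Run classify over a list of records and return the non-empty findings."""
    return [f for f in map(classify, events) if f]

# Constructed sample records using Sysmon Event ID 7 field names, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\Dism.exe", "ImageLoaded": r"C:\Windows\System32\Dism\dismcore.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\demo\Desktop\dism.exe", "ImageLoaded": r"C:\Users\demo\Desktop\dismcore.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\Dism.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the second record, the side-loaded copy, produces a finding; the legitimate dismcore.dll load and the unrelated kernel32.dll load are silent.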
Finally, John shares useful resources to learn more about "DLL hijacking," including the site hijacklibs.net, which lists "DLL hijacking" opportunities in various Windows programs. He also mentions real-world case studies where this technique has been used, highlighting its potential for privilege escalation and persistence attacks. For penetration testers and cybersecurity professionals, this video offers a practical demonstration and valuable resources for understanding and exploiting "DLL hijacking" vulnerabilities.