DLL waxay u taagan tahay Dynamic Link Libraries waana qaybo ka baxsan codsiyada ku shaqeeya Windows ama nidaamka kale ee hawlgalka. Codsiyada badankoodu ma dhammaystirna iyaga oo ku kaydiya koodka faylal kala duwan. Haddii ay jirto baahi loo qabo koodhka, faylka la xidhiidha waxaa lagu shubaa xusuusta oo la isticmaalo. Tani waxay yaraynaysaa cabbirka faylka codsiga iyada oo la wanaajinayo isticmaalka RAM . Maqaalkani waxa uu sharxayaa waxa ay tahay Afduubka DLL^{(DLL Hijacking)} iyo sida loo ogaado loogana hortago.

Waa maxay Faylasha^(Files) DLL ama Maktabadaha Isku xirka Dynamic^{(Dynamic Link Libraries)}

Faylasha DLL^(DLL) waa Library Link Dynamic^{(Dynamic Link Libraries)} iyo sida ku cad magaca, waa kordhinta codsiyada kala duwan. Codsi kasta oo aan isticmaalno waxaa laga yaabaa ama ma isticmaali karo koodka qaarkood. Koodhadhka noocaan ah waxaa lagu keydiyaa faylal kala duwan waxaana lagu yeeraa ama lagu shubaa RAM kaliya marka koodka la xiriira loo baahdo. Sidaa darteed, waxay ka badbaadisaa faylka codsiga inuu noqdo mid aad u weyn iyo si looga hortago ilo-soo-saarka arjiga.

Dariiqa loo maro faylalka DLL waxa dejiya nidaamka hawlgalka Windows . Waddada waxa loo dejiyay iyadoo la isticmaalayo isbeddellada deegaanka ee caalamiga ah^{(Global Environmental Variables)} . Sida caadiga ah, haddii codsigu codsado faylka DLL , nidaamka hawlgalka wuxuu eegayaa isla galka uu codsiga ku kaydsan yahay. Haddii aan laga helin halkaas, waxay aadaysaa galka kale sida ay dejiyeen doorsoomayaasha caalamiga ah. Waxaa jira mudnaan gaar ah oo ku xiran waddooyinka waxayna ka caawisaa Windows inay go'aamiso galka la raadinayo DLL^(DLLs) -yada . Tani waa meesha afduubka DLL uu yimaado.^(DLL)

Waa maxay afduubka DLL

Maadaama DLL^(DLLs) -yadu ay yihiin kordhin iyo lagama maarmaan u ah isticmaalka ku dhawaad ​​dhammaan codsiyada mishiinnadaada, waxay ku jiraan kombuyuutarka galka kala duwan sida lagu sharaxay. Haddii faylka asalka ah ee DLL lagu beddelo faylka DLL been abuur ah oo ka kooban kood xaasidnimo ah, waxa loo yaqaan DLL Afduubka^{(DLL Hijacking)} .

Sidii hore loo soo sheegay, waxaa jira mudnaan gaar ah oo ku saabsan halka nidaamka qalliinka uu ka raadinayo faylasha DLL . Marka hore^(First) , waxa ay eegi isla galkii galka codsiga ka dibna waxa ay aadaa raadinta, iyada oo ku saleysan mudnaanta ay dejiyeen doorsoomayaasha deegaanka ee nidaamka hawlgalka. Markaa haddii faylka good.dll uu ku jiro gal SysWOW64 qofna geliyo bad.dll galka mudnaan sare leh marka loo eego gal SysWOW64 , nidaamka hawlgalka wuxuu isticmaalayaa faylka bad.dll, maadaama uu la mid yahay DLL . Codsiga ayaa codsaday. Marka RAM la galo , waxay fulin kartaa code-ka xaasidnimada ah ee ku jira feylka waxayna wax u dhimi kartaa kombiyuutarkaaga ama shabakadaha.

Sida loo ogaado afduubka DLL

Habka ugu fudud ee lagu ogaan karo loogana hortagayo afduubka DLL waa in la isticmaalo aaladaha qolo saddexaad. Waxaa jira qaar ka mid ah qalabyada bilaashka ah ee wanaagsan ee laga heli karo suuqa kuwaas oo ka caawinaya in la ogaado isku dayga DLL hack iyo ka hortagga.

Mid ka mid ah barnaamijkan waa DLL Hijack Auditor laakiin waxa ay taageertaa codsiyada 32-bit oo keliya. Waxaad ku rakibi kartaa kombayutarka oo aad iskaan kartaa dhammaan codsiyadaada Windows si aad u aragto waxa dhammaan codsiyada u nugul afduubka DLL . Interface waa mid fudud oo iskiis u sharaxan. Ciladda kaliya ee codsigan ayaa ah inaadan iskaankarin karin codsiyada 64-bit.

Barnaamij kale, si loo ogaado afduubka  DLL , DLL_HIJACK_DETECT, ayaa la heli karaa iyada oo loo marayo GitHub . Barnaamijkani waxa uu eegaa codsiyada si uu u eego in mid ka mid ah uu u nugul yahay afduubka DLL . Haddii ay tahay, barnaamijku wuxuu ku wargelinayaa isticmaalaha. Codsigu wuxuu leeyahay laba nooc - x86 iyo x64 si aad mid kasta u isticmaasho si aad u sawirto codsiyada 32-bit iyo 64-bit siday u kala horreeyaan.

Waa in la ogaadaa in barnaamijyada kor ku xusan ay kaliya iskaan karaan codsiyada ku jira barxadda Windows ee dayacanka oo aan dhab ahaantii ka hortagin afduubka faylasha DLL .

Sida looga hortago afduubka DLL

Arinta waa in marka hore ay wax ka qabtaan barmaamijyada maadaama aysan jirin wax badan oo aad sameyn karto marka laga reebo in aad sare u qaaddo nidaamkaaga amniga. Haddii halkii dariiq qaraabo ah, barnaamij-sameeyayaashu ay bilaabaan inay adeegsadaan waddo dhammaystiran, baylahda waa la dhimi doonaa. Akhrinta dariiqa saxda ah, Windows -ka ama nidaamka kale ee hawlgalka kuma xidhna doono doorsoomayaasha nidaamka ee dariiqa oo si toos ah u aadi doona DLL loogu talagalay , taas oo meesha ka saaraysa fursadaha lagu soo rogo isla magaca DLL ee dariiqa mudnaanta sare leh. Habkani sidoo kale, maaha mid caddaynaya sababtoo ah haddii nidaamka la jabiyo, oo dembiilayaasha internetka ay ogaadaan waddada saxda ah ee DLL , waxay ku beddeli doonaan DLL asalka ah ^(DLL)DLL been abuur ah.. Taasi waxay noqonaysaa in faylka dib loo qoro si DLL -kii asalka ahaa loogu beddelo kood xaasidnimo ah. Laakiin mar labaad, dambiilaha internetka wuxuu u baahan doonaa inuu ogaado dariiqa saxda ah ee saxda ah ee lagu sheegay codsiga u yeeraya DLL . Nidaamku waa ku adag yahay dambiilayaasha internetka oo markaa waa la tirin karaa.

U soo noqoshada waxa aad sameyn karto, kaliya isku day inaad sare u qaaddo nidaamkaaga amniga si aad si fiican u sugo nidaamkaaga Windows^{(secure your Windows system)} . Isticmaal dab- damis^(firewall) wanaagsan . Haddi ay suurtagal tahay, isticmaal firewall hardware ah ama shid dab-damiska router-ka. Isticmaal hababka ogaanshaha soo galitaanka wanaagsan si aad u ogaato haddii qof uu isku dayayo inuu ku ciyaaro kombayutarkaaga.

Haddii aad galayso cilad-saarka kombayutarada, waxa kale oo aad samayn kartaa waxyaabaha soo socda si aad u ilaaliso ammaankaaga:

1. Dami rarida DLL ee saamiyada shabakada fog
2. Jooji rarida faylasha DLL ee ^(DLL)WebDAV
3. Demi gabi ahaan adeega WebClient^(WebClient) ama u dhig buug-gacmeedka
4. Jooji dekedaha ^(Block)TCP 445 iyo 139 maadaama inta badan loo isticmaalo waxyeelada kombayutarada
5. Ku rakib cusbooneysiintii ugu dambeysay ee nidaamka hawlgalka iyo software amniga.

Microsoft ayaa soo saartay qalab looga hortagayo weerarrada afduubka ee DLL . Qalabkani wuxuu yareeyaa khatarta weerarrada afduubka DLL isagoo ka hortagaya codsiyada si ammaan-darro ah koodka galka DLL^(DLL) .

Haddii aad jeclaan lahayd inaad wax ku darto maqaalka, fadlan faallo ka bixi hoos.^{(If you would like to add anything to the article, please comment below.)}

DLL Hijacking Vulnerability Attacks, Prevention & Detection

DLL stands for Dynamic Link Libraries and are external parts of applications that run on Windows or any other operatіng system. Most applications are not complеte in themselves and store cоde in different files. If there iѕ a need for the code, the relatеd file is loaded into mеmоry and used. This reduces application file sіze whіlе optimizing the usаge of RAM. This article explainѕ what is DLL Hijacking and how to detect and prevent it.

What are DLL Files or Dynamic Link Libraries

DLL files are Dynamic Link Libraries and as evident by the name, are extensions of different applications. Any application we use may or may not use certain codes. Such codes are stored in different files and are invoked or loaded into RAM only when the related code is required. Thus, it saves an application file from becoming too big and to prevent resource hogging by the application.

The path for DLL files are set by the Windows operating system. The path is set using Global Environmental Variables. By default, if an application requests a DLL file, the operating system looks into the same folder in which the application is stored. If it is not found there, it goes to other folders as set by the global variables. There are priorities attached to paths and it helps Windows in determining what folders to look for the DLLs. This is where the DLL hijacking comes in.

What is DLL Hijacking

Since DLLs are extensions and necessary to using almost all applications on your machines, they are present on the computer in different folders as explained. If the original DLL file is replaced with a fake DLL file containing malicious code, it is known as DLL Hijacking.

As mentioned earlier, there are priorities as to where the operating system looks for DLL files. First, it looks into the same folder as the application folder and then goes searching, based on the priorities set by the environment variables of the operating system. Thus if a good.dll file is in SysWOW64 folder and someone places a bad.dll in a folder that has higher priority compared to SysWOW64 folder, the operating system will use the bad.dll file, as it has the same name as the DLL requested by the application. Once in RAM, it can execute the malicious code contained in the file and may compromise your computer or networks.

How to detect DLL Hijacking

The easiest method to detect and prevent DLL hijacking is to use third-party tools. There are some good free tools available in the market that helps in detecting a DLL hack attempt and prevent it.

One such program is DLL Hijack Auditor but it supports only 32-bit applications. You can install it on your computer and scan all your Windows applications to see what all applications are vulnerable to DLL hijack. The interface is simple and self-explanatory. The only drawback of this application is that you cannot scan 64-bit applications.

Another program, to detect DLL hijacking, DLL_HIJACK_DETECT, is available via GitHub. This program checks applications to see if any of them are vulnerable to DLL hijacking. If it is, the program informs the user. The application has two versions – x86 and x64 so that you can use each to scan both 32-bit and 64-bit applications respectively.

It should be noted that the above programs just scan the applications on the Windows platform for vulnerabilities and do not actually prevent the hijacking of DLL files.

How to prevent DLL Hijacking

The issue should be tackled by the programmers in the first place as there is not much you can do except to beef up your security systems. If instead of a relative path, programmers start using an absolute path, the vulnerability will be reduced. Reading the absolute path, the Windows or any other operating system will not depend on system variables for path and will go straight for the intended DLL, thereby dismissing the chances of loading the same name DLL in a higher priority path. This method too, is not fail-proof because if the system is compromised, and the cybercriminals know the exact path of DLL, they will replace the original DLL with the fake DLL. That would be overwriting the file so that the original DLL is changed into malicious code. But again, the cybercriminal will need to know the exact absolute path mentioned in the application that calls for the DLL. The process is tough for cybercriminals and hence can be counted upon.

Coming back to what you can do, just try to scale up your security systems to better secure your Windows system. Use a good firewall. If possible, use a hardware firewall or turn on the router firewall. Use good intrusion detection systems so that you know if anyone is trying to play with your computer.

If you are into troubleshooting computers, you may also perform the following to up your security:

1. Disable DLL loading from remote network shares
2. Disable loading of DLL files from WebDAV
3. Disable WebClient service completely or set it to manual
4. Block the TCP ports 445 and 139 as they are used most for compromising computers
5. Install the latest updates to the operating system and security software.

Microsoft has released a tool to block DLL load hijacking attacks. This tool mitigates the risk of DLL hijacking attacks by preventing applications from insecurely loading code from DLL files.

If you would like to add anything to the article, please comment below.

Related posts

• Waa maxay Gelitaanka Fog ee Trojan? Kahortagga, Ogaanshaha & Ka saarida

• Weerarada Malware-ka aan fileyn, Ilaalinta iyo Ogaanshaha

• Sidee Looga Fogaadaa Khayaanada Khiyaamada iyo Weerarada?

• Weerarada Cyber ​​- Qeexid, Noocyada, Ka Hortagga

• Afduubka Browser-ka iyo Aaladaha Ciribtirka Af-duubaha Biraawsarkaaga

• Aaladaha ka saarida Malware ee bilaashka ah si meesha looga saaro Virus gaar ah Windows 11/10

• Sida looga saaro fayraska Windows 11/10; Hagaha ka saarida Malware

• Fayraska ugu Wanaagsan & Sawir-qaadayaasha Malware-ka ayaa BOQOR U DAMAANADNAYA IN UU NOQOTO Virus Kasta

• Waa maxay weerarada Dhulka ee ku noolaanshaha? Sidee loo nabadgeliyaa?

• Qaabka la cayimay qalad lagama heli karo Windows 11/10

• Sida loo hubiyo Registry for malware gudaha Windows 11/10

• Waa maxay FileRepMalware? Ma ka saartaa?

• Sidee Microsoft u aqoonsataa Malware & Codsiyada aan la rabin ee suurtogalka ah

• Barnaamijyada ama Codsiyada aan la rabin ee suurtogalka ah; Iska ilaali inaad ku rakibto PUP/PUA

• Sida loo isticmaalo Malwarebytes Anti-Malware si meesha looga saaro Malware

• Ka saar fayraska USB Flash Drive adoo isticmaalaya Command Prompt ama Faylka Dufcada

• Habka Logo Microsoft ee Maamulaha Hawsha; Ma fayras baa?

• Waa maxay CandyOpen? Sidee looga saaraa CandyOpen Windows 10?

• Waa maxay Rootkit? Sidee buu u shaqeeyaa Rootkits? Rootkits ayaa sharaxay.

• Crystal Security waa aaladda ogaanshaha Malware ee ku saleysan Cloud ee bilaashka ah ee PC