
BeYoUnIqUe

Thursday, December 9, 2010

DLL Hijacking:

A DLL (Dynamic Link Library) is a set of functions and small programs used by the larger programs running on a computer. It is Microsoft's implementation of the shared library concept, where the code and data in the library can be shared by any module on the computer. These functions let larger programs communicate with external devices such as printers and mice.

DLLs are not loaded into RAM together with the application, which saves memory: a DLL is loaded and run only when it is needed.

For example, a user is editing a Microsoft Word document. Only if the user decides to print the document is the printer DLL loaded into RAM and run; until then, that DLL does not need to be loaded.

All DLL files have the .dll extension. All Windows applications, and some non-Windows applications, rely on DLLs for part of their functionality.

So, alongside the DLLs built into Windows, developers also create DLLs containing functions that their application uses. The DLLs an application needs are packaged and installed together with it.

DLL hijacking:

When DLLs are packaged and installed with an application, the developer would need to specify the exact path from which each packaged DLL is loaded, but often this is not done: the application has no statically defined path for the DLL. Instead, it searches the directory it was executed from first, then the system directory, and loads the first file whose name matches.

To see how the attack happens, combine the scenario above with the following. An application must dynamically search for a required DLL when it loads. It first searches the directory it was executed from and finds a DLL whose name matches. The real DLLs belonging to the application live in the Windows system directory, but the DLL placed in the application's own directory is one an attacker has modified to give remote command-shell access to the system.

Because that planted file matches the requested name and sits earlier in the search order, the application never reaches the real DLL.
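The search order described above can be modelled and checked. The script below is an added example, not code from the original post: it builds a constructed toy layout in a temporary directory (an application directory and a stand-in for the system directory, with a hypothetical printer.dll in both), resolves a DLL name in the order the post describes (application directory first, then system directory), and runs a defender-side check that lists DLL names in the application directory which shadow a copy in the system directory. The directory names, file names and file contents are all assumptions made for the demonstration.

```python
import tempfile
from pathlib import Path


def resolve_dll(name, search_dirs):
    """Return the first path in search_dirs that contains a file called `name`,
    or None. The order of search_dirs is the loader's search order; the post
    describes the application's own directory being checked before the
    system directory, so that is the order the demo passes in."""
    for directory in search_dirs:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def find_shadowed_dlls(app_dir, system_dir):
    """Defender check: DLL names present in the application directory that also
    exist in the system directory. Because the application directory is searched
    first, any such file would be loaded instead of the real system copy, so each
    hit deserves a look (expected vendor DLL, or something planted?)."""
    app, system = Path(app_dir), Path(system_dir)
    if not app.is_dir() or not system.is_dir():
        return []
    system_names = {p.name.lower() for p in system.iterdir()
                    if p.suffix.lower() == ".dll"}
    return sorted(p.name for p in app.iterdir()
                  if p.suffix.lower() == ".dll" and p.name.lower() in system_names)


def build_demo(root):
    """Construct a toy layout (assumption: not a real Windows tree).
    'system32' holds the genuine DLLs; 'app' holds the executable and a file
    with the same name as one of the system DLLs."""
    app_dir = Path(root) / "app"
    system_dir = Path(root) / "system32"
    app_dir.mkdir()
    system_dir.mkdir()
    (system_dir / "printer.dll").write_bytes(b"genuine")   # the real DLL
    (system_dir / "other.dll").write_bytes(b"genuine")
    (app_dir / "app.exe").write_bytes(b"exe")
    (app_dir / "printer.dll").write_bytes(b"planted")      # same name, searched first
    return app_dir, system_dir


def demo():
    """Resolve two DLL names and run the shadowing check; returns a summary dict."""
    with tempfile.TemporaryDirectory() as root:
        app_dir, system_dir = build_demo(root)
        search_order = [app_dir, system_dir]
        printer = resolve_dll("printer.dll", search_order)
        other = resolve_dll("other.dll", search_order)
        return {
            # printer.dll is found in the application directory, not system32
            "printer_loaded_from_app_dir": printer.parent == app_dir,
            "printer_content": printer.read_bytes().decode(),
            # other.dll has no copy in the app directory, so the system one is used
            "other_loaded_from_system_dir": other.parent == system_dir,
            # the check flags exactly the shadowing file
            "shadowed": find_shadowed_dlls(app_dir, system_dir),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check in `find_shadowed_dlls` is deliberately simple: it only compares file names. On a real host you would additionally look at who can write to the application directory, and compare the digital signature or hash of any flagged file against the copy in the system directory before deciding whether it belongs there. On the prevention side, applications that load their DLLs by full path, or restrict the search order with the Windows `SetDllDirectory` / `SetDefaultDllDirectories` APIs, do not fall into the first-match trap the post describes.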
