Finding the same bugs in all the familiar places
A while back, I had a patch of cases where I was regularly looking at samples leveraging DLL Side loading (also called “Search Order Hijacking”) as part of their setup phase. This vulnerability exists because of how Windows handles resolving libraries for applications and can be exploited to cause an application to inadvertently load (at the same privilege level) a malicious library. When a library is loaded by an application (either delayed or at execution), Windows will check the following locations in order for a copy of the library: (https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order) The above shows the locations checked when SafeDllSearchMode is disabled. When enabled, the current directory is checked fifth, instead of second. This process can be exploited when a malicious library is added to one of these locations - before the actual library natively resides. For example, if MyApp.exe is attempting to load TestLib.dll