Save the Environment (Variable)
Posted by jpluimers on 2024/12/05
For my link archive: this environment-variable override trick for redirecting DLL loading is not limited to executables that ship with Windows; it also applies to other products (likely including virus scanners, which run with elevated privileges). An alternative to planting the DLL on disk is running a local process that serves it over the WebDAV protocol.
TL;DR – By manipulating environment variables on process level, it is possible to let trusted applications load arbitrary DLLs and execute malicious code. This post lists nearly 100 executables vulnerable to this type of DLL Hijacking on Windows 11 (21H2); it is demonstrated how this can be achieved with just three lines of VBScript.
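As an added defender-side example (not code from this post or from Wietze Beukema's research), the following Python audits a captured process environment block for the kind of override described above: it checks whether SYSTEMROOT and WINDIR still point under the real system root, and whether PATH contains UNC entries or lacks any system directory. It assumes the environment block has already been captured from the running process (for example through EDR telemetry or a debugger) and is passed in as a dict; the watched-variable list, the default system root C:\Windows and the two sample environments are constructed assumptions for this illustration.

```python
"""Audit a process environment block for overrides of the variables that the
Windows loader expands when locating system DLLs.

Added example for this link-archive page; not part of the original research.
Assumes the environment block was captured externally and is given as a dict.
"""
import ntpath

# Variables commonly expanded on the DLL search path (assumption for this example).
WATCHED_VARS = ("SYSTEMROOT", "WINDIR")
DEFAULT_SYSTEM_ROOT = r"C:\Windows"


def _norm(path):
    """Normalise a Windows path: drop quotes/trailing separators, lower-case."""
    p = path.strip().strip('"')
    if p:
        p = ntpath.normpath(p)
    return p.rstrip("\\").lower()


def _under(path, root):
    """True if `path` equals `root` or lies beneath it (case-insensitive)."""
    p, r = _norm(path), _norm(root)
    return p == r or p.startswith(r + "\\")


def audit_environment(env, system_root=DEFAULT_SYSTEM_ROOT):
    """Return a list of (variable, value, reason) findings for a captured block."""
    findings = []
    # Windows environment variable names are case-insensitive.
    upper = {k.upper(): v for k, v in env.items()}

    for var in WATCHED_VARS:
        val = upper.get(var)
        if val is None:
            findings.append((var, None, "missing"))
        elif not _under(val, system_root):
            reason = "UNC path" if val.startswith("\\\\") else "outside system root"
            findings.append((var, val, reason))

    # PATH: flag UNC entries, and a search path with no system directory at all.
    path = upper.get("PATH", "")
    entries = [e for e in path.split(";") if e]
    if not any(_under(e, system_root) for e in entries):
        findings.append(("PATH", path, "no system directory in search path"))
    for e in entries:
        if e.startswith("\\\\"):
            findings.append(("PATH", e, "UNC entry in search path"))
    return findings


# Constructed sample environment blocks (not captured from any real system).
CLEAN_ENV = {
    "SystemRoot": r"C:\Windows",
    "windir": "C:\\WINDOWS\\",
    "Path": r"C:\Windows\system32;C:\Windows;C:\Program Files\Git\cmd",
}
OVERRIDDEN_ENV = {
    "SystemRoot": r"C:\Users\user\AppData\Local\Temp\Windows",
    "windir": r"\\example-host\share\Windows",
    "Path": r"C:\Users\user\bin",
}


if __name__ == "__main__":
    for name, block in (("clean", CLEAN_ENV), ("overridden", OVERRIDDEN_ENV)):
        print(name, audit_environment(block) or "no findings")
```

A process whose SYSTEMROOT or WINDIR resolves outside the real Windows directory, or to a UNC share, is worth correlating with its image-load telemetry, since that is exactly the condition under which a trusted executable ends up loading a DLL the attacker controls.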
[Wayback/Archive] Save the Environment (Variable)
Via:
- [Wayback/Archive] Wietze on Twitter: “Many applications appear to rely on Environment Variables such as %SYSTEMROOT% to load DLLs from protected locations. By changing these variables on process level, it is possible to let a legitimate program load arbitrary DLLs. Full blog post here: wietzebeukema.nl/blog/save-the-environment-variables”
- [Wayback/Archive] Wietze on Twitter: “This research was first presented at #DEFCON30. The slides for this talk can be found below, a video recording will be made available at a later date. media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Wietze%20Beukema%20-%20Save%20The%20Environment%20%28Variable%29%20Hijacking%20Legitimate%20Applications%20with%20a%20Minimal%20Footprint.pdf”
- [Wayback/Archive] Jonas L on Twitter: “@Wietze but you don't need the program to use any env vars at all. you can already redirect loading of any dll as I demonstrate in my poc @ “
- [Wayback/Archive] Jonas L on Twitter: “github.com/jonaslyk/temp/blob/main/dav.cpp My webdav based reflective loader/per process devicemap based dll injector POC is by now usable. I would really like to have a OOP wrapper for NT- designing such is surprisingly difficult, but this approach shows potential especially considering simple”
- [Wayback/Archive] Wietze on Twitter: “@jonasLyk You’re absolutely right, network paths including WebDav are supported, eliminating even the ‘planting’ of the DLL. It should be noted however that loading DLLs from such paths is more likely to set off defensive solutions.”
- [Wayback/Archive] Jonas L on Twitter: “
–jeroen