Beyond Static Analysis: Hunt, Filter, and Confirm Hijacks with DLLHijackHunter
DLLHijackHunter is an automated Windows DLL hijacking detection tool that goes beyond static analysis. It discovers, validates, and confirms DLL hijacking opportunities using a multi-phase pipeline:
- Discovery — Enumerates binaries across services, scheduled tasks, startup items, COM objects, and AutoElevate UAC bypass vectors
- Filtration — Eliminates false positives through intelligent hard and soft gates
- Canary Confirmation — Deploys a harmless canary DLL and triggers the binary to prove the hijack works
- Scoring & Reporting — Ranks findings by exploitability with a tiered confidence system
Most DLL hijacking tools stop at “this DLL might be hijackable.” DLLHijackHunter attempts to validate it, cross-reference it against known exploit intelligence, and confirm real execution paths where possible.
Key Features
Hijack Type Coverage
| Type | Description | Stealth |
|---|---|---|
| Phantom | DLL doesn’t exist anywhere on disk | High |
| Search Order | Place DLL earlier in the Windows search order | High |
| Side-Loading | Abuse legitimate app loading DLLs from its directory | High |
| .local Redirect | Hijack via .local directory redirection | High |
| KnownDLL Bypass | Attempt bypass via .local or WoW64 edge cases | Medium |
| ENV PATH | Weaponization of writable directories in system PATH | High |
| CWD | Current Working Directory hijack | Low |
| AppInit DLLs | AppInit_DLLs registry abuse | Low |
| IFEO | Image File Execution Options debugger abuse | Medium |
| AppCert DLLs | AppCertDLLs registry hijack | Low |
UAC Bypass Discovery
DLLHijackHunter includes dedicated UAC bypass discovery:
- Manifest AutoElevate — Scans `System32` and `SysWOW64` for EXEs with `<autoElevate>true</autoElevate>` in embedded manifests
- COM AutoElevation — Scans `HKLM\SOFTWARE\Classes\CLSID` for COM objects with `Elevation\Enabled=1`
- Side-Load Simulation — For AutoElevate binaries that do not call `SetDllDirectory` or `SetDefaultDllDirectories`, simulates the “copy EXE to writable folder + drop DLL” attack path
Targeted Vulnerability Knowledge Base
- Targeted vulnerability mapping — Cross-references discovered imports against an offline dictionary of known vulnerable software patterns (for example, HijackLibs-style matches)
- Automated PATH exploitation — Evaluates writable `PATH` folders and generates hijack candidates for native Windows services that search `PATH` for missing DLLs
- Expanded phantom DLL hunting — Searches for a broad library of high-value phantom DLL opportunities across multiple categories
Filter Pipeline
The pipeline reduces false positives through two stages:
Hard Gates
- API set schema filtering (`api-ms-*`, `ext-ms-*`)
- KnownDLL filtering
- ACL-based writability validation
Soft Gates
- WinSxS manifest penalty
- Privilege delta analysis
- `LoadLibraryEx` mitigation checks
- Signature validation checks
- Graceful error-handling penalties
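The three hard gates above, applied to the machine-scope PATH that the ENV PATH hijack type targets, as an added PowerShell example that is not DLLHijackHunter's own code. The low-privilege SID list, the write-right bit mask and the sample DLL names are assumptions constructed for the example; the script only reads registry values and directory ACLs.

```powershell
# Added example (not DLLHijackHunter code); assumes Windows PowerShell 5.1+ with read access to the registry and directory ACLs
$KnownDllKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
function Test-ApiSetName {
    # Gate 1: api-ms-* / ext-ms-* names are API set contracts resolved by the loader, not files found via the search order
    param([string]$DllName)
    return [bool]($DllName -match '^(api|ext)-ms-')
}
function Get-KnownDllSet {
    # Gate 2: KnownDLLs are mapped from pre-created section objects, so the on-disk search order never applies to them
    $props = Get-ItemProperty -LiteralPath $KnownDllKey
    $names = $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^(PS|DllDirectory)' } |   # skip provider metadata and the DllDirectory* values
        ForEach-Object { ([string]$_.Value).ToLower() }
    return [System.Collections.Generic.HashSet[string]]::new([string[]]$names)
}
function Test-LowPrivWritable {
    # Gate 3: the directory must grant file creation to a low-privilege principal. Only Allow ACEs are inspected;
    # Deny precedence is not evaluated, so treat a hit as "review this directory", not as proof.
    param([string]$Path)
    $lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'  # assumed set: Everyone, Authenticated Users, Users, INTERACTIVE
    $writeBits   = 0x2 -bor 0x10000000 -bor 0x40000000              # CreateFiles/WriteData, GENERIC_ALL, GENERIC_WRITE
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if (($lowPrivSids -contains $sid) -and (([int]$ace.FileSystemRights) -band $writeBits)) { return $true }
    }
    return $false
}
function Find-WritablePathDirs {
    # Use the Machine-scope PATH, which is what services and scheduled tasks inherit, not the current user's merged PATH
    $dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) }
    foreach ($dir in $dirs) {
        if (Test-LowPrivWritable -Path $dir) { [pscustomobject]@{ Directory = $dir; LowPrivWritable = $true } }
    }
}
# Usage: report PATH directories a standard user could write into, then screen constructed sample DLL names
Find-WritablePathDirs | Format-Table -AutoSize
$known = Get-KnownDllSet
foreach ($dll in 'api-ms-win-core-file-l1-2-0.dll', 'kernel32.dll', 'notreal-phantom.dll') {   # constructed sample names
    $verdict = if (Test-ApiSetName $dll) { 'dropped: API set' }
               elseif ($known.Contains($dll.ToLower())) { 'dropped: KnownDLL' }
               else { 'passes hard gates' }
    '{0,-34} {1}' -f $dll, $verdict
}
```

A directory that passes gate 3 is where the tool's soft gates and canary confirmation would take over; on a hardened host the PATH scan should return nothing.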
Install & Use