## What is a DLL?

A [[DLLs|DLL]] is a Dynamic Link Library. In the context of Windows, a DLL is a reusable collection of code that can be accessed by multiple applications at once. The benefit of DLLs is that Windows executables can be smaller in size with the same functionality, because they can use parts of DLLs for that functionality rather than having to ship with the code themselves.

---

## What is DLL Search Order Hijacking

DLL Search Order Hijacking is when a new malicious DLL is dropped into a directory that has a high priority in Windows' built-in search order, so that it is found before the legitimate DLL.

When an executable wants to use a DLL, it imports the functionality into its own code. When the executable doesn't specify an absolute path, Windows will search in the following order:

1. Where the executable is running from. (Executable Location)
2. `C:\Windows\System32\` (System32 Folder)
3. `C:\Windows\System\` (System Folder)
4. `C:\Windows\` (Windows Folder)
5. The current working directory of the user (if via CLI)
6. Any directories in the `%PATH%` variable

>[!Note]
>This list does not include pre-search locations such as DLL Redirection, SxS, DLLs that have already been loaded into memory and the list of known DLLs.
>
>It also does not take into account whether Safe DLL search mode is enabled.

**Reference**: [Standard search order for unpackaged apps](https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#standard-search-order-for-unpackaged-apps)
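To audit for this condition, the six-step list above can be modelled as an ordered directory walk that reports any DLL name whose first match lies outside the Windows folders while a copy also exists inside them. This is an added example, not code from the original page; the function names, the `App` folder and the DLL names `sample.dll` and `other.dll` are constructed for illustration, and the walk ignores the pre-search locations and Safe DLL search mode mentioned in the note.

```python
import os
import tempfile

TRUSTED = {"System32 folder", "System folder", "Windows folder"}

def search_order(exe_dir, cwd, path_dirs, windows_dir=r"C:\Windows"):
    """(label, directory) pairs in the order listed on this page."""
    order = [
        ("executable location", exe_dir),
        ("System32 folder", os.path.join(windows_dir, "System32")),
        ("System folder", os.path.join(windows_dir, "System")),
        ("Windows folder", windows_dir),
        ("current working directory", cwd),
    ]
    return order + [("%PATH% entry", d) for d in path_dirs if d]

def contains(directory, dll_name):
    # Windows file names are case-insensitive, so compare lowercased names.
    names = os.listdir(directory) if os.path.isdir(directory) else []
    return dll_name.lower() in {n.lower() for n in names}

def candidates(dll_name, order):
    """Every search location holding a file with this name, in search order."""
    return [(label, d) for label, d in order if contains(d, dll_name)]

def audit(dll_names, order):
    """Names whose first match is outside the Windows folders but shadows a copy there."""
    findings = {}
    for name in dll_names:
        hits = candidates(name, order)
        if hits and hits[0][0] not in TRUSTED and any(lab in TRUSTED for lab, _ in hits[1:]):
            findings[name] = hits
    return findings

def build_demo_tree(root):
    """Constructed sample layout with made-up DLL names, not a real system."""
    app, sys32 = os.path.join(root, "App"), os.path.join(root, "Windows", "System32")
    os.makedirs(app)
    os.makedirs(sys32)
    for path in (os.path.join(sys32, "sample.dll"), os.path.join(sys32, "other.dll"),
                 os.path.join(app, "SAMPLE.dll")):
        open(path, "w").close()
    return app, os.path.dirname(sys32)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        app, win = build_demo_tree(root)
        found = audit(["sample.dll", "other.dll"], search_order(app, root, [], win))
        for name, hits in found.items():
            print(f"{name}: first match {hits[0][1]} shadows {hits[1][1]}")
```

A finding is a lead for review rather than proof of tampering, since some applications legitimately ship their own copy of a DLL beside the executable.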