## What is a DLL?
A [[DLLs|DLL]] is a Dynamic Link Library. In the context of Windows, a DLL is a reusable collection of code that multiple applications can use at once.
The benefit of DLLs is that Windows executables can be smaller while offering the same functionality, because they can call code in DLLs rather than having to ship with that code themselves.
---
## What is DLL Sideloading?
DLL Sideloading is when a new malicious DLL is dropped in the same directory as an executable so that the executable loads it.
DLL Sideloading is a type of [[DLL Search Order Hijacking]] and takes advantage of Windows' built-in search order for DLLs.
When an executable wants to use a DLL, it imports the functionality into its own code. When the executable doesn't specify an absolute path, Windows searches in the following order:
1. Where the executable is running from. (Executable Location)
2. `C:\Windows\System32\` (System32 Folder)
3. `C:\Windows\System\` (System Folder)
4. `C:\Windows\` (Windows Folder)
5. The current working directory of the user (if via CLI)
6. Any directories in the `%PATH%` variable
>[!Note]
>This list does not include the pre-search steps, such as DLL Redirection, SxS, DLLs that have already been loaded into memory, and the list of known DLLs.
>
>It also does not take into account whether Safe DLL search mode is enabled.

**Reference**: [Standard search order for unpackaged apps](https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#standard-search-order-for-unpackaged-apps)
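
The search order above can be used as an audit: the sketch below (an added example, not part of the original note) resolves a DLL name through the six locations and reports any DLL in the executable's directory that wins over a same-named copy later in the order. The directory tree and file names are constructed placeholders, and the pre-search steps mentioned in the note are not modelled.

```python
import os
import tempfile

def build_search_order(exe_dir, system32, system, windows, cwd, path_dirs):
    """Return (label, directory) pairs in the order listed above."""
    return [("Executable Location", exe_dir), ("System32 Folder", system32),
            ("System Folder", system), ("Windows Folder", windows),
            ("Current working directory", cwd)] + [("%PATH%", d) for d in path_dirs]

def list_dlls(directory):
    """Map lower-cased DLL name to its path (Windows file names are case-insensitive)."""
    if not os.path.isdir(directory):
        return {}
    return {n.lower(): os.path.join(directory, n)
            for n in os.listdir(directory) if n.lower().endswith(".dll")}

def resolve(dll_name, order):
    """Return (label, path) for the first directory in the order holding dll_name."""
    for label, directory in order:
        path = list_dlls(directory).get(dll_name.lower())
        if path:
            return label, path
    return None

def find_shadowing(order):
    """Report DLLs in the executable's directory that also exist later in the order."""
    findings = []
    for name, path in sorted(list_dlls(order[0][1]).items()):
        hidden = [label for label, d in order[1:] if name in list_dlls(d)]
        if hidden:
            findings.append({"dll": name, "loaded_from": path, "shadows": hidden})
    return findings

def demo():
    root = tempfile.mkdtemp()
    # Constructed tree standing in for a Windows host; empty files, hypothetical names.
    for folder, name in (("System32", "example_system.dll"), ("System32", "other_system.dll"),
                         ("tools", "example_system.dll"), ("app", "EXAMPLE_SYSTEM.dll"),
                         ("app", "app_only.dll")):
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        open(os.path.join(root, folder, name), "w").close()
    order = build_search_order(*(os.path.join(root, k) for k in
                                 ("app", "System32", "System", "Windows", "cwd")),
                               [os.path.join(root, "tools")])
    return order, find_shadowing(order)

if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding["dll"], "shadows a copy in", finding["shadows"])
```

A finding is a prompt for review rather than proof of compromise, since applications legitimately ship their own DLLs; the signal is an application-directory DLL whose name matches one in a system folder.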
## Difference between DLL Hijacking and DLL Sideloading
DLL Hijacking is when you replace an existing DLL with a malicious one, whereas with DLL Sideloading you just place a malicious DLL in the executable's directory to abuse the search order.