Get Persistence Against Obsidian: Hijacking Execution Flow and Bypassing Safe Search Order

A recently reported technique shows how `profapi.dll` can be abused to gain persistence on the machines of SysAdmins and programmers: the attacker hijacks the execution flow of a program that loads this DLL and bypasses the Safe DLL Search Order. The key points and proof-of-concept (POC) notes are summarized below:

You Should Know:

#### **1. Understanding DLL Hijacking & Safe Search Order Bypass**

DLL hijacking exploits the order in which Windows searches directories for a DLL that is requested by name, so that a planted DLL is loaded instead of the legitimate one. The Safe DLL Search Order (SafeDllSearchMode) is a Windows security setting that controls where, and in which order, Windows looks for such a DLL. Bypassing it lets an attacker have a malicious payload loaded persistently, each time the target application starts.

#### **2. Practical Steps for Persistence via profapi.dll**

Here is how attackers can abuse `profapi.dll`:

  1. Identify a vulnerable application that loads `profapi.dll` by name, without validating the path it is loaded from.
  2. Place a malicious DLL of the same name in a writable directory that has higher search precedence (e.g., `C:\Temp\`).
  3. Trigger the application (e.g., by starting it) so that it loads the malicious DLL instead of the legitimate one.

Example Malicious DLL (C++ Skeleton):

```cpp
#include <windows.h>
#include <cstdlib>   // system()

// DllMain runs when the DLL is mapped into a process. The skeleton launches
// calc.exe as a visible stand-in for a real payload.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        system("cmd.exe /c calc.exe"); // Replace with payload
    }
    return TRUE;
}
```

#### **3. Verifying DLL Search Order**

Use Process Monitor (ProcMon) to analyze DLL loading behavior:

1. Filter for **`profapi.dll`** in Process Monitor (e.g., `Path` ends with `profapi.dll`).
2. Observe the sequence of paths in which Windows attempts to open the DLL: the entries that return `NAME NOT FOUND` show the directories searched before the one that finally succeeds.

#### **4. Mitigation Techniques**

  • Enable Safe DLL Search Mode: the `REG_DWORD` value `SafeDllSearchMode` under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager` must be `1` (it is enabled by default on current Windows versions, so check that it has not been set to `0`).
  • Use absolute (fully qualified) paths for critical DLLs in applications, e.g., in `LoadLibrary`/`LoadLibraryEx` calls, so the search order is never consulted.
  • Restrict write permissions on directories like `C:\Temp\` and on any directory that is searched ahead of the system directories.
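The following script is an added example (not from the original post) that models the behaviour sections 3 and 4 describe: the standard Windows search order for a DLL requested by name, with `SafeDllSearchMode` on and off. It works on a constructed directory layout (the application directory, `C:\Windows\System32`, a writable `C:\Temp` as the current directory, and one PATH entry are assumptions, not read from a real system) and reports where `profapi.dll` resolves and which writable directories are searched before the legitimate copy. The point for defenders is visible in the output: with the setting on, the current directory moves behind the system directories, so a copy planted in `C:\Temp` no longer wins.

```python
"""Model of the Windows DLL search order with SafeDllSearchMode on/off.
Added example; the directory layout below is constructed, not real."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed environment (assumptions for the example).
APP_DIR = r"C:\Program Files\ExampleApp"   # directory of the loading .exe
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"             # 16-bit system directory
WINDOWS = r"C:\Windows"
CWD = r"C:\Temp"                            # process current directory
PATH_DIRS = (r"C:\Tools",)                  # entries of %PATH%
LEGIT_DIR = SYSTEM32                        # where the real profapi.dll lives


@dataclass
class Dir:
    files: set[str] = field(default_factory=set)
    writable: bool = False  # writable by a standard (non-admin) user?


def sample_layout(planted: bool) -> dict[str, Dir]:
    """Constructed layout: legitimate profapi.dll in System32; optionally a
    second copy planted in the writable C:\\Temp (the page's example path)."""
    layout = {
        APP_DIR: Dir({"exampleapp.exe"}),
        SYSTEM32: Dir({"profapi.dll", "kernel32.dll"}),
        SYSTEM16: Dir(),
        WINDOWS: Dir({"explorer.exe"}),
        CWD: Dir(set(), writable=True),
        PATH_DIRS[0]: Dir(set(), writable=True),
    }
    if planted:
        layout[CWD].files.add("profapi.dll")
    return layout


def search_order(safe_mode: bool) -> list[str]:
    """Standard search order for a bare DLL name. SafeDllSearchMode moves the
    current directory from second place to after the system directories."""
    if safe_mode:
        return [APP_DIR, SYSTEM32, SYSTEM16, WINDOWS, CWD, *PATH_DIRS]
    return [APP_DIR, CWD, SYSTEM32, SYSTEM16, WINDOWS, *PATH_DIRS]


def resolve(dll: str, order: list[str], layout: dict[str, Dir]) -> str | None:
    """First directory in the search order that contains the DLL."""
    for d in order:
        if dll.lower() in {f.lower() for f in layout[d].files}:
            return d
    return None


def writable_dirs_before(target: str, order: list[str], layout: dict[str, Dir]) -> list[str]:
    """Writable directories searched before `target`: a DLL dropped in any of
    them would shadow the legitimate copy."""
    found = []
    for d in order:
        if d == target:
            break
        if layout[d].writable:
            found.append(d)
    return found


def audit(dll: str = "profapi.dll", safe_mode: bool = True, planted: bool = False) -> dict:
    layout = sample_layout(planted)
    order = search_order(safe_mode)
    return {
        "resolved": resolve(dll, order, layout),
        "shadowable_by": writable_dirs_before(LEGIT_DIR, order, layout),
    }


if __name__ == "__main__":
    for safe in (False, True):
        for planted in (False, True):
            state = "on " if safe else "off"
            print(f"SafeDllSearchMode={state} planted={planted!s:5} -> {audit(safe_mode=safe, planted=planted)}")
```

The model deliberately ignores loader features that change the picture on a real system: DLLs listed under `KnownDLLs` are always taken from `System32`, a fully qualified path skips the search entirely, and `SetDllDirectory`, `AddDllDirectory` or the `LOAD_LIBRARY_SEARCH_*` flags of `LoadLibraryEx` alter the order for that process. Process Monitor (section 3) shows the real order for a given application; the script only explains what the registry setting changes.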

#### **5. Red Team Commands for Persistence**

  • PowerShell to identify processes that currently have `profapi.dll` loaded (run elevated to enumerate the modules of all processes):

    ```powershell
    Get-Process | Where-Object { $_.Modules.ModuleName -like "*profapi*" }
    ```

  • Linux equivalent (for cross-platform analysis):

    ```bash
    ldd /path/to/binary | grep profapi
    ```

#### **6. Blue Team Detection (SIEM/SOC Rules)**

  • Monitor for unusual DLL loads (Sysmon Event ID 7, Image loaded; image-load logging must be enabled in the Sysmon configuration).
  • Alert on processes loading system DLLs from non-standard paths (anything other than `C:\Windows\System32` or `C:\Windows\SysWOW64`), or loading unsigned copies of them.
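The detection logic below is an added example, not part of the original post or of any vendor rule set. It assumes Sysmon image-load logging (Event ID 7) is enabled and that events have already been parsed into field/value records; the four sample events, process names and paths are constructed. It flags a watched DLL (here `profapi.dll`) when it is loaded from outside the expected system directories or when Sysmon reports it as unsigned, which is exactly what a planted copy in `C:\Temp` looks like.

```python
"""Sysmon Event ID 7 rule for DLL loads from non-standard paths.
Added example; SAMPLE_EVENTS are constructed records, not real telemetry."""
from __future__ import annotations
from pathlib import PureWindowsPath

# Directories from which a Windows system DLL is expected to be loaded.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names to watch; the page's case plus room for others.
WATCHED_DLLS = {"profapi.dll"}

# Constructed Sysmon Event ID 7 records (subset of the real event fields).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\ExampleApp\exampleapp.exe",
     "ImageLoaded": r"C:\Windows\System32\profapi.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Program Files\ExampleApp\exampleapp.exe",
     "ImageLoaded": r"C:\Temp\profapi.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},  # not an image load
]


def classify(event: dict) -> list[str]:
    """Return the reasons this event should alert; an empty list means benign."""
    if event.get("EventID") != 7:
        return []
    loaded = PureWindowsPath(event["ImageLoaded"])
    name = loaded.name.lower()
    parent = str(loaded.parent).lower()
    reasons = []
    if name in WATCHED_DLLS and parent not in EXPECTED_DIRS:
        reasons.append(f"{name} loaded from non-standard path {loaded.parent}")
    if name in WATCHED_DLLS and event.get("Signed", "").lower() != "true":
        reasons.append(f"{name} is not signed (SignatureStatus={event.get('SignatureStatus')})")
    return reasons


def run_detection(events: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Apply classify() to every event and collect (process, dll path, reasons)."""
    alerts = []
    for event in events:
        reasons = classify(event)
        if reasons:
            alerts.append((event["Image"], event["ImageLoaded"], reasons))
    return alerts


if __name__ == "__main__":
    for process, dll, reasons in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {process} loaded {dll}")
        for reason in reasons:
            print(f"   - {reason}")
```

In a SIEM the same two conditions translate to a rule on `ImageLoaded` (directory not in the allow-list) and `Signed`/`SignatureStatus`; tune the allow-list for legitimate side-by-side locations such as `C:\Windows\WinSxS` before enabling it broadly, because image-load events are high-volume.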

### **What Undercode Say**

DLL hijacking remains a potent persistence technique, especially when the Safe DLL Search Order is bypassed. Defenders must enforce strict DLL integrity checks and path validation, while attackers keep refining evasion tactics. Understanding both sides is crucial for robust security.

**Expected Output:**

  • Successful execution of a malicious payload via `profapi.dll` hijacking.
  • Detection alerts triggered by abnormal DLL load events.

References:

Reported By: Hassan Sohrabian – Hackers Feeds