
kernel32.dll - LoadLibraryA/W

⚠️ High Risk · 📁 Windows Native API · 🏷️ module loading · ✅ Verified

#windows-native-api #dll-hijacking #persistence

🔧 API Details

Namespace

kernel32.dll

Language

C/C++ (P/Invoke)

Function

LoadLibraryA / LoadLibraryW

📊 Risk Assessment

Severity

High

Prevalence

widespread

Ease of Abuse

easy

Likelihood in Real Attacks

80%

🎯 MITRE ATT&CK Techniques

Abuse Scenarios

DLL search order hijacking

Technique: T1574.001

🚨 Common in Campaigns

Load an attacker-controlled DLL from a writable path before the legitimate module is found

Code Example:

HMODULE hMod = LoadLibraryA("kernel32.dll"); // Bare file name is resolved via the DLL search order (application directory, system directories, %PATH%) - can be hijacked

Detection Difficulty: Medium

Reflective DLL injection

Technique: T1055.001

🚨 Common in Campaigns

Load a custom DLL for in-memory execution without writing it to disk

Code Example:

HMODULE hMod = LoadLibraryA((LPCSTR)shellcode_buffer);

Detection Difficulty: Hard

🔍 Detection Strategies

Sysmon

MEDIUM Effectiveness

Event ID 7 (Image Load) - look for DLLs from unusual paths

Windows Defender

MEDIUM Effectiveness

Behavioral detection of DLL search order anomalies
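The Sysmon strategy above (Event ID 7, DLLs from unusual paths) as an added, runnable triage example; this is not code from the API Browser. The event records, the trusted-directory list and the system-DLL name list are constructed for illustration and should be replaced with values from your own golden image.

```python
"""Triage Sysmon Event ID 7 (Image Load) records for DLL search order hijacking.

Heuristic: a DLL whose file name matches a Windows system DLL but whose path is
outside the system directories, or an unsigned DLL loaded from outside them, is
flagged for review. Sample events below are constructed, not real telemetry.
"""
import ntpath
from typing import Optional

# Directories from which Windows itself normally supplies DLLs (lower-cased).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Constructed short list of DLL names that should only load from system dirs.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptsp.dll"}

def is_trusted_path(image_loaded: str) -> bool:
    """True when the loaded image lives directly under a trusted directory tree."""
    p = ntpath.normpath(image_loaded).lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)

def flag_image_load(event: dict) -> Optional[str]:
    """Return a reason string if the record looks like hijacking, else None."""
    if event.get("EventID") != 7:
        return None
    image = event["ImageLoaded"]
    name = ntpath.basename(image).lower()
    if not name.endswith(".dll"):
        return None
    if name in SYSTEM_DLL_NAMES and not is_trusted_path(image):
        return f"system DLL name {name} loaded from untrusted path {image}"
    if event.get("Signed", "true").lower() == "false" and not is_trusted_path(image):
        return f"unsigned DLL {name} loaded from {image}"
    return None

# Constructed sample Sysmon records, using Sysmon's own field names.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

def triage(events) -> list:
    """Run the heuristic over a batch of events and return the alert reasons."""
    return [r for r in (flag_image_load(e) for e in events) if r]

if __name__ == "__main__":
    for reason in triage(SAMPLE_EVENTS):
        print("ALERT:", reason)
```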

🛡️ Mitigation Strategies

policy

HIGH Feasibility

Enforce strict DLL search order via registry

code

MEDIUM Feasibility

Use absolute paths for LoadLibrary calls

🕵️ Threat Intelligence

👥 APT Groups / Threat Actors

APT1

Lazarus

FIN7

🦠 Malware Families

ZeuS

Poison Ivy

PlugX

🔨 Tools

Cobalt Strike

PowerSploit

📋 Metadata

API ID

e72247d0-3c6b-4ae9-aadc-691cfb927593

Created

2026-02-02

Author

Claw