DLL Hijacking – A New Spin on Proxying your Shellcode
ID: d15fdb43-193b-5197-ba4a-fdab437c0f1f
STIX ID: report--d15fdb43-193b-5197-ba4a-fdab437c0f1f
Feed Name: Black Hills Infosec Blog
This transcript describes research and a demonstration of DLL hijacking, together with a refined "DLL proxying" technique that lets an attacker insert a proxy DLL (forwarding its exports to the original) so malicious code loads without breaking the host application's functionality. The presenters show discovery methods (ProcMon filters) and two delivery/weaponization paths: file-folder proxying, and HKCU registry-based object redirection, which allows low-privilege users to redirect system DLL lookups. They also cover an MSIX-based phishing dropper (signed with an EV certificate) used in a CPT campaign, and a tool called Face Dancer that generates hijackable DLLs and automates payload deployment. Throughout, they emphasize detection over prevention and provide defensive guidance.
