▄████████ ███▄▄▄▄      ▄████████  ▄█       ▄██   ▄      ▄████████  ▄█     ▄████████      ████████▄   ▄█        ▄█       
  ███    ███ ███▀▀▀██▄   ███    ███ ███       ███   ██▄   ███    ███ ███    ███    ███      ███   ▀███ ███       ███       
  ███    ███ ███   ███   ███    ███ ███       ███▄▄▄███   ███    █▀  ███▌   ███    █▀       ███    ███ ███       ███       
  ███    ███ ███   ███   ███    ███ ███       ▀▀▀▀▀▀███   ███        ███▌   ███             ███    ███ ███       ███       
▀███████████ ███   ███ ▀███████████ ███       ▄██   ███ ▀███████████ ███▌ ▀███████████      ███    ███ ███       ███       
  ███    ███ ███   ███   ███    ███ ███       ███   ███          ███ ███           ███      ███    ███ ███       ███       
  ███    ███ ███   ███   ███    ███ ███▌    ▄ ███   ███    ▄█    ███ ███     ▄█    ███      ███   ▄███ ███▌    ▄ ███▌    ▄ 
  ███    █▀   ▀█   █▀    ███    █▀  █████▄▄██  ▀█████▀   ▄████████▀  █▀    ▄████████▀       ████████▀  █████▄▄██ █████▄▄██ 
                                    ▀                                                                  ▀         ▀        
Using DLL hijacking to aid in malware analysis.

=====|=================== Home ===================|=====
Research - Nerd section.
Primers on DLLs - Basic information needed to understand DLLs.
Types of DLL Hijacking - According to the MITRE ATT&CK framework.
References - Credits where credits are due.
=====|============================================|=====
DLL Research - Nerd section.
DLL hijacking is a vulnerability in Windows DLL load order in which a malware loads its own malicious DLL that will be run before a legitimate one does; this way, it can handle any calls made and execute the contained code with the same privileges as the running application.

With that in mind, the idea was to use this same technique and turn it around; is it possible to trick malware into calling DLLs that were specifically modified to handle malicious events? Understanding this could help in malware analysis by automating and deciding how to handle malicious activity executed through DLLs.
The objective for this type of DLL hijacking substantially changes; rather than achieving privileged execution, the DLL was going to modify any returns to calls made by the malware without directly interacting with the malicious process.

Primers on DLLs - Basic information needed to understand DLLs.
The first thing we need to know is that when software is compiled, it is either:
Statically linked in which library code is directly embedded into the executable at compile time (self contained programs).
Dynamically linked in which libraries are loaded at runtime and are expected to already be present on the system.
Now it might be a good idea to brush up on what and how DLLs work; a dynamic link library (DLL) is a file that contains code and data that can be used by other programs. Dynamic link libraries are only used, unexpectedly, in dynamically linked software. It works in the same way a code library works during development but the advantage is that these dynamic libraries reside on systems and generally don't need to be shipped with every piece of software. There is obviously the case of proprietary DLLs but those are usually sent as parts of software suites that will share code between each component.

Types of DLL Hijacking - According to the MITRE ATT&CK framework.
Next on the chores list, we need to do some research on DLL hijacking overall: this brings us to the good old MITRE ATT&CK T1574.001 which gives an initial idea of a series of techniques:
DLL Sideloading
Consists of hijacking which DLL a program loads by planting it and then invoking a legitimate application that executes the malicious DLL payload. This is usually taken advantage of when the malicious DLL needs to mask its actions behind a victim application which is legitimate and trusted.
    
DLL Search Order Hijacking
The default search order that Windows uses to load DLLs is hijacked, allowing a malicious DLL to be prioritized over a legitimate library. Windows entirely makes the decision in this case.
    
DLL Redirection
Modifies the search order via DLL redirection which has to be enabled in the Registry or via the creation of a redirection file, causing a program to load a DLL from a different location.
    
Phantom DLL Hijacking
Targets references to non-existent DLL files and loads a malicious library with the correct name in the location of the missing module.
    
DLL Substitution
Directly substitutes the legitimate DLLs with malicious ones.
In general, DLL hijacking will cause programs to still behave normally because, after executing their payload, they can redirect the call to the benign library to evade detection. This is a note that's being saved here since I'm thinking about having some calls modify the actual behavior whereas only want logging capabilities for others.
Of these techniques, DLL search order hijacking, DLL redirection and DLL substitution seem like the best directions for what we're trying to do here. Admittedly, DLL substitution is surely the easiest and most straight forward and shouldn't cause any major problems since this project is aimed for analysis VMs but we'll still play around with each technique a bit for fun.

2/3 of the techniques are impacted by DLL search order so that was obviously the next topic.
=====|==================== Top ===================|=====
References - Credits where credits are due.
itm4n - Aside from generic/standard reference websites, a good deal of help was from itm4n's blog that explains DLL hijacking theory and was nice to read up on.
Official Microsoft Documentation:
What is a DLL - Microsoft Learn
Windows Internals Part 1 and 2 is a pretty recognized Windows reference which is nice to have for anything Windows related. More info on Microsoft Learn.