One Day Sec

What is the root cause of DLL hijacking vulnerabilities and how does SafeDllSearchMode affect exploitation?

DLL hijacking vulnerabilities occur when a program loads a DLL without specifying its full path, which lets an attacker place a malicious DLL with the same name in the application's directory. SafeDllSearchMode, enabled by default since Windows XP SP2, changes the search order: with it enabled, the application directory is searched first, then the system directories, followed by the current directory (see "Automated DLL Hijacking Vulnerability Identification Tool Rattler Testing"). Disabling SafeDllSearchMode moves the current directory to second priority, which makes hijacking easier. Even with it enabled, uncommon DLLs that are not in the KnownDLLs list are still vulnerable, because the application directory is searched first.
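The search order described above can be modelled to audit which imports are decided by a directory that non-admin users can write to. This is an added example, not part of the original answer; the paths, DLL sets and `writable` sets are constructed sample data, and the model assumes the standard search order with no manifests, redirection or `SetDefaultDllDirectories`.

```python
# Added example: simplified model of the standard DLL search order for a bare
# DLL name. Assumption: ignores manifests, redirection and SetDefaultDllDirectories.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

def search_order(app_dir, cwd, path_dirs, safe_mode=True):
    """Directories in the order the loader probes them."""
    if safe_mode:   # current directory drops behind the system directories
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]

def resolve(dll, fs, known_dlls, order):
    """Directory that satisfies the load, or None if no directory has the file."""
    name = dll.lower()
    if name in known_dlls:          # KnownDLLs are mapped from the system directory
        return SYSTEM_DIRS[0]
    return next((d for d in order if name in fs.get(d, ())), None)

def audit(imports, fs, known_dlls, order, writable):
    """Return (dll, resolved_dir, exposed_dirs) for each import whose load passes
    through a directory that non-admin users can write to."""
    findings = []
    for dll in imports:
        if dll.lower() in known_dlls:
            continue
        hit = resolve(dll, fs, known_dlls, order)
        # Every directory up to and including the hit is probed; all if no hit.
        probed = order[: order.index(hit) + 1] if hit else order
        exposed = [d for d in probed if d in writable]
        if exposed:
            findings.append((dll, hit, exposed))
    return findings

# Constructed sample data (hypothetical application and paths).
APP, CWD = r"C:\Apps\Demo", r"C:\Users\alice\Downloads"
FS = {SYSTEM_DIRS[0]: {"kernel32.dll", "version.dll"}, APP: {"helper.dll"}}
KNOWN = {"kernel32.dll"}
IMPORTS = ["kernel32.dll", "version.dll", "helper.dll", "missing.dll"]

if __name__ == "__main__":
    for safe in (True, False):
        order = search_order(APP, CWD, [], safe_mode=safe)
        for writable in ({CWD}, {APP}):
            print(f"safe_mode={safe} writable={sorted(writable)}")
            for finding in audit(IMPORTS, FS, KNOWN, order, writable):
                print("  ", finding)
```

With the safe mode on and only the current directory writable, the sole finding is the DLL that exists nowhere; a writable application directory exposes every non-KnownDLLs import regardless of the setting.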
Tags: DLL hijacking, SafeDllSearchMode, KnownDLLs, DLL preloading, search order
