Side-Loading is everywhere you look...

As I want to blog more this year, I’ll start a mini-series of blog posts detailing various signed executables that can be used for side-loading arbitrary code. Some of them I used in engagements, some I discovered and saved for later.

But let me start by quoting the excellent MITRE ATT&CK matrix regarding this technique (ID: T1073):

DLL Side-Loading

Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL.

Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.

Well-known examples are mcoemcpy.exe and RasTlsc.exe, as used by the OceanLotus APT.

Before disclosing the first entry in this series, let me introduce a skeleton DLL that I’ll be using to demonstrate code execution. The DLL is written in PureBasic, as is most of my code for automatically detecting these side-loading issues.

; ***************************************************************************
; *                                                                         *
; * Author:      marpie ([email protected])                                *
; * License:     BSD 2-clause                                               *
; * Copyright:   (c) 2019, a12d404.net                                      *
; * Status:      Prototype                                                  *
; * Created:     20190101                                                   *
; * Last Update: 20190101                                                   *
; *                                                                         *
; ***************************************************************************
EnableExplicit

; ---------------------------------------------------------------------------
;- Prototypes
Macro LoopForever()
  Sleep_(-1)
EndMacro

; ---------------------------------------------------------------------------
;- Exports: goopdate.dll - GoogleUpdate.exe - 32bit

; Export that GoogleUpdate.exe calls after loading goopdate.dll.
ProcedureDLL.l DllEntry()
  OutputDebugString_("DllEntry()")
  ;LoopForever()   ; uncomment to block the calling thread indefinitely
EndProcedure

; ---------------------------------------------------------------------------

ProcedureDLL AttachProcess(Instance)
  OutputDebugString_("AttachProcess()")
EndProcedure

ProcedureDLL DetachProcess(Instance)
  OutputDebugString_("DetachProcess()")
EndProcedure

ProcedureDLL AttachThread(Instance)
  OutputDebugString_("AttachThread()")
EndProcedure

ProcedureDLL DetachThread(Instance)
  OutputDebugString_("DetachThread()")
EndProcedure

But now, let’s start off by abusing the Google Chrome Updater (GoogleUpdate.exe):

Google Update imports the DLL goopdate.dll and calls its exported function DllEntry.

Side-Loading our code in goopdate.dll
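As an added example (not code from the post), here is a small detection check a defender could run over Sysmon ImageLoad (Event ID 7) telemetry to spot the pattern described above: a signed host such as GoogleUpdate.exe loading goopdate.dll from a user-writable directory, unsigned, or signed by a different publisher. The host/DLL pair comes from the post; the expected publisher string, the trusted-root list and the sample events are constructed assumptions for this example.

```python
"""Flag likely DLL side-loading in Sysmon Event ID 7 (ImageLoad) records."""
import json
from pathlib import PureWindowsPath

# Pair taken from the post (GoogleUpdate.exe loads goopdate.dll); the signer is an assumption.
WATCHLIST = {("googleupdate.exe", "goopdate.dll"): "Google LLC"}

# Simplified stand-in for "directory not writable by standard users" (a real check reads ACLs).
TRUSTED_ROOTS = tuple(map(PureWindowsPath, (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")))


def under_trusted_root(path):
    """True if path sits below one of TRUSTED_ROOTS (Windows paths compare case-insensitively)."""
    return any(path.is_relative_to(root) for root in TRUSTED_ROOTS)


def check_event(event):
    """Return the reasons an ImageLoad event looks like side-loading (empty list if clean)."""
    if event.get("EventID") != 7:
        return []
    host, dll = PureWindowsPath(event["Image"]), PureWindowsPath(event["ImageLoaded"])
    key = (host.name.lower(), dll.name.lower())
    if key not in WATCHLIST:
        return []  # not a known side-loadable pair; out of scope for this check
    reasons = []
    if not under_trusted_root(host):  # signed updater copied to a writable directory
        reasons.append(f"{host.name} running from {host.parent}")
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append(f"{dll.name} has no valid Authenticode signature")
    elif event.get("Signature") != WATCHLIST[key]:
        reasons.append(f"{dll.name} signed by {event['Signature']!r}, not the expected publisher")
    if not under_trusted_root(dll):
        reasons.append(f"{dll.name} loaded from user-writable path {dll.parent}")
    return reasons


def scan(lines):
    """Parse one JSON event per line; return (ImageLoaded, reasons) for every hit."""
    return [(e["ImageLoaded"], r) for e in map(json.loads, lines) if (r := check_event(e))]


# Constructed sample telemetry (not real logs), reduced to the fields the check reads.
SAMPLE_LOG = [json.dumps(e) for e in (
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Google\Update\goopdate.dll",
     "Signed": "true", "Signature": "Google LLC", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\goopdate.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
)]
```

Running `scan(SAMPLE_LOG)` flags only the second event, with three reasons: the host runs from a temp directory, the DLL is unsigned, and the DLL is loaded from a user-writable path.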

Download: I do not provide the executables in question as they can easily be found on the Internet and I don’t want any eager companies to send me DMCA take-down letters ;-). Hybrid Analysis / reverse.it or VirusTotal are always happy to help with downloads for these files…

A description of all executables will be collected on Github: signed-loaders

About this site // disclaimer

This is my personal blog. The views expressed on these pages are mine alone and not those of my employer or former employers. As with time views may change and become outdated and even invalid and therefore may not represent my current views. All information is provided as-is. If not otherwise stated the content is provided under the 2-clause BSD License.

Follow me on Twitter @markus_pieton