Side-Loading is everywhere you look...

As I wanted to blog more this year, I’ll start a mini-series of blog posts detailing various signed executables that can be used for side-loading arbitrary code. Some of them I used in engagements, some I discovered and saved for later.

But let me start by quoting the excellent MITRE ATT&CK matrix regarding this technique (ID: T1073):

DLL Side-Loading Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL.

Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.

Well-known examples are mcoemcpy.exe or RasTlsc.exe used by the OceanLotus APT:

Before disclosing the first entry in this series, let me introduce a skeleton DLL that I’ll be using for demonstrating the code execution. The DLL is written in PureBasic, as most of my code for automatically detecting these side-loading issues is written in PureBasic.

; ***************************************************************************
; *                                                                         *
; * Author:      marpie ([email protected].net)                                *
; * License:     BSD 2-clause                                               *
; * Copyright:   (c) 2019, a12d404.net                                      *
; * Status:      Prototype                                                  *
; * Created:     20190101                                                   *
; * Last Update: 20190101                                                   *
; *                                                                         *
; ***************************************************************************
EnableExplicit

; ---------------------------------------------------------------------------
;- Prototypes
; Blocks the calling thread indefinitely (infinite Sleep); useful to keep the
; host process alive while verifying in a debugger that the DLL was loaded.
Macro LoopForever()
  Sleep_(-1)
EndMacro

; ---------------------------------------------------------------------------
;- Exports: goopdate.dll - GoogleUpdate.exe - 32bit

; The export GoogleUpdate.exe resolves and calls. The debug string is visible in a
; debugger or debug-output viewer and confirms our code ran inside the host.
ProcedureDLL.l DllEntry()
  OutputDebugString_("DllEntry()")
  ;LoopForever()
EndProcedure

; ---------------------------------------------------------------------------
; PureBasic's reserved DLL procedures, invoked from DllMain on process/thread
; attach and detach. They only log, so the host keeps running unmodified.

ProcedureDLL AttachProcess(Instance)
  OutputDebugString_("AttachProcess()")
EndProcedure

ProcedureDLL DetachProcess(Instance)
  OutputDebugString_("DetachProcess()")
EndProcedure

ProcedureDLL AttachThread(Instance)
  OutputDebugString_("AttachThread()")
EndProcedure

ProcedureDLL DetachThread(Instance)
  OutputDebugString_("DetachThread()")
EndProcedure

But now, let’s start off by abusing the Google Chrome Updater (GoogleUpdate.exe):

Google Update imports the DLL goopdate.dll and calls the function DllEntry.

Side-Loading our code in goopdate.dll
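The detection-side counterpart of the above, as an added example that is not part of the original post: a small Python rule over constructed Sysmon Event ID 7 (image load) records that flags GoogleUpdate.exe loading a goopdate.dll which is unsigned or not signed by the expected publisher. The flattened key=value log format and the expected signer string "Google" are assumptions.

```python
import re

# Host image basename -> (side-loaded DLL basename, expected signer substring).
# The GoogleUpdate.exe/goopdate.dll pair is from the post; the signer is assumed.
SIDELOAD_PAIRS = {
    "googleupdate.exe": ("goopdate.dll", "google"),
}

# Constructed Sysmon Event ID 7 records, flattened to "key=value" text.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe "
    "ImageLoaded=C:\\Program Files (x86)\\Google\\Update\\goopdate.dll "
    "Signed=true Signature=Google LLC SignatureStatus=Valid",
    "EventID=7 Image=C:\\Users\\Public\\GoogleUpdate.exe "
    "ImageLoaded=C:\\Users\\Public\\goopdate.dll "
    "Signed=false Signature=- SignatureStatus=Unavailable",
    "EventID=7 Image=C:\\Temp\\GoogleUpdate.exe "
    "ImageLoaded=C:\\Temp\\goopdate.dll "
    "Signed=true Signature=Some Other Corp SignatureStatus=Valid",
    "EventID=1 Image=C:\\Windows\\notepad.exe CommandLine=notepad.exe",
]

def parse_event(line):
    """Split 'k=v k=v' text into a dict; values may contain spaces."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(line):
    """Return a finding string, or None if the event is benign under this rule."""
    ev = parse_event(line)
    if ev.get("EventID") != "7":
        return None
    host = basename(ev.get("Image", ""))
    if host not in SIDELOAD_PAIRS:
        return None
    dll, signer = SIDELOAD_PAIRS[host]
    if basename(ev.get("ImageLoaded", "")) != dll:
        return None
    # A side-loaded replacement is typically unsigned or signed by someone else.
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        return f"{host} loaded unsigned {dll} from {ev['ImageLoaded']}"
    if signer not in ev.get("Signature", "").lower():
        return f"{host} loaded {dll} signed by unexpected '{ev['Signature']}'"
    return None

def scan(lines):
    return [f for f in map(check_event, lines) if f]
```

Running scan(SAMPLE_EVENTS) yields two findings: the unsigned copy and the copy signed by an unexpected publisher; the legitimate load and the non-load event are ignored.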

Download: I do not provide the executables in question as they can easily be found on the Internet and I don’t want any eager companies to send me DMCA take-down letters ;-). Hybrid Analysis / reverse.it or VirusTotal are always happy to help with downloads for these files…

A description of all executables will be collected on Github: signed-loaders
