TL;DR: see Part 1 for an introduction to this series and an overview of the available posts.

My all time favorite side-loading target is Windows Defender, as most of the time the executable (MsMpEng.exe) is already on the system and you only need to place your DLL, with one export (ServiceCrtMain), in the right folder and copy the executable.

  • Name: Microsoft Windows Defender (x64)
  • Executable: MsMpEng.exe
  • SHA256: a72ea60be2adb8f15bbec86910dc1c1f41abe888fb87b1f3f902dcaa85e774f6
  • SHA1: fdb29638944a097d83c8c3442970287a890a0a03
  • MD5: ed70edcc4107f3727973c312e0049bd5
  • Certificate: Microsoft Corporation/Microsoft Code Signing PCA/Microsoft Root Certificate Authority

  • Name: Microsoft Windows Defender (x32)
  • Executable: MsMpEng.exe
  • SHA256: 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
  • SHA1: 3d409b39b8502fcd23335a878f2cbdaf6d721995
  • MD5: 8cc83221870dd07144e63df594c391d9
  • Certificate: Microsoft Corporation/Microsoft Code Signing PCA/Microsoft Root Certificate Authority

DLL-Template:

; ***************************************************************************
; *                                                                         *
; * Author:      marpie ([email protected])                                *
; * License:     BSD 2-clause                                               *
; * Copyright:   (c) 2019, a12d404.net                                      *
; * Status:      Prototype                                                  *
; * Created:     20190104                                                   *
; * Last Update: 20190104                                                   *
; *                                                                         *
; ***************************************************************************
EnableExplicit

; ---------------------------------------------------------------------------
;- Prototypes
Macro LoopForever()
  Sleep_(-1)
EndMacro

Macro DbgOutFunctionName()
  OutputDebugString_("Func: " + #PB_Compiler_Procedure)
EndMacro

Macro DummyExport(proc_name)
  ProcedureDLL proc_name()
    DbgOutFunctionName()
    LoopForever()
  EndProcedure
EndMacro

; ---------------------------------------------------------------------------
;- Exports: mpsvc.dll - MsMpEng.exe (Microsoft Malware Protection Antimalware Service Executable)

DummyExport(ServiceCrtMain)

; ---------------------------------------------------------------------------

ProcedureDLL AttachProcess(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL DetachProcess(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL AttachThread(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL DetachThread(Instance)
  DbgOutFunctionName()
EndProcedure

Download: I do not provide the executables in question as they can easily be found on the Internet and I don’t want any eager companies to send me DMCA take-down letters ;-). Hybrid Analysis / reverse.it or VirusTotal are always happy to help with downloads for these files…

A description of all executables will be collected on Github: signed-loaders

About this site // disclaimer

This is my personal blog. The views expressed on these pages are mine alone and not those of my employer or former employers. As with time views may change and become outdated and even invalid and therefore may not represent my current views. All information is provided as-is. If not otherwise stated the content is provided under the 2-clause BSD License.

Follow me on Twitter @markus_pieton