
Weaponizing Dynamic Link Libraries (DLL)

Athis SN
March 15, 2026

Slides for the topic that I presented at the OWASP Trichy Chapter.

Agenda:

Introduction to DLLs
DLL Internals
Phantom DLL Hijacking
DLL SideLoading & Proxying
DLL Injection
Reflective DLL Injection


Transcript

  1. # Whoami

    Athis SN aka apt0xp3nda19, Head @ DEF CON Chennai DCG9144. Areas of Interest & Expertise: Red Team, MalDev, Exp Dev, Reverse Eng & Malware Analysis. Certs: CRTP, CRTA, MCRTA ...
  2. # Agenda

    Introduction to DLLs; DLL Internals; Phantom DLL Hijacking; DLL SideLoading & Proxying; DLL Injection; Reflective DLL Injection
  3. # DLLs 101

    A Dynamic Link Library (DLL) is a Portable Executable (PE) module that functions as a repository for reusable code, data, and resources. Unlike standard applications, a DLL cannot execute independently and must be loaded into the address space of a host process to function. Once loaded, it operates entirely within the security context of that specific process.
  4. # Internal Structure of a DLL

    A DLL follows the Portable Executable (PE) file format. It contains a DOS Header, NT Headers, an Optional Header, and Section Headers. The IMAGE_FILE_DLL flag identifies the file as a DLL. Important sections include .text, .data, .rdata, .idata, .edata, and .reloc. Data Directories define import tables, export tables, relocations, and TLS.
  5. # Export & Import Mechanisms

    The Export Table defines functions exposed to other modules. Functions may be exported by name or ordinal. The Import Table defines dependencies on external DLLs. The Import Address Table (IAT) is populated by the Windows loader.
  6. # Phantom DLL Hijacking

    Phantom DLL Hijacking targets applications that attempt to load DLLs that are missing or optional on the system. When the application searches for a non-existent dependency, Windows still follows its normal DLL search process. This missing dependency creates an opportunity for attackers to introduce a malicious DLL with the expected name. Since no legitimate file needs to be replaced, the attacker supplies the absent DLL, causing their code to be executed when the application loads it.
  7. # Phantom DLL Hijacking Prevention

    Remove unnecessary or outdated DLL references from applications. Use fully qualified paths when loading optional dependencies. Monitor application logs for repeated failed DLL load attempts. Restrict write permissions in application directories to prevent malicious DLL placement.
  8. # DLL Side-Loading

    DLL Side-Loading abuses legitimate, digitally signed executables by placing a malicious DLL in the same directory as the trusted binary. Because Windows prioritizes the application’s local directory during the DLL search process, the malicious DLL is loaded instead of the intended one. As a result, the signed executable unknowingly runs attacker-controlled code while appearing legitimate and trusted.
  9. # DLL Proxying

    DLL Proxying is a technique where a malicious DLL is crafted to mimic the legitimate DLL’s exported functions. It forwards legitimate function calls to the real DLL, ensuring the application continues to work normally. Malicious code is executed before or after forwarding the calls, allowing stealthy execution while preserving functionality. This method is commonly observed in advanced persistent threat (APT) operations due to its ability to blend in with trusted processes.
  10. # DLL Side-Loading & Proxying Prevention

    Validate and enforce DLL digital signatures before loading. Use secure DLL loading mechanisms (e.g., LoadLibraryEx with safe flags). Implement application whitelisting (e.g., AppLocker or WDAC). Monitor signed binaries loading DLLs from non-standard directories.
  11. # DLL Injection

    DLL Injection forces a running process to load a malicious DLL, allowing code execution inside another process’s memory space. The injected DLL runs with the same privileges as the target process, making it powerful for privilege abuse or stealth. This technique is widely used in malware, red team operations, debugging tools, and API hooking scenarios.
  12. # Injection Mechanism

    The attacker first obtains a handle to the target process, then allocates memory within it. The DLL path is written into the remote process using WriteProcessMemory, after which a remote thread is created via CreateRemoteThread. This thread executes LoadLibrary, causing the target process to load the malicious DLL.
  13. # DLL Injection

    Enable process protection mechanisms (e.g., Protected Process Light where applicable). Restrict unnecessary process handle permissions (PROCESS_ALL_ACCESS). Monitor suspicious API usage such as WriteProcessMemory and CreateRemoteThread. Deploy EDR solutions to detect cross-process memory manipulation.
  14. # Reflective DLL Injection

    Reflective DLL Injection loads a DLL directly into a target process’s memory without relying on the standard Windows loader. The DLL carries its own custom reflective loader, which allows it to initialize and execute independently after being injected into memory.
  15. # Internal Workings

    In this technique, the raw DLL bytes are written straight into the target process’s memory space. The embedded reflective loader then manually allocates memory, maps the DLL sections, resolves imports, and applies relocations before transferring execution to the DLL’s entry point, all without calling the normal loading mechanisms.
  16. # Why Reflective?

    Because the DLL never touches disk, it avoids standard loader tracking and significantly reduces forensic artifacts. This makes it popular in advanced post-exploitation toolkits, as it is harder to detect through traditional file-based monitoring solutions.
  17. # Reflective DLL Injection Prevention

    Monitor abnormal memory allocations and executable memory regions. Detect manual mapping behavior and in-memory module anomalies. Use behavioral detection instead of relying only on file-based monitoring. Enable advanced EDR/Defender memory scanning capabilities.
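The PE structure from slides 3 to 5 (DOS header, NT headers, IMAGE_FILE_DLL, section headers, export data directory) in a small header walker; this is an added example, not code from the deck, and the sample image it parses is a constructed header-only layout, not a loadable module.

```python
import struct

IMAGE_FILE_DLL = 0x2000            # IMAGE_FILE_HEADER.Characteristics bit that marks a DLL
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B

def parse_pe_headers(data: bytes) -> dict:
    """Walk DOS header -> NT headers -> section headers and report the DLL-relevant facts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]         # file offset of the NT headers
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                           # IMAGE_FILE_HEADER (20 bytes)
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                               # IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", data, opt)[0] == IMAGE_NT_OPTIONAL_HDR64_MAGIC
    # Data directory 0 is the export table; the directories start at offset 112 (PE32+) or 96 (PE32)
    export_rva, export_size = struct.unpack_from("<II", data, opt + (112 if pe32plus else 96))
    sections = []
    for i in range(nsec):                                       # IMAGE_SECTION_HEADER is 40 bytes each
        off = opt + opt_size + 40 * i
        sections.append(data[off:off + 8].rstrip(b"\0").decode("ascii"))
    return {"is_dll": bool(chars & IMAGE_FILE_DLL), "machine": machine, "pe32plus": pe32plus,
            "export_rva": export_rva, "has_exports": export_size > 0, "sections": sections}

def build_sample_image(is_dll: bool) -> bytes:
    """Constructed header-only PE32+ layout (not loadable): x64, three sections, one export directory."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    chars = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)         # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE [| DLL]
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, chars)
    opt = bytearray(240)                                        # PE32+ optional header size
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<II", opt, 112, 0x3000, 0x40)             # export directory RVA / size
    secs = b"".join(struct.pack("<8sIIIIIIHHI", name, 0x1000, va, 0x200, 0x400, 0, 0, 0, 0, flags)
                    for name, va, flags in ((b".text", 0x1000, 0x60000020),
                                            (b".rdata", 0x2000, 0x40000040),
                                            (b".edata", 0x3000, 0x40000040)))
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + secs

if __name__ == "__main__":
    print(parse_pe_headers(build_sample_image(is_dll=True)))
```

On a real file, read the bytes from disk and pass them to parse_pe_headers; the same walk is what a signature-validation or allow-listing step performs before trusting a module.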
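The monitoring rules from slides 7 and 10 (repeated failed DLL loads; signed binaries loading DLLs from non-standard directories) as detection logic over Sysmon ImageLoad records and Procmon-style lines. This is an added example, not from the deck; the trusted-directory baseline, the user-writable markers, the System32 DLL watch-list and all sample telemetry are constructed assumptions.

```python
import ntpath
from collections import Counter

# Baseline of Windows-owned DLL locations; an environment assumption, extend as needed
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# User-writable locations that should never be the source of a DLL for a signed application (assumed list)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Constructed watch-list: DLL names that live in System32 and are typical side-loading targets
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll", "wininet.dll", "cryptbase.dll"}

def sideload_alerts(events):
    """Flag Sysmon Event ID 7 (ImageLoad) records matching the prevention slide's rule:
    a DLL whose name belongs in System32 resolved from elsewhere (side-loading / proxying),
    or an unsigned DLL mapped from a user-writable path."""
    alerts = []
    for ev in events:
        loaded = ev["ImageLoaded"].lower()
        name = ntpath.basename(loaded)
        unsigned = ev.get("SignatureStatus", "").lower() != "valid"
        if name in SYSTEM_DLL_NAMES and not loaded.startswith(TRUSTED_DIRS):
            alerts.append((ev["Image"], loaded, "system DLL name resolved outside trusted directories"))
        elif unsigned and any(marker in loaded for marker in USER_WRITABLE):
            alerts.append((ev["Image"], loaded, "unsigned DLL loaded from user-writable path"))
    return alerts

def repeated_missing_dlls(lines, threshold=3):
    """Count Procmon-style CreateFile 'NAME NOT FOUND' results on .dll paths per process.
    Repeated misses for the same name are the phantom-DLL signal the slides say to monitor."""
    misses = Counter()
    for line in lines:
        proc, op, path, result = (field.strip() for field in line.split(","))
        if op == "CreateFile" and result == "NAME NOT FOUND" and path.lower().endswith(".dll"):
            misses[(proc, path.lower())] += 1
    return {key: count for key, count in misses.items() if count >= threshold}

# Constructed sample telemetry (not real logs)
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "SignatureStatus": "Valid"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\version.dll", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll", "SignatureStatus": "Unavailable"},
]
SAMPLE_PROCMON = [  # process, operation, path, result
    "app.exe, CreateFile, C:\\Program Files\\Vendor\\plugin.dll, NAME NOT FOUND",
    "app.exe, CreateFile, C:\\Program Files\\Vendor\\plugin.dll, NAME NOT FOUND",
    "app.exe, CreateFile, C:\\Program Files\\Vendor\\plugin.dll, NAME NOT FOUND",
    "app.exe, CreateFile, C:\\Program Files\\Vendor\\config.ini, NAME NOT FOUND",
    "other.exe, CreateFile, C:\\Windows\\System32\\version.dll, SUCCESS",
]

if __name__ == "__main__":
    print(sideload_alerts(SAMPLE_EVENTS))
    print(repeated_missing_dlls(SAMPLE_PROCMON))
```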
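The detection points from slides 13 and 17 (suspicious CreateRemoteThread use, over-broad process handle rights such as PROCESS_ALL_ACCESS, and in-memory module anomalies left by a reflective loader) as rules over Sysmon CreateRemoteThread and ProcessAccess records. This is an added example, not from the deck; the sample events are constructed, and treating an empty StartModule as "start address not backed by a loaded module" is the stated assumption.

```python
# Win32 process access rights the WriteProcessMemory / CreateRemoteThread chain needs
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
LOADER_ENTRYPOINTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}

def remote_thread_alerts(events):
    """Classify Sysmon Event ID 8 (CreateRemoteThread) records.
    A thread started at LoadLibrary* is the classic injection chain from the slides; a thread
    whose start address maps to no loaded module (assumed: empty StartModule) is the in-memory
    anomaly a reflective loader produces."""
    alerts = []
    for ev in events:
        src, tgt = ev["SourceImage"], ev["TargetImage"]
        if src.lower() == tgt.lower():
            continue                        # same image on both sides: not cross-process
        if ev.get("StartFunction", "").lower() in LOADER_ENTRYPOINTS:
            alerts.append((src, tgt, "remote thread starts at LoadLibrary: DLL injection"))
        elif not ev.get("StartModule"):
            alerts.append((src, tgt, "remote thread starts in unbacked memory: possible reflective loader"))
    return alerts

def process_access_alerts(events):
    """Flag Sysmon Event ID 10 (ProcessAccess) records whose GrantedAccess carries every right
    needed to write memory and start a thread in another process (PROCESS_ALL_ACCESS does)."""
    alerts = []
    for ev in events:
        granted = int(ev["GrantedAccess"], 16)
        cross_process = ev["SourceImage"].lower() != ev["TargetImage"].lower()
        if cross_process and (granted & INJECTION_RIGHTS) == INJECTION_RIGHTS:
            alerts.append((ev["SourceImage"], ev["TargetImage"], hex(granted)))
    return alerts

# Constructed sample telemetry (not real logs)
SAMPLE_THREADS = [
    {"SourceImage": "C:\\Users\\bob\\tool.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe",
     "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"SourceImage": "C:\\Users\\bob\\tool.exe", "TargetImage": "C:\\Windows\\explorer.exe",
     "StartModule": "", "StartFunction": ""},
    {"SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "StartModule": "C:\\Windows\\System32\\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]
SAMPLE_ACCESS = [
    {"SourceImage": "C:\\Users\\bob\\tool.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": "C:\\Windows\\System32\\taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    print(remote_thread_alerts(SAMPLE_THREADS))
    print(process_access_alerts(SAMPLE_ACCESS))
```

Legitimate debuggers and some security tools also open handles with these rights, so an allow-list of known source images belongs in front of these rules in production.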