DLL Sideloading
Introduction
What is DLL sideloading and how does it get abused? In simple terms, it’s a technique that takes advantage of the way Windows searches for and loads DLLs. When a legitimate program is launched, the loader looks for the DLLs it imports in a fixed sequence of directories. If you can identify which DLLs an application requests without specifying an absolute path, you can place your own arbitrary DLL higher up in the search path than the real one. This can be used to load arbitrary DLLs into legitimate applications without the need for an injector. The exact search order is documented by Microsoft under “Dynamic-Link Library Search Order”.
Finding Vulnerable Applications
To find vulnerable applications you can use tools like Process Monitor (procmon). Let’s use Steam as an example:
- Open Procmon and apply the following filters (Filter -> Filter…): “Process Name is [target process]”, “Path contains dll”, “Result is NAME NOT FOUND”.
- Launch the target application (in this case, Steam).
- Procmon will display a list of DLLs that Steam is attempting to load but cannot find.
- Look for DLLs that are being searched for in locations where you have write access, such as the application’s directory or user-writable folders.
- One common pattern to look for is a DLL being searched for in the application’s directory before the system directories. This is a prime opportunity for sideloading.
- Once you’ve identified a suitable DLL to replace, you’ll need to create your own version. Here’s a basic template in C++:
```cpp
#include <windows.h>

// Entry point called by the loader when the host process loads or unloads
// this DLL (and on thread attach/detach).
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD   ul_reason_for_call,
                      LPVOID  lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Code placed here runs as soon as the host process loads the DLL.
        // MessageBoxA is used explicitly so the narrow string literals compile
        // regardless of whether the project is built with UNICODE defined.
        MessageBoxA(NULL, "DLL Sideloaded!", "Success", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```
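The Procmon steps under “Finding Vulnerable Applications” produce a long trace that is tedious to read by hand. The script below is an added example, not part of the original post, that triages a Procmon CSV export the way a reviewer auditing an application would: it keeps only the `.dll` opens by the target process that ended in `NAME NOT FOUND`, groups them by DLL name in search order, and flags any DLL whose first miss was outside the Windows directory (the “application directory before system directories” pattern described above). The CSV rows are constructed for this example, the column names assume Procmon’s default CSV export, and the “Windows directory” check assumes a default `C:\Windows` install; the flagged directories still need an ACL check (for example with `icacls`) on the real machine before they count as writable.

```python
import csv
import io
import ntpath
from collections import OrderedDict

# Constructed sample of a Procmon CSV export (File > Save, CSV format).
# The column set matches Procmon's default export; the rows themselves are
# made up for this example and do not come from a real Steam trace.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0001","steam.exe","4242","CreateFile","C:\\Program Files (x86)\\Steam\\VERSION.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0002","steam.exe","4242","CreateFile","C:\\Windows\\System32\\VERSION.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.0003","steam.exe","4242","CreateFile","C:\\Program Files (x86)\\Steam\\steam_api.dll","SUCCESS","Desired Access: Read Attributes"
"10:00:01.0004","steam.exe","4242","CreateFile","C:\\Users\\alice\\AppData\\Local\\Steam\\example_plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0005","steam.exe","4242","CreateFile","C:\\Windows\\System32\\example_plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0006","steam.exe","4242","CreateFile","C:\\Windows\\System32\\nonexistent_example.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:00:01.0007","steam.exe","4242","RegQueryValue","HKLM\\SOFTWARE\\Valve\\Steam","NAME NOT FOUND",""
"10:00:01.0008","explorer.exe","1234","CreateFile","C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"""


def parse_missing_dll_lookups(csv_text, process_name):
    """Return (dll_basename, directory) pairs, in trace order, for every
    file open of a .dll by process_name that ended in NAME NOT FOUND.
    This mirrors the three Procmon filters from the post."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        # ntpath handles backslash paths on any host OS.
        directory, name = ntpath.split(path)
        hits.append((name.lower(), directory))
    return hits


def is_windows_dir(directory):
    """Assumption: a default install where only C:\\Windows and below are the
    system directories. Anything else is treated as 'review the ACL'."""
    return directory.lower().startswith(r"c:\windows")


def triage(csv_text, process_name):
    """Group misses by DLL name, preserving the order the loader searched.
    A DLL is a sideload candidate when the first directory the loader tried
    (i.e. the highest-priority location) is outside the Windows directory."""
    by_dll = OrderedDict()
    for name, directory in parse_missing_dll_lookups(csv_text, process_name):
        by_dll.setdefault(name, []).append(directory)
    report = []
    for name, dirs in by_dll.items():
        report.append({
            "dll": name,
            "search_dirs": dirs,
            "candidate": not is_windows_dir(dirs[0]),
        })
    return report


def candidates(csv_text, process_name):
    """Just the DLL names that need a write-permission check."""
    return [r["dll"] for r in triage(csv_text, process_name) if r["candidate"]]


if __name__ == "__main__":
    for entry in triage(SAMPLE_PROCMON_CSV, "steam.exe"):
        flag = "REVIEW" if entry["candidate"] else "ok"
        print(f"{flag:6} {entry['dll']:24} first searched in {entry['search_dirs'][0]}")
```

Run against a real export, replace `SAMPLE_PROCMON_CSV` with the file contents and the process name with the application under review. Misses that only ever occur under `C:\Windows` are reported as `ok` because a standard user cannot write there; the `REVIEW` entries are the ones to confirm with `icacls` and, for an application you ship, to fix by loading the DLL by absolute path or by shipping the dependency alongside the executable.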
Implementing the Sideload
- Place your compiled DLL in the location where the application is searching for it. This is typically the same directory as the executable or a subdirectory.
- Launch the application again. If successful, you should see your message box appear, confirming the sideload worked.