DLL Sideloading

Not the perfect way, but the faster way

Recently I purchased a commercial C4, and it turns out that my knowledge about loader locks and DLL sideloading was all wrong. There are a lot of ways a DLL sideload can go wrong, one of which is loader lock; check out Koppeling to learn more.

How to find DLL sideloads


# Walk every .exe under C:\ and have Siofra enumerate its DLL dependencies
# and flag the hijackable ones; all output is appended to check_appdata.txt
Get-ChildItem -Path "C:\" -Filter *.exe -Recurse -File -Name -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host $_
    $bin = "C:\" + $_    # -Name yields paths relative to C:\, so rebuild the full path
    C:\Tools\Siofra64.exe --mode file-scan --enum-dependency --dll-hijack -f $bin >> check_appdata.txt
}

How to make ProxyDlls

Use SharpProxyDLL to generate the proxy DLL, then edit the generated export forwarders: replace the tmpXYZ module in every export with C:\\Windows\\SYSTEM32\\XYZ.dll, so each export forwards straight to the real library in System32 instead of a local tmpXYZ copy that you would otherwise have to drop next to the proxy.
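As an added example (not code from the original page or from SharpProxyDLL), the PowerShell below performs that tmpXYZ to System32 rewrite over a generated source file and sanity-checks the result. It assumes the generator emitted forwarders as lines of the form #pragma comment(linker,"/export:Name=tmpNNNN.Name,@ordinal"), and it uses version.dll and the file name proxy.c purely as placeholders.

```powershell
# Added example, not part of the original page or of SharpProxyDLL.
# Rewrites forwarders in a generated proxy-DLL source so they point at the
# real library under C:\Windows\SYSTEM32 instead of the renamed tmpXYZ copy.
# Assumed input format (one export per line):
#   #pragma comment(linker,"/export:Func=tmp1234.Func,@1")
function Convert-ProxyForwarders {
    param(
        [Parameter(Mandatory)][string[]]$SourceLines,
        [Parameter(Mandatory)][string]$RealDll      # bare name, e.g. 'version'
    )

    # The forwarder target lives inside a C string literal, so every backslash
    # is doubled. No ".dll" suffix: the loader splits "module.function" at the
    # dot and appends .dll to the module part itself, so leaving the extension
    # off keeps that split unambiguous.
    $target  = 'C:\\Windows\\SYSTEM32\\' + $RealDll
    $pattern = '^(\s*#pragma\s+comment\s*\(\s*linker\s*,\s*"/export:)([^=]+)=tmp\w+\.([^,"]+)(.*)$'

    $rewritten = 0
    $out = foreach ($line in $SourceLines) {
        if ($line -match $pattern) {
            $rewritten++
            # $Matches[1] pragma prefix, [2] exported name, [3] forwarded symbol,
            # [4] the ",@ordinal")" tail; only the module in the middle changes.
            "$($Matches[1])$($Matches[2])=$target.$($Matches[3])$($Matches[4])"
        } else {
            $line
        }
    }

    # Checks a practitioner wants before compiling: did we actually touch any
    # forwarders, and does the library we now forward to exist on this box?
    if ($rewritten -eq 0) {
        Write-Warning "No tmpXYZ forwarders found; is this really the generated proxy source?"
    }
    $sysCopy = Join-Path $env:SystemRoot "System32\$RealDll.dll"
    if (-not (Test-Path $sysCopy)) {
        Write-Warning "$sysCopy not found here; the forwarders will fail to resolve at load time"
    }
    Write-Host "Rewrote $rewritten forwarder(s) to $target"
    return $out
}

# Constructed sample resembling generated output (not real tool output).
$sample = @(
    '#include <windows.h>',
    '#pragma comment(linker,"/export:GetFileVersionInfoA=tmp1234.GetFileVersionInfoA,@1")',
    '#pragma comment(linker,"/export:VerQueryValueW=tmp1234.VerQueryValueW,@2")',
    'BOOL APIENTRY DllMain(HMODULE h, DWORD reason, LPVOID r) { return TRUE; }'
)
Convert-ProxyForwarders -SourceLines $sample -RealDll 'version'

# Real use against a generated file (proxy.c is a placeholder name):
# Convert-ProxyForwarders -SourceLines (Get-Content .\proxy.c) -RealDll 'version' | Set-Content .\proxy.c
```

Run it against the generated source before you compile; the warning about a missing System32 copy matters because a full-path forwarder ties the proxy to that exact location on the target.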

Not so ideal hack

@paranoidNinja told me we should not load our shellcode from DllMain, but since I'm on the clock, I want to share a not-so-ideal hack to get away with it. This is not the best way and your shell could die, but hey, it works.

Make sure you make this change before compiling your DLL (hopefully generated with SharpProxyDLL).

Compile and enjoy
