Discovering Binaries for DLL Sideloading
How to find undocumented LOLBins and use them for DLL Sideloading
There are many ways to discover binaries that can be used for DLL Sideloading, but today I will talk about my methodology. I will be demonstrating how I found that Notepad++ can be used to sideload a malicious DLL. So let’s get to it!
Enumeration
The first thing that I always start with is enumerating what programs are installed on the system. This means looking through program files, inspecting what services are running on the system, etc. It’s important to note that when I’m looking for these installed programs I’m also thinking what functions they have. For example, what are the main functions of Microsoft Edge? Providing GUI access to servers via protocols (HTTP, HTTPs), reading information, downloading and executing files, etc. Specifically, I’m looking for programs with juicy functions like reading, writing, executing, and accessing.
Now that I found a program with these functionalities, I can take two routes. One is determining what programs the installed binary launches and it’s imported functions. The other would be observing how the binary is conducting its functions, similar to the binaries in the LOLBAS project. This article will cover the first route, the other will be discussed in a future blog.
You might be wondering why enumerating the functions the program serves is important to finding “good” binaries that can be DLL Sideloaded. The answer is evasion, you want the operations you’re doing with the DLL you are sideloading to look as normal as possible. For example, let’s say you’re conducting a Red Team engagement where your DLL reaches out to a Command & Control Server (C2), in this case, a DLL which can reach external servers is ideal.
Discovering the DLL
Now that you found an interesting binary let’s see if we can sideload it. In my case, I will be using Notepad++. If you install Notepad++ for the first time you’ll notice an update GUI box appear on your screen. Generally speaking, I like to look for binaries that launch other binaries when looking for sideloadable binaries for evasion purposes. The updater executable is called GUP.exe, you can find what binaries are being launched by a process via a tool such as Process Hacker.
As you can see in Figure 1 the parent process of GUP.exe is notepad++.exe. Now it’s time to see if we can DLL sideload it. My favorite way to see if a binary can be sideloaded is to use the Developer Command Prompt Tools. The command dumpbin can be used to dump certain contents of a binary. For this situation, we want to see what the binary GUP.exe is importing.
Figure 2 illustrates that the GUP.exe binary imports libcurl.dll, which is a client-side URL transfer library. This DLL can access external files! Now when the DLL is replaced with our malicious DLL the process tree will look more legitimate.
Troubleshooting other issues
Not every binary is the same, especially when it comes to the loading of a DLL or creating a new process. Remember that GUP.exe only ran on the first install? Well if we look deeper we can see from a simple Google search that Notepad++ runs its updater executable every 15 days on launch. How can this be used in an engagement without knowing when Notepad++ will update? Taking it a step further looking at Notepad++ configuration files, we can see that there’s a section in config.xml for when Notepad++ should update in Figure 3.
Exploitation
A possible avenue that can be taken is using macros to change the update date and then execute. Figure 4 is an example of a macro that can be used to change the update date to the current date and then execute Notepad++.
Now all that needs to be done is to put the updater executable and libcurl.dll in the relative location to Notepad++. The updater executable also needs gup.xml for the updater GUI to appear. If gup.xml is not shipped with the other files then an error will be thrown, which will look suspicious. Below is a full example of using Notepad++ to sideload a malicious DLL with a PowerPoint Macro file that calls back to a C2 server.
That’s a wrap! Hope you can find more binaries that can be sideloaded!
If you want to learn more cybersecurity from me subscribe to my substack!