kleiton0x00/Proxy-DLL-Loads kleiton0x00/Proxy-DLL-Loads

  • Stars
    star
    320
  • Rank 131,126 (Top 3 %)
  • Language
    C
  • License
    MIT License
  • Created about 1 year ago
  • Updated 6 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
kleiton0x00/Proxy-DLL-Loads
github

kleiton0x00

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A proof of concept demonstrating the DLL-load proxying using undocumented Syscalls.

Proxy DLL Loads

A proof of concept demonstrating the DLL-load proxying using undocumented Syscalls. This repo is not about teaching you what DLL Load proxying is and how it works, it is greatly explained on this blogpost. Instead, the main focus is on finding undocumented callback functions by reversing the DLLs and creating your own version.

Hunting for undocumented syscalls

Before getting in directly to reversing the DLLs, we need to first know what to look for. We can start by looking at the Microsoft documentation (MSDN), which provides an excellent example of a custom thread pool, which creates a work item and a thread pool timer. The code alone is also suitable for archiving the execution of LoadLibrary via callback functions, but as already known, the userland functions are prone to hooking. So using their respective syscalls would be a better approach. Looking at the MSDN documentation, the example code uses the following Win32API functions:

CreateThreadpool
SetThreadpoolThreadMaximum
SetThreadpoolThreadMinimum
CreateThreadpoolCleanupGroup
CreateThreadpoolTimer
SetThreadpoolTimer
CloseThreadpoolCleanupGroupMembers

If you use IDA, open kernel32.dll, go to "Exports" and search for the mentioned Win32 APIs, in this case CreateThreadpool. Double-clicking the function redirect us to its dissassembled code:
Screenshot from 2023-10-23 10-33-17
Through the assembly instructions, we see the TpAllocPool syscall being executed: call cs:__imp_TpAllocPool

If you repeat the process with the other functions, you will end up with the following syscalls:

Ntdll!TpAllocPool
Ntdll!TpSetPoolMaxThreads
Ntdll!TpSetPoolMinThreads
Ntdll!TpAllocCleanupGroup
Ntdll!TpAllocTimer
Ntdll!TpSetTimer
Ntdll!TpReleaseCleanupGroupMembers

Now you have everything you need to start creating your own version of proxying the DLL Loads. You can look at this documentation from Process Hacker to help you implement the undocumented syscalls in your code.

Debugging

Set a breakpoint before the assembly code in Callbackstub get's executed. Look at right tab of x64dbg as the registers are being populated.

demo_dbg.mp4 
RAX -> pointer to LoadLibraryA
RCX -> library name string

Result

Screenshot from 2023-10-21 20-21-05

Resources

https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/
https://github.com/hlldz/misc/tree/main/proxy_calls
https://processhacker.sourceforge.io/doc/nttp_8h.html#adad18de6710381f08cf36a0fa72e7529

Detections

https://github.com/elastic/protections-artifacts/blob/main/behavior/rules/defense_evasion_library_loaded_via_a_callback_function.toml

More Repositories

1

Advanced-SQL-Injection-Cheatsheet

A cheat sheet that contains advanced queries for SQL Injection of all types.
2,797
star
2

ppmap

A scanner/exploitation tool written in GO, which leverages client-side Prototype Pollution to XSS by exploiting known gadgets.
Go
488
star
3

XSScope

XSScope is one of the most powerful and advanced GUI Framework for Modern Browser exploitation via XSS.
HTML
307
star
4

RedditC2

Abusing Reddit API to host the C2 traffic, since most of the blue-team members use Reddit, it might be a great way to make the traffic look legit.
Python
253
star
5

Shelltropy

A technique of hiding malicious shellcode via Shannon encoding.
Assembly
242
star
6

RemoteShellcodeExec

Execute shellcode from a remote-hosted bin file using Winhttp.
C
220
star
7

CORS-one-liner

A one liner Bash command which finds CORS in every possible endpoint.
114
star
8

CRLF-one-liner

A simple Bash one liner with aim to automate CRLF vulnerability scanning.
67
star
9

HTTP-Smuggling-Calculator

Perform TE.CL HTTP Request Smuggling attacks by crafting HTTP Request automatically.
Python
67
star
10

Todesstern

A simple mutator engine which focuses on finding unknown classes of injection vulnerabilities
Python
63
star
11

contexter

Contexter - A secondary context path traversal / server-side parameter pollution testing tool written in Python 3
Python
18
star
12

kleiton0x00.github.io

SCSS
10
star
13

kleiton0x00

2
star