Part II of the DLL Sideloading introduction series. This time it's specifically about persistence instead of initial access payloads. In those cases, especially for pre-installed applications, you need a stable host process that doesn't crash or deadlock on the LoaderLock. We go through some typical issues and provide two approaches for stable execution.
0:21 - Start, Introduction
6:30 - Sideloading example for Version.dll in C++
11:30 - MessageBox success but multiple C2 connections
13:25 - Shellcode execution instead with multiple connections but the process died
16:00 - Troubleshooting the potential issue
24:00 - More stable alternative no. 1: Payload execution from a function other than DllMain
35:40 - Alternative to API monitor for targeted payload function execution
43:50 - Chromium/Electron based protection mechanisms as root cause for crashes
46:35 - Automating payload generation with my private Packer
54:22 - Ideas for avoiding multiple executions
01:09:00 - Avoid execution in any protected child process
01:11:00 - Even better: Using a mutex for single execution
01:18:42 - Summary
Links mentioned:
- DLL Sideloading
- github.com/mre...
- www.netspi.com...
- elliotonsecuri...
- gist.github.co...