“…it moves to the next check: was the DLL compiled with CFG enabled? If not, it moves to the final check: does the DLL have a `.text` section where we can host our code? If so, the function computes the offset of the `.text` section and adds it to the base address to get th…”
T1055.001 Dynamic-link Library Injection (99%)
“If the size of the payload is less than the size of a particular DLL's `VirtualSize`, we can use the DLL to even overwrite the DLL memory with the shellcode. Testing the code: compiling and running the project, we should see our _hello world_ MessageBox payload being execute…”
T1055.012 Process Hollowing (98%)
“DLL Jmping: Old Hollow Trampolines in Windows DLL Land. DLL hollowing is an age-old technique used by malware authors to have a memory-backed shellcode. However, defensive mechanisms like CFG and XFG have made it incredi…”
T1083 File and Directory Discovery (94%)
“…d == INVALID_HANDLE_VALUE) return false; // list all DLL files do { if (findFileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { // skip "." and ".." directories if (_tcscmp(findFileData.cFileName, TEXT(".")) != 0 && _tcscmp(findFileData.cFil…”
T1574.001 DLL (78%)
“…DLL can be used for payload delivery, then we add it to a linked list that contains the DLLs to use and the address at the beginning of their `.text` section. Looking into the `CheckIfDllWorks()` function, it has the following code: LPVOID CheckIfDllWorks(TCHAR* dll_p…”
T1055.001 Dynamic-link Library Injection (78%)
“…x; ff d0 The code for the process looks as such: BOOL AddJmp(LPVOID jmp_tgt, LPVOID src) { SIZE_T inst_size = 12 * sizeof(unsigned char); unsigned char* inst = (unsigned char*)malloc(inst_size); if (inst == NULL) return false; RtlZeroMemory(inst,…”
T1055.001 Dynamic-link Library Injection (77%)
“…cteristics & IMAGE_DLLCHARACTERISTICS_GUARD_CF) { FreeLibrary(hModule); return NULL; } // iterate through the section headers IMAGE_SECTION_HEADER* sectionHeader = IMAGE_FIRST_SECTION(ntHeaders); for (int i = 0; i < ntHeaders->FileHeader.NumberOf…”
T1083 File and Directory Discovery (60%)
“…rate of payloads. Finding target DLLs: to find a list of DLLs, we need a couple of functions: a function that iterates through the system directory recursively to find all DLLs present, and a function that checks if the DLLs can be used to stage payload delivery. The first part i…”
T1574.001 DLL (54%)
“…rate of payloads. Finding target DLLs: to find a list of DLLs, we need a couple of functions: a function that iterates through the system directory recursively to find all DLLs present, and a function that checks if the DLLs can be used to stage payload delivery. The first part i…”
Summary
DLL hollowing is an age-old technique used by malware authors to have a memory-backed shellcode. However, defensive mechanisms like CFG and XFG have made it incredibly difficult to implement such […]