Hunting for Evidence of DLL Side-Loading With PowerShell and Sysmon


Recently, X-Force Red released a tool called Windows Feature Hunter, which identifies targets for dynamic link library (DLL) side-loading on a Windows system using Frida. To provide a defensive counter-measure perspective for DLL side-loading, X-Force Incident Response has released SideLoaderHunter, which is a system profiling script and Sysmon configuration designed to identify evidence of side-loading on Windows systems. This post will talk about why IBM X-Force thinks the tool is needed, describe its functions and analyze some use cases.


What Is DLL Side-Loading?


In Microsoft Windows, programs can define which libraries are loaded at runtime by specifying a full path or by using another mechanism such as a manifest. A program manifest is an external file or an embedded resource within an application that is used to manage the names and versions of the shared side-by-side assemblies the application should load upon execution. A program manifest can include DLL redirections, filenames or full paths. If a manifest refers to a library by filename only, the reference is considered weak and is vulnerable to a DLL side-loading attack.


If a weak reference is made to a library, Windows attempts to locate the DLL through a pre-defined search order. The first location that Windows will search is the directory from which the application is loaded.
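To make the search-order point concrete from the detection side, the following is an added example (not part of the original post and not SideLoaderHunter's own code) that runs the corresponding check over constructed Sysmon Event ID 7 image-load records; the field names, the DLL name list and the sample events are assumptions.

```python
import ntpath

# Constructed stand-in for the set of DLL names that ship in System32; on a real
# host it would be built from a directory listing of %SystemRoot%\System32.
SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dbghelp.dll", "wtsapi32.dll", "msvcr100.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# Constructed Sysmon Event ID 7 (ImageLoad) records, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Foo\foo.exe", "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\Updater\updater.exe", "ImageLoaded": r"C:\Users\Public\Updater\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Bar\bar.exe", "ImageLoaded": r"C:\Program Files\Bar\msvcr100.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Bar\bar.exe", "ImageLoaded": r"C:\Program Files\Bar\barplugin.dll", "Signed": "true"},
]

def classify_load(event):
    """Return a reason string when a load looks like side-loading, otherwise None.

    The check mirrors the search-order argument above: a DLL name that normally
    resolves to a system directory was instead satisfied from the directory the
    application itself runs from, which is the first place the loader looks.
    """
    image_dir = ntpath.dirname(event["Image"]).lower()
    loaded_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    loaded_name = ntpath.basename(event["ImageLoaded"]).lower()
    if loaded_name not in SYSTEM_DLLS:
        return None  # a private DLL of the application, not a system-DLL name
    if loaded_dir.startswith(SYSTEM_DIRS):
        return None  # resolved to the expected system copy
    if loaded_dir != image_dir:
        return None  # some other search-order location; not the case discussed here
    reason = f"{loaded_name} resolved from application directory {loaded_dir}"
    if event.get("Signed", "false").lower() != "true":
        reason += " (unsigned)"  # a redistributed, signed runtime DLL is a common benign hit
    return reason

def hunt(events):
    """Collect the loads worth triaging, keeping the originating image for context."""
    hits = []
    for event in events:
        reason = classify_load(event)
        if reason:
            hits.append({"Image": event["Image"], "ImageLoaded": event["ImageLoaded"], "Reason": reason})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['Image']} -> {hit['Reason']}")
```

Signed hits such as a vendor-redistributed runtime DLL are expected and need a signer comparison against the application itself before they are dismissed.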


A DLL side-loading attack is an adversarial technique that aims to take advantage of weak library references and the default Windows search order by placing a malicious DLL ..
