TL;DR: see Part 1 for an introduction to this series and an overview of the available posts.


After a slow first day, let’s up our game with some antivirus fun from our friends over at Avira (21 executables, plus one launcher at the end of the post):

  • Avira Antivirus (x86) - 1 executable
  • Avira Free Software Updater (x86) - 4 executables
  • Avira Game Booster (x86) - 1 executable
  • Avira Optimizer Host (x86) - 1 executable
  • Avira Phantom VPN (x86 & x64) - 2 executables
  • Avira Privacy Pal (x86) - 3 executables
  • Avira Safe Shopping (x86) - 1 executable
  • Avira System Speedup (x86) - 7 executables
  • Avira Systray (x86) - 1 executable

  • Name: Avira - Antivirus(x86)
  • Executable: checkwindows10drivers.exe
  • SHA256: 02398908b347153c737672f1acf53d554d4bca4e6c2a7a8ddf304024d2447919
  • SHA1: 8c8c5c8dada23712fbc4a7f487ec74221e6a9a92
  • MD5: 7fdb91966a7d49ff9e4eaa5b6d25a600
  • Certificate: Avira Operations GmbH & Co. KG/VeriSign Class 3 Code Signing 2010 CA/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Free Software Updater(x86)
  • Executable: Avira.SoftwareUpdater.ServiceHost.exe
  • SHA256: d7f7c3fd07642684076a99647d07333757e39a38b2dada3e9efb8144bf41c1c8
  • SHA1: 68d1a5b02376f64af6ce1d5ad4c1acce71a77c4f
  • MD5: a5c8805730e06c2c1991e9430c3184a0
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Free Software Updater(x86)
  • Executable: AviraSoftwareUpdater.exe
  • SHA256: bcc0f1bef8fc27b2e7f29e79d7ef84bd0429c27394bb4fc25517315e46d54627
  • SHA1: f8a01413030cb1ecdafe7c1b42761de8d7b25224
  • MD5: 8b0b1c85f79efeedea7b6ed61bf1efe3
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Free Software Updater(x86)
  • Executable: AviraSoftwareUpdaterToastNotificationsBridge.exe
  • SHA256: 99014c90eaf5187f35e7a72f16556168bd945ea67e45224a1d0e57c434ae997b
  • SHA1: 7379a19a5459647240df47ba7b3569308cbadf9a
  • MD5: 2ea3069953a03743a2a4196958d3ff08
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Free Software Updater(x86)
  • Executable: CefSharp.BrowserSubprocess.exe
  • SHA256: 34d07045fa780db5aab7936b4c945af6cfbef65b4e4e1eaa371c4cfe684632f1
  • SHA1: 0c1d5610e31fa2a3718a1e58eee8c69f7919cd10
  • MD5: 5fe5007222e135cdf0704693e3d2f40f
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Game Booster(x86)
  • Executable: Avira.GameBooster.Core.ErrorReporter.exe
  • SHA256: 8c0edc3bc3a4000b2857738730984dd7df4c1d776a9953f619a38c71ba4709d8
  • SHA1: a6b50f05713aeb5be6e7df060e070b6f4d2567e8
  • MD5: 32d12e975879c7ea90a2885ab5122b8b
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Optimizer Host(x86)
  • Executable: Avira.OptimizerHost.exe
  • SHA256: 70131f57d22fe3e8de85a8e95fb74cc1bbb1e8706e51b09771e4d6c3a5721c05
  • SHA1: ddd8ac17c08a6ce2e2ceb4e0110a211eb597d7a1
  • MD5: 10172704730e637a1d4815a24fb14d95
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira Phantom VPN (x86)
  • Executable: Avira.VPN.Notifier.exe
  • SHA256: 3518ec7a125da4fe7bb0fc3b26cdeeef3b0afb6c747c7157316163d1e7ab2feb
  • SHA1: 1d99e6c551e5ef9ad0088db3868eb5d77cd05b7d
  • MD5: 258b1b3824eafafec8e4d2d098c23277
  • Certificate: Avira Operations GmbH & Co. KG/VeriSign Class 3 Code Signing 2010 CA/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira Phantom VPN (x64)
  • Executable: Avira.WebAppHost.exe
  • SHA256: 8b58a80c56cf5e668ead219836b5f0013a696108fdf5542720f4a94f48d96c7c
  • SHA1: 857b9967c067a05c2bfabc79f087fd66eb198e93
  • MD5: 248f70a1f626518a7591959cf47d19b6
  • Certificate: Avira Operations GmbH & Co. KG/VeriSign Class 3 Code Signing 2010 CA/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Privacy Pal(x86)
  • Executable: Avira.Optimizer.Common.ErrorReporter.exe
  • SHA256: b3ca7f3db9ef464d7891370c0fb7f3e20c2bce683e204b25a5c46d00c899bfe7
  • SHA1: 754ccff14b3313b864b1e8fa55100a7dff781e30
  • MD5: 51fc630ba6fbe50a76593c38a3dfc27e
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Privacy Pal(x86)
  • Executable: Avira.PrivacyPal.Service.exe
  • SHA256: b3a6afcc4e2a020144284d131c3ca249f534e4bc657b1ce1edd43aeafc7989c5
  • SHA1: 222f9373fc31a49ba6be92adf73aab5cbdb835c7
  • MD5: 043d2289eb1fbd53679d07ce10a0c876
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Privacy Pal(x86)
  • Executable: Avira.PrivacyPal.UI.Application.exe
  • SHA256: b400e06940709384aeec578e0603e4694a51d4e7c7aaa9eb7b19bb2e49a499a9
  • SHA1: 9b0587653e253a296b5da86d69008340e02f2374
  • MD5: 3f18e5c14b8ad588f962e5dfaed1c251
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Safe Shopping(x86)
  • Executable: Avira Safe Shopping.exe
  • SHA256: a9b5678e868936998e215305d2d5d860d6077480bc74896463c914a8fb5c0f54
  • SHA1: 2ae7f4668ddcccf4efc97c895a74bf1416f4e376
  • MD5: 0558054a7b14823f52177814ab8e71ed
  • Certificate: Solute GmbH/thawte SHA256 Code Signing CA/thawte Primary Root CA

  • Name: Avira - System Speedup(x86)
  • Executable: Avira.SystemSpeedup.Core.Common.Starter.exe
  • SHA256: 6fb25bea61d07fd683d08bd25091e91a7ebdfe38ab8672e124449aef308cb16b
  • SHA1: 5fe163332729812394faafd97d12ed1248f41f10
  • MD5: 88e2bfdd248eae47aa608938d51094c7
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - System Speedup(x86)
  • Executable: Avira.SystemSpeedup.Maintenance.exe
  • SHA256: 104ee193f8b008ca7889c9c101607458a4a5d9dd3bbad0c85435415c082e15d0
  • SHA1: 7d23786ac1db3c2f0c47b4dadd327a84f2c469f1
  • MD5: 40ad0c81196dcc00e144b84a8183ee76
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - System Speedup(x86)
  • Executable: Avira.SystemSpeedup.Service.exe
  • SHA256: 2ca9a2aa5aba579765b75548915b6339a1d503c1eb15a9f5cc4e0950b5031ea1
  • SHA1: 410266c83c3c4a6b142eb7ef18b8d3c7e0d893d3
  • MD5: 424b47d51d5330d4a7f1f030580e8d0f
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - System Speedup(x86)
  • Executable: Avira.SystemSpeedup.UI.HelpOverlay.exe
  • SHA256: 9ec2b86c617b58ecc3dce28c65284cd6c1e80228848d812e91eec3fa49c13e7b
  • SHA1: f4fb072beb76bb1aeaa09d736db05afff55e8972
  • MD5: 3efffeb3df594423784122d0a885f7ef
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - System Speedup(x86)
  • Executable: Avira.SystemSpeedup.UI.Popup.exe
  • SHA256: 46a4cb520498987ea38fcff8b9bcac5987d2acc9436449d413a4859b0bb77cc1
  • SHA1: 4fa9e229f805ffb1eb10be23e1ece83a73f32fef
  • MD5: 60003473cde1f5377caee09eb9afec4c
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - System Speedup(x86)
  • Executable: Avira.SystemSpeedup.UI.ServiceProfiler.exe
  • SHA256: 2423ed625ca857c466840337f857ca069727239a2284042e7e676fed77739ff8
  • SHA1: 4d5e90c06599e2bdbda3ad830cbf4d3a0629385e
  • MD5: 5aa1ad636dd8d43ede9f076fc56d01fd
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - System Speedup(x86)
  • Executable: Avira_System_Speedup.exe
  • SHA256: a5017f00a56ce58397e56ba7b185d08763ba26edf03220d9c4704846bd5776fa
  • SHA1: b305ec97f553731a662dcb77f70a4039a0308aa5
  • MD5: 6342eedd81595a67fea103cfddd8d5c0
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Avira - Systray(x86)
  • Executable: Avira.Systray.exe
  • SHA256: 17dc9e5321c2af351e47f914219a920df37ffa2f625563327aaf34bb7c12506d
  • SHA1: 519f64bea775ed6ab86d0c12087a9a1086805358
  • MD5: d63d9bfd8947f60f7e9e74e8fef40059
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

DLL-Template:

; ---------------------------------------------------------------------------
;- Exports: version.dll

ProcedureDLL.l GetFileVersionInfoSizeW()
  DbgOutFunctionName()
EndProcedure

ProcedureDLL.l GetFileVersionInfoW()
  DbgOutFunctionName()
EndProcedure

ProcedureDLL.l VerQueryValueW()
  DbgOutFunctionName()
EndProcedure

Download: I do not provide the executables in question as they can easily be found on the Internet and I don’t want any eager companies to send me DMCA take-down letters ;-). Hybrid Analysis / reverse.it or VirusTotal are always happy to help with downloads for these files…

A description of all executables will be collected on GitHub: signed-loaders

… and as an added bonus, you can use Avira.GameBooster.ProcessStarter.exe as a launcher …

  • Name: Avira - Game Booster(x86)
  • Executable: Avira.GameBooster.ProcessStarter.exe
  • SHA256: c0def4ff61a4545699422273761c464f35d532cc0cc65756e4ec20be383ff897
  • SHA1: 653c5fef45774243354fc718f3fb98a8a5d3e223
  • MD5: f6fb5c1eb58aff98c0815919a3a5e03d
  • Certificate: Avira Operations GmbH & Co. KG/Symantec Class 3 Extended Validation Code Signing CA - G2/VeriSign Class 3 Public Primary Certification Authority - G5

… via: Avira.GameBooster.ProcessStarter.exe calc.exe