DLL Side-Loading for Fun (and Profit?) - Day 5 & 6
TL;DR: see Part 1 for an introduction to this series and an overview of the available posts.
Since I forgot to post yesterday, I merged the two posts. So below you’ll find DLL side-loading targets using Oracle Java and Avast Antivirus Business.
For Oracle Java the DLL template is provided below. For the Avast target, just create a DLL (wsc.dll) with one export (called _run@4) and execute wsc_proxy.exe.
Avast Antivirus Business (x86)

- Name: Avast - Antivirus Business(x86)
- Executable: wsc_proxy.exe
- SHA256: 81aa1e5578e99de5d99d775910704aa1e92b50139fc1a1a9a5fb1d60a3a7897e
- SHA1: 03aaf714728eae7ba833bdf36be15a3136f4bb46
- MD5: 39f551472d83951eae833db975991219
- Certificate: AVAST Software s.r.o./DigiCert High Assurance Code Signing CA-1/DigiCert High Assurance EV Root CA
Oracle Java (x64)

- Executable: javacpl.exe
- SHA256: 2dfac2e76ac4f67d13e37d8f0f69e62d3260df8e7b1c87e264eb1db19dd54759
- SHA1: 22036de995b61ec3a7c7171acf0afc841ebc2b7d
- MD5: 7364ff9145c4a99a0975ae08bb9939a3
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: java-rmi.exe
- SHA256: d0a0aa2d3f457a3d119765af7458ef5c41c9f8bcc3b29a8d955bc936720a8dd6
- SHA1: 904100abcac7fae1d0e981fa650e1688595029d7
- MD5: c3bf9fa32fe17747657daca1d248fcb3
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: jjs.exe
- SHA256: f8b2647918ea7b755bd2bb66cf236a2845f1f7e42301b0bfe3e5dcc0c455fc02
- SHA1: 413ad12bc3bfa7b034061fb886b67f91b0bba922
- MD5: 5a2034a86b64dca5f19d93c031950248
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: keytool.exe
- SHA256: 55341328a97d8244d4ced6f3bd79665171c1c17d08b0ae0982af308f674341bc
- SHA1: 38aca6498cf6abc64633b1423ee99a7bbebde093
- MD5: 68383bccc06ccb652e1c3abc4085c19c
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: kinit.exe
- SHA256: 18c62b4e5428eed573454f9c7a90fb777ad8c0a3f04470303b7b441609d44cbe
- SHA1: 33e1d205443a7f97a4203ff13ee86d94208d7f38
- MD5: 409b29ca764874eb4e1aaaf13295e0fe
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: klist.exe
- SHA256: c7353e55514becb443f4cc4238c38cd1f5f466851e9a9bbad4738d301682ae58
- SHA1: 37eb5aa8c2a3ca8930a97e00f842ff9059d55221
- MD5: 7c5b0ef9949c0d935a0b8e61ea5c4a86
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: ktab.exe
- SHA256: 941778b2622cfd1b1c35bbd092bd5a01d68a8c501077ddd4926694997babc5ec
- SHA1: 9c529e4df520e552c2c9c22696feb9b12f0bedd1
- MD5: f0983a787ff925ebd8940e0916a9324d
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: orbd.exe
- SHA256: 76a94f3b118bb3eb469fe64d8a50a660ed4d20d80394427df866fa6f8cd137d4
- SHA1: 1011bd5ea2e46483fd417c494a92078f64beb02f
- MD5: 67e74bbd8ab446c77464a2dff70d49c4
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: pack200.exe
- SHA256: 739e391a375e9b0dadeea859183a96a34737d6303e7d16e19f9130014500644d
- SHA1: 64af474c831c3fbede243683be48c8530155a413
- MD5: 43470b2ddbbc7733ce3174ccb0dfaa1f
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: policytool.exe
- SHA256: 2622cf15d4b9c42ced5491a929d02a4d083f13b6c1cfd9f2659f4b1dacd54c57
- SHA1: ec128f8c4876ffcb807897b1b2e1c10c2f6ffa0e
- MD5: e5ae58a6467f5a927068856e730980d2
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: rmid.exe
- SHA256: f5feb44a1b2da6c09c022d427a8fb513c23a80842a5bde1c48049e10c0011449
- SHA1: 8764c9fcf91d0860ca237f537ceda735a43dd697
- MD5: 3ef59771b19e8f8c04b800072c60a8c9
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: rmiregistry.exe
- SHA256: 26dc673abadb59744acae14ed9c3471101f3581295f2fb21aa23eba01697d982
- SHA1: 7d4eb727a417db9f4b4c5d0e636784b7555bbeab
- MD5: bd49ad337e128744b7c4829952129eb6
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: servertool.exe
- SHA256: 2b1edd3ff4a770c0ceb02719e2071a3f7faf02b716567472a771dfa13e51714a
- SHA1: 762f22176835eabee4dc3ab96936e3ed0f73f992
- MD5: f345369270650ddd7b9f322c0ad343b0
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5

- Executable: tnameserv.exe
- SHA256: 21312ed3be2818537f91614b8344e2664bb335a833427ffeb21cb2cdde4de492
- SHA1: a3ee9b5ece6bac47387c96995e23144c2ba5738d
- MD5: 9dfe966da7007d8eec1102bf7883c739
- Certificate: Oracle America, Inc./Symantec Class 3 SHA256 Code Signing CA/VeriSign Class 3 Public Primary Certification Authority - G5
DLL template (Java):

```purebasic
EnableExplicit
; ---------------------------------------------------------------------------
;- Prototypes
Macro LoopForever()
  Sleep_(-1)                                  ; Sleep(INFINITE): park the calling thread for good
EndMacro
Macro DbgOutFunctionName()
  OutputDebugString_("Func: " + #PB_Compiler_Procedure)   ; shows which export was called (e.g. in DebugView)
EndMacro
Macro DummyExport(proc_name)                  ; stub export: log the call, then block
  ProcedureDLL proc_name()
    DbgOutFunctionName()
    LoopForever()
  EndProcedure
EndMacro
; ---------------------------------------------------------------------------
;- Exports: deploy.dll - javacpl.exe
DummyExport(GetCurrentJavaHomeFromRegistry)
; ---------------------------------------------------------------------------
;- Exports: jli.dll for java-rmi.exe and others
DummyExport(JLI_CmdToArgs)
DummyExport(JLI_GetStdArgc)
DummyExport(JLI_GetStdArgs)
DummyExport(JLI_Launch)
DummyExport(JLI_MemAlloc)
; ---------------------------------------------------------------------------
; DllMain-equivalent callbacks in PureBasic; each one just logs that it ran
ProcedureDLL AttachProcess(Instance)
  DbgOutFunctionName()
EndProcedure
ProcedureDLL DetachProcess(Instance)
  DbgOutFunctionName()
EndProcedure
ProcedureDLL AttachThread(Instance)
  DbgOutFunctionName()
EndProcedure
ProcedureDLL DetachThread(Instance)
  DbgOutFunctionName()
EndProcedure
```
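A defender-side complement to the lists above, added here and not part of the original post: a small hunt that hashes the executables in a directory, matches them against the loader hashes given in this post, and reports when the DLL such a loader resolves from its own directory (wsc.dll, deploy.dll, jli.dll) sits next to it, which is exactly the staging these targets need. The mapping of jjs.exe to jli.dll (the post only says "java-rmi.exe and others") and the constructed sample files are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Loader SHA256 -> (original executable name, DLL it resolves from its own directory).
# Hashes and DLL names are taken from this post; the jjs.exe -> jli.dll entry is an
# assumption based on the post's "jli.dll for java-rmi.exe and others".
KNOWN_LOADERS = {
    "81aa1e5578e99de5d99d775910704aa1e92b50139fc1a1a9a5fb1d60a3a7897e": ("wsc_proxy.exe", "wsc.dll"),
    "2dfac2e76ac4f67d13e37d8f0f69e62d3260df8e7b1c87e264eb1db19dd54759": ("javacpl.exe", "deploy.dll"),
    "d0a0aa2d3f457a3d119765af7458ef5c41c9f8bcc3b29a8d955bc936720a8dd6": ("java-rmi.exe", "jli.dll"),
    "f8b2647918ea7b755bd2bb66cf236a2845f1f7e42301b0bfe3e5dcc0c455fc02": ("jjs.exe", "jli.dll"),
}

def sha256_of(path):
    """Hex SHA256 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_sideload_candidates(directory, known=KNOWN_LOADERS):
    """Return (exe name, dll name, renamed?) for each known signed loader in `directory`
    whose side-loadable DLL sits beside it. Hits outside the vendor's install path deserve
    a look; `renamed` is True when the loader no longer carries its original file name."""
    hits = []
    for exe in sorted(Path(directory).glob("*.exe")):
        entry = known.get(sha256_of(exe))
        if entry is None:
            continue
        original_name, dll_name = entry
        if (exe.parent / dll_name).is_file():
            hits.append((exe.name, dll_name, exe.name.lower() != original_name))
    return hits

def build_constructed_sample():
    """Constructed offline sample: stand-in files plus a hash table built from them,
    since the real loader hashes above cannot match files created here."""
    d = Path(tempfile.mkdtemp(prefix="sideload-demo-"))
    (d / "wsc_proxy.exe").write_bytes(b"constructed stand-in for the signed loader")
    (d / "wsc.dll").write_bytes(b"constructed stand-in for a dropped wsc.dll")
    (d / "unrelated.exe").write_bytes(b"constructed noise, not a known loader")
    known = {sha256_of(d / "wsc_proxy.exe"): ("wsc_proxy.exe", "wsc.dll")}
    return d, known

if __name__ == "__main__":
    sample_dir, sample_known = build_constructed_sample()
    print(find_sideload_candidates(sample_dir, sample_known))
```

Against a real host, point it at user-writable locations (downloads, temp, per-user app data) with the default table, since a Java or Avast loader copied there beside its DLL is the pattern worth triaging.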
Download: I do not provide the executables in question as they can easily be found on the Internet and I don’t want any eager companies to send me DMCA take-down letters ;-). Hybrid Analysis / reverse.it or VirusTotal are always happy to help with downloads for these files…
A description of all executables will be collected on Github: signed-loaders