Hello to all, after a long break I'm back to take on more adventures with process injection techniques. Today's technique is DLL sideloading, where you will learn how to trick a legitimate executable into loading your own malicious code. Sounds easy? LET'S JUMP IN.
The plan of our blog is as follows:
1- What is DLL sideloading and how it works
2- An implementation with cpp
3- Video demo
4- Detection of DLL sideloading
5- Conclusion
What is DLL Sideloading and how it works.
DLL sideloading is a technique attackers use to abuse the way Windows applications locate and load dynamic link libraries (DLLs). The attacker places a malicious DLL, named after a library the program imports, where a legitimate (often signed) executable will find it before the trusted copy, so the program loads the attacker's code under its own identity and privileges. This works because Windows resolves a DLL requested by name alone by walking a fixed search order. With SafeDllSearchMode enabled, which is the default, the loader checks the directory the executable was loaded from first, then the system directory (System32, or SysWOW64 for a 32-bit process), then the Windows directory, then the current directory, and finally the directories listed in the PATH environment variable. The application directory wins, and that is exactly the directory the attacker controls when they copy the executable somewhere writable and drop their DLL next to it. Two caveats: a DLL on the KnownDLLs list (kernel32.dll, ntdll.dll, user32.dll and friends) is always taken from the system directory no matter what sits beside the executable, and a DLL the application loads by absolute path is not affected either.
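To make the search order concrete, here is an added Python model of it; this is illustration code written for this post, not Windows loader code. It walks the directories in the documented order over a constructed in-memory "filesystem" and returns the first path that holds the requested DLL, so you can see why a DLL planted next to a copied executable wins over the copy in System32, and why planting a KnownDLL such as kernel32.dll does nothing. The directory layout, the KnownDLLs subset and the executable name are all made up for the example.

```python
"""Model of the Windows standard DLL search order used by desktop apps.

Added illustration, not Windows code: it walks the directories in the order
the loader does and returns the first one that holds the requested DLL, so
the effect of dropping a DLL next to a legitimate executable is visible.
The "filesystem" is a constructed in-memory set of paths.
"""
from typing import Iterable, Optional, Set

# KnownDLLs are always loaded from the system directory and never searched for.
# Constructed subset of the usual registry list, not read from a live system.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ole32.dll"}


def _join(directory: str, name: str) -> str:
    return (directory.rstrip("\\") + "\\" + name).lower()


def search_order(app_dir: str, system_dir: str, windows_dir: str, cwd: str,
                 path_dirs: Iterable[str], safe_search: bool = True) -> list:
    """Directories the loader probes, in order (16-bit System dir omitted).

    With SafeDllSearchMode on (the default) the current directory is checked
    after the system and Windows directories; with it off it comes second.
    """
    if safe_search:
        order = [app_dir, system_dir, windows_dir, cwd]
    else:
        order = [app_dir, cwd, system_dir, windows_dir]
    return order + list(path_dirs)


def resolve_dll(dll_name: str, fs: Set[str], app_dir: str, system_dir: str,
                windows_dir: str, cwd: str, path_dirs: Iterable[str],
                safe_search: bool = True) -> Optional[str]:
    """Return the full path the loader would pick for dll_name, or None."""
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return _join(system_dir, name)  # search order bypassed entirely
    for directory in search_order(app_dir, system_dir, windows_dir, cwd,
                                  path_dirs, safe_search):
        candidate = _join(directory, name)
        if candidate in fs:
            return candidate
    return None


# Constructed layout: a signed vendor app in Program Files that imports
# version.dll (a System32 DLL that is not on the KnownDLLs list), and an
# attacker's copy of the same exe in a user-writable folder with planted DLLs.
SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"
VENDOR_DIR = r"C:\Program Files\Vendor"
STAGING_DIR = r"C:\Users\bob\Downloads\vendor"
PATH_DIRS = [SYSTEM32, WINDOWS, r"C:\Tools"]

FS = {
    _join(VENDOR_DIR, "app.exe"),
    _join(SYSTEM32, "version.dll"),
    _join(SYSTEM32, "kernel32.dll"),
    _join(STAGING_DIR, "app.exe"),
    _join(STAGING_DIR, "version.dll"),   # planted, same name as the real one
    _join(STAGING_DIR, "kernel32.dll"),  # planted too, but a KnownDLL
}


def demo(cwd: str = r"C:\Users\bob") -> dict:
    """Resolve the same imports from both locations; returns a dict for checks."""
    common = dict(fs=FS, system_dir=SYSTEM32, windows_dir=WINDOWS,
                  cwd=cwd, path_dirs=PATH_DIRS)
    return {
        "vendor_version": resolve_dll("version.dll", app_dir=VENDOR_DIR, **common),
        "staged_version": resolve_dll("version.dll", app_dir=STAGING_DIR, **common),
        "staged_kernel32": resolve_dll("kernel32.dll", app_dir=STAGING_DIR, **common),
    }


if __name__ == "__main__":
    for key, path in demo().items():
        print(f"{key:16} -> {path}")
```

Running it shows the app in its vendor directory picking up `C:\Windows\System32\version.dll`, the staged copy picking up the planted `version.dll` from the attacker's folder, and the planted `kernel32.dll` being ignored because KnownDLLs skip the search. Flip `safe_search` to `False` and the current directory moves ahead of System32, which is the older, weaker behaviour.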
Ok, now that we have a quick idea of what DLL sideloading is, let us take a look at its history.
Stuxnet, the highly sophisticated cyberweapon that targeted Iran's nuclear program, is commonly credited with using DLL sideloading to get its malicious code running inside legitimate Windows processes. The PlugX Remote Access Trojan (RAT) is the textbook case: it sideloads its payload through legitimate signed applications from vendors such as Adobe, McAfee and Microsoft so that the malicious code runs under a trusted process name and bypasses security controls.