(YARA) YARA_DLLProxying
rule DLLProxying {
condition:
// Check for presence of DLL_PROCESS_ATTACH in DllMain function
uint16(0) == 0x6461 and (
// Check for the presence of LoadLibrary, which is used to load the legitimate DLL
uint32(2) == 0x6C6C6100 and uint32(6) == 0x6574726F and
// Check for the presence of GetProcAddress, which is used to retrieve the addresses of the functions in the legitimate DLL
uint32(10) == 0x72630067 and uint32(14) == 0x61647079 and uint32(18) == 0x61636F00 and uint32(22) == 0x0072696E and
// Check for the presence of a function that will be used to redirect function calls to the legitimate DLL
// This example uses a function named "ProxyFunction", but the function name can be anything
uint32(26) == 0x646E6900 and uint32(30) == 0x00667379
)
// Check for presence of dllexport attribute on the function that redirects calls to the legitimate DLL
// This example uses a function named "ProxyFunction", but the function name can be anything
and (pe.exports("ProxyFunction") or pe.exports("ProxyFunction@0"))
}
Associated Techniques
| Technique Name | Technique ID's | Snippet(s) | OS |
|---|---|---|---|
| DLL Proxying | U1240 |
Created
December 6, 2022
Last Revised
December 6, 2022