Hunting for Windows “Features” with Frida: DLL Sideloading

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

Offensive security professionals have been using Frida for analyzing iOS and Android mobile applications. However, there has been minimal usage of Frida for desktop operating systems such as Windows. Frida is described by the author as a “Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.” From a security research and adversarial simulation perspective, Frida can be used to identify MITRE ATT&CK technique T1574.002 also known as dynamic-link library (DLL) sideloading. Frida is not limited to identifying DLL sideloading. It can also identify MITRE ATT&CK technique T1546.015 also known as Component Object Model (COM) hijacking. This blog post will review DLL sideloading, and how attackers and offensive security professionals can identify potential DLL sideloading opportunities using X-Force Red’s proof-of-concept Frida tool Windows Feature Hunter (WFH).

What Is DLL Sideloading?

MITRE ATT&CK describes DLL sideloading in T1574.002 as follows:

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

MITRE ATT&CK goes on to say that “side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other.”

Microsoft also wrote a blog post where they define what is considered a vulnerability, saying that CWD scenarios would be addressed with a security fix, while PATH directory scenarios would not, “since there can’t be a non-admin directory in the PATH, [it] can’t be exploited.”

Windows DLL Search Order

Microsoft details DLL search order in this post. The post describes DLL search order, as shown in the excerpt below:

A system can contain multiple versions of the same dynamic-link library (DLL). Applications can control the location…