Load/Inject malicious DLL using Microsoft Tools

More and more malware relies on Microsoft tools to hide its malicious activity and damage the system. These tools can be used to bypass security products which trust Microsoft-signed binaries, and they are a serious alternative to rundll32 for executing malicious DLLs such as NotPetya or WannaCry.

In this article we will see how some Microsoft tools can be used to execute external code from a DLL. First we will see how to inject a DLL into a chosen process, and then how to simply execute DLL functions, as rundll32 does.

The DLLs used here are benign: they just start a child process, but it could be any program or ransomware such as NotPetya or WannaCry.

Inject DLL code

Mavinject

Mavinject (Microsoft Application Virtualization Injector) has been part of Microsoft Application Virtualization since 2006 and can be found in the system32 folder on Windows 10.

This tool injects a DLL into a specified running process, which results in the DLL's entry point being executed.

Mavinject32.exe <PID> /INJECTRUNNING <DLL PATH>

Mavinject64.exe <PID> /INJECTRUNNING <DLL PATH>

OR

Mavinject.exe <PID> /INJECTRUNNING <DLL PATH>

On Windows 10, the 32-bit version of mavinject can be found in the SysWOW64 folder and the 64-bit version in the system32 folder.

Mavinject proc details

In this example, “notepad.exe” is not shown as the parent process of “calculator.exe” because on Windows 10 the calculator is a Windows app started by “svchost.exe”.

The DLL has been injected into the target process “notepad”; its entry point is executed and can perform any malicious action stealthily.

Tracker

Tracker is a developer tool from the MSBuild tools which has been on Windows since 2005 and can be found in any .NET Framework folder from version 2.0 onwards.

This tool runs an executable and then loads a DLL into it.

Tracker.exe /d <DLL TO LOAD> /c <Command to track/execute>

In this image, we can see the command line used to load a DLL, the calculator being executed and the library loaded into the process. The calculator is a child process of “tracker.exe”.

Tracker proc details

In this example, the DLL has been loaded by the calc.exe process; once the DLL is loaded, its entry point is executed. Again, it could be any malicious code or ransomware hidden inside the calculator process.

The tracker executable located in the Visual Studio folder uses rundll32 to execute the DLL with the argument #1. Here, however, the DLL was loaded directly into memory with the tracker.exe located in the SDKs folder.

Load DLL code

Regsvr32

Regsvr32 is a native Windows command line tool which registers and unregisters DLLs and ActiveX controls in the Windows Registry.

Depending on the argument passed to regsvr32, the DllRegisterServer or DllUnregisterServer exported function of the DLL is called.

Regsvr32 /s [/u] <DLL PATH>

In the following screenshot, we can see the command line used to execute the DLL's functions and the result: the DllRegisterServer function starts notepad, and the DllUnregisterServer function starts PowerShell.

Regsvr32 is the parent process; we see two regsvr32 processes because it has to start a 32-bit version of regsvr32 to load a 32-bit DLL.

Regsvr32 proc details

This method is an alternative to rundll32 and can be used to host malicious DLL code inside a Microsoft-signed process.

Odbcconf

ODBCCONF is a command line tool for configuring data source names and ODBC drivers. It will soon be removed from Windows Data Access Components after more than 15 years of good service.

odbcconf /s /a {REGSVR <DLL PATH>}

Like regsvr32, this program can register our DLL by calling its DllRegisterServer function.

In this example, a calculator process is started and odbcconf exits after creating it.

odbcconf proc details

This method allows an attacker to execute malicious code stealthily, just like regsvr32.

Regasm

Regasm (Assembly Registration Tool) is a component of the .NET Framework which registers and unregisters an assembly file; with that feature we can again load malicious code from a DLL.

Regasm.exe /u <DLL PATH>

This command executes the ComUnregisterFunction of the DLL, as we can see below.

In this image, we can see the command line used to execute our code; the code executed is a child process of regasm.

Regasm proc details


RegSvcs

Regsvcs (.NET Services Installation Tool) loads and registers an assembly, like regasm.exe.

Regsvcs.exe [/u] <DLL PATH>

This command executes the ComRegisterFunction/ComUnregisterFunction of the DLL.

In this image, we can see the command line used to execute our ComRegisterFunction; the code executed is a child process of RegSvcs.exe.

Regsvcs proc details


InstallUtil

InstallUtil (Installer Tool) is a command line tool which installs and uninstalls server resources. It can be used to execute external code.

InstallUtil.exe /U <DLL PATH>

This command executes the Uninstall function of our library, as we can see below.

In this image, we can see the command line used to execute our code; the code executed is a child process of “InstallUtil.exe”.

InstallUtil proc details
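As an added example (not code from the original post, nor from the SAFE Endpoint product), the following Python script shows how a defender could spot, in process-creation telemetry, the command lines and the parent/child relationships described in the Mavinject, Tracker, Regsvr32, Odbcconf, Regasm, Regsvcs and InstallUtil sections above. The event records, PIDs, image paths and command lines are constructed for the example in the shape of Sysmon Event ID 1 (process creation) data; the `C:\Windows` system root, the `C:\SDK\bin` Tracker path and the severity heuristic (a DLL outside the system root counts as "high") are assumptions, not facts from the article.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry shaped like Sysmon Event ID 1 (process creation)
# records exported as JSON objects. PIDs, paths and command lines are made up
# for this example; the Tracker image path is illustrative, not a real install path.
EVENTS = [
    {"pid": 1001, "ppid": 500,  "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2001, "ppid": 1001, "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 3344 /INJECTRUNNING C:\Users\bob\AppData\Local\Temp\payload.dll"},
    {"pid": 2002, "ppid": 1001, "image": r"C:\SDK\bin\Tracker.exe",
     "cmdline": r"Tracker.exe /d C:\Users\bob\evil.dll /c calc.exe"},
    {"pid": 2003, "ppid": 2002, "image": r"C:\Windows\System32\calc.exe", "cmdline": "calc.exe"},
    {"pid": 2004, "ppid": 1001, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\bob\Downloads\sample.dll"},
    {"pid": 2005, "ppid": 2004, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\regsvr32.exe" /s C:\Users\bob\Downloads\sample.dll'},
    {"pid": 2006, "ppid": 2005, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"pid": 2007, "ppid": 1001, "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf /s /a {REGSVR C:\ProgramData\x.dll}"},
    {"pid": 2008, "ppid": 2007, "image": r"C:\Windows\System32\calc.exe", "cmdline": "calc.exe"},
    {"pid": 2009, "ppid": 1001, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /U C:\Users\bob\svc.dll"},
    {"pid": 2010, "ppid": 1001, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},   # routine system DLL registration
]

# Command-line patterns for each tool discussed in the article, keyed by lower-case
# image name. The pattern must match for the event to count as a DLL load/inject.
COMMANDLINE_RULES = {
    "mavinject.exe":   re.compile(r"/injectrunning\b", re.I),
    "mavinject32.exe": re.compile(r"/injectrunning\b", re.I),
    "mavinject64.exe": re.compile(r"/injectrunning\b", re.I),
    "tracker.exe":     re.compile(r"(^|\s)/d\s", re.I),
    "regsvr32.exe":    re.compile(r"\.dll\b", re.I),
    "odbcconf.exe":    re.compile(r"/a\s*\{\s*regsvr\b", re.I),
    "regasm.exe":      re.compile(r"\.dll\b", re.I),
    "regsvcs.exe":     re.compile(r"\.dll\b", re.I),
    "installutil.exe": re.compile(r"\.dll\b", re.I),
}

# Tools whose job is to register a DLL in-process, so they have no business spawning
# children. Tracker.exe is left out because running a command (/c) is its purpose, and
# Mavinject because the injected code runs inside the *target* process, not a child.
DLL_HOSTS = {"regsvr32.exe", "odbcconf.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}

DLL_PATH = re.compile(r'[A-Za-z]:\\[^\s"{}]+\.dll', re.I)
SYSTEM_ROOT = "c:\\windows\\"   # assumption: default install; read %SystemRoot% in real use


def image_name(path):
    """Lower-case file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def dll_argument(cmdline):
    """First absolute .dll path found on the command line, or None."""
    m = DLL_PATH.search(cmdline)
    return m.group(0) if m else None


def check_commandline(ev):
    """Flag a known DLL-loading tool invoked with its load/inject switch."""
    name = image_name(ev["image"])
    rule = COMMANDLINE_RULES.get(name)
    if rule is None or not rule.search(ev["cmdline"]):
        return None
    dll = dll_argument(ev["cmdline"])
    # Heuristic: a DLL outside the system root (user profile, ProgramData, temp dirs)
    # is the interesting case; system DLLs registered by regsvr32 are routine noise.
    severity = "high" if dll and not dll.lower().startswith(SYSTEM_ROOT) else "low"
    return {"pid": ev["pid"], "rule": "lolbin-dll-load", "severity": severity,
            "detail": f"{name} loading {dll or '<no .dll argument>'}"}


def check_parent_child(ev, by_pid):
    """Flag any child process of a registration tool (regsvr32, odbcconf, ...)."""
    parent = by_pid.get(ev["ppid"])
    if parent is None:
        return None
    pname, cname = image_name(parent["image"]), image_name(ev["image"])
    # regsvr32 re-launching its 32-bit copy from SysWOW64 for a 32-bit DLL is expected.
    if pname in DLL_HOSTS and cname != pname:
        return {"pid": ev["pid"], "rule": "child-of-dll-host", "severity": "high",
                "detail": f"{cname} spawned by {pname} (pid {parent['pid']})"}
    return None


def scan(events):
    """Run both checks over a batch of process-creation events; return the alerts."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        for alert in (check_commandline(ev), check_parent_child(ev, by_pid)):
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(EVENTS):
        print(f"[{a['severity']:4}] pid={a['pid']} {a['rule']}: {a['detail']}")
```

Two caveats matter in practice. Mavinject leaves no child process, since the DLL's entry point runs inside the target (notepad in the article's example), so only the command-line rule catches it; correlating with image-load telemetry on the target process (Sysmon Event ID 7) gives a second signal. And regsvr32 is used heavily by legitimate installers, so the system-root heuristic should be replaced by an allowlist of known DLL paths or signers in a real deployment.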


How SAFE Endpoint blocks these actions

SAFE Endpoint Security is a multi-layer security product which blocks this type of attack or malicious file using multiple methods, at each step of the attack:

  • SAFE Endpoint Security limits access to some administrative tools (cmd.exe, powershell.exe, rundll32.exe, regsvr32.exe, …)
  • Thanks to the analysis engine, unsigned libraries are analysed. This feature prevents malicious DLLs from being loaded.

In the following video, malicious DLLs are loaded using the different methods described above. SAFE Endpoint Security is set to protection mode in order to block malicious actions:

Conclusion

As we saw, many Microsoft tools allow loading or injecting malicious code into a legitimate application. This technique is increasingly used to hide malicious activity on a system, and it can bypass traditional security solutions.

To prevent this type of attack, it is important to control the process execution flow in order to prevent malicious use of Microsoft binaries.
In addition, it is necessary to perform a deep analysis of unknown DLLs loaded on the system, to prevent malicious code from running inside a legitimate application.