Category Archives: Sideloading

More hidden Phantom DLLs

Posted on by

Pretty much all of the phantom DLL scenarios that I have been describing over the years are linked to specific use cases, where the code referencing these non-existing DLLs is most of the time immediately accessible from a native OS program. And as such, the technique can be leveraged immediately. In other words, anyone with some basic know-how about phantom DLLs can control the process of loading payloads leveraging this trick at any time.

The complexity of Windows OS cannot be understated.

Despite many efforts, hours spent reversing, I often come across situations where I simply don’t understand the code, the logic, or the conditions to load certain phantom DLLs are so convoluted, that it is simply not worth inspecting any further….

This is where this post begins.

There are still many phantom DLLs that I have not described yet, but the chances that I ever will are not very high. This is because most of the ‘obvious’ phantom DLLs are already pretty well-described, and the effort that one has to make to describe the ones that are left is ‘uuuuge. But… there is an easier way.

Instead of chasing unicorns, we can just list the possible scenarios w/o going into details on how they are invoked. From a defender’s perspective it is still a win, because we can simply focus on detection of phantom DLL files being created, without a need to understand how they will be loaded by threat actors.

Okay…

That’s a lot of words to describe never-seen-before IOCs.

So, here they are.

When the files are created that match the file names in the column 2, it is worth investigating further…

DLL ForwardSideloading, Part 2

Posted on by

The 2nd part following my first take on this subject was kinda inevitable.

Why?

Sixtyvividtails is one of my fav researchers, because a) he reads my posts, breaks them apart, and usually comes up with some amazing/creative comments/additional thoughts that often lead us to some new, cool discoveries (see f.ex. this) b) he also made a social media bet that I (obviously) couldn’t leave unchallenged. Thank you Sixtyvividtails, you are an inspiration and I love your research and creative ideas a lot!

So, to business…

My first find was this unsigned Realtek DLL (RealWoWDLL.dll – VT Link) that exported the intriguing forward:

testker -> kerberos.Spinitialize

Then… I went for holidays 🙂

I did go there with an idea though that after coming back I will do a more structured follow-up research…

So when I came back, I immediately got to work.

The first target was an obvious one – run the very same forwarder-extractor script over the Windows 2025 server files. The results are here. Many of these combos can be used for DLL ForwardSideloading.

The second target was bigger. I checked my repo of ‘good’ files only to discover that I am sitting on around 700K ‘clean’ DLLs, both 32- and 64-bit. Sadly, I don know which ones of them are truly signed or not, unless the actual PE file of the DLL is physically signed (aka not via a catalogue). Still, 700K files is a lot, and there is a hope that it’s worth analyzing them all to see how many of them are non-Microsoft, and actually use/leverage the forwarded exports…

So, I ran my script over the last weekend and after few days it spat out its results.

And here’s the catch:

  • yes, some vendors do appear to be using forwarded functions same as Microsoft and Realtek
  • many functions that have their names exported by DLLs (mapping present in the export table) are not necessarily meant to be used by any other program, but since some do include a “.” character in their name, they could actually be used to facilitate DLL ForwardSideloading !

See the (filtered) results here.