kernel32.dll HeapReAlloc -> NTDLL.RtlReAllocateHeap
kernel32.dll HeapSize -> NTDLL.RtlSizeHeap<\/pre>\n\n\n\n
Now, most of us assume that lots of forwards redirect the execution to most popular Windows DLLs, and these are typically just your regular KnownDLLs: ntdll, kernelbase, ole32, etc. — ones that are on the KnownDLLs list + very often already loaded into memory.<\/p>\n\n\n\n
I decided to check what forwards we can find on the Win 11 OS, because I had a cunning plan: If I can find a forward that does not redirect to KnownDlls, then I can execute an indirect DLL sideloading, one that is on par with traditional EXE sideloading technique.<\/p>\n\n\n\n
Meaning?<\/p>\n\n\n\n
Use a signed rundll32.exe to load a signed DLL that will then load the payload DLL of our choice… by using that exported function.<\/p>\n\n\n\n
This is a list of forwards<\/a> I have generated.<\/p>\n\n\n\n We can quickly identify a non-KnownDlls pair, where:<\/p>\n\n\n\n So, copying keyiso.dll<\/em> to c:\\test, and then placing a payload in NCRYPTPROV.dll<\/em> in the same folder, and then finally executing:<\/p>\n\n\n\n will load a copy of the keyiso.dll<\/em> first, then the function resolution of KeyIsoSetAuditingInterface<\/em> will resolve it first to NCRYPTPROV.SetAuditingInterface<\/em> forward, and then automatically load the NCRYPTPROV.dll<\/em>, and only then execute the function’s code. In the example below, I didn’t bother to implement SetAuditingInterface<\/em> in the test DLL, just to showcase the execution flow leading to (actually misleading, since it refers to the outer DLL\/API name combo) ‘missing API’ message box.<\/p>\n\n\n\n The DLLMain_64_DLL_PROCESS_ATTACH.txt<\/em> file is created by the test payload, indicating its DllMain function has been executed.<\/p>\n\n\n\n Obviously, this technique does not need to rely on OS libraries. I am pretty sure that a bigger study of exported functions from a larger corpora of signed DLLs will yield a set of combos that can be used to implement this technique.<\/p>\n","protected":false},"excerpt":{"rendered":" Some DLLs export functions (via export table) that are just forwarding execution to functions implemented in other libraries. It’s a very common practice and one of the most known forwards are: kernel32.dll HeapAlloc -> NTDLL.RtlAllocateHeapkernel32.dll HeapReAlloc -> NTDLL.RtlReAllocateHeapkernel32.dll HeapSize -> … Continue reading keyiso.dll KeyIsoSetAuditingInterface -> NCRYPTPROV.SetAuditingInterface<\/pre>\n\n\n\n
rundll32.exe c:\\test\\keyiso.dll, KeyIsoSetAuditingInterface<\/pre>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2025\/08\/keyiso.png\")
<\/a><\/figure>\n\n\n\n