https://github.com/mandiant/duedlligence
- Host: GitHub
- URL: https://github.com/mandiant/duedlligence
- Owner: mandiant
- License: apache-2.0
- Archived: true
- Created: 2019-10-04T18:34:27.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2023-06-02T14:24:43.000Z (about 3 years ago)
- Last Synced: 2025-03-11T18:52:33.156Z (over 1 year ago)
- Language: C#
- Size: 520 KB
- Stars: 468
- Watchers: 18
- Forks: 89
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
README
# DueDLLigence
Shellcode runner framework for application whitelisting bypasses and DLL side-loading. The shellcode included in this project spawns calc.exe.
Authors: Evan Pena (@evan_pena2003), Ruben Boonen (@FuzzySec), Casey Erikson (@EriksocSecurity), Brett Hawkins (@h4wkst3r)
To change the injection type, set the following constant to the desired `ExecutionMethod` value:
```csharp
public const ExecutionMethod method = ExecutionMethod.CreateThread;
```
Blog Post References:
https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
https://www.fireeye.com/blog/threat-research/2020/01/abusing-dll-misconfigurations.html
The DLL can be run with the following legitimate executables.
## Application Whitelisting Bypasses (LOLBins)
### Control.exe
Export: CPlApplet
Syntax: Rename compiled “dll” extension to “cpl” and just double click it!
```
Control.exe [cplfile]
Rundll32.exe Shell32.dll, Control_RunDLL [cplfile]
```
### Rasautou
Export: powershell
```
rasautou -d {dllpayload} -p powershell -a a -e e
```
### Msiexec
Export: DllUnregisterServer
```
msiexec /z {full path to msiexec.dll}
```
## DLL Side-Loading Binaries and Details
### Tortoise SVN (SubWCRev.exe)
- Executable: SubWCRev.exe
- File Path: C:\Program Files\Tortoise SVN\bin
- MD5 Hash: c422a95929dd627b4c2be52226287003
- DLL: crshhndl.dll
- Arch: x64
- OS: Win7 & 10
- Exports: InitCrashHandler, SendReport, IsReadyToExit, SetCustomInfo, AddUserInfoToReport, RemoveUserInfoFromReport, AddFileToReport, RemoveFileFromReport, GetVersionFromApp, GetVersionFromFile
### Dism Image Servicing Utility (Dism.exe)
- Executable: Dism.exe
- File Path: C:\Windows\System32
- MD5 Hash: 5e70ab0bf74bba785b83da53a3056a21
- DLL: DismCore.dll
- Arch: x64
- OS: Win7 & 10
- Export: DllGetClassObject
### PotPlayerMini
- Executable: PotPlayer.exe
- File Path: {Installation Directory}
- MD5 Hash: f16903b2ff82689404f7d0820f461e5d
- DLL: PotPlayer.dll
- Arch: x86
- Exports: PreprocessCmdLineExW, UninitPotPlayer, CreatePotPlayerExW, DestroyPotPlayer, SetPotPlayRegKeyW, RunPotPlayer
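The following is an added detection example, not part of the DueDLLigence project: it scans constructed, Sysmon Event ID 7 (ImageLoad) style records for loads of the DLL names paired with the executables listed above, and flags a host executable running outside its expected directory or a paired DLL that carries no valid Authenticode signature. The field names Image, ImageLoaded, Signed and SignatureStatus are Sysmon's; the key=value flattening and every sample path are assumptions constructed for this example.

```python
import ntpath
import re

# Side-loading pairs from the README: host executable -> (DLL name, expected host directory; None = varies).
SIDELOAD_PAIRS = {
    "subwcrev.exe": ("crshhndl.dll", r"c:\program files\tortoise svn\bin"),
    "dism.exe": ("dismcore.dll", r"c:\windows\system32"),
    "potplayer.exe": ("potplayer.dll", None),
}

# Constructed sample records (assumed format): Sysmon Event ID 7 fields flattened to key=value pairs.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\Dism.exe ImageLoaded=C:\Windows\System32\DismCore.dll Signed=true SignatureStatus=Valid Signature=Microsoft Windows",
    r"Image=C:\Users\alice\Downloads\Dism.exe ImageLoaded=C:\Users\alice\Downloads\DismCore.dll Signed=false SignatureStatus=Unavailable Signature=",
    r"Image=C:\Program Files\Tortoise SVN\bin\SubWCRev.exe ImageLoaded=C:\Program Files\Tortoise SVN\bin\crshhndl.dll Signed=false SignatureStatus=Unavailable Signature=",
    r"Image=C:\Program Files\Tortoise SVN\bin\SubWCRev.exe ImageLoaded=C:\Program Files\Tortoise SVN\bin\crshhndl.dll Signed=true SignatureStatus=Valid Signature=TortoiseSVN",
    r"Image=C:\Tools\PotPlayer\PotPlayer.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true SignatureStatus=Valid Signature=Microsoft Windows",
]

def parse_record(line):
    """Split a flattened record into a dict; values may contain spaces, so each value ends at the next key=."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def check_image_load(rec):
    """Return the reasons a load of a listed DLL by its paired host looks untrusted ([] if benign or unrelated)."""
    host = ntpath.basename(rec.get("Image", "")).lower()
    if host not in SIDELOAD_PAIRS:
        return []
    dll_name, expected_dir = SIDELOAD_PAIRS[host]
    loaded = rec.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != dll_name:
        return []
    reasons = []
    host_dir = ntpath.dirname(rec["Image"]).lower()
    if expected_dir and host_dir != expected_dir:
        reasons.append(f"{host} running from {host_dir} instead of {expected_dir}")
    if rec.get("Signed", "").lower() != "true" or rec.get("SignatureStatus") != "Valid":
        reasons.append(f"{dll_name} loaded without a valid Authenticode signature "
                       f"(Signed={rec.get('Signed')}, SignatureStatus={rec.get('SignatureStatus')})")
    return reasons

def scan(lines):
    """Run the check over every record and return (Image, ImageLoaded, reasons) for each hit."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        reasons = check_image_load(rec)
        if reasons:
            hits.append((rec["Image"], rec["ImageLoaded"], reasons))
    return hits
```

Calling `scan(SAMPLE_LOG)` flags the Dism.exe copy in the Downloads folder and the unsigned crshhndl.dll, while the signed loads from the expected directories pass.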
Credit for the DueDLLigence name goes to Paul Sanders (@saul_panders)