Overview
Frida-based dynamic instrumentation for identifying Windows "features" exploitable for:
- DLL Sideloading (T1574.002)
- COM Hijacking (T1546.015)
WFH Dridex variant: ~966 validated sideloads vs 96 from original.
MITRE ATT&CK Mapping
T1574.002 - DLL Side-Loading
| Tactic | ID | Description | |--------|-----|-------------| | Persistence | TA0003 | Maintain access via trusted process | | Privilege Escalation | TA0004 | Inherit elevated token | | Defense Evasion | TA0005 | Execute under signed binary |
Hooked APIs:
LoadLibraryW(LPCWSTR lpLibFileName)
LoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
Attack Chain:
1. Identify signed exe with weak DLL reference
2. Copy exe to attacker-controlled directory
3. Place malicious DLL with expected name
4. Execute → DLL loads in trusted context
T1546.015 - COM Hijacking
| Tactic | ID | Description | |--------|-----|-------------| | Persistence | TA0003 | Survive reboots via registry | | Privilege Escalation | TA0004 | Hijack elevated COM server |
Hooked APIs:
RegQueryValueExW → CLSID\{GUID}\InProcServer32
Attack Chain:
1. Monitor COM object instantiation
2. Create HKCU shadow of HKLM CLSID entry
3. Point InProcServer32 to malicious DLL
4. Application loads attacker DLL on COM call
Usage Patterns
DLL Sideloading Detection
# Single target
python wfh.py -t .\mspaint.exe -m dll
# Batch (copy exes to WFH dir first)
python wfh.py -t * -m dll
# Verbose with timeout
python wfh.py -t * -m dll -v -timeout 30
COM Hijacking Detection
python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -v
WFH Dridex (Enhanced)
# Requires MinGW G++ in PATH
python wfh_dridex.py
# Outputs: results.csv with validated sideloads
Bulk Windows Binary Scan
# Copy all signed Windows binaries
Get-ChildItem c:\ -File | ForEach-Object {
if($_ -match '.+?exe$') {Get-AuthenticodeSignature $_.fullname}
} | Where {$_.IsOSBinary} | ForEach-Object {Copy-Item $_.path .}
# Hunt
python wfh.py -t * -m dll
python wfh.py -t * -m com
High-Value Targets
| Executable | Sideloadable DLLs | |------------|-------------------| | mspaint.exe | gdiplus.dll, MSFTEDIT.DLL, PROPSYS.dll, WINMM.dll, MFC42u.dll | | charmap.exe | MSFTEDIT.DLL, GetUName.dll | | iexplore.exe | ie_to_edge_bho_64.dll, Windows.Storage.dll |
Full System32 results: WFH_Dridex_System32_08172022.csv
Defensive Countermeasures
Detection Tools
| Tool | Purpose | |------|---------| | SideLoadHunter | Sysmon + PowerShell profiling | | HijackLibs | Known sideload database (507 WFH contributions) |
Sysmon Detection Rules
<!-- DLL Sideloading: Signed exe from non-standard path -->
<RuleGroup name="DLL Sideload" groupRelation="and">
<ImageLoad onmatch="include">
<ImageLoaded condition="contains">\Users\</ImageLoaded>
<Signed condition="is">true</Signed>
</ImageLoad>
</RuleGroup>
<!-- COM Hijack: HKCU InProcServer32 modification -->
<RuleGroup name="COM Hijack" groupRelation="or">
<RegistryEvent onmatch="include">
<TargetObject condition="contains">CLSID</TargetObject>
<TargetObject condition="contains">InProcServer32</TargetObject>
</RegistryEvent>
</RuleGroup>
Detection Signals
| Signal | Indicator | |--------|-----------| | Path Anomaly | Signed exe running from %TEMP%, Downloads, user dirs | | DLL Location | Non-System32 DLL loaded by Windows binary | | Registry Shadow | HKCU COM registration duplicating HKLM entry | | Manifest Weakness | LoadLibrary with filename-only (no full path) |
GF(3) Integration
Skill Trit: MINUS (-1) = Validator/Constrainer
Color Hue: Vermillion (0-60° warm, warning spectrum)
Conservation: Pairs with PLUS skill for balanced execution
Triad Assignment:
- MINUS: vermillion-hunter (detect vulnerabilities)
- ERGODIC: defense-synthesis (correlate findings)
- PLUS: exploit-executor (validate exploitability)
Dependencies
pip install frida frida-tools
# For WFH Dridex:
# MinGW G++ 64-bit with g++.exe in PATH