3. Overview 🔎
● DLL Hollowing
● What is CFG
● Problems posed by CFG
● Dynamically finding Targets
● Control Flow
● VirusTotal Analysis
4. DLL Hollowing
DLL hollowing is a form of process injection, in which an attacker inserts malicious code into known benign software. With DLL hollowing, the attacker loads a new, legitimate DLL into the current process or into a remote process's memory space and overwrites part of its code with the payload. The goal is to hide from casual analysis. When looking for quick wins, researchers or incident response analysts look for any process or executable that does not look normal. In most use cases, the process and the DLL are both benign: inspecting the EXE and the DLL on the file system shows nothing out of the ordinary, because only the in-memory copy of the DLL's code has been changed.
@TRUSTEDSEC
5. What is CFG?
Control Flow Guard (CFG) is a highly-optimized platform security feature that was
created to combat memory corruption vulnerabilities. By placing tight restrictions
on where an application can execute code from, it makes it much harder for
exploits to execute arbitrary code through vulnerabilities such as buffer overflows.
dumpbin /headers /loadconfig C:\Windows\System32\ntdll.dll
In the output, /headers lists "Control Flow Guard" under the DLL characteristics of a CFG-enabled image, and /loadconfig shows the Guard Flags and the guard CF function table from the load config directory.
6. Problems posed by CFG
The compiler does the following:
● Adds lightweight security checks to the compiled code.
● Identifies the set of functions in the application that are valid
targets for indirect calls.
The runtime support, provided by the Windows kernel:
● Efficiently maintains state that identifies valid indirect call
targets.
● Implements the logic that verifies that an indirect call target is
valid.
When a CFG check fails at runtime, Windows immediately terminates
the program, thus breaking any exploit that attempts to indirectly call
an invalid address. This is the problem CFG poses for DLL hollowing: an
indirect call into the injected code is validated against the valid-target
set computed for the original module, so if the hollowed DLL was built with
CFG the call can be rejected and the process killed. A module that was not
built with CFG has all of its executable pages treated as valid targets,
which is why the technique looks for DLLs without CFG.
https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
8. Finding Target DLLs
To use a DLL for this technique, it must meet the following requirements:
● DLL must NOT already be loaded in memory (in the target process)
● DLL MUST HAVE a .text section (the executable code section that will be overwritten)
● DLL must NOT have CFG enabled (no "Control Flow Guard" under DLL characteristics in dumpbin /headers)
* The most common examples of such DLLs I could find were the PowerShell v1
modules, Media Player DLLs, and VirtualBox DLLs.
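The three requirements above, as an added Python example (not the talk's or TrustedSec's tooling): a minimal PE header parser that reports whether a DLL on disk carries the IMAGE_DLLCHARACTERISTICS_GUARD_CF bit, has an executable .text section, and is absent from a caller-supplied list of modules already loaded in the target process. The sample images, the loaded-module list and the function names (parse_pe, is_hollowing_candidate, scan_directory, build_minimal_pe) are constructed for this example; on a Windows host, scan_directory() can be pointed at a real directory and the loaded-module list populated from tasklist /m or Get-Process.

```python
"""Triage DLLs for DLL hollowing: not loaded in the target, has an executable
.text section, not built with Control Flow Guard. Constructed example code;
the PE images in main() are header-only stand-ins built in memory."""
from __future__ import annotations

import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

# Constants from winnt.h
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000   # set by the linker for /guard:cf
IMAGE_SCN_MEM_EXECUTE = 0x20000000


@dataclass
class PeInfo:
    is_dll: bool
    cfg_enabled: bool
    sections: list[tuple[str, int]]   # (name, section characteristics)


def parse_pe(data: bytes) -> PeInfo:
    """Read just enough of the PE headers to answer the three questions."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections @2, SizeOfOptionalHeader @16, Characteristics @18
    num_sections, size_of_opt, file_chars = struct.unpack_from("<2xH12xHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):               # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    first_section = opt + size_of_opt
    sections = []
    for i in range(num_sections):
        hdr = first_section + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        (sec_chars,) = struct.unpack_from("<I", data, hdr + 36)
        sections.append((name, sec_chars))
    return PeInfo(bool(file_chars & IMAGE_FILE_DLL),
                  bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF), sections)


def is_hollowing_candidate(name: str, data: bytes,
                           loaded_modules: Iterable[str]) -> tuple[bool, list[str]]:
    """Apply the three requirements; returns (candidate?, reasons it was rejected)."""
    info = parse_pe(data)
    reasons = []
    if not info.is_dll:
        reasons.append("IMAGE_FILE_DLL not set")
    if name.lower() in {m.lower() for m in loaded_modules}:
        reasons.append("already loaded in the target process")
    if not any(n == ".text" and c & IMAGE_SCN_MEM_EXECUTE for n, c in info.sections):
        reasons.append("no executable .text section")
    if info.cfg_enabled:
        reasons.append("built with CFG (IMAGE_DLLCHARACTERISTICS_GUARD_CF)")
    return (not reasons, reasons)


def scan_directory(directory: str, loaded_modules: Iterable[str]) -> list[str]:
    """Return file names under `directory` that pass all three checks (for a Windows host)."""
    loaded = list(loaded_modules)
    hits = []
    for path in Path(directory).glob("*.dll"):
        try:
            ok, _ = is_hollowing_candidate(path.name, path.read_bytes(), loaded)
        except (ValueError, OSError, struct.error):
            continue                                # not a parsable PE; skip it
        if ok:
            hits.append(path.name)
    return hits


def build_minimal_pe(section_names: list[str], cfg: bool, dll: bool = True) -> bytes:
    """Construct a header-only PE32+ image for offline testing; it is not loadable."""
    e_lfanew = 0x40
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_of_opt = 240                               # PE32+ optional header size
    file_chars = 0x0022 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, size_of_opt, file_chars)
    dll_chars = 0x0160 | (IMAGE_DLLCHARACTERISTICS_GUARD_CF if cfg else 0)  # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dll_chars)
    secs = b""
    for n in section_names:
        chars = 0x60000020 if n == ".text" else 0x40000040   # CODE|EXECUTE|READ vs INITIALIZED_DATA|READ
        secs += n.encode().ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)
    return dos + IMAGE_NT_SIGNATURE + coff + bytes(opt) + secs


if __name__ == "__main__":
    # Constructed stand-in for the target process's module list (e.g. from tasklist /m)
    loaded = ["ntdll.dll", "kernel32.dll", "kernelbase.dll"]
    samples = {
        "legacy.dll": build_minimal_pe([".text", ".rdata", ".data"], cfg=False),
        "modern.dll": build_minimal_pe([".text", ".rdata"], cfg=True),
        "resource_only.dll": build_minimal_pe([".rsrc"], cfg=False),
        "kernel32.dll": build_minimal_pe([".text"], cfg=False),
    }
    for name, image in samples.items():
        ok, why = is_hollowing_candidate(name, image, loaded)
        print(f"{name:18} {'CANDIDATE' if ok else 'rejected: ' + '; '.join(why)}")
```

The script reads only the GUARD_CF bit in DllCharacteristics, which is what dumpbin /headers reports as "Control Flow Guard"; dumpbin /loadconfig additionally shows the Guard Flags and function-table pointer from the load config directory, which this example does not parse. The loaded-module check is relative to the target process, so the list must come from that process, not from the host as a whole.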