NorthwaveSecurity/sideloader
Sideloader

Automatically find sideload opportunities and generate DLLs
Description | Installation | Usage | Limitations | Issues | License
Built with ❤ by the Northwave Red Team


Description

Automatically find sideload opportunities and generate DLLs. The program consists of a server and a client. The server allows uploading binaries and running them while capturing the loaded libraries using Procmon. The client uses this oracle to first determine the DLLs loaded by the given process. Then the client compiles DLL templates that implement all exported functions for the loaded DLLs. Each of these functions writes the function name to a log file. The client downloads this log file and analyses it to see which function was executed first. This function can then be used as the entry point for code execution. The client uses the exploit template to generate an exploit DLL. This DLL hijacks the execution flow of the binary to execute its own content.

This process is based on windows-dll-hijacking, which was used to create hijacklibs.net.

The final output of a run is a project directory that allows building and rebuilding all necessary DLLs and outputs a ZIP containing the full sideload including exploit.
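The Procmon oracle described above, seen from the detection side as an added example (not code from the sideloader project): the script reads a constructed Procmon CSV export and flags Load Image events where a DLL with the name of a system DLL was resolved from the executable's own directory instead of the system directories, which is the footprint a sideload leaves on the host. The CSV column layout, the allow-list of system DLL names and the sample rows are assumptions.

```python
import csv
import io
import ntpath

# Constructed sample in Procmon's default CSV export layout (assumption: the
# column names match what "Save as CSV" produces).
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,target.exe,1234,Load Image,C:\\Users\\bob\\app\\target.exe,SUCCESS,Image Base: 0x400000
10:01:02.2,target.exe,1234,Load Image,C:\\Windows\\System32\\ntdll.dll,SUCCESS,Image Base: 0x7ff0
10:01:02.3,target.exe,1234,CreateFile,C:\\Users\\bob\\app\\version.dll,NAME NOT FOUND,Desired Access: Read
10:01:02.4,target.exe,1234,Load Image,C:\\Windows\\System32\\version.dll,SUCCESS,Image Base: 0x7ff1
10:01:02.5,target.exe,1234,Load Image,C:\\Users\\bob\\app\\dbghelp.dll,SUCCESS,Image Base: 0x7ff2
10:01:02.6,target.exe,1234,Load Image,C:\\Users\\bob\\app\\appcore.dll,SUCCESS,Image Base: 0x7ff3
"""

# Assumption: a short allow-list of DLL names that normally live in System32.
# A real deployment would build this from a baseline of the system directories.
SYSTEM_DLLS = {"ntdll.dll", "version.dll", "dbghelp.dll", "kernel32.dll"}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def image_loads(csv_text):
    """Yield (process, pid, path) for every successful Load Image event."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            yield row["Process Name"], row["PID"], row["Path"]


def find_sideload_candidates(csv_text):
    """Return DLLs loaded from the executable's own directory whose name
    matches a DLL that normally lives in the system directories."""
    loads = list(image_loads(csv_text))
    # The first Load Image per PID is the executable itself; remember its folder.
    exe_dir = {}
    for _proc, pid, path in loads:
        exe_dir.setdefault(pid, ntpath.dirname(path).lower() + "\\")
    hits = []
    for proc, pid, path in loads:
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path).lower() + "\\"
        if not name.endswith(".dll") or folder.startswith(SYSTEM_DIRS):
            continue  # the executable itself, or a DLL from a system directory
        if folder == exe_dir[pid] and name in SYSTEM_DLLS:
            hits.append((proc, name, path))
    return hits


if __name__ == "__main__":
    for proc, name, path in find_sideload_candidates(SAMPLE_CSV):
        print(f"{proc}: {name} loaded from application directory ({path})")
```

Only dbghelp.dll is reported: version.dll was resolved from System32 and appcore.dll is not a known system DLL name, so neither matches the sideload pattern.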

Installation

pip install -e .

or

make install

Copy settings.example.toml to settings.toml and fill the necessary values. You can also install a settings file in ~/.config/sideloader/settings.toml

Usage

Run the server on a Windows system as Administrator. Please keep in mind that the server system allows code execution by design; implement the necessary security measures accordingly!

Configure settings.toml to point to the URL of your server.

Run the client:

sideloader --help
sideloader <binary> -o <output_dir>

Use the resulting <output_dir>/<dll_name>.dll template to compile your exploit code. Then place all necessary DLLs next to your target binary to create your (initial access) payload.

Tests

Tests have not been implemented yet. In the future, execute them with:

make tests

Limitations

  • Only the DLLs in the import table of a binary are used. This is because I currently don't have a way to determine the exports of an arbitrary DLL. An alternative would be to allow specifying the original DLL and extracting the information from there.
  • The imported functions of a DLL are determined based on the export table of the provided executable. This might not include all functions, which may result in errors for DLLs that are not loaded while loading the executable.

Issues

Issues or new features can be reported via the GitHub issue tracker. Please make sure your issue or feature has not yet been reported by anyone else before submitting a new one.

License

Sideloader is open-sourced software licensed under the MIT license.

Languages

  • Python 79.4%
  • C 12.3%
  • Makefile 6.0%
  • HTML 2.3%