Automated DLL Sideloading Tool With EDR Evasion Capabilities
MIT License
While DLL sideloading can be used for legitimate purposes, such as loading the libraries a program needs in order to function, it can also be used for malicious purposes. Attackers can use DLL sideloading to execute arbitrary code on a target system, often by exploiting vulnerabilities in the way legitimate applications locate and load their DLLs.
To automate the DLL sideloading process and make it more effective, Chimera was created: a tool that includes evasion methodologies to bypass EDR/AV products. The tool automatically encrypts a shellcode via XOR with a random key and creates template files that can be imported into Visual Studio to build a malicious DLL.
Dynamic syscalls from SysWhispers3 are also used, in a modified assembly version intended to evade the patterns that EDRs search for: random NOP sleds are added and register usage is shuffled. Furthermore, Early Bird injection is used to inject the shellcode into another process, which the user can specify, together with sandbox-evasion checks such as a hard-disk check and a check for whether the process is being debugged. Finally, a timing delay is placed in the loader, which uses waitable timers to postpone execution of the shellcode.
This tool has been tested and shown to be effective at bypassing EDR/AV products and executing arbitrary code on a target system.
The updated version, Chimera Unleashed, has demonstrated significant advancements in evading both static and dynamic analysis, particularly against Microsoft 365's Endpoint Detection and Response (EDR) system. The tool's sideloading techniques, even when applied to well-known binaries such as OneDrive, successfully eluded detection. It is noteworthy, however, that while the sideloading itself remained undetected, the Early Bird injection performed by the tool was identified by the EDR. This marks an area for further refinement of the tool's overall stealth.
Key Updates and Features:
Chimera is written in Python 3, and there is no need to install any extra dependencies.
Chimera currently supports two DLL options: Microsoft Teams or Microsoft OneDrive.
For Microsoft Teams, userenv.dll can be created (a DLL that Teams looks for but does not ship) and placed in the following folder:
%USERPROFILE%/Appdata/local/Microsoft/Teams/current
For Microsoft OneDrive, the script uses version.dll, which is commonly missing next to the binary, for example onedriveupdater.exe.
Chimera Unleashed uses argparse for command-line argument parsing. The following arguments are available:
--raw or -r: Path to file containing shellcode. Required.
--path or -p: Path to output the C template file. Required.
--pname or -n: Name of process to inject shellcode into. Required.
--dexports or -d: Specify which DLL exports to use (either 'teams' or 'onedrive'). Required.
--enc or -e: Specify preferred encryption (XOR / AES). Required.
--inj or -i: Specify preferred injection technique (EB / MS). Required.
--rshell or -s: [Optional] Replace shellcode variable name with a unique name. Default is 'encoded_shell'.
--rxor or -x: [Optional] Replace XOR encryption function name with a unique name. Default is 'do_xor'.
--rkey or -k: [Optional] Replace key variable name with a unique name. Default is 'key'.
--rsleep or -z: [Optional] Total sleep time to include during execution (seconds). Default is 4000.
--size or -f: [Optional] File size of junk data in KB. Zero (0) is disabled, and one (1) is a random file size. Default is 0.
Example usage:
python Chimera.py --raw <path_to_shellcode> --path <output_path> --pname <process_name> --dexports <teams|onedrive> --enc AES --inj EB --rshell my_shellcode
Once the compilation process is complete, a DLL will be generated: "version.dll" for OneDrive or "userenv.dll" for Microsoft Teams. Next, the original DLLs must be renamed.
For instance, the original "userenv.dll" should be renamed to "tmpB0F7.dll", while the original "version.dll" should be renamed to "tmp44BC.dll". You can also change the name of the proxy DLL as desired by editing the source code of the DLL exports instead of using the script's default names.
The code.h file contains the shellcode.
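From the defender's side, the layout described above (a proxy DLL carrying a System32 name placed in a per-user application folder, next to the renamed original "tmpXXXX.dll") is itself a usable detection signal. The following is an added example, not part of Chimera or its project, that classifies a directory listing against the two DLL names and the two folders named in this README; the renamed-original pattern and the OneDrive folder path are assumptions taken from the examples above, and a real deployment would follow a hit with a signature and hash check against the System32 copy.

```python
"""Defender-side check for DLL sideloading proxies in application folders.

Added example, not part of Chimera: given a listing of an application
directory, flag (1) DLLs whose names match DLLs that Windows normally
resolves from System32 and (2) 'tmpXXXX.dll' files, which this README
describes as the renamed originals that the proxy forwards to.
"""
import os
import re
from pathlib import Path

# The two system DLL names the README uses. Extend this watch list with
# other System32 DLLs as needed (assumption: any copy next to an
# application binary deserves a look).
SYSTEM_DLLS = {"userenv.dll", "version.dll"}

# Renamed originals follow the README's tmpB0F7.dll / tmp44BC.dll pattern
# (assumed: four hex digits after 'tmp').
TMP_DLL_RE = re.compile(r"^tmp[0-9a-f]{4}\.dll$", re.IGNORECASE)


def classify_listing(names):
    """Return findings for a directory listing (file names only).

    Each finding is a (name, reason) tuple. Pure function so it can run
    over a captured listing from logs or an inventory without touching the
    filesystem. Names are compared case-insensitively.
    """
    findings = []
    lowered = {n.lower() for n in names}
    for name in sorted(lowered):
        if name in SYSTEM_DLLS:
            findings.append((name, "system DLL name in application directory"))
        elif TMP_DLL_RE.match(name):
            findings.append((name, "tmpXXXX.dll: possible renamed original"))
    # A proxy plus a renamed original in the same folder is the strongest signal.
    reasons = {reason for _, reason in findings}
    if len(reasons) == 2:
        findings.append(("*", "proxy DLL and renamed original present together"))
    return findings


def scan_directory(path):
    """Scan a real directory (non-recursive) and return classify_listing output."""
    p = Path(path)
    if not p.is_dir():
        return []
    return classify_listing(e.name for e in p.iterdir() if e.is_file())


def default_targets():
    """Folders to check for the current user.

    The Teams path is the one the README names; the OneDrive path is an
    assumed default install location, not taken from the README.
    """
    profile = os.environ.get("USERPROFILE", os.path.expanduser("~"))
    return [
        os.path.join(profile, "AppData", "Local", "Microsoft", "Teams", "current"),
        os.path.join(profile, "AppData", "Local", "Microsoft", "OneDrive"),
    ]


if __name__ == "__main__":
    # Constructed sample listing standing in for a real directory read.
    sample = ["Teams.exe", "userenv.dll", "tmpB0F7.dll", "ffmpeg.dll"]
    for name, reason in classify_listing(sample):
        print(f"{name}: {reason}")
    # Then check the live folders (prints nothing on a clean machine).
    for target in default_targets():
        for name, reason in scan_directory(target):
            print(f"{target}{os.sep}{name}: {reason}")
```

A hit on the system-DLL name alone is worth investigating but not conclusive, since some applications legitimately redistribute DLLs; the combination of a System32 name and a tmpXXXX.dll sibling in the same per-user folder is the pattern this README's workflow leaves behind.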
Step 1: Creating a New Visual Studio Project with DLL Template
Step 2: Importing Files into the Visual Studio Project
Step 3: Build Customization
Step 4: Enable MASM
Step 5:
Step 1: Change optimization
Step 2: Remove Debug Information
Original Contributor:
Contributor:
To the maximum extent permitted by applicable law, myself (George Sotiriadis) and/or affiliates who have submitted content to my repo shall not be liable for any indirect, incidental, special, consequential or punitive damages, or any loss of profits or revenue, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses, resulting from (i) your access to this resource and/or inability to access this resource; (ii) any conduct or content of any third party referenced by this resource, including without limitation any defamatory, offensive or illegal conduct of other users or third parties; (iii) any content obtained from this resource.
https://evasions.checkpoint.com/
https://github.com/Flangvik/SharpDllProxy