
Commit e5c000d

committed
Sideloader: restrict version proxy deployment to detection of side-loading msimg32.dll only
1 parent 7ffdd39 commit e5c000d

1 file changed

+40
-11
lines changed


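--- a/analyzer/windows/lib/api/process.py
+++ b/analyzer/windows/lib/api/process.py
@@ -759,13 +759,11 @@ def inject(self, interest=None, nosleepskip=False):
 bin_name = LOADER64_NAME
 dll = CAPEMON64_NAME
 bit_str = "64-bit"
-side_dll = SIDELOADER64_NAME
 else:
 ttd_name = TTD32_NAME
 bin_name = LOADER32_NAME
 dll = CAPEMON32_NAME
 bit_str = "32-bit"
-side_dll = SIDELOADER32_NAME
 
 bin_name = os.path.join(Path.cwd(), bin_name)
 dll = os.path.join(Path.cwd(), dll)
@@ -790,15 +788,8 @@ def inject(self, interest=None, nosleepskip=False):
 
 path = os.path.dirname(nt_path_to_dos_path_ansi(self.get_filepath()))
 
-if self.detect_dll_sideloading(path):
-try:
-copy(dll, os.path.join(path, "capemon.dll"))
-copy(side_dll, os.path.join(path, "version.dll"))
-copy(os.path.join(Path.cwd(), "dll", f"{self.pid}.ini"), os.path.join(path, "config.ini"))
-except OSError as e:
-log.error("Failed to copy DLL: %s", e)
-return False
-log.info("%s DLL to sideload is %s, sideloader %s", bit_str, os.path.join(path, "capemon.dll"), os.path.join(path, "version.dll"))
+if self.detect_dll_sideloading(path) and self.has_msimg32(path):
+self.deploy_version_proxy(path)
 return True
 
 log.info("%s DLL to inject is %s, loader %s", bit_str, dll, bin_name)
@@ -865,3 +856,41 @@ def __str__(self):
 """Get a string representation of this process."""
 image_name = self.get_image_name() or "???"
 return f"<{self.__class__.__name__} {self.pid} {image_name}>"
+
+def has_msimg32(self, directory_path: str) -> bool:
+"""Check if msimg32.dll exists in directory"""
+try:
+return any(
+f.name.lower() == "msimg32.dll"
+for f in Path(directory_path).glob("*")
+if f.is_file()
+)
+except (OSError, PermissionError):
+return False
+
+def deploy_version_proxy(self, directory_path: str):
+"""Deploy version.dll proxy loader"""
+if self.is_64bit():
+dll = CAPEMON64_NAME
+side_dll = SIDELOADER64_NAME
+bit_str = "64-bit"
+else:
+dll = CAPEMON32_NAME
+side_dll = SIDELOADER32_NAME
+bit_str = "32-bit"
+
+dll = os.path.join(Path.cwd(), dll)
+
+if not os.path.exists(dll):
+log.warning("invalid path %s for monitor DLL to be sideloaded in %s, sideloading aborted", dll, self)
+return
+
+try:
+copy(dll, os.path.join(directory_path, "capemon.dll"))
+copy(side_dll, os.path.join(directory_path, "version.dll"))
+copy(os.path.join(Path.cwd(), "dll", f"{self.pid}.ini"), os.path.join(directory_path, "config.ini"))
+except OSError as e:
+log.error("Failed to copy DLL: %s", e)
+return
+log.info("%s DLL to sideload is %s, sideloader %s", bit_str, os.path.join(directory_path, "capemon.dll"), os.path.join(directory_path, "version.dll"))
+return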
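Review bot: `deploy_version_proxy` swallows both of its failure paths — the missing-monitor-DLL warning and the `OSError` from `copy` each just `return` — yet the caller in the second hunk does `self.deploy_version_proxy(path)` and then `return True` unconditionally, so `inject` now reports success when nothing was written into the sample directory and the sample runs unmonitored (the removed code returned False on a copy failure). Make the helper return a bool and propagate it from `inject` with `return self.deploy_version_proxy(path)`. A smaller point in `has_msimg32`: `PermissionError` is already a subclass of `OSError`, so the tuple is redundant, and a direct probe `return (Path(directory_path) / "msimg32.dll").is_file()` avoids enumerating the whole directory (NTFS name lookups are case-insensitive, which is what the `.lower()` compare approximates). Also note that `deploy_version_proxy` overwrites any `version.dll` or `config.ini` the sample itself ships in that directory; if that is intended it deserves a comment such as `# NOTE: clobbers an existing version.dll/config.ini in the sample directory`. `inject` starts before the first hunk and continues past the second.
```python
def deploy_version_proxy(self, directory_path: str) -> bool:
    """Deploy the version.dll proxy loader into directory_path; return False if nothing was deployed."""
    # … unchanged: bitness selection and the os.path.join of the monitor DLL …
    if not os.path.exists(dll):
        log.warning("invalid path %s for monitor DLL to be sideloaded in %s, sideloading aborted", dll, self)
        return False
    # … unchanged: try block with the three copy() calls …
    except OSError as e:
        log.error("Failed to copy DLL: %s", e)
        return False
    # … unchanged: success log.info …
    return True
```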
