Reverse Engineering of DLL Honeyfiles




Threat actors often use .exe files as droppers or downloaders. However, some advanced threat groups prefer using .dll files to remain stealthy and evade detection. This is where techniques like DLL injection, DLL hijacking, and DLL sideloading come into play.

Blue teams have started deploying DLL honeyfiles: decoy DLL files designed to detect unauthorized access. These files are structured like legitimate DLLs, but when executed, they send an alert indicating they've been launched.

I'm interested in understanding how these alerts are triggered; specifically, how the DLL notifies a server or endpoint when it's executed. It appears that some kind of token is embedded within the DLL, allowing it to send a signal upon execution.

Keep in mind that DLL files start with an MZ header and follow the PE (Portable Executable) file format.

To extract the URL or token and identify that a file is a DLL honeyfile (rather than a legitimate DLL), you can use several tools that assist in this kind of analysis. Some useful options include:

  1. Detect It Easy (DIE): A tool for inspecting PE files. It can help you identify unusual sections, packed code, or embedded resources that may indicate a honeyfile.

  2. Strings (by Sysinternals): This tool extracts readable ASCII and Unicode strings from binary files. You can use it to look for embedded URLs, tokens, or indicators that the DLL may be designed to phone home or send alerts.


In Detect It Easy (DIE), you can simply click on the "Strings" tab at the bottom. With a small scroll down, you’ll often see the URL associated with the OpenCanary token, which indicates that the file is a honeyfile.



Well, if you're interested in using Strings by Sysinternals, you can just run the command strings.exe rundll32.dll > dump.txt, which redirects all readable strings from the DLL file into a text file. After that, open dump.txt and scroll down; you'll likely see an OpenCanary token or a URL related to it. To make the search easier, press Ctrl+F and look for the keyword http. You can refer to the image below to see what these indicators typically look like.

Parse the strings from the DLL file into a .txt file:


Search for the result inside notepad.exe:



If you're more interested in a command-line approach, you can use the following command:

more < rundll32.dll | findstr "http" > urls_from_dll.txt

This command reads the contents of the rundll32.dll file, keeps only the lines containing the string "http" using findstr, and saves the results into a file named urls_from_dll.txt. This is a quick way to extract potential URLs directly from the binary without generating a full string dump. Note that findstr only matches narrow (ASCII) text, so a URL stored as UTF-16 inside the DLL will not show up this way; strings.exe scans both encodings.
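As an added example (not code from the original post, and not part of DIE, Sysinternals Strings or OpenCanary), the script below does in Python what the three manual steps above do by hand: it validates the MZ header and PE signature, reads the COFF flags to confirm the file is marked as a DLL, extracts both ASCII and UTF-16LE strings the way strings.exe does, and then filters them for http(s) URLs the way the findstr step does. The sample bytes are constructed inline so it runs offline; the domains in them are placeholders, and the MIN_STRING_LEN, triage and build_sample_pe names are this example's own.

```python
import re
import struct

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag: image is a DLL
MIN_STRING_LEN = 6               # minimum run length to count as a string

# Printable-ASCII runs, and UTF-16LE runs (printable byte followed by NUL)
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_STRING_LEN)
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def parse_pe_header(data: bytes) -> dict:
    """Check the MZ stub and PE signature, then read the COFF file header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, _, flags = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections, "is_dll": bool(flags & IMAGE_FILE_DLL)}


def extract_strings(data: bytes):
    """Return (ascii_strings, wide_strings), scanning both encodings like strings.exe."""
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_strs = [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return ascii_strs, wide_strs


def find_urls(strings):
    """Pull http(s) URLs out of extracted strings (the findstr "http" step)."""
    urls = []
    for s in strings:
        urls.extend(URL_RE.findall(s))
    return urls


def triage(data: bytes) -> dict:
    """Header check plus URL extraction; flags a DLL that carries callback URLs."""
    header = parse_pe_header(data)
    ascii_strs, wide_strs = extract_strings(data)
    urls = find_urls(ascii_strs) + find_urls(wide_strs)
    # An embedded URL is only an indicator: legitimate DLLs carry vendor URLs too.
    # Treat the flag as a lead for the analyst, not a verdict.
    return {**header, "urls": urls, "suspect_honeyfile": header["is_dll"] and bool(urls)}


def build_sample_pe() -> bytes:
    """Constructed stand-in for a honeyfile DLL: valid MZ/PE headers, no real code,
    one ASCII and one UTF-16LE URL in the body. Domains are placeholders."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, IMAGE_FILE_DLL | 0x0002)
    body = (b"\x00\x01\x02"
            + b"http://canary.example.invalid/token/abc123.dll" + b"\x00\x00\xff"
            + "https://alert.example.invalid/ping".encode("utf-16-le") + b"\x00\x00"
            + b"ab\x00")                                         # too short to be a string
    return bytes(dos_header) + b"PE\x00\x00" + coff + body


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    result = triage(blob)
    for url in result["urls"]:
        print(url)
    print("DLL:", result["is_dll"], "suspect honeyfile:", result["suspect_honeyfile"])
```

Run it with a path to a DLL to triage a real file, or with no argument to see it pick both URLs out of the constructed sample. The UTF-16 pass is the part the findstr one-liner misses, and the header check keeps you from wasting time on a file that only has a .dll extension but isn't a PE image at all.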


