
JimKw1kX/Dll-Shellcode-Loader

License: MIT

A DLL Shellcode Loader POC


Techniques used:

  • NTDLL.dll unhooking
  • Indirect syscalls
  • ROP gadgets
  • Anti-analysis by self-deleting after execution
  • Threadless injection with HWBP (hardware breakpoints)
  • Remote payload download over HTTPS with a custom header for authentication
  • VEH unhooking
  • DLL sideloading
  • Payload AES encryption on the fly

Compile in Visual Studio -> x64 -> Release

Usage:

Run with rundll32.exe

Add #define badger at the top of dllmain.c, as the entry point for this mode is defined there.

Run as:

rundll32.exe Dllloader.dll,run

Sideload Notepad++

  1. Add #define NOTEPAD at the top of dllmain.c, as the entry point for this mode is defined there.

  2. Rename Dllloader.dll to libcurl.dll and place it in the updater folder.

  3. Run updater.exe in the updater folder to sideload the DLL.

Sideload OpenHardwareMonitor

  1. Add #define MONITOR at the top of dllmain.c, as the entry point for this mode is defined there.

  2. Rename Dllloader.dll to DWrite.dll and place it in the OpenHardwareMonitor folder.

  3. Run OpenHardwareMonitor.exe in the OpenHardwareMonitor folder to sideload the DLL.

💡Tips:

  • Use signtool to sign the DLL with a certificate, because some EDRs (Elastic, for example) flag unsigned DLLs straight away once the loader drops on disk. Also set the file dates to match the original DLL that has been replaced.

  • Signtool commands (run from PowerShell)

```shell
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365
openssl pkcs12 -inkey key.pem -in cert.pem -export -out sign.pfx
signtool sign /f sign.pfx /p password /t http://timestamp.digicert.com /fd sha256 DWrite.dll
```

  • Changing dates

```powershell
$x = "DWrite.dll"
$(Get-Item $x).creationtime=$(Get-Date "03/3/2024")
$(Get-Item $x).lastwritetime=$(Get-Date "03/3/2022")
$(Get-Item $x).lastaccesstime=$(Get-Date "07/23/2024")
```

  • Add metadata to the DLL; do not leave it blank.

Add a Resource.rc file in Visual Studio with the following metadata for DWrite.dll, so it looks like this:

```rc
1 VERSIONINFO
 FILEVERSION 9,6,0,0 // File version: four integers separated by commas
 PRODUCTVERSION 0,9,6,0
 FILEFLAGSMASK 0x0L
#ifdef _DEBUG
 FILEFLAGS 0x1L
#else
 FILEFLAGS 0x0L
#endif
 FILEOS 0x0L
 FILETYPE 0x0L
 FILESUBTYPE 0x0L
BEGIN
    BLOCK "StringFileInfo"
    BEGIN
        BLOCK "040904B0"
        BEGIN
            // Modify the values below
            VALUE "CompanyName", "(C) 2009-2020 Michael Möller"
            VALUE "FileDescription", "Open Hardware Monitor Library"
            VALUE "InternalName", "Chrome"
            VALUE "LegalCopyright", "(C) 2009-2020 Michael Möller"
            VALUE "OriginalFilename", "OpenHardwareMonitorLib.dll"
            VALUE "ProductName", "Open Hardware Monitor Library"
            VALUE "ProductVersion", "0.9.6"
        END
    END
    BLOCK "VarFileInfo"
    BEGIN
        VALUE "Translation", 0x409, 1200
    END
END
```
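From the defender's side, the three tips above (self-signed Authenticode, backdated timestamps, copied version metadata) each leave a checkable trace. The following audit script is an added example, not part of this repository: it walks an application folder such as the OpenHardwareMonitor or updater directories named above and reports DLLs whose signature does not chain to a trusted root, whose version resource names a different OriginalFilename than the file on disk (as the Resource.rc above does for DWrite.dll), or whose timestamps look backdated. The function name, the $AppFolder parameter and the output fields are my own choices.

```powershell
# Added audit script (not from the repository). Usage:
#   .\Audit-Sideload.ps1 -AppFolder "C:\Program Files\OpenHardwareMonitor"
param([Parameter(Mandatory)][string]$AppFolder)

function Test-SideloadCandidate {
    param([System.IO.FileInfo]$Dll)
    $findings = @()

    # Signature: a certificate made with the openssl/signtool steps above is
    # self-signed, so it does not chain to a trusted root and
    # Get-AuthenticodeSignature reports a status other than 'Valid'.
    $sig = Get-AuthenticodeSignature -FilePath $Dll.FullName
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status $($sig.Status)"
    }

    # Version resource: the Resource.rc above ships DWrite.dll with
    # OriginalFilename "OpenHardwareMonitorLib.dll". A DLL whose resource
    # names a different file, or carries no CompanyName at all, is suspect.
    $vi = $Dll.VersionInfo
    if ($vi.OriginalFilename -and ($vi.OriginalFilename -ne $Dll.Name)) {
        $findings += "OriginalFilename '$($vi.OriginalFilename)' != '$($Dll.Name)'"
    }
    if (-not $vi.CompanyName) { $findings += 'no CompanyName in version resource' }

    # Timestamps: the Get-Date one-liners above leave LastWriteTime (2022)
    # older than CreationTime (2024). Ordinary file copies show the same
    # pattern, so treat this as corroborating evidence, not proof.
    if ($Dll.LastWriteTime -lt $Dll.CreationTime) {
        $findings += "LastWriteTime $($Dll.LastWriteTime) precedes CreationTime $($Dll.CreationTime)"
    }

    [pscustomobject]@{
        Path     = $Dll.FullName
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Findings = $findings
    }
}

# Report only DLLs with at least one finding; a clean vendor DLL prints nothing.
Get-ChildItem -Path $AppFolder -Filter *.dll -File -Recurse |
    ForEach-Object { Test-SideloadCandidate -Dll $_ } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List
```

A DLL signed by the vendor will still pass the signature check if the vendor's certificate chains to a trusted root; compare the Signer field against the publisher you expect for that application rather than trusting 'Valid' alone.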

⚠️ Disclaimer:

Always tweak the code during the red team engagement. This is just a POC, and it's not a good idea to put everything in one loader. It's better to use stagers to prevent the main C2 shellcode from getting burnt.

Video Demo

Click here to see the full demo.