
A DLL (Dynamic Link Library) is a library file that cannot be run on its own: it holds code and data that executable applications load at run time. Injecting DLLs, or the shellcode they carry, into running processes is one of the methods attackers favor for compromising Windows computers.
DInjector
DInjector is a collection of shellcode injection techniques packaged into a weaponized DLL.
This repository is an accumulation of my code snippets for various shellcode injection techniques using the fantastic D/Invoke API by @TheWover and @FuzzySecurity.
Features:
- Fully ported to D/Invoke API
- Encrypted payloads which can be invoked from a URL or passed in base64 as an argument
- Built-in AMSI bypass
- PPID spoofing and blocking of non-Microsoft DLLs (stolen from TikiTorch, write-up is here)
- Sandbox detection & evasion
Based on my testing, the DInvoke NuGet package itself is flagged by many commercial AV/EDR solutions when included as an embedded resource via Costura.Fody (or similar approaches), so I've shrunk it a bit and included it from source to achieve better OpSec.
Usage
1. Compile the project in VS.
2. Generate a shellcode for your favourite C2:
3. Encrypt the shellcode:
4. Serve the encrypted shellcode and prepare C2 listener:
5. Use the PowerShell download cradle to load DInjector.dll as System.Reflection.Assembly and execute it from memory.
I do not recommend putting the assembly on disk because it will very likely be flagged.
Required global arguments:
Name | Example Value | Description
---|---|---
/am51 | True, False | Applies AMSI bypass
/sc | http://10.10.13.37/enc | Sets shellcode path (can be loaded from URL or as a Base64 string)
/password | Passw0rd! | Sets password to decrypt the shellcode
Modules
OpSec-safe considerations are based on my personal usage experience and some testing along the way.
- FunctionPointer
- FunctionPointerV2
- ClipboardPointer
- CurrentThread
- RemoteThread
- RemoteThreadDll
- RemoteThreadView
- RemoteThreadSuspended
- RemoteThreadAPC
- RemoteThreadContext
- ProcessHollow