Didier Stevens

Thursday 28 January 2010

Quickpost: Shellcode to Load a DLL From Memory

Filed under: Hacking, My Software, Quickpost — Didier Stevens @ 3:08

I finally took the time to develop shellcode that loads a DLL not with LoadLibrary, but directly from memory. Not storing the DLL on disk prevents it from being detected by AV software; not using LoadLibrary bypasses HIPS software that monitors this call.

My shellcode is based on Joachim’s code.

In previous posts, I showed how to load a DLL or shellcode with VBA in Excel. This is a combination of both techniques: a VBA macro loads and executes shellcode in Excel’s process space, and the shellcode loads a DLL from memory into Excel’s process memory.

With the code of the previous post, the DLL appears in the list of loaded DLLs:

With this shellcode, it doesn’t:
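The defender's counterpart to the module-list comparison above, added here and not code from Didier's post: a DLL loaded from memory ends up in executable private memory that no entry in the process's module list accounts for, which a memory scan can flag. The Region fields mirror what VirtualQueryEx reports; the sample regions, the module list and the fake DLL image are constructed.

```python
import struct
from dataclasses import dataclass

# Win32 constants as reported by VirtualQueryEx in MEMORY_BASIC_INFORMATION.
PAGE_EXECUTE_MASK = 0xF0   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY each set a high-nibble bit
MEM_IMAGE = 0x1000000      # backed by an image section: a module the OS loader mapped
MEM_PRIVATE = 0x20000      # VirtualAlloc'ed memory, where a memory-loaded DLL ends up
PAGE_SIZE = 0x1000

@dataclass
class Region:              # one committed region (base, protection, type) plus a copy of its bytes
    base: int
    protect: int
    mem_type: int
    data: bytes

def looks_like_pe(data, offset=0):
    """True if data[offset:] holds a DOS header whose e_lfanew reaches a 'PE\\0\\0' signature."""
    if data[offset:offset + 2] != b"MZ" or offset + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    if not 0x40 <= e_lfanew <= 0x1000:           # reject implausible DOS stub sizes
        return False
    return data[offset + e_lfanew:offset + e_lfanew + 4] == b"PE\0\0"

def find_unbacked_pe(regions, module_bases):
    """Addresses of PE headers in executable, non-image memory that no listed module accounts for."""
    known, hits = set(module_bases), []
    for r in regions:
        if not (r.protect & PAGE_EXECUTE_MASK) or r.mem_type == MEM_IMAGE:
            continue                                # OS-loaded modules are image-backed: skip
        for off in range(0, len(r.data), PAGE_SIZE):  # image headers start page aligned
            if r.base + off not in known and looks_like_pe(r.data, off):
                hits.append(r.base + off)
    return hits

def fake_pe_image(size=0x2000):
    """Constructed stand-in for a DLL image in memory: DOS header, e_lfanew=0x80, PE signature."""
    hdr = bytearray(b"MZ").ljust(0x80, b"\0")
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr + b"PE\0\0").ljust(size, b"\0")

# Constructed sample: one OS-loaded module, one RWX private blob holding a DLL, one RW staging copy.
SAMPLE_MODULES = [0x77000000]
SAMPLE_REGIONS = [
    Region(0x77000000, 0x20, MEM_IMAGE, fake_pe_image()),                          # legitimate
    Region(0x00A20000, 0x40, MEM_PRIVATE, b"\0" * PAGE_SIZE + fake_pe_image()),    # memory module at +0x1000
    Region(0x00C00000, 0x04, MEM_PRIVATE, fake_pe_image()),                        # PAGE_READWRITE, not flagged
]
```

On a live process the regions come from VirtualQueryEx plus ReadProcessMemory and the module bases from EnumProcessModules; a loader that does not copy the PE headers defeats the MZ scan, so treat any executable private region as worth a closer look.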


Quickpost info


19 Comments »

  1. Any chance you’re publishing the code?

    Comment by Matthew Wollenweber — Thursday 28 January 2010 @ 17:17

  2. @Matthew Wollenweber I’m still debating what I should do with it…

    Comment by Didier Stevens — Thursday 28 January 2010 @ 20:37

  3. Understandable. Most people have ethical concerns about posting such things. I’m of the belief that if something is generally known a particular implementation serves as a good example. Is there a chance your code might show up in malware? Absolutely, but similar things exist in the wild – not to mention in Metasploit, Canvas, and probably Core (though I don’t have a copy of that). Thus, I think it will serve to inform more people of how clever attackers can be.

    Comment by Matthew Wollenweber — Sunday 31 January 2010 @ 0:18

  4. @Matthew Wollenweber: I too believe this exists already, but I can’t find it online. Looked into the shellcode repositories of MSF, Milw0rm and Offensive Security.

    Comment by Didier Stevens — Sunday 31 January 2010 @ 21:55

  5. I believe this is the shellcode that you are referring to:

    Payload::Windows::ReflectiveDllInject

    I too would be interested to see your code.

    Comment by PJ — Monday 1 February 2010 @ 1:54

  6. Hi sir,

    I am doing research on application behavioral modelling. If you can, please tell me how to build a malicious PDF document and attach a payload to it. I want to test whether my software can block a payload.

    If you want, I can give you a demo. Please help.

    Comment by him — Monday 1 February 2010 @ 9:13

  7. @PJ: I saw the ReflectiveDLLInject code, and although the end result is the same, my shellcode works differently.

    A reflective DLL is compiled with a special, location independent bootstrap function. That function loads the DLL from memory into memory. The Payload::Windows::ReflectiveDllInject shellcode finds and executes the bootstrap function.

    My shellcode is different: the DLL to be loaded doesn’t need bootstrap code, everything is done by the shellcode (that’s why it’s big: 2000+ bytes, 22K asm file).

    Summary: both methods achieve the same result. MSF’s shellcode is way smaller, but the DLL needs special code. My shellcode is big, but the DLL needs no special code.

    Comment by Didier Stevens — Monday 1 February 2010 @ 9:18

  8. @him: use the Metasploit framework, it has different modules to exploit Adobe reader vulnerabilities.

    Comment by Didier Stevens — Monday 1 February 2010 @ 9:33

  9. […] Quickpost: Shellcode to Load a DLL From Memory – didierstevens.com The author developed shellcode to load a DLL, not with LoadLibrary, but directly from memory. […]

    Pingback by Week 4 in Review – 2010 | Infosec Events — Monday 1 February 2010 @ 16:57

  10. Is that DLL visible in IceSword?

    Comment by Ian — Wednesday 3 February 2010 @ 14:23

  11. @Ian: Nope. Tested with Notepad. IceSword lists 25 modules before the injection, and 25 modules after the injection.

    Comment by Didier Stevens — Wednesday 3 February 2010 @ 19:18

  12. […] This is a screenshot of cmd.dll injected inside Excel with my memory module shellcode: […]

    Pingback by cmd.dll « Didier Stevens — Thursday 4 February 2010 @ 1:17

  13. […] The shellcode loads a DLL from memory into memory. […]

    Pingback by Excel with cmd.dll & regedit.dll « Didier Stevens — Monday 8 February 2010 @ 21:18

  14. […] to Shellcode Filed under: Hacking, My Software, Shellcode — Didier Stevens @ 0:40 The DLL-loading shellcode I used in my cmd.xls spreadsheet was generated with a method I worked out to generate WIN32 […]

    Pingback by MemoryLoadLibrary: From C Program to Shellcode « Didier Stevens — Tuesday 16 February 2010 @ 0:41

  15. So 4 years later have you ever released the code? I looked around but did not find it.

    Comment by Dave — Monday 27 January 2014 @ 5:47

  16. @Dave Yeah, I published it the same year on my Shellcode page.

    Shellcode

    Comment by Didier Stevens — Monday 27 January 2014 @ 19:32

  17. Several similar techniques are online (albeit probably not as elegant). I vote share the shellcode…

    Comment by Marqo09 — Friday 4 April 2014 @ 23:48

