Comments on: Quickpost: Shellcode to Load a DLL From Memory

By: [0x0027]Exploit writing tutorial part 9 : Introduction to Win32 shellcoding « Eohnik.c

Sun, 05 Sep 2010 12:29:39 +0000

[...] http://blog.didierstevens.com/2010/01/28/quickpost-shellcode-to-load-a-dll-from-memory/ [...]

By: Exploit writing tutorial part 9 : Introduction to Win32 shellcoding | Peter Van Eeckhoutte's Blog

Thu, 25 Feb 2010 16:25:46 +0000

[...] http://blog.didierstevens.com/2010/01/28/quickpost-shellcode-to-load-a-dll-from-memory/ [...]

By: MemoryLoadLibrary: From C Program to Shellcode « Didier Stevens

MemoryLoadLibrary: From C Program to Shellcode « Didier Stevens — Tue, 16 Feb 2010 00:41:32 +0000

[...] to Shellcode Filed under: Hacking, My Software, Shellcode — Didier Stevens @ 0:40 The DLL-loading shellcode I used in my cmd.xls spreadsheet was generated with a method I worked out to generate WIN32 [...]

By: Excel with cmd.dll & regedit.dll « Didier Stevens

Excel with cmd.dll & regedit.dll « Didier Stevens — Mon, 08 Feb 2010 21:18:24 +0000

[...] The shellcode loads a DLL from memory into memory. [...]

By: cmd.dll « Didier Stevens

cmd.dll « Didier Stevens — Thu, 04 Feb 2010 01:17:38 +0000

[...] This is a screenshot of cmd.dll injected inside Excel with my memory module shellcode: [...]

By: Didier Stevens

Didier Stevens — Wed, 03 Feb 2010 19:18:12 +0000

@Ian: Nope. Tested with Notepad. IceSword lists 25 modules before the injection, and 25 modules after the injection.

By: Ian

Ian — Wed, 03 Feb 2010 14:23:24 +0000

Is that DLL is visible in IceSword ?

By: Week 4 in Review – 2010 | Infosec Events

Week 4 in Review – 2010 | Infosec Events — Mon, 01 Feb 2010 16:57:12 +0000

[...] Quickpost: Shellcode to Load a DLL From Memory – didierstevens.com The author developed shellcode to load a DLL, not with LoadLibrary, but directly from memory. [...]

By: Didier Stevens

Didier Stevens — Mon, 01 Feb 2010 09:33:16 +0000

@him: use the Metasploit framework, it has different modules to exploit Adobe reader vulnerabilities.

By: Didier Stevens

Didier Stevens — Mon, 01 Feb 2010 09:18:07 +0000

@PJ: I saw the ReflectiveDLLInject code, and although the end result is the same, my shellcode works differently.

A reflective DLL is compiled with a special, location independent bootstrap function. That function loads the DLL from memory into memory. The Payload::Windows::ReflectiveDllInject shellcode finds and executes the bootstrap function.

My shellcode is different: the DLL to be loaded doesn’t need bootstrap code, everything is done by the shellcode (that’s why it’s big: 2000+ bytes, 22K asm file).

Summary: both method achieve the same result. MSF’s shellcode is way smaller, but the DLL needs special code. My shellcode is big, but the DLL needs no special code.