Metasploit mailing list archives
Reflective DLL Injection
From: jerome.athias at free.fr (Jerome Athias)
Date: Sat, 01 Nov 2008 09:22:48 +0100
Hi Stephen,

Congratulations and thanks for your research! It's very interesting. I hope to be able to use it in one of my projects.

Maybe this one could be interesting for you... I spent time on a win32/64 backdoor. The main goal is:

1) to inject the server part of the backdoor in memory
2) to take control of the server via a client (nothing new here)

What is (I think) quite new in my backdoor server is that it includes a "live - in memory - compiler". So, in a few words: the client sends programming code to the server (actually via a socket, using compressLZW+cryptRC516 crypt/uncrypt functions), and this code will be dynamically, and all in memory, compiled and executed.

My problem is (was) that I use my favorite (su**ing) IDE to code my server, but this IDE can't (could not*) generate a DLL. So, actually my server is a .EXE file. Since a friend of mine (Vince ;p) released a tool (alpha stage for now) to be able to build a DLL from my IDE... (* http://vroy1.free.fr/wpfr/index.php ) I hope to be able to release soon a backdoor server in the form of a DLL (or set of DLLs, i.e. like the plugins of Sub7, allowing the client to code remotely - in memory.)

The server already supports more than 500 functions to access files/registry/devices/users/logs/services/bluetooth/Active Directory, etc.

If you're interested in a PoC, just let me know.

Kind regards
/JA

Stephen Fewer wrote:
Hello,

Just released a short paper on Reflective DLL Injection.

Abstract: Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) loader.

You can download the paper here: http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf

And the PoC code here: http://www.harmonysecurity.com/files/ReflectiveDllInjection_v1.0.zip

Support for Reflective DLL Injection has been added to Metasploit in the form of a payload stage and a modified VNC DLL (both are currently in the development tree).

Cheers
Stephen Fewer
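The detection-side counterpart of what Stephen's abstract describes, added here as an example and not taken from this thread, from the Harmony Security paper or from the Metasploit code: a library that loads itself from memory, rather than through the OS loader, ends up as an executable region that no file on disk backs, and that region normally still begins with the PE headers the in-memory loader had to parse. Memory-forensics tooling looks for exactly that combination. The script below carries a small PE header parser (DOS header, `e_lfanew`, `PE\0\0` signature, COFF header, optional header magic) and runs it over a constructed list of memory regions; the region records, the sample image and the names `parse_pe_header`, `scan_regions` and `sample_regions` are all assumptions made for this example, not the layout any real tool uses.

```python
import struct

# Well-known PE constants (from the PE/COFF specification, not from this thread).
IMAGE_FILE_DLL = 0x2000
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
MACHINE_NAMES = {0x14C: "i386", 0x8664: "amd64"}


def build_sample_pe_image() -> bytes:
    """Constructed minimal PE image: enough header to be recognised, nothing more."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> PE signature offset
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE|DLL|LARGE_ADDRESS_AWARE)
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x2022)
    optional = struct.pack("<H", 0x20B) + bytes(0xF0 - 2)  # PE32+ magic, rest zeroed
    return bytes(dos) + b"PE\0\0" + coff + optional + bytes(0x100)


def parse_pe_header(buf: bytes):
    """Return a summary dict if buf starts with a plausible PE image, else None."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    # Sanity bound: a real e_lfanew points just past the DOS stub, not megabytes away.
    if e_lfanew > 0x1000 or e_lfanew + 4 + 20 + 2 > len(buf):
        return None
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    magic = struct.unpack_from("<H", buf, e_lfanew + 24)[0]
    if magic not in OPTIONAL_MAGIC or opt_size < 2:
        return None
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "format": OPTIONAL_MAGIC[magic],
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def scan_regions(regions):
    """Flag executable regions with no backing file whose first bytes form a PE image.

    Each region is a dict with base, protect, mapped_file (None when unbacked) and data.
    Image-backed regions (normal DLLs loaded by the OS loader) are expected to hold PE
    headers and are therefore ignored.
    """
    findings = []
    for r in regions:
        if "EXECUTE" not in r["protect"] or r["mapped_file"] is not None:
            continue
        pe = parse_pe_header(r["data"])
        if pe is None:
            continue
        findings.append({
            "base": r["base"],
            "protect": r["protect"],
            "reason": "PE image in executable memory with no backing file",
            "pe": pe,
        })
    return findings


def sample_regions():
    """Constructed region list standing in for a real process memory walk."""
    image = build_sample_pe_image()
    return [
        # Ordinary DLL mapped by the OS loader: PE header present, but file-backed.
        {"base": 0x7FF6_0000_0000, "protect": "PAGE_EXECUTE_READ",
         "mapped_file": r"C:\Windows\System32\kernel32.dll", "data": image},
        # Executable, unbacked, PE header at the start: the reflective-loading pattern.
        {"base": 0x1A2B_0000, "protect": "PAGE_EXECUTE_READWRITE",
         "mapped_file": None, "data": image},
        # Plain heap: not executable, ignored.
        {"base": 0x0050_0000, "protect": "PAGE_READWRITE",
         "mapped_file": None, "data": bytes(256)},
        # Executable but no PE header (e.g. a JIT region): not flagged by this check.
        {"base": 0x7FFF_0000, "protect": "PAGE_EXECUTE_READ",
         "mapped_file": None, "data": b"\x55\x48\x89\xe5" + bytes(252)},
    ]


if __name__ == "__main__":
    for f in scan_regions(sample_regions()):
        print(f"{f['base']:#x} {f['protect']}: {f['reason']} "
              f"({f['pe']['format']}, {f['pe']['machine_name']}, dll={f['pe']['is_dll']})")
```

The check is a heuristic, not proof: it only sees headers that are still present, so a loader that erases or alters the DOS/PE headers after it has finished relocating and resolving imports will pass it, and the unbacked executable region without a recognisable header is then the weaker signal that remains. Treat a hit as a reason to dump the region and look at its import table and strings, not as a verdict on its own.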