Reflective DLL Injection

[metafan at intern0t.net (metafan at intern0t.net)]

Hi there Jerome,


That sounds quite awesome as i haven't seen a backdoor (yet),
which you can send programming code to and then compile if that
was the plan with your current project and it also sounds cool
that you are going to make a dll as well but exactly how are you
going to be able to implement with Metasploit? Or is that solved?

I know there's a function to inject a dll and execute in Metasploit,
and yes there's also the famous meterpreter payload which is the best
payload for post-exploitation at the moment (at least in my oppinion),
but since i haven't seen this kind of backdoor yet, it wouldn't hurt
to see it when you're done with it :)

(Or when it works, it doesn't matter if it's detected by AV's etc as
i'm only testing for legally purposes anyway! ;D But keep up the good job).


~ MaXe

PS: I hope i replied to the list and didn't make a new thread :)


> Hi Stephen,
>
> congratulations and thanks for your research! It's very interresting.
> I hope to be able to use it in one of my project.
> Maybe this one could be interesting for you...
>
> I spent time on a win32/64 backdoor.
> The main goal is:
> 1) to inject in memory the server part of the backdoor in memory
> 2) to take control of the server via a client
> (nothing new here)
>
> What is (i think) quite new in me backdoor server is that it includes a
> "live - in memory - compiler".
> So, in few words: the client send programming code to the server
> (actually via a socket, using compressLZW+cryptRC516 crypt/uncrypt
> functions), and this code will be dynamically + all in memory compiled
> and executed.
>
> My problem is (was) that I use my favorite (su**ing) IDE to code my
> server, but this IDE can't (could not*) generate a DLL.
> So, actually my server is a .EXE file.
> Since a friend of mine (Vince ;p) released a tool (alpha stage for now)
> to be able to build a DLL from my IDE...
> (* http://vroy1.free.fr/wpfr/index.php )
> I hope to be able to release soon a backdoor server in form of a DLL (or
> set of DLLs, ie. like the plugins of Sub7, allowing the client to code
> remotely - in memory.)
> The server allready supports more than 500 functions to access
> files/registry/devices/users/logs/services/bluetooth/Active Directory, etc
>
> If you're interested by a PoC, just let me know.
>
> Kind regards
> /JA
>
> Stephen Fewer a ?crit :
> > Hello, Just released a short paper on Reflective DLL Injection.
> >
> > Abstract: Reflective DLL injection is a library injection technique in
> > which the concept of reflective programming is employed to perform the
> > loading of a library from memory into a host process. As such the
> > library is responsible for loading itself by implementing a minimal
> > Portable Executable (PE) loader.
> >
> > You can download the paper here:
> > http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf
> >
> > And the PoC code here:
> > http://www.harmonysecurity.com/files/ReflectiveDllInjection_v1.0.zip
> >
> > Support for Reflective DLL Injection has been added to Metasploit in the
> > form of a payload stage and a modified VNC DLL (both are currently in
> > the development tree).
> >
> > Cheers
> >
> > Stephen Fewer
>
> _______________________________________________
> http://spool.metasploit.com/mailman/listinfo/framework