Metasploit mailing list archives
Reflective DLL Injection
From: metafan at intern0t.net (metafan at intern0t.net)
Date: Sat, 01 Nov 2008 05:16:07 -0400
Hi there Jerome,

That sounds quite awesome, as I haven't seen a backdoor (yet) which you can send programming code to and then compile, if that was the plan with your current project, and it also sounds cool that you are going to make a DLL as well, but exactly how are you going to be able to implement it with Metasploit? Or is that solved? I know there's a function to inject a DLL and execute it in Metasploit, and yes there's also the famous meterpreter payload, which is the best payload for post-exploitation at the moment (at least in my opinion), but since I haven't seen this kind of backdoor yet, it wouldn't hurt to see it when you're done with it :) (Or when it works; it doesn't matter if it's detected by AVs etc. as I'm only testing for legal purposes anyway! ;D But keep up the good job).

~ MaXe

PS: I hope I replied to the list and didn't make a new thread :)
Jerome Athias wrote:

Hi Stephen, congratulations and thanks for your research! It's very interesting. I hope to be able to use it in one of my projects. Maybe this one could be interesting for you...

I spent time on a win32/64 backdoor. The main goal is: 1) to inject the server part of the backdoor in memory; 2) to take control of the server via a client (nothing new here). What is (I think) quite new in my backdoor server is that it includes a "live - in memory - compiler". So, in a few words: the client sends programming code to the server (actually via a socket, using compressLZW+cryptRC516 encrypt/decrypt functions), and this code will be dynamically, all in memory, compiled and executed.

My problem is (was) that I use my favorite (su**ing) IDE to code my server, but this IDE can't (could not*) generate a DLL. So, actually my server is a .EXE file. Since a friend of mine (Vince ;p) released a tool (alpha stage for now) to be able to build a DLL from my IDE... (* http://vroy1.free.fr/wpfr/index.php ) I hope to be able to release soon a backdoor server in the form of a DLL (or set of DLLs, i.e. like the plugins of Sub7, allowing the client to code remotely - in memory.) The server already supports more than 500 functions to access files/registry/devices/users/logs/services/bluetooth/Active Directory, etc.

If you're interested in a PoC, just let me know.

Kind regards
/JA

Stephen Fewer wrote:

Hello,

Just released a short paper on Reflective DLL Injection.

Abstract: Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) loader.

You can download the paper here: http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf
And the PoC code here: http://www.harmonysecurity.com/files/ReflectiveDllInjection_v1.0.zip

Support for Reflective DLL Injection has been added to Metasploit in the form of a payload stage and a modified VNC DLL (both are currently in the development tree).

Cheers
Stephen Fewer

http://spool.metasploit.com/mailman/listinfo/framework
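The abstract quoted above makes the point that a reflectively loaded library is mapped into the host process by its own minimal PE loader rather than by the operating system's image loader, so the resulting image sits in private memory that no file on disk backs. The script below is an added example written for this archive page from a defender's angle; it is not Stephen Fewer's PoC, not Metasploit code, and not Jerome Athias's backdoor. It parses PE headers (DOS header, NT signature, file header, optional header, section table) in each memory region that has no file mapping and reports the images it finds, plus executable private regions that carry no header at all. The `Region` records stand in for what a memory-forensics tool would obtain from a live process or a memory image, and the four regions, the sample images and the file path in them are all constructed for the example.

```python
"""Heuristic scan of process memory regions for PE images that no file backs.

Added example for the Reflective DLL Injection thread; not code from the paper,
the PoC, Metasploit or any other project.  All memory regions are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


@dataclass
class Region:
    """One slice of a process address space (constructed stand-in for a VirtualQueryEx walk)."""
    base: int
    data: bytes
    mapped_file: Optional[str]   # None models a private allocation with no file backing
    executable: bool


@dataclass
class PeHeader:
    machine: int
    characteristics: int
    magic: int
    size_of_image: int
    sections: List[str]


def parse_pe_header(buf: bytes) -> Optional[PeHeader]:
    """Return the parsed headers if buf starts with a structurally valid PE image, else None."""
    if len(buf) < 64 or struct.unpack_from("<H", buf, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or struct.unpack_from("<I", buf, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature
    machine, nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 60 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]   # same offset in PE32 and PE32+
    sec_table = opt + opt_size                                    # IMAGE_SECTION_HEADER is 40 bytes
    if sec_table + 40 * nsec > len(buf):
        return None
    names = [buf[sec_table + 40 * i: sec_table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsec)]
    return PeHeader(machine, chars, magic, size_of_image, names)


def find_unbacked_images(regions: List[Region]) -> List[dict]:
    """Flag PE images, and header-less executable memory, in regions that no file backs."""
    findings = []
    for r in regions:
        if r.mapped_file is not None:
            continue   # mapped by the OS image loader from a file on disk: the normal path
        hdr = parse_pe_header(r.data)
        if hdr is not None:
            kind = "DLL" if hdr.characteristics & IMAGE_FILE_DLL else "EXE"
            findings.append({"base": r.base, "reason": "PE image in private memory",
                             "kind": kind, "sections": hdr.sections})
        elif r.executable:
            # A loader that wipes its own headers after mapping defeats the check above,
            # so executable private memory with no header is reported as well.
            findings.append({"base": r.base, "reason": "executable private memory without PE header",
                             "kind": None, "sections": []})
    return findings


def build_sample_image(is_dll: bool, section_names: List[bytes]) -> bytes:
    """Construct a minimal, header-only PE32+ image (no real code) for the demo."""
    e_lfanew, opt_size = 0x40, 240
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(section_names), 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 56, 0x5000)   # SizeOfImage
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt) + sections


# Constructed snapshot: an OS-mapped EXE (hypothetical path), a private PE image,
# plain private data, and header-less executable private memory.
SAMPLE_REGIONS = [
    Region(0x7FF6_1000_0000, build_sample_image(False, [b".text", b".data"]), r"C:\example\host.exe", True),
    Region(0x0200_0000_0000, build_sample_image(True, [b".text", b".rdata", b".reloc"]), None, True),
    Region(0x0200_1000_0000, bytes(4096), None, False),
    Region(0x0200_2000_0000, b"\x90" * 4096, None, True),
]

if __name__ == "__main__":
    for f in find_unbacked_images(SAMPLE_REGIONS):
        print(f"{f['base']:#018x}  {f['reason']}  kind={f['kind']}  sections={f['sections']}")
```

Run stand-alone, the script reports the private DLL image with its three sections and the header-less executable region, and stays silent on the file-backed EXE and the plain data region. The header check alone is easy to evade (a loader can zero its headers once the sections are mapped), which is why the second heuristic is kept; on a real system both would be followed by a comparison of the region's contents against the modules the loader's own lists know about.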