DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library. DLL injection is often used by external programs to influence the behavior of another program in a way its authors did not anticipate or intend.

While Standard DLL Injection is Cool, It has it’s pros and cons. One major being that it’s required for the Dll to be stored on disk.

That’s when our Malware Jesus, Stephen Fewer developed Reflective DLL Injection. In Reflective DLL Injection, The DLL can be loaded entirely from memory without ever touching the disk. In this Post I am going to show you how to

Create a Reflective DLL Injector, Create a Reflective DLL, How to pass Parameters to the Reflective DLL and how to get it’s Output.

Giving you the power to run anything in memory.

Let’s start. First of all, I must link the Original Reflective DLL Injection Repository. But we are going to be using my Fork of Reflective DLL Injection, Which is modified to get output from the DLL using named Pipes.

https://github.com/quantumcored/ReflectiveDLLInjection

You can play around with this code and compile it with whatever you want. But for simplicity, I’m going to use the Visual Studio project itself that’s attached.

All the code in this Post is from the repositories above.

Understanding the Changes

https://github.com/quantumcored/ReflectiveDLLInjection/blob/master/dll/src/Output.cpp

The DLL function Send(const char* data); is used to send the Injecting program the output of the dll using named pipes, We’ll go over on how to do this in a moment.

On the Injecting Side

https://github.com/quantumcored/ReflectiveDLLInjection/blob/master/inject/src/Output.cpp

Before Injection of the DLL, The Prepare(); function is called which starts the Named Pipe Thread to receive the DLL Output. You can see example usage of this here :

https://github.com/quantumcored/ReflectiveDLLInjection/blob/master/inject/src/Inject.cpp

So basically, To receive Output from the Reflective DLL, We are creating a Named Pipe Server before injecting,

Then the Reflective DLL is injected and Writes the output to the Named Pipe Server.

Passing Parameters to the DLL

This one didn’t require any modifications, The original Reflective DLL Injection allows you to pass parameters using LoadRemoteLibraryR function.

Example Code :

The Example code above expects the dll to be in unsigned char* DLL and it passes cpCommandLine into it.

Reading Parameters in the DLL

In your reflective dll, The parameters are in lpReserverd, From which a string an easily be extracted by.

char* cpCommandLine = (char*)lpReserved;

Sample Code :

The above will show a message box showing the parameters that were passed from the injector.

Making a Reflective DLL

A Simple Reflective DLL Example is here

https://github.com/quantumcored/ReflectiveDLLInjection/blob/master/dll/src/ReflectiveDll.cpp

I’m gonna be using this as base to build our sample DLL. This, Currently, Shows a message box and returns output “Evening the Odds”. I wrote this for testing Outputs.

Let’s make a DLL that Reads in a URL from Parameters and Opens it, Then return output.

The above dll is pretty simple, It reads in the url from parameters, Opens the url using ShellExecute and sends output to the injector that the url Url was opened.

But a Reflective DLL is nothing without the injector. So let’s make a complete injector for this.

Here’s how this would look like in testing, The url was opened and the DLL successfully returned output!

Loading the DLL over socket

The DLL can also be loaded over a network using Sockets, And injected.

Sample code :

https://github.com/quantumcored/remote_hacker_probe/blob/main/probe/windows/ProbeCpp.cpp#L257

Giving almost full stealth when running code remotely.

Reflective DLL Malware Payloads

Having the ability to run your own code in Memory is a great. You can write your own Reflective DLLS and run them.

That’s how metasploits meterpreter works. It relies heavily on Reflective DLL Injection. Many advanced frameworks use Reflective DLL Injection, Including Cobalt Strike, Metasploit and many APT’s.

Thanks for reading!


Subscribe
Notify of
guest
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
trackback

[…] Tutorial on how to write a DLL for Remote Hacker Probe & / OR your own projects. […]

1
0
Would love your thoughts, please comment.x
()
x