DLL Hollowing
Deep dive into a stealthier DLL hollowing/memory allocation variant.
https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/
#malware #dll #hollowing
Deep dive into a stealthier DLL hollowing/memory allocation variant.
https://www.secforce.com/blog/dll-hollowing-a-deep-dive-into-a-stealthier-memory-allocation-variant/
#malware #dll #hollowing
www.secforce.com
SECFORCE - Security without compromise
Cybersecurity consultancy specialized in offensive security helping top-tier organisations all over the world.
UAC bypass - DLL hijacking
This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.
https://github.com/SecuProject/DLLHijackingScanner
#uac #bypass #dll #hijacking
This is a PoC for bypassing UAC using DLL hijacking and abusing the "Trusted Directories" verification.
https://github.com/SecuProject/DLLHijackingScanner
#uac #bypass #dll #hijacking
Process Injection via KernelCallBackTable
Process injection via the KernelCallBackTable involves replacing original callback function by custom payload so that whenever the function is invoked, payload will be triggered. In this case the fnCOPYDATA callback function has been used.
C# Code Snippet:
https://gist.github.com/sbasu7241/5dd8c278762c6305b4b2009d44d60c13
#edr #evasion #dll #injection #kernelcallbacktable
Process injection via the KernelCallBackTable involves replacing original callback function by custom payload so that whenever the function is invoked, payload will be triggered. In this case the fnCOPYDATA callback function has been used.
C# Code Snippet:
https://gist.github.com/sbasu7241/5dd8c278762c6305b4b2009d44d60c13
#edr #evasion #dll #injection #kernelcallbacktable
👍2
📌 Save the Environment
Many applications appear to rely on Environment Variables such as
By changing these variables on process level, it is possible to let a legitimate program load arbitrary DLLs.
Research:
https://www.wietzebeukema.nl/blog/save-the-environment-variables
Source Code:
https://github.com/wietze/windows-dll-env-hijacking
#maldev #dll #hijacking #environment
Many applications appear to rely on Environment Variables such as
%SYSTEMROOT% to load DLLs from protected locations. By changing these variables on process level, it is possible to let a legitimate program load arbitrary DLLs.
Research:
https://www.wietzebeukema.nl/blog/save-the-environment-variables
Source Code:
https://github.com/wietze/windows-dll-env-hijacking
#maldev #dll #hijacking #environment
👍9
⚛️ AtomLdr
A DLL loader with advanced evasive.
Features:
• DLL unhooking from \KnwonDlls\ directory, with no RWX sections
• The encrypted payload is saved in the resource section and retrieved via custom code
• AES256-CBC Payload encryption using custom no table/data-dependent branches using ctaes; this is one of the best custom AES implementations I've encountered
• Indirect syscalls, utilizing HellHall with ROP gadgets
• Payload injection using APC calls - alertable thread
• Api hashing using two different implementations of the CRC32 string hashing algorithm
• The total Size is 17kb
https://github.com/NUL0x4C/AtomLdr
#loader #dll #edr #evasion #redteam
A DLL loader with advanced evasive.
Features:
• DLL unhooking from \KnwonDlls\ directory, with no RWX sections
• The encrypted payload is saved in the resource section and retrieved via custom code
• AES256-CBC Payload encryption using custom no table/data-dependent branches using ctaes; this is one of the best custom AES implementations I've encountered
• Indirect syscalls, utilizing HellHall with ROP gadgets
• Payload injection using APC calls - alertable thread
• Api hashing using two different implementations of the CRC32 string hashing algorithm
• The total Size is 17kb
https://github.com/NUL0x4C/AtomLdr
#loader #dll #edr #evasion #redteam
🔥7👍3
🔑 KeePass2: DLL Hijacking and Hooking API
This new article about a way to get the Master Password of a KeePass database.
https://skr1x.github.io/keepass-dll-hijacking/
#keepass #dll #hijacking #redteam
This new article about a way to get the Master Password of a KeePass database.
https://skr1x.github.io/keepass-dll-hijacking/
#keepass #dll #hijacking #redteam
👍8😁1
Learn the process of crafting a personalized RDI/sRDI loader in C and ASM, incorporating code optimization to achieve full position independence.
🔗 https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/
#maldev #reflective #dll #clang #asm
Please open Telegram to view this post
VIEW IN TELEGRAM
Malicious Group
Writing your own RDI /sRDI loader using C and ASM
In this post, I am going to show the readers how to write their own RDI/sRDI loader in C, and then show how to optimize the code to make it fully position independent.
🔥12👍2
DLHell is a tool for performing local and remote DCOM Windows DLL proxying. It can intercept DLLs on remote objects to execute arbitrary commands. The tool supports various authentication methods and provides capabilities for local and remote DLL proxying, as well as DCOM DLL proxying.
🔗 Source:
https://github.com/synacktiv/DLHell
#windows #dll #proxing #dcom
Please open Telegram to view this post
VIEW IN TELEGRAM
GitHub
GitHub - synacktiv/DLHell: Local & remote Windows DLL Proxying
Local & remote Windows DLL Proxying. Contribute to synacktiv/DLHell development by creating an account on GitHub.
👍6❤3