Welcome to part 3 of our series! That last one was crazy long. This one is going to be pretty short because we’re not really going to introduce any new concepts or encryption or fancy stuff like that.
This post is going to be all about the dll!
A dll is a great way to avoid detection. Many of the code snippets that you’ll find on Github or ExploitDB will be written to compile as executables, but they can easily be converted for use as a dll.
Let’s get started.
Setting Up Our Script
If you remember from Part 2 of our series, we created a script that obfuscated our malware and automatically compiled it for us. We can do the same thing to create a dll.
The only thing we need to do is change the compilation settings in our malware_creator.sh file.
We need to add a “-shared” flag and our script will compile to a dll.
We can save the file and then all we need to do is designate our malware as a dll when we are prompted.
Next, we need to edit our malware.c template file. instead of having a Main function leading to our shellcode execution, we’re going to designate a dll export.
And then under the “rce” function we will add our DLLMain.
And that should be it! When we run our script, we should have a nice dll waiting for us.
Well, it compiled. Let’s see if it works.
All right! Pretty cool, huh? Let’s see what kind of detections we have with this.
Wow…so…I guess it’s FUD? For now anyway. Let’s compare this is the executable version of our malware.
As you can see, the executable version of our malware is detected by 2 AV vendors. But as a dll, we have bypassed the last two AV vendors on AntiScan.me.
Let’s give it a real world test. How about we test our dll it against a Windows 11 VM running Microsoft Defender For Endpoint and ESET AV.
Looks like it works!
Now that we have a dll, we can start to look at how we might execute this on a system without having to use rundll32.exe. There are literally a million ways to do this, but a stager is probably the easiest way to do it as a POC.
We can create a stager pretty easily in C.
And here is an example of the shittiest stager in offsec. We can compile it with GCC.
x86_64-w64-mingw32-gcc -o stager.exe stager.c
Let’s see if it throws any detections.
It’s FUD. Maybe AntiScan.me was like, “this is so shitty that nobody would actually use it”.
But let’s give it a go and see if we can get code execution. First, we host our dll on our kali/ubuntu box with a python server.
python3 -m http.server 9090
Transfer the stager executable to our Windows test box and give it a go.
And it worked. How about on our Windows Defender for Endpoint/ESET box?
I told you it would be a short one! The main point of this post was show that even if your executables are being flagged by certain vendors, there are options. One of those options is to turn it into a dll.
Dlls offer a wide variety of benefits. Using Visual Studio, your options open immensely. You can embed them in other legitimate projects and call them from an actual executable instead of having to use a stager like we did.
We also demonstrated in this article that we could easily transition our obfuscation script to compile dlls by swapping out a few lines of code.
As always, I will be uploading the scripts to my Malware_Project folder on GitHub here:
If you liked this and want more content, follow me on here or on Twitter @assume_breach