PythonMemoryModule: load dll and unmanaged exe entirely from memory
PythonMemoryModule
pure-python implementation of MemoryModule technique to load a dll or unmanaged exe entirely from memory
PythonMemoryModule is a Python ctypes porting of the MemoryModule technique originally published by Joachim Bauch. It can load a dll or unmanaged exe using Python without requiring the use of an external library (pyd). It leverages pefile to parse PE headers and ctypes.
The tool was originally thought to be used as a Pyramid module to provide evasion against AV/EDR by loading dll/exe payloads in python.exe entirely from memory, however, other use-cases are possible (IP protection, pyds in-memory loading, spinoffs for other stealthier techniques) so I decided to create a dedicated repo.
Why it can be useful
- It basically allows using of the MemoryModule technique entirely in Python-interpreted language, enabling the loading of a dll from a memory buffer using the stock signed python.exe binary without requiring dropping on disk external code/libraries (such as pymemorymodule bindings) that can be flagged by AV/EDRs or can raise user’s suspicion.
- Using the MemoryModule technique in compiled language loaders would require embedding MemoryModule code within the loaders themselves. This can be avoided using Python-interpreted language and PythonMemoryModule since the code can be executed dynamically and in memory.
- you can get some level of Intellectual Property protection by dynamically in-memory downloading, decrypting, and loading dlls that should be hidden from prying eyes. Bear in mind that the dlls can be still recovered from memory and reverse-engineered, but at least it would require some more effort by the attacker.
- you can load a stageless payload dll without performing injection or shellcode execution. The loading process mimics the LoadLibrary Windows API (which takes a path on disk as input) without actually calling it and operating in memory.
How to detect it
Using the MemoryModule technique will mostly respect the sections’ permissions of the target DLL and avoid the noisy RWX approach. However, within the program memory, there will be a private commit not backed by a dll on disk and this is a MemoryModule telltale.
