sRDI – Shellcode Reflective DLL Injection
sRDI allows for the conversion of DLL files to position independent shellcode.
Functionality is accomplished via two components:
- C project which compiles a PE loader implementation (RDI) to shellcode
- Conversion code which attaches the DLL, RDI, and user data together with a bootstrap
This project is comprised of the following elements:
- ShellcodeRDI: Compiles shellcode for the DLL loader
- NativeLoader: Converts DLL to shellcode if necessary, then injects into memory
- DotNetLoader: C# implementation of NativeLoader
- Python\ConvertToShellcode.py: Convert DLL to shellcode in place
- Python\EncodeBlobs.py: Encodes compiled sRDI blobs for static embedding
- PowerShell\ConvertTo-Shellcode.ps1: Convert DLL to shellcode in place
- FunctionTest: Imports sRDI C function for debug testing
- TestDLL: Example DLL that includes two exported functions, one invoked on load and one invoked afterwards
The DLL does not need to be compiled with RDI; however, the technique is cross-compatible, so a DLL that was built with RDI also works.
Building
Use
Convert DLL to shellcode using python
Load DLL into memory using C# loader
Convert DLL with python script and load with Native EXE
Convert DLL with powershell and load with Invoke-Shellcode
Stealth Considerations
There are many ways to detect memory injection. The loader function implements two stealth improvements on traditional RDI:
- Proper Permissions: When relocating sections, memory permissions are set based on the section characteristics rather than a massive RWX blob.
- PE Header Cleaning (Optional): The DOS Header and DOS Stub of the target DLL are completely wiped with null bytes on load (except for e_lfanew). This can be toggled with 0x1 in the flags argument for C/C#, or via command line arguments in Python/PowerShell.
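Seen from the detection side, the header-cleaning option leaves a recognisable pattern in memory: no MZ magic and an all-zero DOS header and stub, while e_lfanew still resolves to a valid PE signature. The heuristic below is an added example, not code from the sRDI project; the offsets 0x3C and 0x40 are the standard IMAGE_DOS_HEADER layout, and the sample buffers are constructed inline.

```python
# Added example (not part of sRDI): classify a candidate image region as an
# ordinary PE, a PE whose DOS header/stub was wiped except e_lfanew, or neither.
import struct

DOS_HEADER_LEN = 0x40      # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C     # offset of e_lfanew inside IMAGE_DOS_HEADER
PE_SIGNATURE = b"PE\x00\x00"


def classify_pe_region(region: bytes) -> str:
    """Return 'mz', 'wiped' or 'none' for the bytes at a candidate image base.

    'mz'    -> normal PE: 'MZ' magic and e_lfanew points at 'PE\\0\\0'
    'wiped' -> no 'MZ', everything before the NT headers is zero except the
               e_lfanew field, which still points at a valid PE signature
    'none'  -> does not look like a PE image
    """
    if len(region) < DOS_HEADER_LEN:
        return "none"
    e_lfanew = struct.unpack_from("<I", region, E_LFANEW_OFFSET)[0]
    # e_lfanew must land past the DOS header and leave room for the signature
    if e_lfanew < DOS_HEADER_LEN or e_lfanew + 4 > len(region):
        return "none"
    if region[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "none"
    if region[:2] == b"MZ":
        return "mz"
    # DOS header + DOS stub, minus the 4-byte e_lfanew field, must be all zero
    before_nt = region[:E_LFANEW_OFFSET] + region[E_LFANEW_OFFSET + 4:e_lfanew]
    if not any(before_nt):
        return "wiped"
    return "none"


def build_sample(wiped: bool, e_lfanew: int = 0x80) -> bytes:
    """Constructed test data: a minimal DOS header, stub and PE signature."""
    buf = bytearray(e_lfanew + 4 + 20)   # room for the signature and a COFF header
    if not wiped:
        buf[0:2] = b"MZ"
        buf[DOS_HEADER_LEN:DOS_HEADER_LEN + 14] = b"This program c"  # stub text
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    return bytes(buf)


if __name__ == "__main__":
    print(classify_pe_region(build_sample(wiped=False)))  # mz
    print(classify_pe_region(build_sample(wiped=True)))   # wiped
    print(classify_pe_region(b"\x00" * 0x100))            # none
```

A memory scanner would run this over the start of each private executable region; a 'wiped' hit is worth correlating with the per-section permission layout the loader also produces.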
Copyright (c) 2013, Matthew Graeber
All rights reserved.
Source: https://github.com/monoxgas/