Reflective DLLs and You

Hey all,

This post is about reflective dynamic link libraries (DLLs) and walks through how to write one.  The technique was developed by Stephen Fewer, and this post uses his code to make the magic happen.  I realize this is a topic that has been discussed several times, so I’m going to keep this post simple and tight.


What is a DLL? A DLL is portable code that is often shared by applications. However, with respect to this post, a DLL is an opportunity to execute code. Why even bother with this? If our goal is to execute code, why not write an exe to disk? For a moment, consider the footprint: writing to disk, creating a process, and then doing stuff; it can add up in a hurry. Enter DLLs and how we can go about loading them into memory.

Normally, DLLs are loaded into memory when a process starts; however, they can also be injected into an already running process. Through DLL injection we no longer need to create a process to execute code (various DLL injection techniques); yet we still need to write our file to disk in order to inject. Reflective DLL injection solves this. Developed by Stephen Fewer, this technique allows us to inject code into an existing process without ever writing to disk. So with reflective DLL injection we go from writing to disk and creating a process to injecting our code entirely in memory … thank you Stephen.

How to Defend or Detect

Endpoint protection platforms (EPP) are starting to flag these techniques. Personally, I would explore reflective DLL injection on an endpoint using my EPP software to identify any limitations. Additionally, reflective DLLs will often execute malicious code using Windows API calls, a potential detection point. For example, CreateRemoteThread is a popular API call for executing shellcode in a remote process.
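To make the CreateRemoteThread detection point concrete, here is an added example that is not code from the original post or from Stephen Fewer's project. It assumes telemetry shaped like Sysmon Event ID 8 (CreateRemoteThread), whose records carry SourceImage, TargetImage, StartAddress, StartModule and StartFunction fields; when the thread's start address is not backed by a module loaded from disk, StartModule is empty, which is exactly what a reflectively loaded DLL or raw shellcode produces. The log lines, the flattened `Key=Value` layout, and the paths in them are constructed for the example.

```python
"""Hunt for CreateRemoteThread events whose start address is not backed by a module.

Constructed sample data in a flattened Key=Value form loosely modelled on
Sysmon Event ID 8; the layout and paths are made up for this example.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_EVENTS = [
    # Benign: thread start backed by ntdll.dll, as most legitimate remote threads are
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Program Files\\Vendor\\app.exe "
    "StartAddress=0x00007FFB12340000 StartModule=C:\\Windows\\System32\\ntdll.dll "
    "StartFunction=RtlUserThreadStart",
    # Suspicious: start address in unbacked memory, source image in a user profile
    "EventID=8 SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe "
    "TargetImage=C:\\Windows\\explorer.exe "
    "StartAddress=0x000001A2B3C40000 StartModule= StartFunction=",
    # A different event type; the rules must ignore it
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
]

# Key=Value pairs; a value runs until the next " Key=" or end of line, so empty values
# (StartModule= StartFunction=) and paths containing spaces both parse correctly.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Directories an unprivileged user can write to; a thread-creating process living
# here is a secondary indicator worth surfacing alongside the unbacked start address.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event line into a field dictionary."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an Event ID 8 record looks like injected code, if any."""
    reasons: List[str] = []
    if event.get("EventID") != "8":
        return reasons  # only CreateRemoteThread records are assessed
    if event.get("StartModule", "") == "":
        reasons.append("thread start address not backed by a loaded module")
    source = event.get("SourceImage", "").lower()
    if any(marker in source for marker in USER_WRITABLE):
        reasons.append("source process image in a user-writable location")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every line that triggers at least one rule."""
    hits = []
    for line in lines:
        reasons = assess(parse_event(line))
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_EVENTS):
        event = parse_event(line)
        print(f"{event['SourceImage']} -> {event['TargetImage']}: {'; '.join(reasons)}")
```

Run stand-alone it reports only the second record. On a real estate you would feed it exported Sysmon events and tune the source-image rule to the EPP and deployment tooling that legitimately create remote threads, which is the kind of limitation-finding the paragraph above recommends.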

After watching Raphael’s latest post on in-memory evasion, a few other tools:

Continue reading “Reflective DLLs and You”

Empire and Proxy Pivots

Hey all,

This post is about spawning an Empire session over an already established foothold using reverse port forwarding.  Spoiler, it’s all in the custom proxy settings.


Why not run an entirely new session back to the C2 infrastructure?  Personally, I spend quite a bit of time running my externally destined traffic through the gauntlet: NGFWs, NIDS, and proxies *cough* check your stager *cough*. Every time you call home, the chance of detection increases, especially when introducing different types of C2 network traffic.

Onto the example. Set up the reverse port forward; I used Cobalt Strike, but any old reverse port forwarder could be used, like SSH, Meterpreter, and so on.


Continue reading “Empire and Proxy Pivots”