This PR brings direct syscalls capability to the original Reflective DLL Injection library. This is a new implementation based on this first PR. This includes the logic to retrieve the syscall numbers using a technique similar to the one used in this evasion module. This is based on the assumption that the syscall numbers are sequential and can be deduced from the position of the related native API function in memory. The technique consists of selecting the system call functions starting with `Zw…` from NTDLL exports and sorting them in ascending order of their memory addresses. The syscall number of one given native API function is simply its index in this array.

Also, this implementation uses a "trampoline" logic similar to what is used by RecycledGate to ensure that all the system calls go through `ntdll.dll`.

Only the following native API functions have been implemented with these techniques so far:
These functions now replace the functions used by the original Reflective DLL Injection implementation.
This also supports x86, x64 and Wow64 architectures. Note that ARM is not supported.
So far, this has been tested successfully on the following systems:
Testing
You will need to open the solution with Visual Studio, select the `Release` configuration (`Debug` doesn't work for some reasons I haven't investigated yet) and select the platform `x64` or `Win32`, according to your target OS. Note that Wow64 binaries are supported, so you can still run an x86 binary on an x64 architecture.

The build will generate an executable and a dll.
For an x86 build:

`Release\inject.Win32.exe`
`Release\reflective_dll.Win32.dll`

For an x64 build:

`x64\Release\inject.x64.exe`
`x64\Release\reflective_dll.x64.dll`
Note that both the executable and the dll need to be located in the same folder.
Executing the `inject` binary should inject the dll and pop up a MessageBox.

TODO
Add a custom implementation of the following functions from `kernel32.dll`:

These functions are used by the reflective loader. Getting rid of calls through `kernel32.dll` would certainly reduce the footprint.