- Injects x64 managed DLL into x64 managed/unmanaged process (process must have GUI because we obtain its windows handle) using setwindowshook
- Here as a TROLL, we inject into hidden window taskmgr to do a lsass dump undetected (see Test Case section below)
- The injector DLL and injected DLL is the same DLL hence no additional DLL required
- Integrity level of target process must be same or lower as injector process
Original Project: https://github.com/enkomio/ManagedInjector
- ported code to inject into 64 bit binaries ---> original project ony allows dll injection into 32 bit binaries
- removed IPC logic because it was overbearing
- created boilerplate code to just run your payload directly in the RunOnRemoteProcess() function instead of the previous convoluted way
- project still uses DLLExport to get a .NET DLL to export functions
- Note this is not a dependency to the project but more of a postprocessing. DLLExport will modify your final .NET DLL to export a function.
- Can manually do the function exporting if you want https://blog.xpnsec.com/rundll32-your-dotnet/
- Download project & Compile solution as X64, Release
- No external dependencies needed
> Requires High Integrity depending on use case
> [System.Reflection.Assembly]::LoadFrom("C:\Users\public\TrollDump.dll")
> [TrollDump.ForFun]::Main("C:\windows\system32\taskmgr.exe")
- In this POC, we do a lsass dump, you can run whatever "DLL exported function logic" you want by modifying the function RunOnRemoteProcess() and recompiling.
- As mentioned earlier, the code serves as boilerplate for the dll injection, what you choose to do after is conveniently writable in c# managed code.
- Win 2019 build 17763.737 with latest windefender patches
- both dllinject + lsass dump
- Other AVs (unnamed)
- dllinject works fine
- obviously whether lsass dump works or not depends if the AV allows taskmgr to dump lsass
- Not tested on any EDRs -> i suspect the dll injection should still work on specific EDRs
- DLL needs to be on disk so should be obfuscated
- DLL should only be used to do injection, actual payload should never be embedded into DLL and should be reflectively loaded
- Obviously injecting CLR into unmanaged process is suspicious but hey!
- setwindowshook although a classic technique is most often tied to keylogging, not our use case
- Can be super creative with whichever GUI process you want to inject (if running as system, can inject into dwm.exe as well)
- Inject into gui-less process
- currently for setwindowshook it uses WH_CALLWNDPROC, you can modify it to use WH_GETMESSAGE but the target process must be running a message loop (GetMessage())
- if you can find a non gui binary that implements a message loop (i suspect unlikely) then you can inject into guiless binaries as well
- common for GUI processes to run GetMessage()
- Fully reflective and not needed to drop on disk
- Based on setwindowshook, it seems like the DLL must be on disk?
- i tried to use c# delegates to pass a function pointer to run instead of the exported DLL function and that didnt work (this is the classic c# keylogger technique for local process but we are doing remote process)
- you can give this a try by incorporating other techniques, i think its doable
- Taskmgr will automatically spawn as High Integrity even if our current process is Medium (so technically if we inject DLL into it, its a UAC bypass)
- The injection seems to work fine as per the WIN API return results
- although sendMessage() succeeds, message is silently dropped. Explained here https://stackoverflow.com/questions/40122964/cross-process-postmessage-uipi-restrictions-and-uiaccess-true
- However, taskmgr fails to call the exported function
- The injection seems to work fine as per the WIN API return results
Should only be used for educational purposes!