Skip to content
/ DLLProxy_Example1 Public

DLL proxy example for notepad++ updater libcurl.dll. In this instance, must rename the original libcurl.dll to libcurl1.dll so forwarding happens properly.

0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

seahop/DLLProxy_Example1

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
DLLProxy.cpp
DLLProxy.cpp
 
 
README.MD
README.MD
 
 

Repository files navigation

This takes in a binary file and executes in memory. Tested with a Cobalt Strike .bin file and works for a PoC. Must move the C:\Program Files\notepad++\updater\libcurl.dll to libcurl1.dll so fowarding happens properly with this scripts current configuration.

When Notepad++ starts up, it automatically checks for an update (GUP.exe), and the proxy DLL is called, binary is searched, copied, and then executed in memory. No AV/EDR evasion and trickery added to this, just a simple PoC.

To create your own, pull back the DLL you wish to proxy, use VS Native Tools Command prompt on the DLL (dumpbin /exports nameof.dll), and map them in order with ordinal (ex. @1, @2, etc). Depending on how many exports the DLL has, it can be quite a lengthy process getting them in order but it is scriptable: #pragma comment(linker, "/export:curl_easy_cleanup=libcurl1.curl_easy_cleanup,@1")

About

DLL proxy example for notepad++ updater libcurl.dll. In this instance, must rename the original libcurl.dll to libcurl1.dll so forwarding happens properly.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages