Nim - LoadLibrary & GetProcAddress Loading -> Execute my DLL

dripper
Rank: RAID-массив · Banned · Registered: 19.05.2022 · Posts: 60 · Reactions: 6
Please note that this user is banned
I do not know how this magic is happening in Nim (of course I will work on this), but this is interesting to check. I just called LoadLibrary and GetProcAddress to get an export of a DLL which is __declspec defined. And it executed the DLL, which is strange?
Is this normal, or did I find a method to execute the DLL to bypass AV/EDR? Opinions?)

Code:
# Compile: nim c file.nim
import winim

var
    lib: HMODULE
    process: HOOKPROC

# LoadLibraryA maps the DLL and runs its entry point (DllMain) before returning
lib = LoadLibraryA("test.dll")
if lib == 0:
    echo "LoadLibraryA failed, error: ", GetLastError()
    quit(1)
echo "Handle: ", cast[int](lib)
# GetProcAddress only resolves the export's address; it does not call it
process = cast[HOOKPROC](GetProcAddress(lib, "DllMain"))
echo "Export address: ", cast[int](process)

Also I am open for a job) PM me.
 
And it executed the DLL, which is strange?
What is strange? DllMain is always called when you load the DLL into memory; LoadLibrary calls it to initialize the DLL.
 
What is strange? DllMain is always called when you load the DLL into memory; LoadLibrary calls it to initialize the DLL.
No, even if the export name is not DllMain, it will still be loaded and executed. Expectedly it should just initialize, not execute. You can check the code on your side)
 
No, even if the export name is not DllMain, it will still be loaded and executed. Expectedly it should just initialize, not execute. You can check the code on your side)
Post the DLL with the export that is not DllMain here. The DLL entry point may be called anyhow; only the PE headers matter.
 
Wait, I got this. I had CplApplet, DllMain and my custom export name defined with __declspec. The CplApplet is called by default as soon as LoadLibrary is called)) So even if your .cpl file is renamed to .dll and loaded via LoadLibrary, it will be called and the DLL is executed. I think it is not an issue with Nim but Windows behavior.))
Can you verify? If this is true, you have a new execution method and no need to call anything after LoadLibrary))

Code used and expanded from -> https://www.ired.team/offensive-sec...l-item-through-an-exported-cplapplet-function
 
So the CplApplet function is called on DLL_PROCESS_ATTACH, what is wrong with that? When control is passed to the DLL entry point (and LoadLibrary calls it), CplApplet gets called...
 
Solution
Can you verify?
I will be able to verify if you post the code here. In the example code on ired.team the CplApplet is called from DllMain, as was already mentioned by Alan Wake. DllMain is always called with DLL_PROCESS_ATTACH when you load it, and it is also called with DLL_THREAD_ATTACH.
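To make the behaviour described in the replies visible, here is an added example DLL in Nim that is not from this thread or from ired.team; it assumes winim is installed, and the file name demo.nim and the CplApplet export are illustrative. DllMain prints which notification the Windows loader delivered, while CplApplet prints only if something actually calls it.

```nim
# Added example (not from the thread). Build on Windows:
#   nim c --app:lib --nomain demo.nim
# Assumes the winim package; demo.nim / CplApplet are illustrative names.
import winim

# Nim's runtime initializer; with --nomain we must call it ourselves.
proc NimMain() {.cdecl, importc.}

# An ordinary export. The loader never calls it on its own: GetProcAddress
# only returns its address, so this runs only if the host (or DllMain) calls it.
proc CplApplet(hwndCpl: HWND, msg: UINT, lParam1: LPARAM, lParam2: LPARAM): LONG {.stdcall, exportc, dynlib.} =
  echo "CplApplet called with msg=", msg
  return 0

# The entry point. Windows invokes it from inside LoadLibrary with
# DLL_PROCESS_ATTACH, again for each new thread (DLL_THREAD_ATTACH /
# DLL_THREAD_DETACH), and once more on unload (DLL_PROCESS_DETACH).
proc DllMain(hinstDLL: HINSTANCE, fdwReason: DWORD, lpvReserved: LPVOID): BOOL {.stdcall, exportc, dynlib.} =
  NimMain()
  if fdwReason == DLL_PROCESS_ATTACH:
    echo "DllMain: DLL_PROCESS_ATTACH (running inside LoadLibrary)"
  elif fdwReason == DLL_THREAD_ATTACH:
    echo "DllMain: DLL_THREAD_ATTACH"
  elif fdwReason == DLL_THREAD_DETACH:
    echo "DllMain: DLL_THREAD_DETACH"
  elif fdwReason == DLL_PROCESS_DETACH:
    echo "DllMain: DLL_PROCESS_DETACH"
  return true
```

Loaded with the Nim loader from the first post, the DLL_PROCESS_ATTACH line appears during the LoadLibraryA call and the CplApplet line never appears; the ired.team sample differs only in that its DllMain calls CplApplet itself.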
 
Agree with both of you. Maybe I was just excited. Thanks for the help! DildoFagins, I will PM you the code soon; though I have shared all my findings here, if I have anything else I will do so)
 
Nothing strange if you called the library and the main function just ran; that's normal. The strange thing would be if you load the library, get the address, and the exported function ran without a call from the exe or DllMain; then this would be very strange, I guess.