Shellcode reflective DLL injection (sRDI) is a technique that allows converting a given DLL into a position independent shellcode that can then be injected using your favourite shellcode injection and execution technique. In this lab I wanted to try this technique as I think it is an amazing technique to have in your arsenal.
In this lab, I'm playing with the amazing https://github.com/monoxgas/sRDI written by monoxgas from Silent Break Security.
Let's compile a simple x86 DLL - in my case, an odd DLL that pops 2 notepad processes when executed:
Convert the DLL into shellcode. We will get an array of shellcode bytes represented in decimal values:
$sc = ConvertTo-Shellcode \\VBOXSVR\Experiments\messagebox\messagebox\Debug\messagebox.dll
Let's convert them to hex:
$sc2 = $sc | % { write-output ([System.String]::Format('{0:X2}', $_)) }
Join them all and print to a text file:
$sc2 -join "" > shell.txt
Create a new binary file with the shellcode we got earlier:
In order to load and execute the shellcode, we will place it in the binary as a resource as described in my other lab Loading and Executing Shellcode From PE Resources:
Compile and run the binary. If the shellcode runs successfully, we should see two notepad.exe processes popup:
{% hint style="warning" %} The RWX memory blocks are not opsec safe, but this lab is not concerned about that. {% endhint %}
{% embed url="https://github.com/monoxgas/sRDI/tree/master/PowerShell" %}