BishopFox / sliver

Adversary Emulation Framework
GNU General Public License v3.0

dump lsass like dumpert #345

Closed timwhitez closed 2 years ago

timwhitez commented 3 years ago

Use the same approach as https://github.com/outflanknl/Dumpert to dump lsass for evasion.

moloch-- commented 3 years ago

I think you should be able to use this via spawn-dll or sideload; the sRDI version can also be used via execute-shellcode.

timwhitez commented 3 years ago

ok, thx

timwhitez commented 3 years ago

And what's the difference between spawn-dll and sideload?

moloch-- commented 3 years ago

spawn-dll is specific to Windows DLLs and loads the DLL into the same process as the implant using reflective DLL injection. sideload is able to load any shared library (i.e., .so, .dylib, and .dll) and loads the shared library using platform specific techniques into a new process.

Both commands have help for more details.

timwhitez commented 3 years ago

ok, thanks

rkervella commented 3 years ago

Actually, spawn-dll also loads a DLL into a new process (notepad.exe by default); the difference is that it's mainly geared towards reflective DLLs (those using the ReflectiveLoader project).

For dumpert, I'd recommend using: sideload --entry-point Dump path/to/dumpert.dll

timwhitez commented 3 years ago

ok, thanks, I will try to read the source code.