BorjaMerino / Pazuzu

Pazuzu: Reflective DLL to run binaries from memory

Questions #1

Closed PowerPress closed 7 years ago

PowerPress commented 7 years ago

Awesome script. I do have a few questions, though, if you don't mind. Is the pazuzu.dll or the EXE that you are running from the share in your videos ever touching the disk?

How could you use this without having to depend on the Meterpreter module or Empire? The reason I ask is that I know those tools are not allowed for the OSCP exam, and I would love to know how you would do that if you couldn't use those and wanted to load an EXE such as Poison Ivy, as in your video.

BorjaMerino commented 7 years ago

Hi @PowerPress, the DLL generated (that embeds the exe) never touches the disk, that's the idea. It doesn't depend on Meterpreter. You just need to retrieve the DLL with the stager you want. In Metasploit take a look at those in windows/dllinject/. In my video I used, for example, the reverse_winhttp. Try hard for your OSCP exam.

PowerPress commented 7 years ago

So in your last example, would that also mean the exe such as Poison Ivy would also not touch the disk? PowerShell looks like the only way to pull off reflective DLL without using Metasploit. Would it work with the FU rootkit if you wanted to hide from the blue team, or is there a better way to handle that?

FYI, the code you have been contributing is epic. Can't wait to see a 64-bit capable Pazuzu.

On Oct 22, 2016, at 8:32 AM, Borja Merino notifications@github.com wrote:

Hi @PowerPress, the DLL generated (that embeds the exe) never touches the disk, that's the idea. It doesn't depend on Meterpreter. You just need to retrieve the DLL with the stager you want. In Metasploit take a look at those in windows/dllinject/. In my video I used, for example, the reverse_winhttp. Try hard for your OSCP exam.

BorjaMerino commented 7 years ago

@PowerPress yes, Poison Ivy was running from memory, but note that Poison Ivy touches disk to carry out some of its actions; for instance, to keep persistence at reboot. That was just an example. You can create your own binary/payload to work only in memory and keep only the stager you choose on disk. This way you only have to focus on making the stager FUD.