spellshift / realm

Realm is a cross platform Red Team engagement platform with a focus on automation and reliability.
https://docs.realm.pub/
GNU General Public License v3.0

[feature] Eldritch sys.dll_inject #49

Closed spac3commander closed 1 year ago

spac3commander commented 2 years ago

Is your feature request related to a problem? Please describe. Create the ability to inject dlls into a target process on Windows.

Describe the solution you'd like Add a basic CreateRemoteThread() dll inject function.

Describe alternatives you've considered No alternatives considered.

Additional context

hulto commented 1 year ago

In order to write tests for this function I need to create a test dll. I've created a dll that will read an environment variable LIBTESTFILE and then tries to create that file. My intention is to use the temp file library to get unique paths, export them to the LIBTESTFILE variable, and then execute the dll_inject function with the test dll.

To pass the test the file must be created.

I see three options:

hulto commented 1 year ago

What process should we inject into for testing?

DLL injection can be temperamental; what processes are the most reliable to inject into? Is there a process we can create to be a reliable injection host?

hulto commented 1 year ago

Implementation research:

hulto commented 1 year ago

What process should we inject into for testing?

Went with notepad.exe or calc.exe so I can create them specifically to be injected into. I'll have a unique process, control the env vars, and not worry about critical processes.

Is there a way to build the DLL in line with this test specifically?

Looking into https://doc.rust-lang.org/cargo/reference/build-scripts.html
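The test DLL described earlier in the thread (read LIBTESTFILE, create that file so the host test can check for it), written out as an added Rust example; this is not code from the realm repository. The entry point is guarded with cfg(windows) so the file-creation logic can be unit-tested on any platform; the function and constant names are assumptions.

```rust
use std::env;
use std::fs::File;
use std::io;
use std::path::{Path, PathBuf};

/// Environment variable the test harness exports before calling dll_inject.
pub const LIBTESTFILE_VAR: &str = "LIBTESTFILE";

/// Core behaviour: create (or truncate) the marker file at `path`.
/// The injector test passes only if this file exists afterwards.
pub fn touch_marker(path: &Path) -> io::Result<PathBuf> {
    File::create(path)?;
    Ok(path.to_path_buf())
}

/// Resolve the marker path from the environment. A missing or empty
/// variable is an error so a misconfigured harness fails loudly
/// instead of the DLL silently creating nothing.
pub fn marker_path_from_env() -> io::Result<PathBuf> {
    match env::var_os(LIBTESTFILE_VAR) {
        Some(v) if !v.is_empty() => Ok(PathBuf::from(v)),
        _ => Err(io::Error::new(
            io::ErrorKind::NotFound,
            format!("{LIBTESTFILE_VAR} is not set"),
        )),
    }
}

/// Windows DLL entry point (compiled only on Windows). DLL_PROCESS_ATTACH == 1.
/// DllMain runs under the loader lock, so the work is kept to a single file
/// creation; errors cannot be reported to a caller, so the host test detects
/// failure by the absence of the marker file.
#[cfg(windows)]
#[no_mangle]
#[allow(non_snake_case)]
pub extern "system" fn DllMain(
    _hinst: *mut std::ffi::c_void,
    reason: u32,
    _reserved: *mut std::ffi::c_void,
) -> i32 {
    const DLL_PROCESS_ATTACH: u32 = 1;
    if reason == DLL_PROCESS_ATTACH {
        let _ = marker_path_from_env().and_then(|p| touch_marker(&p));
    }
    1 // TRUE: keep the library loaded
}
```

Build it as a `cdylib` crate target; the host test exports LIBTESTFILE with a fresh temp path, injects, then asserts the path exists.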