dR.fAn0 Posted November 22, 2012

Here is a little tool that could for sure be useful in many cases; it is simply a tiny loader that will automatically inject a DLL into a target process. Atm I only coded one method, called "inject DLL from ADS" (it works great). I tested under COMODO and it bypasses successfully!

Explanation for ADS DLL Injection

What is ADS (Alternate Data Stream)
---------------------------------------------------------------
Alternate Data Stream is an exclusive Microsoft technology that has been implemented since Windows 3.1 in 1993 to resolve some problems regarding "forks", especially with compatibility between a Windows Server and a Macintosh. It is a very poorly documented technology and also not very much used nowadays. Most people have never even heard about this "hidden" function inside the Microsoft Windows file system. But in many cases it can be a very, very useful feature.

ADS is implemented exclusively on NTFS file systems
---------------------------------------------------------------
- Physical files are the common files you know (applications, images, music, etc.). Those files can be written/read/modified from Explorer or related programs.
- Alternate Data Stream files are normal files but they are fully hidden. They use another type of physical file (a visible and existing file for Explorer) as an index to be accessed/read/modified.

ADS files are
-----------------
- 100% hidden from Explorer and related software
- Do not change the size of their parent file
- Do not change the hash of the parent file
- But do change the disk free/used space

Injection Process
--------------------
On loader load, the DLL will be extracted from a resource to the loader's (its own) ADS, then injected into the target process.

[+] Detects if the current drive is working on an NTFS filesystem; if not (as in the case of most USB keys) the loader will be extracted to the temporary path, then injected.
[+] Detects if a process (during scan) is working under an x32 or x64 environment; if it is an x64 process then it will be ignored to avoid injection failure. If no more processes remain then it will launch the rescue method (if checked).
[+] Loader is very small (using pure API / dyn calls and encrypted).
[+] Rescue injection, if used: if all process injections fail from the stub settings process list, it will find the first compatible process to be hosted.

Loader size = 21 KiB (compressed = 14 KiB)
Supports UPX compression when generated
Coded using Delphi, pure API / dyn calls and encrypted to be a bit evasive, not for so long tho.
Today, 22/11/2012, it was undetected by AV (I didn't scan on VirusTotal).

NOTICE
I WILL RELEASE SOON MANY SOFTWARE USING THIS APPLICATION AS HOST AND AGAIN LOTS OF EXAMPLES. I WILL ALSO RELEASE A CONSOLE VERSION WITH AN EXAMPLE OF EDIT SERVER, THEN YOU WILL BE ABLE TO INCLUDE THIS APPLICATION IN YOUR PROJECT'S BUILDER VERY EASILY . . .

Download: (hidden content, requires sign-in)
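The post's claims about alternate data streams (hidden from Explorer, parent size and hash unchanged) are what make ADS-hosted payloads easy to miss, and they are also exactly what a defender can check for. The following PowerShell script is an added example written for this page; it is not the author's tool or any code from the post. It creates a throwaway text file under `$env:TEMP`, attaches a harmless text stream (constructed demo data, not a DLL), verifies the size and hash properties the post lists, enumerates every stream on the file, then runs a sweep that flags alternate streams whose first two bytes are the PE `MZ` signature, which is how a hidden executable or DLL would show up. The function name `Find-SuspiciousStreams` and all paths are assumptions for the example.

```powershell
# Added example (not from the original post): verify and detect NTFS alternate
# data streams from a defender's side. Assumes Windows PowerShell 5.1 on an
# NTFS volume; paths and stream contents below are constructed demo data.

$parent = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $parent -Value 'visible parent content' -NoNewline

# Record the parent's size and hash before any alternate stream exists.
$sizeBefore = (Get-Item $parent).Length
$hashBefore = (Get-FileHash -Path $parent -Algorithm SHA256).Hash

# Attach a harmless text stream named 'note' (demo data, not a payload).
Set-Content -Path $parent -Stream 'note' -Value 'hidden stream content (demo text)'

$sizeAfter = (Get-Item $parent).Length
$hashAfter = (Get-FileHash -Path $parent -Algorithm SHA256).Hash

# The post's claims, checked: Get-Item and Get-FileHash only see the main
# ':$DATA' stream, so both values are unchanged by the alternate stream.
"Size unchanged: $($sizeBefore -eq $sizeAfter); hash unchanged: $($hashBefore -eq $hashAfter)"

# Enumerate every stream on the file. ':$DATA' is the visible content; any
# other entry is an alternate stream that Explorer does not display.
Get-Item -Path $parent -Stream * | Select-Object Stream, Length

# Detection sweep: walk a directory tree, list alternate streams on each file,
# and flag streams that start with the PE signature 'MZ' (0x4D 0x5A).
function Find-SuspiciousStreams {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Read only the first two bytes of the stream to classify it.
                    # (-Encoding Byte is Windows PowerShell 5.1; PowerShell 7 uses -AsByteStream.)
                    $head = Get-Content -Path $file.FullName -Stream $_.Stream `
                                -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                    $isPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    [pscustomobject]@{
                        Path        = "$($file.FullName):$($_.Stream)"
                        Bytes       = $_.Length
                        LooksLikePE = $isPE
                    }
                }
        }
}

Find-SuspiciousStreams -Root $env:TEMP | Format-Table -AutoSize

# Cleanup: an alternate stream can be removed without touching the parent file.
Remove-Item -Path $parent -Stream 'note'
Remove-Item -Path $parent
```

The same enumeration is available from `cmd.exe` as `dir /r`, and Sysmon's Event ID 15 (FileCreateStreamHash) records the creation of alternate streams together with a hash of their contents, which gives a log-based detection for the "extract the DLL into the loader's own ADS" step the post describes. The `LooksLikePE` column is a cheap triage signal only; a stream that does not start with `MZ` can still hold an encoded or compressed payload, so unexpected alternate streams on executables in user-writable locations deserve a look regardless of the flag.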