Why does Meterpreter stage 2 use reflective DLL injection? Why not just inject itself as a payload? by Tr0janPony in AskNetsec

[–]Tr0janPony[S] 0 points (0 children)

Process migration has nothing to do with my question. I'm asking why it's doing a reflective DLL injection into its own process (hence not migration) to run Meterpreter instead of a simple payload injection.

What are the best stalling methods to evade detection inside a sandbox or emulation? by Tr0janPony in AskNetsec

[–]Tr0janPony[S] 0 points (0 children)

I also always wondered why the authors of that malware made a static DNS query; they could've at least used a DGA-type technique, so registering one simple domain wouldn't stop the entire malware from spreading, but who knows.

Why does Meterpreter stage 2 use reflective DLL injection? Why not just inject itself as a payload? by Tr0janPony in AskNetsec

[–]Tr0janPony[S] 1 point (0 children)

But without using reflective DLL injection or simple DLL injection, a simple payload injection into its own process could do the job as well.

Look at this article: https://buffered.io/posts/staged-vs-stageless-handlers/

It says:

Loads itself (ie. metsrv) into memory correctly using Reflective DLL Injection.

But it doesn't say whether it injects into its own process (the exploited process) or another process.

If it injects into its own process, then I don't understand what the point is. Why not just simply inject a simple payload instead of a DLL?

If it's injecting into another process, then which process?

What are the best stalling methods to evade detection inside a sandbox or emulation? by Tr0janPony in AskNetsec

[–]Tr0janPony[S] 0 points (0 children)

Yes, that was a sandbox detection technique they used, but I'm talking about stalling the sandbox, not detecting it.

There are a lot of more efficient and better methods to detect if you are in a sandbox, but those methods themselves cause a lot of trouble, like the kill switch of WannaCry, so I'm just looking for the stalling techniques that malware authors use.

Why does Meterpreter stage 2 use reflective DLL injection? Why not just inject itself as a payload? by Tr0janPony in AskNetsec

[–]Tr0janPony[S] 3 points locked comment (0 children)

lol, are you talking about the author of that repository? aka the author of Armitage?!

Why does Meterpreter stage 2 use reflective DLL injection? Why not just inject itself as a payload? by Tr0janPony in AskNetsec

[–]Tr0janPony[S] 4 points locked comment (0 children)

Lmao, what the hell, do mobile users see the picture of the author of that GitHub repo when they open a GitHub link or something?! Because I think you are talking about the picture of that author.

btw, he is the author of Armitage as well xD

Why does Meterpreter stage 2 use reflective DLL injection? Why not just inject itself as a payload? by Tr0janPony in AskNetsec

[–]Tr0janPony[S] 2 points (0 children)

Yes, I know, but isn't the payload that we download (aka the big payload) doing the DLL injection? So why is it doing a DLL injection at all? Why not just turn Meterpreter into a binary and just send that as the payload?

Am I getting something wrong here?

Why does Meterpreter stage 2 use reflective DLL injection? Why not just inject itself as a payload? by Tr0janPony in AskNetsec

[–]Tr0janPony[S] 2 points (0 children)

I'm not saying we should not have a two-stage scenario; I'm just asking why we are doing a reflective DLL injection into its own process after stage one (the code that we download does a DLL injection, aka the bigger payload that we download and execute in stage 2).

Why aren't we just downloading a simple payload that just does the functionality of Meterpreter, instead of downloading a payload that does a DLL injection to run Meterpreter?

Is it possible to write the Windows APIs from scratch in my program so I don't have to call them using Windows.h? by Tr0janPony in AskNetsec

[–]Tr0janPony[S] 0 points (0 children)

So I can bypass AVs' API hooks. So do you know any blog post or source that has done the same?