Load Reflective DLL

The loadr command is used to load reflective DLLs into a remote process. Badger uses a custom loader to load the DLLs, so even if the DLL’s exported symbol/function name is wiped from the DLL, it will still be able to call the exported symbol by parsing the PE headers and calling the function pointer from the DLL, provided there is only one exported function in the DLL. This command also accepts command-line arguments that are passed to the reflective DLL.

The example below shows a reflective DLL named boxreflect.dll loaded with the command-line argument “test”. Once the DLL receives the argument, it prints “Returning this output” to the badger’s console. The DLL was injected into a newly created werfault.exe process with PID 6872.

By default, the loadr command executes the first exported function it finds in the Export Address Table (EAT). It can be configured with PPID Spoofing, DLL Blocking (DLL Mitigation Policies), Dynamic Process Injection techniques and Child Processes.
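For an analyst triaging a DLL that may have been built for this kind of loader, the following Python (an added example, not Brute Ratel's loader code) walks the PE export directory and flags the condition the loader relies on: exactly one export with no usable name. `build_sample()` constructs a minimal PE32+ image for testing; offsets follow the PE/COFF layout of IMAGE_NT_HEADERS, IMAGE_SECTION_HEADER and IMAGE_EXPORT_DIRECTORY.

```python
import struct

def _rva_to_off(rva, sections):
    """Map an RVA to a file offset via (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for vsize, va, rawsize, raw in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} lies outside every section")

def enumerate_exports(data):
    """Return (NumberOfFunctions, [export names]) from the export directory of a PE image."""
    assert data[:2] == b"MZ", "missing DOS header"
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0", "missing NT signature"
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24; magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)                    # DataDirectory[0] = export table
    exp_rva, exp_size = struct.unpack_from("<II", data, dd)
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]
    if exp_rva == 0 or exp_size == 0: return 0, []
    e = _rva_to_off(exp_rva, sections)
    nfunc, nnames, _funcs, names_rva, _ords = struct.unpack_from("<IIIII", data, e + 20)
    names = []
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, _rva_to_off(names_rva, sections) + 4 * i)[0]
        s = _rva_to_off(name_rva, sections)
        names.append(data[s:data.index(b"\0", s)].decode())
    return nfunc, names

def single_unnamed_export(data):
    """True when there is exactly one export and no usable name for it (the wiped-name case)."""
    nfunc, names = enumerate_exports(data)
    return nfunc == 1 and not any(names)

def build_sample(names):
    """Constructed test data: minimal PE32+ DLL whose single section holds an export directory."""
    va, raw, n = 0x1000, 0x200, len(names)
    name_tbl, ords = 44, 44 + 4 * n                                # tables follow the 40-byte directory + 1 func RVA
    str_off, strings = ords + 2 * n, b"".join(m.encode() + b"\0" for m in names)
    sec = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, 1, n, va + 40, va + name_tbl, va + ords)
    sec += struct.pack("<I", va + 0x100)                           # RVA of the single exported function
    sec += b"".join(struct.pack("<I", va + str_off + sum(len(m) + 1 for m in names[:i])) for i in range(n))
    sec += bytes(2 * n) + strings                                  # name ordinals (all 0), then the strings
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    fh = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B)    # PE32+ magic
    struct.pack_into("<II", opt, 112, va, len(sec))                # export data directory entry
    sh = b".edata\0\0" + struct.pack("<IIII", len(sec), va, len(sec), raw) + bytes(16)
    hdr = dos + fh + bytes(opt) + sh
    return hdr + bytes(raw - len(hdr)) + sec
```

Run `enumerate_exports()` over a real DLL read as bytes; a file with one function and an empty or absent name table is worth a closer look.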