loadr

The loadr command loads reflective DLLs into a remote process. Badger uses a custom loader to load the DLLs, so even if the DLL’s exported symbol/function name has been wiped from the DLL, the loader can still call the exported function by parsing the PE headers and resolving the function pointer from the export table, provided the DLL has exactly one exported function. The command also accepts command-line arguments that are passed to the reflective DLL.

In the example below, I created a reflective DLL named boxreflect.dll and loaded it. This DLL accepted the command-line argument “test”. Once the DLL receives the argument, it returns the output “Returning this output” in the badger’s console. The DLL was injected into a newly created process named werfault.exe with PID 6872.

Reflective DLLs can also be loaded from the GUI by right clicking a badger and selecting Arsenal->Reflect.

This provides a graphical interface to load a DLL from a local path, together with an input field for the command-line arguments passed to the DLL.

Reflective DLLs are affected by Parent Process ID spoofing and the child process setting. You can set the target process to inject into using the set_child command. Similarly, the parent process ID can be spoofed using the set_parent command.

The Command Profiler allows a user to register custom commands for reflective DLLs. Below is an example of a custom command registration for a reflective DLL.

{
    "register_dll": {
        "boxreflect": {
            "file_path": "server_confs/boxreflect.dll",
            "description": "Loads a test reflective dll message box",
            "artifact": "WINAPI",
            "mainArgs": "NA",
            "optionalArg": "NA",
            "example": "boxcheck",
            "minimumArgCount": 1,
            "replace_str": {
                "boxit": "\\x00\\x00\\x00\\x00\\x00",
                "!This program cannot ": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00",
                "be run in DOS mode.": "\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"
            }
        }
    }
}

register_dll must be the key for the DLL registration. Inside this JSON struct, add the name you want to assign to your command; we have used the keyword boxreflect in this example. This is the command you would execute in your badger’s console to run the registered DLL. The command name holds another JSON struct containing the properties of the command, which are listed below:

  • key: file_path
    • value: local path of the DLL on the server
  • key: description
    • value: the description for this command that you would see in the help section of the badger’s console
  • key: artifact
    • value: the artifact type, whether it is WINAPI or just basic C code
  • key: mainArgs
    • value: the primary and compulsory argument that the DLL takes
  • key: optionalArg
    • value: the optional argument that the DLL takes
  • key: example
    • value: an example of the command-line arguments mentioned above
  • key: minimumArgCount
    • value: the minimum number of arguments that the DLL requires to execute
  • key: replace_str
    • value: a JSON struct whose keys are the strings that need to be replaced and whose values are the hex bytes that will replace those strings in the DLL when it is copied into the remote process’s memory
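As an added detection-side example (not part of this documentation or the badger’s own code), the Python below inspects a PE image for the two artefacts that the replace_str configuration above and the export-name wiping described earlier leave behind: a DOS stub with its “!This program cannot be run in DOS mode.” string missing, and an export directory with one function but no names. It assumes a memory-mapped layout (RVA equal to offset, as in a region dumped from the target process) and builds its own constructed, non-executable header layout for testing.

```python
import struct

DOS_STUB_MSG = b"!This program cannot be run in DOS mode."


def pe_indicators(image: bytes) -> dict:
    """Flag two artefacts of a string-wiped reflective DLL in a PE image.

    Assumes a memory-mapped layout (RVA == offset), e.g. a region dumped
    from the target process; on-disk files would need section mapping.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT header")
    # The DOS stub sits between the 64-byte DOS header and the NT header.
    stub_absent = DOS_STUB_MSG not in image[0x40:e_lfanew]
    opt = e_lfanew + 24  # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", image, opt)[0]
    data_dir = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32
    exp_rva, exp_size = struct.unpack_from("<II", image, data_dir)  # entry 0: exports
    n_funcs = n_names = 0
    if exp_rva and exp_size:
        # IMAGE_EXPORT_DIRECTORY: NumberOfFunctions at +20, NumberOfNames at +24
        n_funcs, n_names = struct.unpack_from("<II", image, exp_rva + 20)
    return {
        "dos_stub_message_absent": stub_absent,
        "single_unnamed_export": n_funcs == 1 and n_names == 0,
    }


def build_test_image(wipe_stub: bool, wipe_export_name: bool) -> bytes:
    """Constructed, non-executable PE32+ header layout for exercising the check."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew
    msg = bytes(len(DOS_STUB_MSG)) if wipe_stub else DOS_STUB_MSG  # replace_str-style NULs
    img[0x40:0x40 + len(msg)] = msg
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 24, 0x20B)  # PE32+ magic
    struct.pack_into("<II", img, 0x80 + 24 + 112, 0x200, 40)  # export directory RVA/size
    struct.pack_into("<II", img, 0x200 + 20, 1, 0 if wipe_export_name else 1)
    return bytes(img)


if __name__ == "__main__":
    print(pe_indicators(build_test_image(True, True)))
```

Either indicator alone occurs in benign images (packers rewrite the stub, some DLLs export by ordinal only), so treat the pair as a hunting signal to correlate with the injection into a fresh process rather than a standalone verdict.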

Once a command is registered, you can execute it directly from the badger’s console, as shown in the figure below: