{"id":19390641,"url":"https://github.com/mandiant/duedlligence","last_synced_at":"2025-04-24T00:31:30.727Z","repository":{"id":65796866,"uuid":"212879910","full_name":"mandiant/DueDLLigence","owner":"mandiant","description":null,"archived":true,"fork":false,"pushed_at":"2023-06-02T14:24:43.000Z","size":532,"stargazers_count":468,"open_issues_count":1,"forks_count":89,"subscribers_count":18,"default_branch":"master","last_synced_at":"2025-03-11T18:52:33.156Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mandiant.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-10-04T18:34:27.000Z","updated_at":"2025-03-10T23:52:22.000Z","dependencies_parsed_at":"2023-02-10T15:25:11.890Z","dependency_job_id":"df21aadd-2a00-4c43-a430-5269f43e1ff4","html_url":"https://github.com/mandiant/DueDLLigence","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2FDueDLLigence","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2FDueDLLigence/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2FDueDLLigence/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2FDueDLLigence/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mandiant","download_url":"https://codeload.github.com/mandiant/DueDLLigence/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250539420,"owners_count":21447305,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T10:22:31.969Z","updated_at":"2025-04-24T00:31:27.904Z","avatar_url":"https://github.com/mandiant.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# DueDLLigence\n\nShellcode runner framework for application whitelisting bypasses and DLL side-loading. The shellcode included in this project spawns calc.exe.\n\nAuthors: Evan Pena (@evan_pena2003), Ruben Boonen (@FuzzySec), Casey Erikson (@EriksocSecurity), Brett Hawkins (@h4wkst3r)\n\nIf desired, change the injection type by modifying the following line to the appropriate injection type\n\u003cbr\u003e```public const ExecutionMethod method = ExecutionMethod.CreateThread;```\n\nBlog Post References:\n\u003cbr\u003ehttps://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html\n\u003cbr\u003ehttps://www.fireeye.com/blog/threat-research/2020/01/abusing-dll-misconfigurations.html\n\nRunning the DLL with the following legitimate exes\n\n## Application Whitelisting Bypasses. Lolbins\n\n### Control.exe\nExport: CPlApplet\nSyntax: Rename compiled “dll” extension to “cpl” and just double click it!\n\u003cbr\u003e```Control.exe [cplfile]```\n\u003cbr\u003e```Rundll32.exe Shell32.dll, Control_RunDLL [cplfile]```\n\n### Rasautou\nExport: powershell\n\u003cbr\u003e```rasautou –d {dllpayload} –p powershell –a a –e e```\n\n### Msiexec\nExport: DllUnregisterServer\n\u003cbr\u003e```msiexec /z {full path to msiexec.dll}```\n\n## DLL Side-Loading Binaries and Details\n### Tortoise SVN (SubWCRev.exe)\nExecutable: SubWCRev.exe\n\u003cbr\u003eFile Path: C:\\Program Files\\Tortoise SVN\\bin\n\u003cbr\u003eMD5 Hash: c422a95929dd627b4c2be52226287003\n\u003cbr\u003eDLL == \"crshhndl.dll\"; Arch == x64; OS == Win7 \u0026 10;\n\u003cbr\u003eExports: InitCrashHandler,SendReport,IsReadyToExit,SetCustomInfo,AddUserInfoToReport,RemoveUserInfoFromReport,AddFileToReport,RemoveFileFromReport,GetVersionFromApp,GetVersionFromFile\n\n### Dism Image Servicing Utility (Dism.exe)\nExecutable: Dism.exe\n\u003cbr\u003eFile Path: C:\\Windows\\System32\n\u003cbr\u003eMD5 Hash: 5e70ab0bf74bba785b83da53a3056a21\n\u003cbr\u003eDLL == \"DismCore.dll\"; Arch == x64; OS == Win7 \u0026 10;\n\u003cbr\u003eExport: DllGetClassObject\n\n### PotPlayerMini\nExecutable: PotPlayer.exe\n\u003cbr\u003eFile Path: {Installation Directory}\n\u003cbr\u003eMD5 Hash: f16903b2ff82689404f7d0820f461e5d\n\u003cbr\u003eDLL == \"PotPlayer.dll\"; Arch == x86;\n\u003cbr\u003eExports: PreprocessCmdLineExW,UninitPotPlayer,CreatePotPlayerExW,DestroyPotPlayer,SetPotPlayRegKeyW,RunPotPlayer\n\nCredit for the DueDLLigence name goes to Paul Sanders (@saul_panders)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmandiant%2Fduedlligence","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmandiant%2Fduedlligence","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmandiant%2Fduedlligence/lists"}