https://github.com/neyrian/dll-injector
A stealthy DLL injector for Windows 10/11, capable of injecting a specified DLL into a suspended process and evade detection
https://github.com/neyrian/dll-injector
c defense-evasion dll-injection dll-injector edr-evasion evasion suspend-process windows10 windows11
Last synced: 2 months ago
JSON representation
A stealthy DLL injector for Windows 10/11, capable of injecting a specified DLL into a suspended process and evade detection
- Host: GitHub
- URL: https://github.com/neyrian/dll-injector
- Owner: Neyrian
- License: gpl-3.0
- Created: 2025-02-14T11:08:23.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-04-17T07:09:45.000Z (about 1 year ago)
- Last Synced: 2025-06-13T16:06:44.742Z (about 1 year ago)
- Topics: c, defense-evasion, dll-injection, dll-injector, edr-evasion, evasion, suspend-process, windows10, windows11
- Language: C
- Homepage:
- Size: 69.3 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# π Advanced DLL Injector with EDR/AV/Sandbox Evasion
## π₯ Overview
This project implements a **stealthy DLL injector** for **Windows 10 and 11** with advanced evasion techniques. It includes mechanisms to **bypass EDR, AV, and sandbox detections** while using direct syscalls and obfuscation to reduce detection rates. The injector creates a suspended process, injects a DLL, and executes its entry point in a stealthy manner.
---
## π **Features**
β
**Stealthy Injection:** Creates a suspended process and injects a DLL without using common Windows API calls.
β
**EDR/AV/Sandbox Evasion:** Implements multiple checks to detect sandbox environments, VM detection, and EDR hooks.
β
**Direct Syscalls:** Uses Hell's Gate & SysWhispers to bypass API hooks in `ntdll.dll`.
β
**Avoid calling GetModuleHandle:** Uses `PEB walk` to retrieve functions in modules.
β
**Obfuscation:** Base64 encoding and decoding of DLL names, function names, and suspicious artifacts.
β
**Cryptography:** Implements its own cryptography functions, avoiding the usage of wincrypt
β
**Decoy Execution:** The injector executes a decoy function to mimic legitimate software behavior.
---
## π **Usage**
### **1οΈβ£ Compilation**
```info
Requirements:
- gcc-mingw-w64-x86-64-win32
- nasm
- make
```
Use **makefile** or manual compilation below
```bash
nasm -f win64 syscalls.asm -o syscalls.o
x86_64-w64-mingw32-gcc -o injector.exe dllinjector.c detector.h detector.c evasion.c evasion.h syscalls.o -Wno-array-bounds -Wall -lshlwapi -Wl,--section-alignment,4096 -Wl,--gc-sections -Wl,--strip-debug -Wl,--image-base,0x140000000 -O2
x86_64-w64-mingw32-objcopy --rename-section .CRT=.data injector.exe
x86_64-w64-mingw32-strip --strip-debug --strip-unneeded injector.exe
x86_64-w64-mingw32-gcc -shared -o malDLL.dll malDLL.c -Wl,--subsystem,windows -mwindows
```
### **2οΈβ£ Running the Injector**
```powershell
injector.exe C:\path\to\dll
```
> **Note**: Replace `C:\path\to\dll` with the actual path of your DLL (you can use the dll in this repo for testing)
---
## π **EDR, AV, and Sandbox Evasion**
### β
**EDR Detection (`detector.c`)**
- Scans `C:\Windows\System32\drivers\` for known **EDR & AV drivers** (Carbon Black, CrowdStrike, SentinelOne, etc.).
- If found, decoy is executed instead of the injection.
### β
**Anti-Sandbox Techniques**
- **Detects Virtual Machine Artifacts**:
- Checks for **VMware**, **VirtualBox**, and **Hyper-V files**.
- **Detects Sleep Patching**:
- Measures the **execution time** of `Sleep(10000)`.
- If altered, execution is stopped.
- **Detects Filename Hash Matching**:
- Checks if the **binary filename matches its MD5 hash** (common in packed malware).
- **Detects Sandbox DLLs**:
- Checks for the presence of sandbox's DLLs.
### β
**Anti-Debugger Techniques**
- **Detect if NtGlobalFlag is present in PEB.**
- **Detect debugger flags in HEAP**
---
## π **Project Structure**
```
π Project Folder
βββ detector.c # EDR/AV/Sandbox detection
βββ detector.h # Header file for detection functions
βββ dllinjector.c # Main DLL injector
βββ evasion.c # Evasion functions (syscalls, b64decode...) and decoy
βββ evasion.h # Header file for evasion functions and decoy
|ββ makefile # easy to compile
|ββ malDLL.c # Source DLL that can be used for testing
βββ README.md # This documentation
βββ syscalls.asm # Direct Syscalls Functions
```
---
## Modules Breakdown
### **1οΈβ£ dllinjector.c - Main DLL Injector**
- Creates a **suspended** process (`SearchProtocolHost.exe` or `explorer.exe`).
- Uses **direct syscalls** to allocate memory and write the DLL path.
- Executes the entry point of the injected DLL stealthily.
### **2οΈβ£ detector.c & detector.h - EDR/AV/Sandbox Detection**
- Detects **common AV/EDR drivers** in `C:\Windows\System32\drivers`.
- Checks for **sandbox-specific DLLs** like `cuckoomon.dll`, `VBox*.dll`, etc.
- Uses `NtQuerySystemInformation` to determine if the environment is a VM.
- Implements **cursor movement & sleep patching** to evade automated sandboxes.
### **3οΈβ£ evasion.c & evasion.h - Evasion Functions & Decoy Execution**
- Implements **Base64 encoding & decoding** to hide DLL and function names.
- **Legitimate Decoy Execution**: The injector executes a CPU-intensive function to simulate legitimate software behavior.
- Use PEB walk to retrieve function in modules without API.
### **4οΈβ£ syscalls.asm - Direct Syscalls for Hellβs Gate & SysWhispers**
- Implements **NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory** using direct syscalls.
- Dynamically resolves syscall numbers at runtime to avoid static detection.
---
## **Test**
- [x] Windows 10 (22H2)
- [x] Windows 11 (11 24H2)
---
## β οΈ **Legal Disclaimer**
> **This tool is for educational and research purposes only.**
> Do not use it for malicious activities. The author is not responsible for any misuse.
---
## π¬ **Contributing**
Feel free to **submit issues or pull requests** to improve the project.
---
## π **References**
- π **MITRE ATT&CK Framework**: [T1202 - Indirect Command Execution](https://attack.mitre.org/techniques/T1202/)
- π **AV & EDR Detection**: [Exe_Who GitHub](https://github.com/Nariod/exe_who)
- π **Pikabot Campaign TM**: [Trend Micro: Pikabot Spam Wave](https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html)
- π **Pikabot Campaign Mitre**: [MITRE ATT&CK: Pikabot Campaign (C0037)](https://attack.mitre.org/campaigns/C0037/)
---
π **Happy Coding!**