Reflective Dll Injection


Kayaker
November 27th, 2008, 12:26
Scary-good stuff:

http://www.harmonysecurity.com/blog/2008/10/new-paper-reflective-dll-injection.html

Kayaker

deroko
December 6th, 2008, 10:06
This is quite an old technique, and nothing spectacular in it IMHO; if they had published it a few years ago it would have been good reading. There are also numerous examples of PE memory execution dated 5-6 years ago, and there are also numerous codes for executing an exe/dll from memory with manual loading.

darawk
December 7th, 2008, 00:15
Quote:
[Originally Posted by deroko;78092] This is quite an old technique, and nothing spectacular in it IMHO; if they had published it a few years ago it would have been good reading. There are also numerous examples of PE memory execution dated 5-6 years ago, and there are also numerous codes for executing an exe/dll from memory with manual loading.


e.g.: http://www.woodmann.com/collaborative/tools/ManualMap

and I don't know if it's just me, but some of his ideas seem very similar to the ones I published here:

http://www.rootkit.com/newsread.php?newsid=360

That's not to say that any of my ideas were really unique at the time (although I did come up with them on my own, and at the time I couldn't find anyone else who had ever published code that did the type of manual mapping my code did; however, I do know that a few other people had done it in private).

I feel a little bit ripped off by this guy, but not totally, and he does credit this article, which predates my own and discusses similar ideas:

http://www.nologin.org/Downloads/Papers/remote-library-injection.pdf

However, just in reading through his paper, the choice of words and general feel remind me very much of my own, but I could very easily be mistaken.

EDIT: Just to be clear, all that I'm upset about is not being credited in his citations at the end. Of course, it is possible that he truly didn't read any of my work and I'm just reading too much into this, and if that's the case then I sincerely apologize for my mistake.

goggles99
December 7th, 2008, 00:49
Quote:
[Originally Posted by deroko;78092] This is quite an old technique, and nothing spectacular in it IMHO; if they had published it a few years ago it would have been good reading. There are also numerous examples of PE memory execution dated 5-6 years ago, and there are also numerous codes for executing an exe/dll from memory with manual loading.

Do you have some examples or links you could share? I knew about ManualMap, but isn't there another that was released more recently?

deroko
December 7th, 2008, 10:22
Hi goggles99,

I'll outline some of them:
pemem by z0mbie in 29a zine
pemem by y0da (don't know where this can be found)
pe-mem by me (very, very old code, dating from when I started coding; don't know if it can be found in some web archives... really have no idea)
there is http://deroko.phearless.org/dllbande.rar
there is then ReWolf's dllbundler source code
there is also my crackme at www.crackmes.de which uses manual loading (I will publish the source if anyone is interested): http://www.crackmes.de/users/deroko/pemem/
there is also an article at rootkit.com which demonstrates driver loading (hiding) using a similar technique: http://www.rootkit.com/newsread.php?newsid=648 with source code in TASM
darawk's code

I really can't recall any others at the moment.
Now, if you simply want to inject it into another process, it's your choice, but the technique is quite similar: write a small loader which will remap the DLL in the remote process, and that's it... nothing really spectacular enough to be called a research paper. As I said, maybe 5-6 years ago, but now, definitely not.

evaluator
December 7th, 2008, 12:23
Hi deroko! THERE is ... (;

Some years ago I had a simple idea about easy loading of a DLL, but forgot to tell you ~ all.

The idea was simple: pack the DLL with ASPack, and very little work will be required on your side: just VA to RVA mapping;
even without this, if you remake the packed file already VA to RVA... (then pack the binary again, because there will be many nulls)

grIEt!?
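As an added example, and not code from the paper under discussion nor from any of the projects linked in this thread, here is the core of the "small loader which will remap the DLL" that deroko describes, together with the VA-to-RVA remapping evaluator mentions, in C. The PE structure definitions are hand-copied from the documented PE32+ layout so the file builds without the Windows SDK; the "DLL" is a constructed two-section image (one absolute pointer in .data, one DIR64 entry in .reloc), and malloc stands in for VirtualAllocEx, since nothing in the image is executed. Import resolution and the DllMain call are the Windows-only steps (LoadLibrary/GetProcAddress, then the entry point) and are left out so the example runs on any host. The check at the end shows what the relocation pass is for: after mapping, the pointer stored in .data resolves to the string inside the freshly allocated image rather than to the preferred base of 0x180000000.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Subset of winnt.h, hand-copied from the documented PE32+ layout (assumption: 64-bit images only). */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } dos_header_t;
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
                 NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } file_header_t;
typedef struct { uint32_t VirtualAddress, Size; } data_directory_t;
typedef struct {
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode;
    uint64_t ImageBase; uint32_t SectionAlignment, FileAlignment;
    uint16_t MajorOSVersion, MinorOSVersion, MajorImageVersion, MinorImageVersion, MajorSubsystemVersion, MinorSubsystemVersion;
    uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum; uint16_t Subsystem, DllCharacteristics;
    uint64_t SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve, SizeOfHeapCommit;
    uint32_t LoaderFlags, NumberOfRvaAndSizes; data_directory_t DataDirectory[16];
} optional_header64_t;
typedef struct { uint8_t Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                 PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations, NumberOfLinenumbers;
                 uint32_t Characteristics; } section_header_t;
typedef struct { uint32_t VirtualAddress, SizeOfBlock; } base_relocation_t;
#pragma pack(pop)

#define DIR_BASERELOC 5
#define REL_ABSOLUTE 0
#define REL_HIGHLOW 3
#define REL_DIR64 10

/* Walk the .reloc directory and add delta (actual base - preferred base) to every pointer it lists. */
static int apply_relocations(uint8_t *image, uint32_t image_size, data_directory_t dir, uint64_t delta) {
    uint32_t off = dir.VirtualAddress, end = dir.VirtualAddress + dir.Size;
    if (end < off || end > image_size) return -1;
    while (off + sizeof(base_relocation_t) <= end) {
        base_relocation_t blk; memcpy(&blk, image + off, sizeof blk);
        if (blk.SizeOfBlock < sizeof blk || blk.SizeOfBlock > end - off) return -1;
        uint32_t n = (blk.SizeOfBlock - sizeof blk) / 2;
        for (uint32_t i = 0; i < n; i++) {
            uint16_t e; memcpy(&e, image + off + sizeof blk + 2 * i, 2);
            uint64_t target = (uint64_t)blk.VirtualAddress + (e & 0xFFF);   /* RVA of the slot to patch */
            switch (e >> 12) {
            case REL_ABSOLUTE: break;                                        /* alignment padding entry */
            case REL_DIR64: { uint64_t v; if (target + 8 > image_size) return -1;
                              memcpy(&v, image + target, 8); v += delta; memcpy(image + target, &v, 8); break; }
            case REL_HIGHLOW: { uint32_t v; if (target + 4 > image_size) return -1;
                                memcpy(&v, image + target, 4); v += (uint32_t)delta; memcpy(image + target, &v, 4); break; }
            default: return -1;                                              /* unknown type: refuse, don't corrupt */
            }
        }
        off += blk.SizeOfBlock;
    }
    return 0;
}

/* The loader proper: file layout in, image layout out (NULL on any malformed header). */
uint8_t *manual_map(const uint8_t *file, size_t len) {
    dos_header_t dos; file_header_t fh; optional_header64_t oh; uint32_t sig;
    if (len < sizeof dos) return NULL;
    memcpy(&dos, file, sizeof dos);
    if (dos.e_magic != 0x5A4D || dos.e_lfanew > len || len - dos.e_lfanew < 4 + sizeof fh + sizeof oh) return NULL;
    memcpy(&sig, file + dos.e_lfanew, 4);
    memcpy(&fh, file + dos.e_lfanew + 4, sizeof fh);
    memcpy(&oh, file + dos.e_lfanew + 4 + sizeof fh, sizeof oh);
    if (sig != 0x00004550 || oh.Magic != 0x20B || fh.SizeOfOptionalHeader < sizeof oh) return NULL;
    size_t sect_off = dos.e_lfanew + 4 + sizeof fh + fh.SizeOfOptionalHeader;
    if (sect_off > len || (len - sect_off) / sizeof(section_header_t) < fh.NumberOfSections) return NULL;
    if (oh.SizeOfHeaders > len || oh.SizeOfHeaders > oh.SizeOfImage) return NULL;
    /* 1. Reserve SizeOfImage bytes (VirtualAllocEx in the target process for remote injection; malloc here). */
    uint8_t *image = calloc(1, oh.SizeOfImage);
    if (!image) return NULL;
    /* 2. Headers at offset 0, then each section's raw bytes at its RVA: the file-offset-to-RVA remapping. */
    memcpy(image, file, oh.SizeOfHeaders);
    for (uint32_t i = 0; i < fh.NumberOfSections; i++) {
        section_header_t sh; memcpy(&sh, file + sect_off + i * sizeof sh, sizeof sh);
        if (sh.SizeOfRawData == 0) continue;                                 /* .bss-style section stays zeroed */
        if (sh.PointerToRawData > len || len - sh.PointerToRawData < sh.SizeOfRawData ||
            sh.VirtualAddress > oh.SizeOfImage || oh.SizeOfImage - sh.VirtualAddress < sh.SizeOfRawData) {
            free(image); return NULL;
        }
        memcpy(image + sh.VirtualAddress, file + sh.PointerToRawData, sh.SizeOfRawData);
    }
    /* 3. Fix up absolute addresses for the base we actually got. (Imports and DllMain would follow on Windows.) */
    uint64_t delta = (uint64_t)(uintptr_t)image - oh.ImageBase;
    if (delta != 0 && oh.DataDirectory[DIR_BASERELOC].Size != 0 &&
        apply_relocations(image, oh.SizeOfImage, oh.DataDirectory[DIR_BASERELOC], delta) != 0) { free(image); return NULL; }
    return image;
}

/* Constructed sample (not a real DLL): .data holds one absolute pointer to the string right after it,
 * .reloc holds one block with one DIR64 entry marking that pointer. */
#define SAMPLE_BASE 0x180000000ULL
#define DATA_RVA 0x1000u
#define RELOC_RVA 0x2000u
uint8_t *build_sample_dll(size_t *len) {
    uint8_t *f = calloc(1, 0x600);
    dos_header_t dos; file_header_t fh; optional_header64_t oh; section_header_t s[2]; uint32_t sig = 0x00004550;
    memset(&dos, 0, sizeof dos); memset(&fh, 0, sizeof fh); memset(&oh, 0, sizeof oh); memset(s, 0, sizeof s);
    dos.e_magic = 0x5A4D; dos.e_lfanew = 0x40;
    fh.Machine = 0x8664; fh.NumberOfSections = 2; fh.SizeOfOptionalHeader = sizeof oh; fh.Characteristics = 0x2022;
    oh.Magic = 0x20B; oh.ImageBase = SAMPLE_BASE; oh.SectionAlignment = 0x1000; oh.FileAlignment = 0x200;
    oh.SizeOfImage = 0x3000; oh.SizeOfHeaders = 0x200; oh.NumberOfRvaAndSizes = 16;
    oh.DataDirectory[DIR_BASERELOC].VirtualAddress = RELOC_RVA; oh.DataDirectory[DIR_BASERELOC].Size = 12;
    memcpy(s[0].Name, ".data", 5);  s[0].VirtualSize = 0x10; s[0].VirtualAddress = DATA_RVA;  s[0].SizeOfRawData = 0x200; s[0].PointerToRawData = 0x200;
    memcpy(s[1].Name, ".reloc", 6); s[1].VirtualSize = 12;   s[1].VirtualAddress = RELOC_RVA; s[1].SizeOfRawData = 0x200; s[1].PointerToRawData = 0x400;
    memcpy(f, &dos, sizeof dos); memcpy(f + 0x40, &sig, 4); memcpy(f + 0x44, &fh, sizeof fh);
    memcpy(f + 0x58, &oh, sizeof oh); memcpy(f + 0x58 + sizeof oh, s, sizeof s);
    uint64_t ptr = SAMPLE_BASE + DATA_RVA + 8;                              /* absolute VA, only valid at the preferred base */
    memcpy(f + 0x200, &ptr, 8); memcpy(f + 0x208, "hello", 6);
    base_relocation_t blk = { DATA_RVA, 12 };
    uint16_t entries[2] = { (REL_DIR64 << 12) | 0, REL_ABSOLUTE };          /* DIR64 at page offset 0, plus one pad */
    memcpy(f + 0x400, &blk, 8); memcpy(f + 0x408, entries, 4);
    *len = 0x600;
    return f;
}

/* After mapping, the pointer in .data must point into *our* image and reach the string. Returns 1 on success. */
int mapped_pointer_is_valid(void) {
    size_t len; uint8_t *file = build_sample_dll(&len);
    uint8_t *image = manual_map(file, len);
    int ok = 0;
    if (image) {
        uint64_t p; memcpy(&p, image + DATA_RVA, 8);
        ok = p == (uint64_t)(uintptr_t)(image + DATA_RVA + 8) && strcmp((const char *)(uintptr_t)p, "hello") == 0;
        free(image);
    }
    free(file);
    return ok;
}

int main(void) {
    printf("relocated pointer resolves to the string: %s\n", mapped_pointer_is_valid() ? "yes" : "no");
    return 0;
}
```

The bounds checks in manual_map and apply_relocations are the part worth keeping even in a throwaway loader: a hostile or merely truncated image with a section that points past the end of the file, or a relocation block whose SizeOfBlock runs past the directory, should make the loader refuse rather than write outside the allocation it just made.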