Published on April 20th, 2016 📆 | 6425 Views ⚑0
Pazuzu — Run Binaries From Memory
Pazuzu is a Python script that allows you to embed a binary within a precompiled DLL which uses reflective DLL injection. The goal is that you can run your own binary directly from memory. This can be useful in various scenarios. For example, if you want to exploit a vulnerability and run your own executable instead of a third party reflective DLL. In this case you just have to choose the stager you like (reverse TCP, HTTP, HTTPS, etc.) and set the DLL generated by Pazuzu. Pazuzu will execute the binary within the address space of the vulnerable process as long as it has the .reloc section.
- Not all binaries can be run from memory. For example, applications which require .NET CLR (managed code) won’t be run. By now you can download and run .NET application from disk with the -d option (noisy option).
- If .reloc section is not present the script will use a “process hollowing” approach.
- Support for 32-bit for now.
Run Binaries From Memory: Pazuzu How-to
- The script Pazuzu.py accepts as input the binary you want to run from memory (parameter -f). Depending on the properties of the binary Pazuzu will choose one of the 3 DLL currently available. These DLL are:
- relocx86.dll: lets you run the binary inside the address space of the process. This option is the most favorable since the binary generates less “noise” in the system.
- dforkingx86.dll: the binary in this case also runs from memory but using “process hollowing”. This technique is the one used by the “execute” command with the -m flag in Meterpreter.
- download86.dll: this is the noisiest option since the binary will be downloaded and executed from disk.
- Pazuzu also provides some additional features. For example, the -x option will encrypt the section containing the binary by using a random RC4 key (which is stored in the DLL TimeStamp). In addition, after running it the PE header of the DLL and the binary section will be overwritten with zeros. More anti-forensic techniques will be added in future versions.
- With the -p option the resulting DLL will be patched with the bootstrap required to reach the export ReflectiveLoader (more info in www.shelliscoming.com). This option is useful to not depend on the Metasploit handler to inject the DLL. That is, if the DLL is already patched we can upload it to a Web server so that the stager could retrieve it from there (more anonymity).
Source && Download