## simple-loader.dll

This directory contains boilerplate C++ code for an easily adjustable _malicious DLL_.

### How To Use It

1. Copy the DLL file and open that copy in a hex editor
2. Find the long text sequence starting with `"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab [...]`
3. Overwrite it, starting from its very beginning, with your OS command, such as `notepad.exe`
4. Be sure to terminate your command with a NULL byte (`0x00`)
5. Save it
6. Rename its extension from `DLL` to `XLL` or `CPL` - run it by simply double-clicking :-)

Naturally this code serves a boilerplate purpose, so feel free to adapt it however you like.
Perhaps your DLL could be launching shellcode instead? :-)
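A defender-side triage helper, added here and not part of simple-loader, that checks whether a suspicious `.cpl`/`.xll` is really a PE, whether it still carries the untouched placeholder string, and, if the placeholder was overwritten as in the steps above, what NULL-terminated command now sits in front of its leftover tail. The placeholder is regenerated from the upper/lower/digit triplet rule visible in the prefix the README quotes (an assumption), and `build_sample` constructs a fake image for testing rather than a real DLL.

```python
import re
import string

# Placeholder the README says to overwrite: upper/lower/digit triplets,
# i.e. Aa0Aa1Aa2...Aa9Ab0Ab1... (regenerated here from that rule; assumption).
def cyclic_pattern(length: int) -> bytes:
    out = bytearray()
    for u in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for d in string.digits:
                out += f"{u}{lo}{d}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])

# After the command and its 0x00 terminator the rest of the placeholder
# survives; the cut may land mid-triplet, hence the optional prefix.
TRIPLET_TAIL = re.compile(rb"\x00(?:[a-z]\d|\d)?(?:[A-Z][a-z]\d){4,}")
PRINTABLE = set(range(0x20, 0x7F))

def is_pe(data: bytes) -> bool:
    """Minimal MZ/PE check: a .cpl/.xll that is really a PE deserves a look."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(data: bytes) -> dict:
    result = {"is_pe": is_pe(data), "unpatched_placeholder": False, "embedded_command": None}
    if cyclic_pattern(24) in data:          # template was never customised
        result["unpatched_placeholder"] = True
        return result
    m = TRIPLET_TAIL.search(data)
    if m:
        end = m.start()                     # offset of the NULL terminator
        start = end
        while start > 0 and data[start - 1] in PRINTABLE:
            start -= 1                      # walk back over the command bytes
        if start < end:
            result["embedded_command"] = data[start:end].decode("ascii", "replace")
    return result

def build_sample(command=None) -> bytes:
    """Constructed test image (not a real DLL): MZ/PE stub plus the placeholder."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    placeholder = cyclic_pattern(200)
    if command is not None:                 # same edit the README describes
        placeholder = command + b"\x00" + placeholder[len(command) + 1:]
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20 + placeholder + b"\x00" * 8
```

Run `triage(open(path, "rb").read())` on a file pulled from a mailbox or share; a hit on `unpatched_placeholder` or a non-empty `embedded_command` is a strong indicator that the sample was built from this template.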

### Use Cases

The DLL exports functions that allow it to be used as:

- CPL: Control Panel Applet: `control.exe simple-loader.cpl`
- XLL: Excel Add-In
- MS Teams `version.dll` DLL proxy
- `rundll32.exe simple-loader.dll,Run ""`
- `regsvr32 /s /n simple-loader.dll`
- `odbcconf.exe /s /a { regsvr simple-loader.dll }`
- Payload for the [DNSAdmins attack](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise)

### Two Versions

There are two versions of the compiled DLL:

- `bin\<arch>\Release` - exports all the functions mentioned **and** launches the payload from `DllMain`
- `bin\<arch>\Release-NoDllMain` - exports all the functions mentioned **but does not** launch the payload from `DllMain` (empty body)

The former can be used wherever we need our malware to run as soon as the DLL gets loaded into any process.

The latter is used when our payload execution might clash with the **loader lock**, causing our malware to freeze/hang.
In that case we'd be better off not launching the payload from `DllMain`.
