#Create a fake dll with fake functions in memory
what's the use case here
in what way is that being a skid?
there are very few cases where someone who doesn't already know how to do this would want to do this, and the vast majority of those cases are cheats for videogames. being intentionally vague about your usecase doesn't help
I have a secondary dll i want to load that in turn loads another dll. but that other dll has very basic functionality and i just want to skip that loading step
video game cheating. no, that would be dll injection. i am not talking about that
and im affecting my own process, not another
and it's for educational purposes, too?
it is, it sounds like a fun idea and im trying to learn more about the internals how these types of things work
"these types of things" ?
the windows process
what's the actual usecase for doing this
said it up here
that is the usecase, im loading a dll, that dll tries to load another dll (i'll call it dll2). i want to skip the loading part of dll2 and instead try to do it in memory
again in what way does that mean im a skid?
the thing you're asking to do is something that's 99% asked by skids, and you're being unusually defensive about why you're trying to do it
not a good look
i can go into detail if you want, but the details wont help
Give me like half an hour and I'll check
the details help us be sure we aren't helping skids
im loading the firefox's nss3.dll, the nss3.dll in turn loads the mozglue.dll, the only thing it uses the mozglue dll for is very basic, already implemented in the kernel functions (very basic functions like _strdup, realloc, malloc, and some more). I dont want to load the mozglue dll, i want to attempt to load nss3.dll without loading in mozglue (but instead fake loading it in and redirecting functions to the kernel32). I dont know enough about windows internals to trick my own process into thinking a dll is loaded in. thats why im asking for help. yes i know i can load the mozglue.dll in, i know it would be easier. but again, this is for my own learning, and i want to understand how someone would do it (fake a dll being loaded in).
Why nss3 specifically
its for the decryption of firefox's internal configs (such as the web history, or cookies)
and you want to do that why
as opposed to doing that normally through the firefox client
because its a learning project that i plan to upload on my github
you do understand why being so defensive about a program to decrypt private user info looks pretty sus, right?
im not defensive at all, am i not telling you everything i plan to do?
there are plenty of other things you could be doing to learn and experiment with dll loading
it took a lot to get it out
again, its not dll loading, its tricking my own process into thinking a dll is already loaded. loading a dll from memory is something that's been done a bunch of times. i haven't seen this, but if you have, i will gladly read up on it (if you have somewhere i can read up on)
because it doesn't need to? the basic premise is tricking the process that a dll is already loaded. as i said above, the details in what dlls and what the dll does, is irrelevant other than your own curiosities
The only place I'd be comfortable linking you to is the winapi docs page on LoadLibrary
this is exactly what I'm talking about. "I plan to decrypt private user info using a secondary unofficial route, but I super-super promise that it's only for 'educational purposes' and any specific info about why I chose to do this specifically instead of any number of much simpler demo projects is irrelevant"
No thanks, and I recommend nobody else touch this
you see that word, simpler. things dont always need to be simple. there are a million projects loading in the nss3 dll to decrypt firefox's info. i want to try something different. and it is for an education project (whether you believe it or not) that i do plan to upload to my github, i upload anything i make (that i like) to my github.
ye defo malware I'm going back to bed
malware is a great way to learn about how these types of things work. i never use anything i make, but its nice knowledge. and it makes for cool projects (at least i personally like the projects ive made (on my github)). well gn, i guess this is going to go nowhere
Please don't write your malware in C#, that's absolute ass shit
Just compile your funny new C++ project as a DLL and export the same functions boom done have fun
the only reason i used c# is because it makes small file sizes (that being said it's smaller given there's gigabytes of .net framework already on the machine lol)
well depending on what you want to do
What do you want to do
And how'd you compile your C++ program lmao
There's a reason why people in embedded development don't use C# 🗿
if you're going to do a printf, then yea c++ is going to be smaller
i dont plan to go into a coding job
its just a hobby
yea i already did that (except in c), i dont want to need to load it in
the dll
But the way you're approaching this isn't exactly what most red teams would do tbf
im not a red teamer, im someone who wants to try something different
(Or APTs)
im not some hacker, i just have ideas and they seem interesting (to me)
Yeah and I'm saying there are probably better ways to achieve the same goal
there prob are. but im looking to try something different
of course i could just compile the modified dll, and load it in using loadlibrary
but then thats not my goal
I mean what you would do in reality is just copy the files over to some other machine (aka your c2) and then probably brute force the password on some funny GPU cluster
You can't skip the loading step, someone has to load your funny magic DLL
its not really skipping the loading step. its tricking the process into thinking its already loaded
So you want to skip mozglue and just load nss3 and make nss3 believe mozglue is there already, yeah?
basically yea
of course nss3 calls functions from mozglue so i would need to make the getProcAddress point to a different address
I think what you're looking for is hooking
So you could hook into the mozglue functions and execute your code before they run
its not really hooking because im not hooking into anything
im not capturing or modifying the input or output
Yeah, hooking would be the alternative
well that would mean mozglue is already loaded in. imagine i cant load mozglue in
You'd stop execution on FF some time before mozglue is loaded, load your mozglue wrapper (proxying through all calls to the actual mozglue except for the one you want to change), resume execution
this is so confusing
is nss3 calling loadlibrary for mozglue, or is it a part of its link table thing
sorry import table
i think that's what it is
been so long since looking at PE
it loads it in as part of the import table, but if you do a loadlibrary on a different mozglue then it will ignore the one it really needs to load. i basically want to trick the process into thinking mozglue is already loaded in (without actually loading it in)
quit being silly, don’t make malware
Pretty convinced it's not malware because even in C# that stuff is on GitHub already
Any respectable HF malware vendor would just copy paste and be done
This thread is riveting
Take it from experience, do not do ethical hacking or pentesting without an above board sponsorship.
Especially if you live in an under educated area, you don't want an Andy Griffith motherf**ker interpreting what you are doing.
Damn script kiddies
^^^^