LibTPLoadLib

Using call gadgets to break the call stack signature used by Elastic on proxying a module load. Provided as a Crystal Palace shared library. Format inspired by @rasta-mouse's LibTP.

WARNING ⚠️ : This project is not usable as-is. The call gadget used for this PoC is no longer available in current versions of Windows. You'll have to find your own. Read the blog post for more info.

How

  1. Compile the project: make. The output is two Crystal Palace shared libraries: libtploadlib_vanilla.x64.zip (not using the gadget, for demonstration of the detection) and libtploadlib_gadget.x64.zip (using the gadget).

  2. Compile the example COFF (which just loads wininet.dll through the shared library and prints its address): cd example_print && make. The output is a COFF file, example_print.x64.o.

  3. Link the whole thing with Crystal Palace to produce PIC shellcode. Use the tradecraft garden's Simple PIC spec file, modified to merge in the libtploadlib zip you want (mergelib "path/to/libtploadlib_XXX.x64.zip"): path/to/crystalpalace/link simplepic_modified/loader.spec example_print/example_print.x64.o out.bin.

  4. For this PoC: download dsdmo.dll in version 10.0.26100.1882 and place it at C:\dsdmo_10.0.26100.1882.dll.

  5. Run the shellcode using any loader.