Jimmy Mi edited this page Oct 21, 2024 · 10 revisions

How to

Build the Stub DLL

  1. Modify Source Code: Update ./cmd/agent/main.go to include the following lines:

    // everything else
    import "C"

    //export main
    func main() {
        // everything else
    }

    This will export the main function, making it callable from outside the DLL.

  2. Set Up Environment: Ensure that both MinGW (cgo needs a C compiler for the c-shared build) and Go are installed on your Windows machine.

  3. Build the DLL: Run the following command on your Windows host to compile the agent as a DLL:

    go build -buildmode=c-shared -ldflags='-s -w -H=windowsgui' -o emp3r0r.dll .\cmd\agent\
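Before moving on to patching, it is worth confirming that the build really exported `main`: if the `//export` comment was left out or the cgo toolchain was not picked up, the resulting DLL carries no such symbol and the test tool further down gets an error from GetProcAddress. The following Go program is an added example, not code from the emp3r0r project. It uses the standard library's debug/pe package to locate the export directory and reads the export name table itself, bounds-checking every RVA against the section that backs it. BuildSampleDLL is a constructed test input (a minimal, non-loadable PE32+ image with a fabricated export directory) so that the program runs offline; the symbol name "helper" in it is made up.

```go
package main

import (
	"bytes"
	"debug/pe"
	"encoding/binary"
	"fmt"
)

// ListExports returns the names in the export directory of a PE image held in
// memory (ordinal-only exports and forwarders are not reported). Every RVA is
// checked against the section that backs it, since the image is untrusted.
func ListExports(img []byte) ([]string, error) {
	f, err := pe.NewFile(bytes.NewReader(img))
	if err != nil {
		return nil, err
	}
	var dir pe.DataDirectory // data directory entry 0 is the export table
	switch oh := f.OptionalHeader.(type) {
	case *pe.OptionalHeader32:
		dir = oh.DataDirectory[0]
	case *pe.OptionalHeader64:
		dir = oh.DataDirectory[0]
	}
	if dir.VirtualAddress == 0 {
		return nil, nil // no export table
	}
	// at maps an RVA to file bytes, refusing RVAs outside the raw data on disk.
	at := func(rva uint32, need int) ([]byte, error) {
		for _, s := range f.Sections {
			off := int(rva-s.VirtualAddress) + int(s.Offset)
			if rva >= s.VirtualAddress && rva-s.VirtualAddress < s.Size && off+need <= len(img) {
				return img[off:], nil
			}
		}
		return nil, fmt.Errorf("RVA 0x%x is not backed by file data", rva)
	}
	ed, err := at(dir.VirtualAddress, 40) // IMAGE_EXPORT_DIRECTORY is 40 bytes
	if err != nil {
		return nil, err
	}
	count := int(binary.LittleEndian.Uint32(ed[24:])) // NumberOfNames
	if count == 0 {
		return nil, nil
	}
	tbl, err := at(binary.LittleEndian.Uint32(ed[32:]), 4*count) // AddressOfNames
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, count)
	for i := 0; i < count; i++ {
		str, err := at(binary.LittleEndian.Uint32(tbl[4*i:]), 1)
		if err != nil {
			return nil, err
		}
		str, _, _ = bytes.Cut(str, []byte{0}) // NUL-terminated; an unterminated name runs to end of file
		names = append(names, string(str))
	}
	return names, nil
}

// BuildSampleDLL assembles a minimal PE32+ image (headers plus one section) whose
// export directory names the given symbols. Constructed test input: not loadable.
func BuildSampleDLL(names ...string) []byte {
	const peOff, optSize, secVA, rawOff = 0x40, 240, 0x1000, 0x200
	le := binary.LittleEndian
	img := make([]byte, rawOff)
	copy(img, "MZ")
	le.PutUint32(img[0x3c:], peOff) // e_lfanew
	copy(img[peOff:], "PE\x00\x00")
	le.PutUint16(img[peOff+4:], 0x8664)   // Machine: x86-64
	le.PutUint16(img[peOff+6:], 1)        // NumberOfSections
	le.PutUint16(img[peOff+20:], optSize) // SizeOfOptionalHeader
	opt := peOff + 24
	le.PutUint16(img[opt:], 0x20b)  // PE32+ magic
	le.PutUint32(img[opt+108:], 16) // NumberOfRvaAndSizes (debug/pe checks it against the size)
	// Section body: 40-byte export directory, the name RVA table, then the strings.
	body := make([]byte, 40+4*len(names))
	for i, n := range names {
		le.PutUint32(body[40+4*i:], uint32(secVA+len(body)))
		body = append(append(body, n...), 0)
	}
	le.PutUint32(body[24:], uint32(len(names))) // NumberOfNames
	le.PutUint32(body[32:], secVA+40)           // AddressOfNames
	le.PutUint32(img[opt+112:], secVA)          // export directory RVA
	le.PutUint32(img[opt+116:], uint32(len(body)))
	sec := opt + optSize                          // first section header
	le.PutUint32(img[sec+8:], uint32(len(body)))  // VirtualSize
	le.PutUint32(img[sec+12:], secVA)             // VirtualAddress
	le.PutUint32(img[sec+16:], uint32(len(body))) // SizeOfRawData
	le.PutUint32(img[sec+20:], rawOff)            // PointerToRawData
	return append(img, body...)
}

// main runs the parser over the constructed sample; for a real build, pass the
// bytes returned by os.ReadFile("emp3r0r.dll") to ListExports instead.
func main() {
	names, err := ListExports(BuildSampleDLL("main", "helper"))
	fmt.Println(names, err)
}
```

Run against the DLL produced by the build command, the list should contain `main`; if it does not, revisit step 1 before patching. The same parser is also what you would reach for when triaging an unknown DLL to see which entry points it exposes.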

Patch the DLL with Agent Configuration

  1. Copy the DLL: Move the compiled emp3r0r.dll to the ~/.emp3r0r/stub-win-dll-amd64 directory on your server.

  2. Generate Agent: Open emp3r0r on your server, run the gen_agent command, and select option 3 to configure the agent for Windows.

  3. Deploy the DLL: Once the DLL is generated, copy it to your Windows target machine for use.

Test the DLL

You can test the DLL using a small tool that invokes functions from a DLL. Here’s an example:

package main

import (
	"flag"
	"fmt"
	"os"
	"syscall"
)

func main() {
	dllPath := flag.String("dll", "", "Load this DLL file")
	procName := flag.String("func", "", "Call this function")
	flag.Parse()
	if *dllPath == "" || *procName == "" {
		flag.Usage()
		os.Exit(2)
	}

	// Load the DLL
	dll, err := syscall.LoadLibrary(*dllPath)
	if err != nil {
		fmt.Println("Error loading DLL:", err)
		return
	}
	defer syscall.FreeLibrary(dll)

	// Get the function address
	proc, err := syscall.GetProcAddress(dll, *procName)
	if err != nil {
		fmt.Println("Error getting function address:", err)
		return
	}

	// Call the function; the exported Go main takes no parameters, so the
	// four zero arguments are ignored
	_, _, _ = syscall.SyscallN(proc, 0, 0, 0, 0)
}

To build and run this tool:

  1. Enable Logging: In PowerShell, enable logging so you can confirm that the agent is running:

    $env:VERBOSE='true'

  2. Run the Tool: Use the following command to call the main function from your emp3r0r.dll:

    .\rundll.exe -func main -dll emp3r0r.dll

Alternatively, you can invoke the DLL using rundll32.exe:

rundll32.exe emp3r0r.dll main

However, this might not provide visible output even if VERBOSE is set to true.