Write XLL Dropper in c++ , a red teams most used dropper , learn how to be like a red teams and APT groups by building your XLL Dropper
Before we dig deeper, what is the Hack Dropper, and what the Hack is the XLL Dropper what are the differences and when to use it and why to use it and not use an exe dropper
A Dropper is like a delivery vehicle that has a payload to drop when it arrives at the target location! We can take an example of Amazon delivery autopilot drones which carry multiple payloads and when they arrive at a location it drop,
The payload on the door of the house Same for the Dropper in malware the dropper can carry 1 payload or more for example an old Dropper may carry 1 video or photo and 1 rat and the hacker can create an icon from the image that the dropper carries and change
The icon of the exe to the new icon and spoof the extension of the exe to be dropper.png.exe and because windows default settings will not show the extension it will appear like this dropper.png
The correct extension will be hidden When the hacker sends it to the target and the target clicks on it in 1 click it will drop the image and run it and will drop the RAT and run it in 1 click the will fool the target he clicking on
The image because see they image show up in his windows But what he did not know was that the image may maybe in the temp folder
Xll is a file extension or plugin for excel files xll files are similar to dlls they are the same but the xll is not a normal executable file,
It is a plugin for excel files for example you can write a plugin for excel files and in the plugin, you can add functions to calculate or add a formula for you and in excel you can import the plugin or xll file and start using the functions that you create in the plugins.
There is 1 more difference between the dll and xll files in dll you can not click it to launch the only way to use it without loading it using exe using loadlibraryA is by using the Rundll32.exe it but with xll, you can 1 click to launch it and use it when you click on the xll file the Excel will launch and you can start using excel with xll loaded
But to make a 1 click xll dropper work there is a very important function we will use int WINAPI xlAutoOpen(void);
The functions take no arguments , For this function to be used correctly we need to export it from the xll file so the excel can use it and to make the xll file valid xll or the xll file will not opened using excel and will show an error
Same as the exe dropper but these days exe files and extension spoofing are very detected So as a solution Hackers and developers start using XLL files,
To deliver their payload because Excel files are widely used in companies almost every company uses Excel So how does the xll drooper work? When a target clicks an xll file the excel.exe will import the xll file and search for the function xlAutoOpen
If he finds it he triggers the function Inside the xlAutoOpen function the hacker does what a normal dropper does like dropping the excel file to the temp directory to fool the employee and drop the Rat and starting them both
The target will see the excel file show up on his window so and the Rat will run in the background so no suspicious
When to use Xll Dropper and when to use Exe Dropper? So what to use? it depends on what are you targeting Of course not all the targets will have excel installed so does the xll dropper worse The answer is yes if you are targeting a youtube channel , company employee You can use the xll dropper but if you are targeting random people you can use only Dropper as a PDF dropper by spoofing the extension and doing some icon changes which I don’t recommend
Now there are a few tools you need to download before we start coding
1 – Visual studio IDE 2 – Excel or Microsoft Office 3 – Putty to test the dropper you can use any other portable software 4 – Download Excel 2013 SDK from Microsoft.
The installation is very easy
Lets start writing the XLL Dropper by creating a new dll project
As an Option You can disable precompiled headers you can do that by opening the project properties C/C++ Precompiled headers Precompiled headers change use /Yu to not using precompiled headers
Now you can delete the line #include “pch.h” and remove the file from the project
Before we add the headers and libraries for the Excel SDK will start coding the dropper But first create a new excel file that will be used to trick the company employee Examble for simple invoice :
Dont use it in attacks this is just an example
Back to the visual studio and create resource items the visual studio will automatically generate 2 files resource.h , resource.rc open the resource header add the 4 four defines
#define EXCEL_FILE 105
#define EXCEL_INVOICE 106
#define EXE_FILE 107
#define PAYLOAD_FILE 108
For more information click here
shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…
Extract and execute a PE embedded within a PNG file using an LNK file. The…
Embark on the journey of becoming a certified Red Team professional with our definitive guide.…
This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…
This took me like 4 days (+2 days for an update), but I got it…
MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…