Tradecraft Garden
ReflectiveDLLInjection
This is Stephen Fewer's ReflectiveDLLInjection project with minimal changes.
Project Files
🔬 changes.diff
📕 LICENSE.txt
🔮 loader.spec
🔨 Makefile
📃 ReflectiveDLLInjection.h
📃 ReflectiveLoader.c
📃 ReflectiveLoader.h
Notes
The purpose of this minimal port is to demonstrate a baseline: code that others have worked with directly and built from, adapted to Crystal Palace conventions.
changes.diff shows all of the changes:
- The repository was stripped down to the ReflectiveLoader function code and its headers only
- The ReflectiveDLLInjection library was updated to compile with MinGW32 and a Makefile was created
- "Step 0" to find the appended DLL was replaced with Crystal Palace's linking convention
Conversation
- Advanced Attack Detection (2017) by Will Burgess and Matt Watkins gives a time-capsule look at options to find payloads like Cobalt Strike's Beacon and the Metasploit Framework's Meterpreter in memory by relying on tells related to reflective loading in the offense chain. Philosophically, what are we successfully chasing down in this type of exercise? Reflective Loading, or the tool that uses it? Inviting security professionals to understand these techniques outside of the tools that use them is part of the purpose of this Tradecraft Garden project.
- In-memory Evasion (2018) is my old introduction to Reflective Loading, then-common detection tricks, and evasion options. While the detections and evasion ideas have evolved significantly since this material, lectures 1-3 are a worthwhile introduction to what's going on, how this type of code is used in the context of Cobalt Strike and the Metasploit Framework, and what the quick wins to push back on the then-vogue defense analytics looked like.
- Writing a Windows Loader (2021) by Aaron Bray is a gentle introduction to what a Reflective Loader is doing. A good read to have an idea what's inside of a PE/COFF and what are the steps of loading a Windows DLL into memory.
- A good exercise to understand this project is to refactor each of the steps into their own functions and replace uiValueA, uiValueB, etc. with descriptive variable names and proper types. This will make the code easier to modify and work with for future projects. Simple Loader is my take on this exercise.
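The first step of any loader (and of any in-memory scanner that checks whether a region begins with a PE image) is the walk from the DOS header to the NT headers and the optional header. Below is that walk in the style the refactoring exercise above asks for: descriptive names, proper types and a bounds check before every read. It is an added example, not code from this project or from Stephen Fewer's loader; it stops at reading the headers, and the sample PE32+ image it parses is constructed inside the block rather than taken from any real DLL.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* What a header walk yields: the fields a memory scanner records when it
   finds an MZ/PE header at the base of a region not backed by a file. */
typedef struct {
    int      is_pe32plus;   /* 1 = PE32+ (64-bit), 0 = PE32 */
    uint16_t machine, nsections;
    uint32_t entry_rva, size_of_image; /* AddressOfEntryPoint, SizeOfImage */
} pe_info;

/* Little-endian readers/writers: the image is handled as plain bytes, so
   nothing is dereferenced through a struct that could run past the buffer. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
/* DOS header -> NT headers -> optional header -> section table, with a bounds
   check before every read. Returns 0 on success, a negative code if malformed. */
int pe_parse_headers(const uint8_t *buf, size_t len, pe_info *out) {
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;                 /* "MZ" */
    uint32_t e_lfanew = rd32(buf + 0x3C);
    if (e_lfanew > len || len - e_lfanew < 24) return -2;             /* no room for PE sig + FileHeader */
    const uint8_t *nt = buf + e_lfanew, *fh = nt + 4, *opt = fh + 20;
    if (rd32(nt) != 0x00004550) return -3;                            /* "PE\0\0" */
    uint16_t size_opt = rd16(fh + 16), nsect = rd16(fh + 2);
    if (size_opt < 96 || len - e_lfanew - 24 < size_opt) return -4;   /* optional header truncated */
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -5;                  /* neither PE32 nor PE32+ */
    if ((len - e_lfanew - 24 - size_opt) / 40 < nsect) return -6;     /* section table truncated */
    out->is_pe32plus   = (magic == 0x20B);
    out->machine       = rd16(fh);
    out->nsections     = nsect;
    out->entry_rva     = rd32(opt + 16);   /* same offset in PE32 and PE32+ */
    out->size_of_image = rd32(opt + 56);   /* same offset in PE32 and PE32+ */
    return 0;
}

/* Constructed sample (not a real DLL): a minimal PE32+ header with two empty
   section entries, enough to drive every check above. Returns bytes used. */
size_t build_sample_image(uint8_t *buf, size_t len) {
    if (len < 512) return 0;
    memset(buf, 0, len);
    wr16(buf, 0x5A4D); wr32(buf + 0x3C, 0x80);                        /* MZ, e_lfanew */
    uint8_t *nt = buf + 0x80, *fh = nt + 4, *opt = fh + 20;
    wr32(nt, 0x00004550);                                             /* PE\0\0 */
    wr16(fh, 0x8664); wr16(fh + 2, 2); wr16(fh + 16, 240);            /* x64, 2 sections, PE32+ size */
    wr16(opt, 0x20B); wr32(opt + 16, 0x1000); wr32(opt + 56, 0x5000); /* magic, entry, SizeOfImage */
    return 0x80 + 24 + 240 + 2 * 40;
}
```

Passing a shortened length (for example the first 100 or 200 bytes of the sample) exercises the truncation paths, which is what matters when the same walk runs over an arbitrary memory region rather than a file you trust.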
License
This project is licensed under the BSD License.