In my opinion, this is just another one of those red-team "rediscovered" techniques that malware developers and the game-cheating community have used for ages; there is nothing really novel here.
Nevertheless, it made me curious which other DLLs on my system ship with RWX sections in their headers.
I wrote a quick script to find them on my system and wanted to share it:
import os
import mmap
import pefile
# Function to check if a section has RWX permissions
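# Memory-protection flags in IMAGE_SECTION_HEADER.Characteristics, from
# https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_section_header
IMAGE_SCN_MEM_SHARED = 0x10000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def has_rwx_section(section) -> bool:
    """Return True if *section*'s header asks for read+write+execute.

    *section* only needs a ``Characteristics`` attribute (e.g. a
    ``pefile.SectionStructure``).

    The three protection bits are tested with a mask instead of comparing the
    top nibble of ``Characteristics`` to ``0xE``.  The nibble comparison misses
    any section that additionally carries ``IMAGE_SCN_MEM_SHARED`` (top nibble
    ``0xF``), and a shared RWX section is the more interesting finding, since
    writes to it are visible to every process that maps the image.
    """
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return (section.Characteristics & rwx) == rwx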
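# Directories to scan.  The loader's search path is wider than this (SysWOW64,
# the WinSxS store, application directories), so extend the list as needed.
SCAN_ROOTS = ["C:\\Windows\\System32"]


def _iter_dlls(roots):
    """Yield the path of every ``*.dll`` found under the directories in *roots*."""
    for root_dir in roots:
        for root, _, files in os.walk(root_dir):
            for file in files:
                # The file system is case-insensitive and some system DLLs
                # are named in upper case, so match the suffix case-insensitively.
                if file.lower().endswith(".dll"):
                    yield os.path.join(root, file)


def _dll_has_rwx_section(path):
    """Return True if any section header of the PE image at *path* asks for RWX.

    Returns None when the file cannot be parsed or read, after printing why.
    Only the section headers are needed, so the image is loaded with
    ``fast_load=True`` and closed again as soon as they have been inspected
    (``pefile.PE`` keeps the file mapped until ``close()`` is called).
    """
    try:
        pe = pefile.PE(path, fast_load=True)
    except pefile.PEFormatError:
        print(f"Invalid PE format for {path}")
        return None
    except OSError as exc:
        # Some files under System32 are not readable by an unprivileged user;
        # report and keep scanning instead of aborting the whole run.
        print(f"Could not read {path}: {exc}")
        return None
    try:
        return any(has_rwx_section(section) for section in pe.sections)
    finally:
        pe.close()


# Gather every DLL under the scan roots.
dlls = list(_iter_dlls(SCAN_ROOTS))

# DLLs with at least one section whose header asks for R+W+X.
rwxDlls = [dll for dll in dlls if _dll_has_rwx_section(dll)]

# NOTE: this is a static, on-disk check of the section headers, i.e. the
# protection the loader is asked to apply when the image is mapped.  It says
# nothing about runtime state: a module can still change page protection
# (e.g. VirtualProtect) after it has been loaded.
print("The following DLLs, when mapped, have RWX sections:")
for dll in rwxDlls:
    print(dll)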