xyrella is a simple XLL builder without any remote injection functionality (it can unhook NTDLL, though). I sincerely believe that it makes things easier when you separate your intial access method and your injection/EDR bypass technique.
The approach is briefly discussed in https://tishina.in/initial-access/xll-delivery
xyrella currently only builds on Windows. (no longer true, cross-compiling is possible win MinGW)
nim should be reachable from $PATH.
> nimble install nimcrypto ptr_math winim
> pip install pycryptodome
From the execution standpoint, xyrella is just nim-fibers, compiled to a DLL. The usage is pretty straightforward:
_ _
| | |
_ _ _ _ ____ ____| | | ____
( \ / ) | | |/ ___) _ ) | |/ _ |
) X (| |_| | | ( (/ /| | ( ( | |
(_/ \_)\__ |_| \____)_|_|\_||_|
(____/ Nim XLL builder PoC v0.2.1
usage: build.py [-h] [-u STAGEURL] [-e] [-n] [-w] [-d DECOY] [-v] [-o OUTPUT] -s SHELLCODE
optional arguments:
-h, --help show this help message and exit
staging arguments:
-u STAGEURL, --stageurl STAGEURL
URL to stage from (if staged, optional)
stageless arguments:
-e, --encrypt encrypt shellcode (aes128-cbc)
compilation arguments:
-n, --skip-unhook do not do NTDLL unhooking
-w, --hidewindow hide excel window during execution
-d DECOY, --decoy DECOY
path to the decoy file to open on startup (optional)
-v, --verbose increase output verbosity
-o OUTPUT, --output OUTPUT
path to store the resulting .XLL file (optional)
required arguments:
-s SHELLCODE, --shellcode SHELLCODE
path to shellcode .bin (required)