MythicAgents/dll_wrapper

DLL Wrapper

dll_wrapper is a Mythic wrapper payload that takes an existing Mythic payload built as raw shellcode and emits a native Windows DLL.

Build Options

  • execute_in_dllmain: execute the wrapped shellcode from DllMain on DLL_PROCESS_ATTACH.
  • export_names: one or more exported function names that execute the shellcode when execute_in_dllmain is disabled.
  • execution_method: shellcode execution backend. Current backends are CreateThread (Execution), QueueUserAPC (Execution), and EarlyBird (Injection).
  • target_process_path: path of the target process that injection backends spawn as a child process.
  • architecture: compile an x64 or x86 DLL. The DLL architecture must match the wrapped shellcode.

How to install an agent in this format within Mythic

When it's time for you to test out your install or for another user to install your agent, it's pretty simple. Within Mythic you can run the mythic-cli binary to install this in one of three ways:

  • sudo ./mythic-cli install github https://github.com/user/repo to install the main branch
  • sudo ./mythic-cli install github https://github.com/user/repo branchname to install a specific branch of that repo
  • sudo ./mythic-cli install folder /path/to/local/folder/cloned/from/github to install from an already cloned down version of an agent repo

Extending Execution Methods

Execution backends live in Payload_Type/dll_wrapper/dll_wrapper/agent_code/execution_methods/ and are selected by the Python builder in Payload_Type/dll_wrapper/dll_wrapper/builder.py.

To add a backend:

  1. Add a C++ implementation in agent_code/execution_methods/.
  2. Add its function declaration to agent_code/execution_methods.h.
  3. Add a case to agent_code/execution_methods.cpp.
  4. Add a UI choice to EXECUTION_METHODS in builder.py.

About

Simple Native DLL Wrapper for Shellcode Payloads
