What is Module Stomping and how does it enable red team trade-craft?
Learn what the Module Stomping (DLL Hollowing) code injection technique is, how it works, and why it matters for red team trade-craft.
Do you like to read?
What if I covertly insert a chapter in the book you are reading without changing the table of contents? Would you realize it wasn’t there? Maybe there was a misprint in the table of contents and that chapter was left out.
Module Stomping or DLL Hollowing technique works in a similar way to inject malicious code into a system while keeping everything looking legitimate.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
In this technique the red team operator loads a legitimate Dynamic Link Library (DLL) into a target process and then overwrites its entry point with malicious shellcode. This allows the red team operator to execute their payload within the context of the process without raising suspicion. Unlike traditional injection techniques, such as allocating new memory and executing code from there, module stomping avoids creating new memory regions marked as RWX (Read, Write, eXecutable), making it easier to evade endpoint detection tools.
At a high level, here’s how this technique works:
1. Open the target process using its process ID.
2. Allocate memory in the target process to store the path of the DLL to be injected.
3. Write the DLL path into the allocated memory of the target process.
4. Retrieve the address of the LoadLibraryW function from Kernel32.dll.
5. Create a remote thread in the target process to execute LoadLibraryW, loading the specified DLL.
6. Enumerate the modules in the target process to find the base address of the injected DLL.
7. Read the DOS and NT headers of the injected DLL to locate the Entry Point address.
8. Write the shellcode to the DLL's Entry Point address.
9. Execute the shellcode by creating a remote thread.
One of the biggest advantages of module stomping is its stealth. Traditional code injection techniques, such as allocating executable memory and writing shellcode into it, are easily detectable by modern security solutions. Many Endpoint Detection and Response (EDR) tools monitor for newly allocated memory with execution permissions, flagging it as suspicious. Module stomping, however, avoids this by modifying an existing memory region that already belongs to a legitimate DLL, reducing the likelihood of detection.
Additionally, since the malicious shellcode is executed within the context of a legitimate DLL, security solutions that rely on module integrity checks may overlook the attack. Some security tools flag DLLs that are loaded from unusual locations, such as writable directories, but module stomping bypasses this by working with system DLLs that are expected to be present in memory. Moreover, since the thread executing the shellcode is associated with a known Windows module, security analysts reviewing process behavior may not immediately recognize the suspicious activity.
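The module integrity check mentioned above is exactly the defensive counterpart of step 7. Here is an added example (not code from the original post) in Python: it parses the DOS and NT headers to find AddressOfEntryPoint, then compares the bytes at that RVA between a clean, disk-backed copy of the module and the copy read back from the live process, which is how a stomped entry point shows up. It assumes both buffers are already in mapped-image layout (section RVAs, not raw file offsets); the PE images and the byte patterns at the entry point are constructed for the demo.

```python
import struct

def entry_point_rva(image: bytes) -> int:
    """Return AddressOfEntryPoint from a PE image, walking the same headers step 7 reads."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]       # IMAGE_DOS_HEADER.e_lfanew
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_NT_HEADERS = Signature(4) + IMAGE_FILE_HEADER(20) + IMAGE_OPTIONAL_HEADER;
    # AddressOfEntryPoint is at offset 16 of the optional header for both PE32 and PE32+.
    return struct.unpack_from("<I", image, e_lfanew + 24 + 16)[0]

def entry_point_stomped(disk_image: bytes, memory_image: bytes, window: int = 32):
    """Compare the first `window` bytes at the entry point of the clean (disk-backed)
    image against the in-process copy. Returns (stomped, rva, first_differing_offset)."""
    rva = entry_point_rva(disk_image)
    if entry_point_rva(memory_image) != rva:
        return True, rva, None          # headers themselves were altered in memory
    clean = disk_image[rva:rva + window]
    live = memory_image[rva:rva + window]
    for i, (x, y) in enumerate(zip(clean, live)):
        if x != y:
            return True, rva, i         # overwritten entry point: the stomping signature
    return False, rva, None

def build_fake_image(entry_bytes: bytes) -> bytes:
    """Constructed minimal mapped PE image: valid headers plus code placed at RVA 0x100."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                   # e_lfanew -> NT headers at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 4 + 20, 0x20B)          # optional header Magic: PE32+
    struct.pack_into("<I", img, 0x80 + 24 + 16, 0x100)         # AddressOfEntryPoint
    img[0x100:0x100 + len(entry_bytes)] = entry_bytes
    return bytes(img)

# Constructed samples: a benign x64 prologue, and the same module after its entry point
# bytes were replaced in memory (NOPs stand in for whatever was written there).
CLEAN = build_fake_image(b"\x48\x83\xec\x28\x48\x8b\x05")
STOMPED = build_fake_image(b"\x90\x90\x90\x90\x90\x90\x90")

if __name__ == "__main__":
    print(entry_point_stomped(CLEAN, CLEAN))     # (False, 256, None)
    print(entry_point_stomped(CLEAN, STOMPED))   # (True, 256, 0)
```

On a real host the two buffers come from mapping the module's file from disk and from reading the same RVA range out of the target process; relocations and import-table patches live outside the entry point's first instructions, so a diff there is a strong signal rather than noise.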
Red Team Notes
Module stomping is a code injection technique that enables red team operators to execute malicious code by leveraging existing DLLs instead of allocating new memory. This technique has the following advantages:
- Uses existing memory regions belonging to a legitimate DLL instead of allocating new memory regions with RWX permissions.
- Executes shellcode within the context of a legitimate DLL.
- Works with system DLLs that are expected to be present in memory.
- Associates the thread executing the shellcode with a known Windows module.