mirror of
https://github.com/quasar/Quasar.git
synced 2026-04-25 23:35:58 +03:00
[GH-ISSUE #436] pupy Explit & QuasarRAT C# ClassLibrary DLL INJECTION POSSIBLE? #222
Originally created by @kainpark7894 on GitHub (Mar 29, 2016).
Original GitHub issue: https://github.com/quasar/Quasar/issues/436
QuasarRAT C# ClassLibrary DLL INJECTION POSSIBLE?
Default -> C# Client.exe -> Build Client.bin PE File
My Class Library Compile DLL ->Explorer.exe and Anyway 32bit&64bit DLL injection No execute Code
Hide injection Client.Bin -> DLL compile Possible?
ex) reflective dll injection
https://github.com/dismantl/ImprovedReflectiveDLLInjection
@MK73DS commented on GitHub (Apr 21, 2016):
Does that mean that the client will launch as administrator when explorer.exe is launched?
@kainpark7894 commented on GitHub (Apr 23, 2016):
PE format file taskmgr.exe View No Hidden
but DLL format file Reflective INJECTION Hide Code injection (explorer.exe, iexplorer.exe, etc. system File)
C# file Reflective Injection impossible? or Hide Client.exe -> DLL Injection What support?
@0xE232FE commented on GitHub (Aug 30, 2016):
What about system integrity checks? Change explorer.exe and run the sfc /scannow command from the command prompt. The modified explorer.exe will be replaced with the original one.
If you want to gain administration privileges, try to figure out which antivirus program the client uses and give him an update. Remote execute a loader program that gains administration privileges, download the latest version of the virus scanner and fake an important update of the already installed virus scanner. Once you have got admin privileges with your loader you can modify the privileges of Quasar at the same time. So the victim doesn't know what's going on ;-) and might give you admin privileges. Even if the client cancels the installation after the admin privileges, you have already modified the privileges of Quasar and the setup is only a side effect. ;-)