This document contains a list of terms prefixed with "cyber". It includes over 300 terms related to cyber topics such as cybersecurity, cybercrime, cyberculture, cybertechnology, and more. Some examples included are cyberbullying, cyberterrorism, cyberpunk, cyberlaw, and cyberspace.

3. anticybersquatting
biocybernetic
biocybernetical
biocybernetics
cyber
cybera
cyberabad
cyberactive
cyberactivism
cyberactivist
cyberactivists
cyberactivities
cyberaddiction
cyberaffair
cyberaffairs
cyberage
cyberalert
cyberanarchy
cyberangel
cyberangels
cyberart
cyberartists
cyberarts
cyberathlete
cyberatlas
cyberattack
cyberattacks
cyberaudience
cyberbabble
cyberbabe
cyberbalkanization
cyberbalkans
cyberball
cyberbank
cyberbanking
cyberbanks
cyberbased
cyberbit
cyberblitz
cyberbodies
cyberbody
cyberbole
cyberbook
cyberbooks
cyberbotics
cyberbranding
cyberbucks
cyberbuddies
cyberbullied
cyberbullies
cyberbully
cyberbullying
cyberbusiness
cybercaf
cybercafe
cybercafes
cybercafs
cybercampus
cybercapitalism
cybercash
cybercast
cybercasting
cybercasts
cybercenter
cyberchair
cyberchase
cyberchat
cybercheating
cyberchondria
cyberchondriacs
cyberchurch
cyberchurches
cybercities
cybercitizen
cybercitizens
cybercitizenship
cybercity
cyberclass
cyberclasses
cyberclubs
cybercode
cybercoin
cybercom
cybercommerce
cybercommunication
cybercommunications
cybercommunities
cybercommunity
cybercop
cybercops
cybercorp
cybercounseling
cybercourt
cybercowboy
cybercowboys
cybercrime
cybercrimes
cybercriminal
cybercriminals
cybercritics
cybercrooks
cybercult
cybercultural
cyberculture
cybercultures
cyberdate
cyberdating
cyberdeck
cyberdefense
cyberdelic
cyberdemocracy
cyberdialogue
cyberdiet
cyberdiscourse
cyberdissident
cyberdissidents
cyberdog
cyberdrama
cyberdreams
cyberdrool
cyberduck
cyberdyne
cybereconomy
cybered
cyberedge
cybereditions
cybereducation
cyberelite
cyberella
cyberenthusiasts
cyberenvironment
cyberenvironments
cyberespace
cyberethics
cyberethnography
cyberevolution
cyberface
cyberfair
cyberfaith
cyberfans
cyberfantasies
cyberfantasy
cyberfeminism
cyberfeminisms
cyberfeminist
cyberfeminists
cyberfiction
cyberflesh
cyberflex
cyberforce
cyberforensics
cyberforum
cyberfraud
cyberfreaks
cyberfriend
cyberfriends
cyberfrontier
cyberfuture
cyberfutures
cybergames
cybergate
cybergeek
cybergeeks
cybergeneration
cybergenics
cybergeo
cybergeography
cyberghetto
cybergirl
cybergirls
cyberglove
cybergold
cybergossip
cybergrace
cybergrasp
cybergriping
cybergroup
cybergroups
cybergrrl
cyberguard
cyberguide
cyberguides
cybergurus
cyberharassment
cyberhate
cyberhenge
cyberhome
cyberhomes
cyberhood
cyberhound
cyberhunt
cyberhype
cyberia
cyberiad
cyberiada
cyberian
cyberians
cyberidentities
cyberidentity
cyberimperialism
cyberinfrastructure
cybering
cyberintelligence
cyberion
cyberized
cyberjack
cyberjaya
cyberjournal
cyberjournalist
cyberjunk
cyberjunkies
cyberkid
cyberkids
cyberkinetics
cyberkitchen
cyberknife
cyberlab
cyberland
cyberlanguage
cyberlaw
cyberlaws
cyberleaf
cyberlearning
cyberlibel
cyberlibertarian
cyberlibertarianism
cyberlibertarians
cyberlibrarian
cyberlibrary
cyberlife
cyberlines
cyberlink
cyberlinks
cyberliteracy
cyberliterature
cyberloafing
cyberlove
cyberlover
cyberlovers
cybermachines
cybermagazine
cybermall
cybermalls
cyberman
cybermaps
cybermarket
cybermarketing
cybermarketplace
cybermarkets
cybermation
cybermedia
cybermediaries
cybermediary
cybermediation
cybermedicine
cybermeetings
cybermen
cybermetrics
cybermind
cyberminds
cybermonde
cybermoney
cybermotion
cybern
cybernate
cybernated
cybernatic
cybernatics
cybernating
cybernation
cybernaut
cybernautic
cybernauts
cyberne
cybernectics
cybernerd
cybernesia
cybernet
cybernetes
cyberneti
cybernetic
cybernetica
cybernetical
cybernetically
cybernetician
cyberneticians
cyberneticism
cyberneticist
cyberneticists
cyberneticization
cyberneticized
cybernetics
cyberneticspart
cyberneticus
cybernetique
cybernetiques
cybernetisation
cybernetist
cybernetists
cybernetix
cybernetization
cybernets
cybernetwork
cybernetworks
cybernetyka
cybernetyki
cybernews
cybernex
cybernins
cyberniscus
cybernomics
cybernot
cybernotary
cyberntique
cyberntiques
cyberocracy
cyberonics
cyberoptics
cyberoptimists
cyberostracism
cyberotics
cyberpal
cyberpals
cyberpark
cyberpath
cyberpatrol
cyberpayments
cyberpet
cyberpets
cyberphobe
cyberphobes
cyberphobia
cyberphobic
cyberphysiologic
cyberpiracy
cyberpirate
cyberpirates
cyberpl
cyberplace
cyberplaces
cyberplanning
cyberplay
cyberplus
cyberpoetry
cyberpolice
cyberpolitics
cyberpolitik
cyberpom
cyberporn
cyberpornography
cyberport
cyberpower
cyberpredators
cyberpresence
cyberpromotions
cyberprotest
cyberpsychol
cyberpsychology
cyberpublics
cyberpunk
cyberpunkish
cyberpunks
cyberqueer
cyberrape
cyberrays
cyberreader
cyberreality
cyberregs
cyberrelationship
cyberrelationships
cyberrevolution
cyberrights
cyberromance
cybers
cybersabotage
cybersafe
cybersafety
cybersavvy
cybersawy
cyberscams
cyberscan
cyberscape
cyberscapes
cyberscene
cyberschool
cyberschoolbus
cyberschooling
cyberschools
cyberscience
cyberscope
cyberscrub
cybersearch
cybersecurity
cyberself
cyberselfish
cybersell
cyberselves
cybersemiotics
cybersettle
cybersex
cybersexual
cybersexualities
cybersexuality
cybershock
cybershop
cybershoppers
cybershopping
cybershops
cybershot
cybersickness
cybersight
cybersite
cybersites
cybersitter
cyberskeptic
cyberski
cyberskills
cyberskin
cyberslackers
cyberslacking
cyberslang
cybersleuth
cybersleuthing
cybersleuths
cybersmear
cybersmears
cybersmith
cybersmuggling
cybersmut
cybersoap
cybersocial
cybersocieties
cybersociety
cybersociology
cybersoft
cybersonic
cybersound
cybersource
cyberspace
cyberspaced
cyberspaces
cyberspacetime
cyberspacial
cyberspatial
cyberspazio
cyberspeak
cyberspeech
cyberspeed
cybersphere
cyberspies
cybersquatter
cybersquatters
cybersquatting
cyberstacks
cyberstalked
cyberstalker
cyberstalkers
cyberstalking
cyberstar
cyberstate
cyberstates
cyberstation
cyberstats
cyberstore
cyberstores
cyberstrategy
cyberstructure
cyberstudents
cyberstudies
cyberstudio
cyberstudy
cybersubject
cybersurf
cybersurfer
cybersurfers
cybersurfing
cybersurgery
cybersurveillance
cybersyn
cybersystem
cybersystems
cybert
cybertalk
cybertariat
cyberteam
cybertec
cybertech
cybertechnological
cybertechnologies
cybertechnology
cybertek
cyberterror
cyberterrorism
cyberterrorist
cyberterrorists
cybertext
cybertexts
cybertextual
cybertextuality
cybertheft
cybertheorist
cybertheorists
cybertheory
cybertherapy
cyberthief
cyberthieves
cyberthon
cyberthreat
cyberthreats
cyberthriller
cybertime
cybertimes
cybertipline
cybertools
cybertopia
cybertouch
cybertour
cybertown
cybertracker
cybertrader
cybertrail
cybertravel
cybertrends
cybertron
cybertronic
cybertronics
cybertrust
cybertype
cybertypes
cyberunion
cyberuniverse
cyberutopia
cyberutopians
cybervandalism
cybervandals
cyberversion
cyberview
cybervillage
cyberville
cyberviolence
cybervision
cyberwalk
cyberwar
cyberware
cyberwarfare
cyberwarrior
cyberwarriors
cyberwars
cyberwaves
cyberway
cyberweapons
cyberweb
cyberwire
cyberworks
cyberworld
cyberworlds
cyberwriting
cyberzine
cyberzines
cyberzone
cyberzoning
encyberpedia
frcyberg
mecyberna
mecybernaeans
mediacybernetics
myocybernetic
neurocybernetic
neurocybernetics
noncyber
noncybernetic
noncyberspace
ofcyberculture
postcybermodernpunkism
postcyberpunk
precybernetic
psychocybernetic
psychocybernetics
psycyber
scybert
sociocybernetic
sociocybernetics

12. Why I’m Here
• -CON worthy? (…but people talk about it and use it already, so…)
• Generate more interest on the topic (next<buzz>
generation interest)
• Recognize other’s hard-work (…not really my presentation thereof)

13. Background Worth Noting
• Principal Base64 Cryptographer (Application Security)
• Reviewing of the computer codes
• Enhanced vulnerability assessments (corporate pen-testing)
• Nerf phishing exercises
• SAASSY: Strategic Advanced Application & Software SecuritY… Yackers? …Yuppies?
• Previously worked for a company known as eEye
• Never done a -CON talk
• Implicit Disclaimer
• Talk or content thereof does not reflect that of mycurrent employer in any way, shape, or
form (even though they aren’t a security company) nor does it reflect that of past employers

14. A Talk Mostly About Other’s Work
• In memory techniques not necessarily “new”
• There is more out there than you may think (TLDR; search for it)
• Credit and recognition past due

15. Talking Mostly About Other’s Work
viz. Mostly Others Work
This Talk
• Libraries and loading thereof on Windows (in a nutshell)
• Memory-based library loading using a specific technique (with a specific project)
• Compare/contrast memory-based techniques (fromother projects or concepts, similar or not)
• Real-world cases of/for real-world uses (of the topic technique)
Not This Talk
• Memory-Based Library Loadingon other platforms (Mac, Linux, UNIX, …)
• Usage of all memory-based techniques (or my use thereof)
• Guaranteed evasions (using any of the techniques)

16. Library Loading on Windows
• Portable Executable (PE) format
• EXE, DLL, …
• EXE and DLL are similar
• Code, Data, Resources
• Loader to load ;-]

17. Dynamic-Link Library (DLL)
• Module with things for another module (application or DLL)
• Functions and data (things) can be internal or exported
• Types of dynamic linking
• Load-time (module linked with import library)
• Run-time (LoadLibrary, LoadLibraryEx)

18. Other Dynamic-Link Library (DLL) points
• Entry point is optional
• Loader search order (and hijacking thereof)
• MSDN has all the information things

19. Minimal PE File Format

20. “Tiny PE”
Creatingthe smallestpossiblePEexecutable
Alexander Sotirov
http://www.phreedom.org/research/tinype

23. “Corkami”
Reverse engineering&visual documentations
Ange Albertini
https://github.com/corkami https://www.patreon.com/corkami

24. So, um…
Thankfully for you and me this is not a technical talk on PE
• See other innumerable resources, like Corkami, RE sites, MSDN, …
Take-Aways
• DLL and EXE are similar, as is the loading process
• High-level familiarity is okay (so long as you don’t ignore the low-level)
• Low-level familiarity is ideal (so long as you don’t forget the big-picture)

25. Fun Fact It looks like you need90’s eraarticles…

26. Memory-Based Library Loading
• Emulating the Windows loader

27. “Blackbone”
WindowsMemoryHackingLibrary
DarthTon
https://github.com/DarthTon/

28. Blackbone
https://github.com/DarthTon/Blackbone/blob/master/README.md

29. Memory-Based Library Loading
• The topic-technique of this talk

30. “MemoryModule”
Libraryto loada DLL from memory
Joachim Bauch
https://github.com/fancycode/
http://web.archive.org/web/20050202213757/http://www.joachim-bauch.de:80/
<blink>
</blink>

31. A comment from Joachim Bauch:
“My first use case for MemoryModule was to "protect" some
proprietary C-Python modules (which are .DLL files on Windows).
I had a "loader” Python module that was initialized with license files
and then decrypted and loaded the actual modules from memory using
MemoryModule.
That's how the project started and it was interesting to find out how
loading libraries worked internally in Windows. I liked the code (and
hoped others might, too), so I decided to open source it.”

32. Highlights on MemoryModule
• 10+ years senior to functionally equivalent techniques (ca. 2004)
• Pre-dates other security-related research (and isn’t security research)
• The code is documented and cleanly written (see for yourself)

33. So, let’s talk Memory-Based Library Loading
with Joachim’s MemoryModule
https://github.com/fancycode/MemoryModule/tree/master/doc

34. So, what does it do?
• Emulates standard Windows API functions
• LoadLibrary
• LoadLibraryEx
• GetProcAddress
• FreeLibrary
• FindResource
• FindResourceEx
• SizeofResource
• LoadResource
• LoadString

35. So, it’s kind of like Windows API.
• MemoryModule resembles the Windows API
• MemoryLoadLibrary
• MemoryLoadLibraryEx
• MemoryGetProcAddress
• MemoryFreeLibrary
• MemoryFindResource
• MemoryFindResourceEx
• MemorySizeofResource
• MemoryLoadResource
• MemoryLoadString
• MemoryLoadStringEx

36. So how is it like Windows PE loader?
• TLDR; Joachim’s documentation

37. Hear the docs: “Loading the library
To emulate the PE loader,we must first understand,which steps are neccessary to load the file to memory and prepare the structures
so theycan be called from other programs.
When issuingthe API call LoadLibrary,Windows basicallyperforms these tasks:
1. Open the given file and check the DOS and PE headers.
2. Try to allocate a memory block of PEHeader.OptionalHeader.SizeOfImage bytes at position PEHeader.OptionalHeader.ImageBase.
3. Parse section headers and copy sections to their addresses. The destination address for each section, relative to the base of the allocated
memory block, is stored in the VirtualAddress attribute of the IMAGE_SECTION_HEADER structure.
4. If the allocated memory block differs from ImageBase, various references in the code and/or data sections must be adjusted. This is called Base
relocation.
5. The required imports for the library must be resolved by loading the corresponding libraries.
6. The memory regions of the different sections must be protected depending on the section's characteristics. Some sections are marked as
discardable and therefore can be safely freed at this point. These sections normally contain temporary data that is only needed during the
import, like the informations for the base relocation.
7. Now the library is loaded completely. It must be notified about this by calling the entry point using the flag DLL_PROCESS_ATTACH.
In the followingparagraphs,each step is described.”
https://github.com/fancycode/MemoryModule/tree/c4074afd3e0eb01dfb36e89a8d10ae0fe94434a4/doc#loa
ding-the-library

38. Loading the library: Headers
https://github.com/fancycode/MemoryModule/blob/00bc61e8c71be6b74acf177c4cddb7a536851e54/MemoryModule.c#L507

39. Loading the library: Sections Table
https://github.com/fancycode/MemoryModule/blob/00bc61e8c71be6b74acf177c4cddb7a536851e54/MemoryModule.c#L556

40. Loading the library: ‘Mapping’
https://github.com/fancycode/MemoryModule/blob/00bc61e8c71be6b74acf177c4cddb7a536851e54/MemoryModule.c#L579

41. Loading the library: Imports
https://github.com/fancycode/MemoryModule/blob/00bc61e8c71be6b74acf177c4cddb7a536851e54/MemoryModule.c#L401
https://github.com/fancycode/MemoryModule/blob/00bc61e8c71be6b74acf177c4cddb7a536851e54/MemoryModule.c#L649

42. Loading the library: Execution
https://github.com/fancycode/MemoryModule/blob/00bc61e8c71be6b74acf177c4cddb7a536851e54/MemoryModule.c#L653

43. CustomDoThingFunc

44. Great, thanks for reading the docs to me.
• How do I use it?

45. The How to Use in 1-slide Guide
• git clone https://github.com/fancycode/MemoryModule
MemoryModule-master
• Modify MemoryModule-master/CMakeList.txt PLATFORM variable for
target architecture (x86_64, i686, …)
• Use the example/DllLoader/DllLoader.cpp
• You can make modifications to Joachim’s example (remove test code, file name, perhaps add
a XOR decoder)
• Build
• Generate [commodity] payloads (perhaps XOR encode after)
• Configure endpoint security solution on target
• Copy the payload and payload loader to target
• Test

46. Modified example/DllLoader/DllLoader.cpp

47. So, if you didn’t know by now why should we
use a memory-based library loader?
<marquee><blink><b><i><u>
Evasion
</u></i></b></blink></marquee>

48. So, remember...
• Requisite library loading API functions without Windows API
• Resource loading API functions without Windows API
• Payloads with files or without files; doesn’t matter
So many uses! Use your imagination…

49. So, let’s compare the techniques.
• Isn’t this just DLL injection?
Semantically this not an “injection”, even though the loading process
may be functionally equivalent at points.
MemoryModule is loading the file directly into the same executables
memory space; not “remotely” as-it-were, and independent of the
Windows API.

50. “Pazuzu”
Reflective DLLto runbinariesfrommemory
Borja Merino
https://github.com/BorjaMerino
http://www.shelliscoming.com/2016/04/pazuzu-reflective-dll-to-run-binaries.html

51. “Xenos”
Windowsdll injector
DarthTon
https://github.com/DarthTon/

52. “ReflectiveDLLInjection”
Reflective DLLinjectionisalibraryinjectiontechnique inwhichthe conceptof
reflectiveprogrammingisemployedtoperformthe loadingof alibraryfrommemory
intoa hostprocess.
Stephen Fewer
https://github.com/stephenfewer/ReflectiveDLLInjection
&& || variousforksandusesof thislibrary(Metasploit,EmpireProject,…)

53. Fun Fact I see youwant toknow more about DLL injectionfromthe early 90’s …

54. “INJLIB”
Load Your 32-bitDLL intoAnotherProcess'sAddressSpace UsingINJLIB
Jeffrey Richter
https://github.com/JeffreyRichter
https://download.microsoft.com/download/0/6/7/0678184e-905e-4783-9511-d4dca1f492b4/MSJMAY94.exe
https://www.microsoft.com/msj/backissues86.aspx

55. So, let’s compare the techniques.
• Isn’t this just process hollowing?
MemoryModule is loading the file directly into the same executables
memory space without spawning another process.
However, imaginably MemoryModule technique could take advantage
in some form to load itself differently (i.e. evasion), or vice versa.

56. Fun Fact It sounds like you meant “Nebbett’s Shuttle”fromcomp.os.ms-windows.programmer.win32…
https://groups.google.com/forum/#!msg/comp.os.ms-windows.programmer.win32/Md3GKPc279A/Ax3bYgXhpD8J
https://www.blackhat.com/presentations/bh-usa-07/Harbour/Presentation/bh-usa-07-harbour.pdf
https://attack.mitre.org/wiki/Technique/T1093

57. “Nebbett’s Shuttle”
Gary Nebbett
https://www.linkedin.com/in/gary-nebbett-47b783b3
https://groups.google.com/d/msg/microsoft.public.win32.programmer.kernel/Sx4yufHDVdY/iI7dLlrFWPsJ
https://groups.google.com/forum/#!msg/comp.os.ms-windows.programmer.win32/Md3GKPc279A/Ax3bYgXhpD8J

58. So, contrasting other memory techniques.
• MemoryModule-technique is not DLL injection
• MemoryModule-technique is not Process Hollowing
• Other techniques similar in loading but differ in how they get there

59. So, let’s see it in the real-world.
• Who is doing MemoryModule type of memory-based library loading?
• People on source code sites
• People all about the games -sites
• People porting it into different languages
• Legitimate software uses it (e.g. Py2Exe)

60. But, more relevant to this talk.
• Security People

61. “ShellcodeMemoryModule”
MemoryLoadLibrary:FromC Programto Shellcode
Didier Stevens
https://blog.didierstevens.com/programs/shellcode
https://blog.didierstevens.com/2010/05/04/writing-win32-shellcode-with-a-c-compiler/
https://blog.didierstevens.com/2010/02/16/memoryloadlibrary-from-c-program-to-shellcode/
http://download.hakin9.org/en/hakin9_04_2010_EN.pdf(dead)

62. “Bypassing Sandboxes for Fun”
Hack.lu2014
Paul Jung
http://archive.hack.lu/2014/Bypasss_sandboxes_for_fun.pdf
https://github.com/Th4nat0s

63. “Ebowla”
FrameworkforMakingEnvironmental KeyedPayloads
Josh Pitts &
Travis Morrow
https://github.com/Genetic-Malware/Ebowla

64. Also, more relevant to this talk.
• Leaks (purportedly sourced from government agencies)

65. Fun Fact Did youknow there are …

66. “WIKILEAKS: EXCERPT MISSING,
CHILDREN MISSING,
ATTACHMENTS MISSING
(PATIENCE MISSING)”
In-memoryCode Execution(ICE)
Vault 7
http://www.wi_kileaks.org/ciav7p1/cms/index.html
/ciav7p1/cms/page_14587413.html
/ciav7p1/cms/page_14587427.htm
/ciav7p1/cms/files/ICE-Spec-v3-final-UNCLASSIFIED.pdF
/ciav7p1/cms/page_15729246.html

67. Also, more relevant to this talk.
• Malware

68. “Lamberts”
In-memoryCode Execution
Longhorn
http://adelmas.com/blog/longhorn.php(dead)
https://securelist.com/unraveling-the-lamberts-toolkit/77990/
https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7

69. But, there’s more.
• Various forks of MemoryModule on Github

70. Various forks of MemoryModule on Github
As of 9/14/2017https://github.com/fancycode/MemoryModule/network/members

71. But, there’s probably more.
• No doubt there are others

72. Ok, let’s start wrapping this talk up.

73. “How can I do stuff with MemoryModule?”
• Fork the source and build
• See the examples in Joachim’s source
• See Pitts’s and Morrow’s EBOWLA framework
• See legit uses like Py2exe
• See indirect uses via Py2exe like Veil
• See other research like Jung, Stevens, DarthTon
• See source repository forks on Github
• See my rudimentary examples and ideas
• Try it with existing frameworks like Cobalt Strike
• Experiment with delivery methods and payloads
• Experiment with obscuring MemoryModule

74. And, there’s inevitably more uses.
• Code Protection
• Payload Delivery Experiments
• E-mails (remember Spam Mimic?)
• Steganography (think “PHP-enabled” avatars)
• Contribute to Frameworks (EBOWLA, MSF, CBS)

75. And, the obvious use case.
• Feigning the fudging of the fancy futuristic security solutions securing
of the digitals

76. So, someone should eventually research
• Computational expensiveness (hardware, ML models)
• Alternative MemoryModule loader implementations
• Other people, places, and things (malware, forks, sites, researchers)
• Dynamic detection (in-memory, computational expensiveness)

77. So, wrapping it all up.
• Emulating the Windows PE loader provides a unique method for employing memory-
based evasions
• MemoryModule by Joachim Bauch implements this technique, and has been around
since 2004 just for you, and for others too
• Other memory-based techniques exist and have been around longer than we may have
thought
• There’s a lot you can do either by contributing or tinkering
• There are a lot of smart and talented people, named or not, that I am honored to talk
about

78. Okay, that’s the talk.
(I’m done pushing buttons so it’s automatic slide advance from here on…)

79. Credits
• This entire talk was one built-in credit, thanks to everyone!
• Some images listed as public domain
• Unless otherwise noted by a URL or reference
• I can provide all references on request

80. Thanks (mostly for putting up with my nonsense)
God My wife - My family - My friends
“Ya’ll” “You’ns”
Those Not Named
Derbycon
(legacy…legacy…legacy…)

81. Okay, that’s the talk.
• Oh yeah, I have a Twitter.
• And a GitHub, too.

82. Anything else?