reflective DLL loader

Learning Sliver C2 (11) - SpawnDLL

15 minute read Published:

Deep-dive into the spawndll command Sliver provides for execution of so-called reflective DLLs. I show how to use the command and discuss some implementation details. The post mostly covers Sliver itself but also briefly touches upon the reflective loader, which is what makes a DLL reflective. At the end you can find the usual notes on detection.

Sliver C2

This post is part of a tutorial blog post series on Sliver C2 (used here in version v1.5.34). For an overview: click here.

Introduction

With the execute-assembly (post 9) and sideload (post 10) commands we are able to run third-party tools written as .NET or native PE executables. This post is about the spawndll command. At first glance it looks very similar to sideload, since both commands execute Windows DLLs.