A simple, stealthy DLL that executes arbitrary shellcode when loaded by netsh.exe via the add helper command.
This project leverages the legitimate "Netsh Helper DLL" functionality in Windows to execute malicious code (shellcode) within the context of the trusted netsh.exe process. Ideal for evasion and lateral movement in Windows environments.
- Mandatory Entry Point: The Windows netsh.exe utility requires helper DLLs to export a specific function called InitHelperDll (officially documented by Microsoft).
- Automatic Loading: When you run netsh add helper <path_to_dll>, netsh.exe loads the DLL and immediately calls its InitHelperDll function.
- Payload Execution: Inside InitHelperDll, this code:
  - Allocates executable memory using VirtualAlloc.
  - Copies an embedded shellcode buffer into this memory.
  - Executes the shellcode synchronously in the main thread of the netsh.exe process.
Requires the MinGW-w64 compiler for Windows (x64 target).
x86_64-w64-mingw32-gcc -shared -o helper.dll main.c -lkernel32 -luser32
Note: You must replace the buf[] array in main.c with your actual shellcode (e.g., generated by msfvenom).
Upload the compiled DLL (helper.dll) to the target machine. Execute the following command in a terminal with sufficient privileges (CMD, PowerShell, Evil-WinRM):
netsh add helper C:\Full\Path\helper.dll
Your shellcode will execute immediately! If your shellcode is a reverse shell, you should receive a connection on your listener. The netsh add helper ... command will block/hang if the shellcode does not return (expected behavior for persistent shells).
- Legitimate Mechanism: Exploits a documented, legitimate Windows feature (netsh helper).
- No New Processes: Executes within the trusted netsh.exe process, avoiding suspicious process creation.
- Evasion: Can bypass security controls monitoring for new process creation or injection into critical system processes.
- Simple & Effective: Straightforward loading and execution mechanism.
- Architecture: Ensure you compile the DLL for the same architecture (x64) as the target system and its netsh.exe.
- Synchronous Execution: The shellcode runs synchronously. This means the netsh add helper command will not return control until the shellcode finishes or the process is killed. This is intentional to ensure the shellcode has time to execute fully.
- Shellcode Replacement: The example shellcode ("\d34d\beef") is invalid. You must replace it with your real payload.
This code is public domain. Use it responsibly and only in authorized environments.
- Official Microsoft Documentation: InitHelperDll function
- Inspiration: https://github.com/outflanknl/NetshHelperBeacon
This project is intended to:
- Help red teams understand modern C2 evasion techniques.
- Assist blue teams in developing better detection logic.
- Promote research into secure software design and defensive hardening.
- Demonstrate the importance of runtime analysis over static signatures.
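A detection check for the mechanism described above, added here as an example and not part of this project: netsh add helper records the DLL under HKLM\SOFTWARE\Microsoft\NetSh so it is loaded on every later netsh run, which makes that key the natural place for blue teams to look. The script assumes a Windows host with PowerShell 5.1 or later; the threshold it applies (helper outside System32 or without a valid Authenticode signature) is an assumption chosen for this example.

```powershell
# Added example (not part of this project): enumerate the netsh helper DLLs
# registered under HKLM\SOFTWARE\Microsoft\NetSh and flag entries that do not
# look like built-in Windows helpers.
$key      = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\NetSh'
$system32 = Join-Path $env:SystemRoot 'System32'

foreach ($name in $key.Property) {
    # PowerShell lists the unnamed default value as "(default)"; it is not a helper.
    if ($name -eq '(default)') { continue }

    $dll = [string]$key.GetValue($name)

    # Built-in helpers are registered by bare file name and resolved from
    # System32; a helper registered with an explicit path is worth a look.
    $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }

    $inSystem32 = $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
    $exists     = Test-Path -LiteralPath $path

    # Catalog-signed OS files report 'Valid' on Windows 8 and later; anything
    # else (NotSigned, HashMismatch, a missing file) merits review.
    $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }

    # Assumed review threshold for this example: outside System32 or not validly signed.
    $suspicious = (-not $inSystem32) -or ($sigStatus -ne 'Valid')

    [pscustomobject]@{
        Helper     = $name
        Path       = $path
        InSystem32 = $inSystem32
        Signature  = $sigStatus
        Suspicious = $suspicious
    }
}
```

Pipe the output to Where-Object Suspicious for a shortlist; cross-check new entries against registry-write telemetry on the same key to catch the add helper event itself.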
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- https://deepwiki.com/grisuno/netsh_helper_dll
- https://deepwiki.com/grisuno/beacon
- https://github.com/grisuno/LazyOwn
- https://grisuno.github.io/LazyOwn/
- https://www.reddit.com/r/LazyOwn/
- https://github.com/grisuno/LazyOwnBT
- https://web.facebook.com/profile.php?id=61560596232150
- https://app.hackthebox.com/teams/overview/6429
- https://app.hackthebox.com/users/1998024
- https://patreon.com/LazyOwn
- https://deepwiki.com/grisuno/ebird3
- https://deepwiki.com/grisuno/hellbird
- https://github.com/grisuno/cgoblin
- https://github.com/grisuno/gomulti_loader
- https://github.com/grisuno/ShadowLink
- https://github.com/grisuno/OverRide
- https://github.com/grisuno/amsi
- https://medium.com/@lazyown.redteam
- https://discord.gg/V3usU8yH
- https://ko-fi.com/Y8Y2Z73AV
- https://medium.com/@lazyown.redteam/black-basalt-beacon-when-your-coff-loader-becomes-a-silent-operator-and-why-thats-by-design-not-4094c92a73a5
- https://github.com/grisuno/LazyOwn/archive/refs/tags/release/0.2.61.tar.gz
