Status: Open. Opened by Aurillium 2 months ago.
Use WCF to create a server and client in C#. The client leverages a new library (C++), which is dynamically linked to it and contains most of the current LunaLoader code. LunaLoader will statically link the same library (enabling it to be used on its own).
The clients and server will run as services on their respective computers. Individual injected programs will still act as their own servers (so the whole service isn't required for using LunaJuice, and LunaLoader can still access processes directly), but these will be used via the main service on each computer, or by LunaLoader. The main server will be able to interact with all clients and client programs (via client) and request an injection into any process on the host. Clients will be identified primarily by hostname and IP for easy integration with SIEM software.
WCF will handle security and make networking simpler, and C# will allow easier access to AD.
Progress update: basic RPC functionality exists, WCF starting soon
All of these features must be added before a release can be created
To increase efficiency and stability, a Windows service could be created which handles all LunaJuice instances on a machine, and can remotely inject into processes if a privileged user asks. This service could also behave like an EDR and do some basic monitoring with configurable rules to set up logging for suspicious activity even before it gets triggered by a SIEM. This way the SIEM handles complex tasks, whereas LunaJuice handles simple tasks and speeds up processing of important events (LunaJuice is a reflex, the SIEM is the brain).
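The design above combines three things: a WCF server/client pair, clients identified by hostname and IP for SIEM correlation, and a per-machine service that applies configurable rules to events and restricts privileged requests to authorized users. The following is an added C# sketch of how those pieces fit together in WCF; it is not LunaJuice or LunaLoader code, and the service name, contract, port, rule list and operator role are assumptions made for the illustration. The event reporting path returns the names of the rules that fired so the result can be logged for a SIEM; the privileged path shows how WCF transport security exposes the caller's Windows (AD) identity for an authorization check.

```csharp
// Added illustration, not project code: a WCF service that registers clients by hostname/IP,
// evaluates monitoring events against configurable rules, and gates a privileged operation
// on the caller's Windows identity (supplied by WCF transport security).
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.Security.Principal;
using System.ServiceModel;

[DataContract]
public class ClientIdentity
{
    [DataMember] public string Hostname { get; set; }
    [DataMember] public string IpAddress { get; set; }
}

[DataContract]
public class MonitoredEvent
{
    [DataMember] public ClientIdentity Source { get; set; }
    [DataMember] public int Pid { get; set; }
    [DataMember] public string ImagePath { get; set; }   // image of the process the event concerns
    [DataMember] public string Action { get; set; }      // constructed label, e.g. "OpenProcess"
}

[ServiceContract]
public interface ILunaService
{
    [OperationContract] void Register(ClientIdentity client);
    [OperationContract] IList<string> ReportEvent(MonitoredEvent evt); // names of rules that fired
    [OperationContract] IList<ClientIdentity> ListClients();            // privileged
}

// A rule is a name plus a predicate. "Configurable" here means the list is built at
// service start; a real deployment would load it from a file or the server.
public class Rule
{
    public string Name;
    public Func<MonitoredEvent, bool> Matches;
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
public class LunaService : ILunaService
{
    // Keyed by hostname + IP so SIEM records can be joined on either field.
    private readonly Dictionary<string, ClientIdentity> clients = new Dictionary<string, ClientIdentity>();

    // Constructed example rules; the paths and actions are placeholders.
    private readonly List<Rule> rules = new List<Rule>
    {
        new Rule { Name = "access-to-protected-process",
                   Matches = e => e.Action == "OpenProcess" &&
                                  e.ImagePath.EndsWith("\\lsass.exe", StringComparison.OrdinalIgnoreCase) },
        new Rule { Name = "image-in-temp-directory",
                   Matches = e => e.ImagePath.IndexOf("\\Temp\\", StringComparison.OrdinalIgnoreCase) >= 0 },
    };

    public void Register(ClientIdentity client)
    {
        // Hostname/IP are client-asserted; the authenticated identity is the transport one.
        string key = client.Hostname + "|" + client.IpAddress;
        clients[key] = client;
        Console.WriteLine("registered {0} from {1}", key, ServiceSecurityContext.Current.WindowsIdentity.Name);
    }

    public IList<string> ReportEvent(MonitoredEvent evt)
    {
        var fired = rules.Where(r => r.Matches(evt)).Select(r => r.Name).ToList();
        // One line per fired rule in a SIEM-friendly key=value layout.
        foreach (var name in fired)
            Console.WriteLine("host={0} ip={1} pid={2} image=\"{3}\" action={4} rule={5}",
                evt.Source.Hostname, evt.Source.IpAddress, evt.Pid, evt.ImagePath, evt.Action, name);
        return fired;
    }

    public IList<ClientIdentity> ListClients()
    {
        RequirePrivileged();
        return clients.Values.ToList();
    }

    // Privileged operations are gated on the caller's AD identity, which WCF transport
    // security with Windows credentials supplies. Administrators is a placeholder role.
    private static void RequirePrivileged()
    {
        var principal = new WindowsPrincipal(ServiceSecurityContext.Current.WindowsIdentity);
        if (!principal.IsInRole(WindowsBuiltInRole.Administrator))
            throw new FaultException("Caller is not authorized for this operation");
    }
}

public static class Program
{
    public static void Main()
    {
        // net.tcp with transport security: mutual Windows authentication and encryption.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        var address = new Uri("net.tcp://localhost:8733/LunaJuice");   // port and path are assumptions
        using (var host = new ServiceHost(typeof(LunaService), address))
        {
            host.AddServiceEndpoint(typeof(ILunaService), binding, "");
            host.Open();
            Console.WriteLine("service listening on {0}; press Enter to stop", address);
            Console.ReadLine();
        }
    }
}
```

Two points worth keeping in mind when filling this in: the hostname and IP in `Register` are whatever the client sends, so any SIEM correlation should also record the authenticated `WindowsIdentity.Name` (or the machine account) rather than trust the asserted fields alone; and the role check belongs on every operation that can change state on a host, not only on the listing shown here.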
Considerations