This channel discusses:

— Offensive Security
— RedTeam
— Malware Research
— OSINT
— etc

Disclaimer:
t.iss.one/APT_Notes/6

Chat Link:
t.iss.one/APT_Notes_PublicChat
jq + grep + fzf + curl = SharpCollection

https://github.com/Flangvik/SharpCollection

alias SharpCollection='print -z `curl -sSL "https://api.github.com/repos/Flangvik/SharpCollection/git/trees/master?recursive=1" | jq -r ".tree[].path" | grep \\.exe | while read line; do echo "curl -sSL https://github.com/Flangvik/SharpCollection/raw/master/$line >"; done | fzf --tac`'

#csharp #collection #tooling
SharpHookCheek

Most EDRs hook Nt and Zw APIs to determine whether a running program has malicious intent. This C#-based script returns a list of the currently hooked APIs.

https://gist.github.com/sbasu7241/4c2640fb6dd5bfdcfac07b83f1648ee0

#edr #hooks #csharp #maldev
RemoteNET

This library lets you examine, create and interact with remote objects in other .NET processes.
It's like System.Runtime.Remoting except the other app doesn't need to be compiled (or consent) to support it.

Basically, this library lets you mess with the objects of any other .NET app without asking for permission.

https://github.com/theXappy/RemoteNET

#csharp #injection #pentest
EDR Parallel-asis through Analysis

A new method for enumerating syscall numbers using the parallel loader.

Research:
https://www.mdsec.co.uk/2022/01/edr-parallel-asis-through-analysis/

C++ Code Snippet:
https://github.com/mdsecactivebreach/ParallelSyscalls

C# Code Snippet:
https://github.com/cube0x0/ParallelSyscalls

#edr #evasion #parallel #csharp
Process Ghosting

This article describes a new executable image tampering attack similar to, but distinct from, Doppelgänging and Herpaderping. With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF).

Research:
https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack

C# Code Snippet:
https://github.com/Wra7h/SharpGhosting

#edr #evasion #process #ghosting #csharp
EDRChecker

Checks running processes and their metadata, the DLLs loaded into your current process and each DLL's metadata, common install directories, installed services and each service binary's metadata, and installed drivers and each driver's metadata, all for the presence of known defensive products such as AVs, EDRs and logging tools.

C#
https://github.com/PwnDexter/SharpEDRChecker

PowerShell
https://github.com/PwnDexter/Invoke-EDRChecker

#edr #checker #csharp #powershell #tools
AppRecoveryCallback Inject

Overwrite a process's recovery callback and invoke a crash to execute

https://github.com/Wra7h/ARCInject

#av #edr #evasion #inject #csharp
🐞 Malware Development for Dummies

In the age of EDR, red team operators cannot get away with using pre-compiled payloads anymore. As such, malware development is becoming a vital skill for any operator. Getting started with maldev may seem daunting, but it is actually very easy. This workshop will show you all you need to get started!

Slides:
https://github.com/chvancooten/maldev-for-dummies/tree/main/Slides

Exercises:
https://github.com/chvancooten/maldev-for-dummies/tree/main/Exercises

#maldev #csharp #nim