Load/Inject .NET assemblies by reusing the CLR AppDomainManager already loaded in the host (spawnto) process, stomping the loader's and the .NET assembly's PE DOS headers, unlinking .NET-related modules from the PEB, bypassing ETW and AMSI, avoiding EDR user-mode hooks via static NT syscalls (x64), and hiding imports by resolving APIs dynamically (by hash).
I'm seeing failures when using the "--stomp-headers" argument. I'm using the following command line: ExecuteAssembly --dotnetassembly /tmp/Seatbelt.exe --unlink-modules --etw --asmi --stomp-headers
Which results in something like this:
[*] Tasked beacon to run: @Args
[*] Tasked beacon to spawn x86 features to: %windir%\SysWOW64\ScriptRunner.exe
[*] Tasked beacon to spawn x64 features to: %windir%\sysnative\ScriptRunner.exe
[*] Tasked beacon to spawn .NET Assembly /tmp/Seatbelt.exe'
[+] host called home, sent: 85 bytes
[+] host called home, sent: 480116 bytes
[+] received output:
[*]:-----------------------------------------
[i]: .NET Assembly Length: 548352 bytes
[+]: Parsing Arguments
[i]: Args count: 1
[+]: Base64 Decoding & Decompressing .NET Assembly...
[+]: Base64 Decoding & Decompressing Done.
[*]:-----------------------------------------
[+]: Patching ETW...
[+]: Retrieving EtwEvenWrite Address from NTDLL...
[+]: NTDLL.DLL Module Base Address: 0xfeea0000
[+]: EtwEvenWrite Export located at Address: 0xfeef2d50
[+]: Patching EtwEvenWrite 0xfeef2d50
[+]: ETW Patchine Done.
[*]:-----------------------------------------
[+]: Enumerating Loaded CLR versions
[+]: Scanning for any loaded modules with the name 'clr', 'mscoree'...
[+] Unlinking CLR related modules from PEB
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
[i]: Module C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
[i]: Module C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
[i]: Module C:\WINDOWS\SYSTEM32\ucrtbase_clr0400.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
[i]: Module C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll
[*]:-----------------------------------------
[+]: Obtaining a handle of the current process: 820
[+]: Scanning for PE DOS Header 'MZ...' pattern...
[i]: 9 PE DOS Headers found.
[+]: Stomping 9 PE DOS headers:
[i]: Stomping MZ Header: 0xbfefeb80
[-]: Not a valid PE DOS Header
[i]: Stomping MZ Header: 0x10009ac0
[i]: Stomping MZ Header: 0x6a7a0009
[i]: Stomping MZ Header: 0x6a7c2ed9
[i]: Stomping MZ Header: 0x6a9e0000
[i]: Stomping MZ Header: 0x6aa03cd0
[i]: Stomping MZ Header: 0x6c50ccb0
[i]: Stomping MZ Header: 0x6c600000
[i]: Stomping MZ Header: 0x6cfd0080
[*]:-----------------------------------------
[!] pMethodInfo->Invoke_3(...) failed, hr = 80131604
[!]: Something went wrong.
If I leave out the --stomp-headers it all works flawlessly.
EDIT: If I switch to the PEB walking method, header stomping works fine.
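The log in the report above comes from a scan for the two-byte 'MZ' pattern followed by a stomp of every hit. Several of the reported addresses (0x6a7a0009, 0x6a7c2ed9, 0x6aa03cd0, 0x6c50ccb0) are not 64 KB aligned, while Windows maps images at 64 KB allocation granularity, so those hits are consistent with 'MZ' byte pairs inside other data rather than module headers; the log itself flags one hit as "Not a valid PE DOS Header". The example below is added here and is not ExecuteAssembly's code or a fix the project ships. It shows the validation a practitioner would apply to each 'MZ' hit before stomping it (e_lfanew in range and pointing at a "PE\0\0" signature, plus the alignment sanity check) and what a zero-fill stomp leaves behind. It is plain C with the Windows struct offsets written out so it builds without windows.h; the sample buffer is constructed, not a real module, and a little-endian host is assumed.

```c
/* Added example, not ExecuteAssembly's own code: validate an "MZ" hit before
 * treating it as a PE DOS header, and show what a header stomp leaves behind.
 * Struct offsets are written out (IMAGE_DOS_HEADER.e_lfanew at 0x3C,
 * IMAGE_NT_HEADERS.Signature at e_lfanew) so this builds without windows.h.
 * Assumes a little-endian host, as on every Windows target. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DOS_SIGNATURE   0x5A4Du     /* "MZ" read as a little-endian uint16 */
#define NT_SIGNATURE    0x00004550u /* "PE\0\0" read as a little-endian uint32 */
#define DOS_HEADER_SIZE 64          /* sizeof(IMAGE_DOS_HEADER) */
#define E_LFANEW_OFFSET 0x3C        /* offsetof(IMAGE_DOS_HEADER, e_lfanew) */

/* Windows maps images at 64 KB allocation granularity. A hit that is not
 * 64 KB aligned cannot be a mapped image base, whatever bytes it starts with. */
int is_plausible_image_base(uintptr_t addr) {
    return (addr & 0xFFFFu) == 0;
}

/* 1 if `region` (readable for `size` bytes) starts with a DOS header whose
 * e_lfanew lands on a PE signature inside the region, else 0. A bare two-byte
 * "MZ" compare is what produces false positives in a memory scan. */
int is_valid_pe_header(const uint8_t *region, size_t size) {
    uint16_t magic;
    int32_t  e_lfanew;
    uint32_t sig;
    if (size < DOS_HEADER_SIZE) return 0;
    memcpy(&magic, region, sizeof magic);
    if (magic != DOS_SIGNATURE) return 0;
    memcpy(&e_lfanew, region + E_LFANEW_OFFSET, sizeof e_lfanew);
    /* The NT headers must follow the DOS header and fit inside the region. */
    if (e_lfanew < DOS_HEADER_SIZE || (size_t)e_lfanew + sizeof sig > size) return 0;
    memcpy(&sig, region + e_lfanew, sizeof sig);
    return sig == NT_SIGNATURE;
}

/* Byte-pattern scan of the kind the log calls "Scanning for PE DOS Header
 * 'MZ...' pattern": record every offset where "MZ" occurs. Returns the count. */
size_t scan_for_mz(const uint8_t *buf, size_t len, size_t *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max_hits; i++)
        if (buf[i] == 'M' && buf[i + 1] == 'Z') hits[n++] = i;
    return n;
}

/* Scan, then keep only the hits that validate as real PE headers. */
size_t count_valid_hits(const uint8_t *buf, size_t len) {
    size_t hits[16], valid = 0;
    size_t n = scan_for_mz(buf, len, hits, 16);
    for (size_t i = 0; i < n; i++)
        if (is_valid_pe_header(buf + hits[i], len - hits[i])) valid++;
    return valid;
}

/* One form of stomping: zero the whole DOS header. Afterwards the image is no
 * longer found by an "MZ" scan and is_valid_pe_header() rejects it. */
void stomp_dos_header(uint8_t *region) {
    memset(region, 0, DOS_HEADER_SIZE);
}

/* Constructed sample, not a real module: a minimal valid header at offset 0
 * (e_lfanew = 0x80 pointing at "PE\0\0") plus a stray "MZ" inside string data
 * at offset 0x100, the kind of hit a raw pattern scan reports. */
#define SAMPLE_LEN   0x200
#define STRAY_MZ_OFF 0x100
void build_sample(uint8_t *buf) {
    int32_t  e_lfanew = 0x80;
    uint32_t sig = NT_SIGNATURE;
    memset(buf, 0xCC, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    memcpy(buf + E_LFANEW_OFFSET, &e_lfanew, sizeof e_lfanew);
    memcpy(buf + e_lfanew, &sig, sizeof sig);
    memcpy(buf + STRAY_MZ_OFF, "MZ is just two bytes", 20);
}

int main(void) {
    uint8_t buf[SAMPLE_LEN];
    size_t hits[16];
    build_sample(buf);
    printf("MZ hits: %zu\n", scan_for_mz(buf, SAMPLE_LEN, hits, 16));
    printf("valid PE headers: %zu\n", count_valid_hits(buf, SAMPLE_LEN));
    printf("0x6a9e0000 plausible base: %d, 0x6a7a0009 plausible base: %d\n",
           is_plausible_image_base(0x6a9e0000u), is_plausible_image_base(0x6a7a0009u));
    stomp_dos_header(buf);
    printf("valid PE headers after stomp: %zu\n", count_valid_hits(buf, SAMPLE_LEN));
    return 0;
}
```

On a live process the same checks would be applied to each hit with VirtualQuery first, so that e_lfanew and the signature are only read from committed, readable pages; reading through an unvalidated e_lfanew is itself a way to crash the host.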
Executeassembly-main\ExecuteAssembly\x86-x64(PEB)\Lib\libz32.lib was created using a different compiler version from other objects, such as Release\gzutil.obj; Use the same compiler to regenerate all objects and library (project: ExecuteAssembly; file: C:\Users\SundayRXWork\ExecuteAssembly\x86-x64(PEB)\ExecuteAssembly\LINK; line 1)