GhostLoader Steps :)
1. Create C:\Tools
2. Copy any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same directory
5. Execute C:\Tools\FileHistory.exe
After a little more research, the 'In Memory' notion turned out to be a little exaggerated (hence the quotes): the compile still touches disk, as the steps below show. We'll call it 'In Memory Inspired' ;-)
These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.
Basic gist after running the PS script statements:
- Loads the C# project from a file or web URL
- Creates various tmp files
- Compiles with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
- Converts resources to COFF with cvtres.exe [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"]
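To see that disk footprint for yourself, here is an added PowerShell example (not one of the gist's scripts) that compiles a C# fragment through the same CodeDOM pipeline Add-Type and those scripts use, keeps the temp files instead of letting CodeDOM delete them, and lists them. The Probe class and the use of $env:TEMP are my choices, not the gist's.

```powershell
# Added example (not from the gist): compile C# through CodeDOM, the same path Add-Type
# and the scripts above take, and keep the temp files so the "in memory" claim can be checked.
# Targets Windows PowerShell 5.1 / .NET Framework, where CodeDOM shells out to csc.exe.
$source = @'
public static class Probe {
    public static string Hello(string who) { return "Hello, " + who; }
}
'@

$provider = [System.CodeDom.Compiler.CodeDomProvider]::CreateProvider('CSharp')
$params   = New-Object System.CodeDom.Compiler.CompilerParameters
$params.GenerateInMemory   = $true      # the assembly is loaded from the compiled bytes...
$params.GenerateExecutable = $false
# ...but csc.exe still needs a .cs source, a .cmdline response file and an output .dll on disk.
# keepFiles = $true stops CodeDOM from deleting them once the assembly is loaded.
$params.TempFiles = New-Object System.CodeDom.Compiler.TempFileCollection($env:TEMP, $true)
$null = $params.ReferencedAssemblies.Add('System.dll')

$result = $provider.CompileAssemblyFromSource($params, [string[]]@($source))
if ($result.Errors.HasErrors) {
    $result.Errors | ForEach-Object { Write-Error $_.ErrorText }
    return
}

# Use the freshly compiled type from the in-memory assembly
$probe = $result.CompiledAssembly.GetType('Probe')
$probe.GetMethod('Hello').Invoke($null, @('subTee'))

# The on-disk footprint of the "in memory" compile: these are the .cs/.cmdline/.dll paths
# that a csc.exe process-creation log (Sysmon, ETW) will point at.
$result.TempFiles | ForEach-Object { Get-Item $_ -ErrorAction SilentlyContinue } |
    Select-Object Name, Length, LastWriteTime
```

Run it from powershell.exe (Windows PowerShell), not pwsh: on .NET Core the CodeDOM C# provider throws PlatformNotSupportedException for compilation. Each run also spawns a csc.exe child with a /noconfig /fullpaths @...cmdline command line like the one in the list above, which is the cheap detection hook for this whole family of scripts.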
//Unload .NET runtime modules (DLLs) with DInvoke [by @theWover]
//https://github.com/TheWover/DInvoke
/*
// License -> https://github.com/TheWover/DInvoke/blob/main/LICENSE
MIT License
Copyright (c) 2020 TheWover
Permission is hereby granted, free of charge, to any person obtaining a copy
//A Quick POC for monitoring .NET Assembly Load Events with ETW
// References:
// - Microsoft CLR Provider: https://docs.microsoft.com/en-us/dotnet/framework/performance/clr-etw-providers
// - ETW Assembly Load Events: https://docs.microsoft.com/en-us/dotnet/framework/performance/loader-etw-events
// - Source Code Sample: https://github.com/microsoft/perfview/blob/master/src/TraceEvent/Samples/31_KernelAndClrMonitor.cs
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;
using System;
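The same Loader events can be captured without the TraceEvent library, using the ETW tooling that ships with Windows. The following is an added PowerShell example, not the gist's C# POC; the provider GUID, Loader keyword and AssemblyLoad_V1 event ID/field layout are taken from the CLR ETW docs referenced above and are assumptions to verify on your build, and the session name and trace path are mine.

```powershell
# Added example (not the gist's C# POC): capture CLR assembly-load events with the built-in
# ETW tooling and parse them from PowerShell, no TraceEvent library needed.
# Assumptions (mine, from the CLR ETW docs referenced above; verify on your build):
#   - provider Microsoft-Windows-DotNETRuntime = {e13c0d23-ccbc-4e12-931b-d9cc2eee27e4}
#   - Loader keyword = 0x8; AssemblyLoad_V1 = event ID 154, FullyQualifiedAssemblyName is its 5th field
# Needs an elevated prompt (ETW sessions) and Windows PowerShell 5.1 (a managed host).
$Session     = 'ClrLoaderProbe'                      # session name (mine)
$TraceFile   = Join-Path $env:TEMP 'clr-loader.etl'  # trace path (mine)
$ClrProvider = '{e13c0d23-ccbc-4e12-931b-d9cc2eee27e4}'

# 1. Start a session that writes Loader events (keyword 0x8, level 5) to an .etl file
logman create trace $Session -p $ClrProvider 0x8 0x5 -o $TraceFile -ets | Out-Null

# 2. Cause some loads in this process: Add-Type compiles and loads a brand-new assembly
#    (a random class name avoids "type already exists" on re-runs)
$typeName = 'Probe' + (Get-Random -Maximum 99999)
Add-Type -TypeDefinition "public static class $typeName { public static int One() { return 1; } }"

# 3. Stop the session (flushes the buffers) and read the trace back
logman stop $Session -ets | Out-Null
Get-WinEvent -Path $TraceFile -Oldest |
    Where-Object {
        $_.ProviderName -eq 'Microsoft-Windows-DotNETRuntime' -and
        $_.Id -eq 154 -and            # AssemblyLoad_V1
        $_.ProcessId -eq $PID         # only this PowerShell process
    } |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            PID      = $_.ProcessId
            Assembly = $_.Properties[4].Value   # FullyQualifiedAssemblyName
        }
    } | Format-Table -AutoSize
```

Drop the $PID filter to see every managed process on the box; left running, the same session gives you the assembly names loaded into hosts that should never host the CLR, which is the detection angle the C# POC above is after.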
' Auto-runs when the workbook is opened (macros must be enabled)
Sub Workbook_Open()
RunMe
End Sub
' Evaluate JScript via the Microsoft Script Control (msscript.ocx).
' The control only ships as 32-bit, so this fails under 64-bit Office.
Function RunMe()
Dim ScriptEngine
Set ScriptEngine = CreateObject("MSScriptControl.ScriptControl")
ScriptEngine.Language = "JScript"
ScriptEngine.Eval ("var shell = new ActiveXObject('WScript.Shell');shell.Popup('text');")
End Function
#include "pch.h"
#include <windows.h>
// C linkage keeps the export name undecorated (HelloWorld, not a C++ mangled name)
#define EXPORT extern "C" __declspec(dllexport)
EXPORT void HelloWorld()
{
MessageBoxW(0, L"Hello World!", 0, 0);
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
// Nothing to do on attach/detach; the work lives in the exported function
return TRUE;
}
<!-- Inline C# task via CodeTaskFactory; run with msbuild.exe <thisfile> -->
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="HelloWorld" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        <![CDATA[Console.WriteLine(":-) CSHARP :-)");]]>
      </Code>
    </Task>
  </UsingTask>
  <Target Name="Build">
    <HelloWorld />
  </Target>
</Project>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
  <Target Name="Hello" >
    <!-- Call ANY .NET API -->
    <!--
    Author: Casey Smith, Twitter: @subTee
    License: BSD 3-Clause
    -->
  </Target>
</Project>
041e868e-0c7d-48c6-965f-5fd576530e5b
0438c02b-eb9c-4e42-81ad-407f6cd6cde1
078b1f7d-c34c-4b13-a7c3-9663901650f1
0abb2961-2cc1-4f1d-be8e-9d330d06b77d
0d7237e6-930f-4682-ad0a-52ebffd3aee3
0d972387-817b-46e7-913f-e9993ff401eb
0e770b12-7221-4a5d-86ee-77310a5506bb
0fa57208-5100-4cd6-955c-fe69f8898973
1080a020-2b47-4da9-8095-dbc9cefffc04
10cf2e12-1681-4c53-adc0-932c84832cd8
- Abandoned COM Discovery Script.
- Makes a few assumptions, needs refinement (e.g. doesn't account for all extensions)
# Lists COM classes whose registered server binary no longer exists on disk
# (orphaned CLSIDs are hijack candidates: drop a binary at the missing path).
function Get-MissingComServer {
    param([string]$Server)   # LocalServer | LocalServer32 | InprocServer | InprocServer32
    $clsids = @{}
    # Relative server paths in the registry resolve against system32, so Test-Path from there
    Set-Location (Join-Path $env:windir 'system32')
    $srv = Get-WmiObject Win32_COMSetting | Where-Object { $_.$Server -ne $null }
    $srv | ForEach-Object { $clsids[$_.ComponentId] = $_.$Server }
    foreach ($clsid in $clsids.Keys) {
        $p = [Environment]::ExpandEnvironmentVariables($clsids[$clsid]).Replace('"', '')
        # Strip any arguments after the executable (e.g. "foo.exe /automation")
        if ($p.Contains('.exe ')) { $p = $p.Substring(0, $p.IndexOf('.exe')) + '.exe' }
        if (-not (Test-Path $p)) { "$clsid | $Server | $p" }
    }
}
'LocalServer', 'LocalServer32', 'InprocServer', 'InprocServer32' | ForEach-Object { Get-MissingComServer $_ }