Assembly Byte Embedding & Reflection

This is a follow-up to my previous article on the basics of reflection. It is very common to see an encoded, encrypted or archived payload stored within a malware stager and deployed at runtime using reflection. The stored payload is an array of bytes representing the assembly in its raw form. Recall that in the .NET universe an assembly can be either a managed executable or a managed DLL. Another important point to keep in mind is that assembly loading, as discussed in the previous post, applies only to managed assemblies.

In this article we will implement a very common deployment strategy used by malware authors to deploy final payloads or stagers.

Takeaways

  • Understanding the concept of reflection helps in building custom tools for red teaming.
  • It helps answer the question "how to think like an adversary?"
  • It shows how important it is for security professionals to do MA&RE [malware analysis & reverse engineering] to obtain threat intelligence in terms of TTPs [Tactics, Techniques, Procedures] and engineer better detection models.

Objective

  • Convert a managed DLL into a byte array
  • Load the byte array [assembly] via reflection
  • Execute the target method

Byte embedding

In this section, we will be using the same DLL used in the previous post. To convert a file into byte data, we will use PowerShell for convenience.

PowerShell

# method 01 (Windows PowerShell 5.1; PowerShell 7 removed -Encoding Byte in favour of -AsByteStream)
Get-Content -Path 'Path\to\your.dll' -Encoding Byte >> bytes.txt
# method 02 (works in every PowerShell version; appends one byte value per line)
[System.IO.File]::ReadAllBytes('Path\to\your.dll') >> bytes.txt

Both methods produce the same result. The "bytes.txt" file now contains the byte data, but we need to do some processing on it before assigning it to a byte array in the C# loader: each byte must be separated by a comma. One easy way to do this is this online tool! Paste the entire contents of "bytes.txt" into the "Text to edit:" area, select the custom radio button and enter a comma in the field. Now you are ready to generate the comma-separated data.

C# Loader

Now we are ready to code the same loader as in the previous post. The only difference is the way the assembly is loaded: as a byte array instead of pointing at the DLL on disk with the LoadFile() method. Here we will use the Load() method of the Assembly type to load the byte[ ].

byte[] bytes = {}; //insert comma separated data inside {}

This is how the array will look if everything goes well 🙂 .

byte[] bytes = { 77, 90, 144, 0, 3, 0, 0, 0, 4, 0, 0, 0, 255, 255, 0, 0, 184, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128, 0, 0, 0, 14, 31, 186, 14, 0, 180, 9, 205, 33, 184, 1, 76, 205, 33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, 110, 110, 111, 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, 79, 83, 32, 109, 111, 100, 101, 46, 13, 13, 10, 36, 0, 0, 0, 0, 0, 0, 0, 80, 69, 0, 0, 76, 1, 3, 0, 151, 163, 217, 249, 0, 0, 0, 0, 0, 0, 0, 0, 224, 0, 34, 32, 11, 1, 48, 0, 0, 8, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 78, 38, 0, 0, 0, 32, 0, 0, 0, 64, 0, 0, 0, 0, 0, 16, 0, 32, 0, 0, 0, 2, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 128, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 3, 0, 96, 133, 0, 0, 16, 0, 0, 16, 0, 0, 0, 0, 16, 0, 0, 16, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 250, 37, 0, 0, 79, 0, 0, 0, 0, 64, 0, 0, 244, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 96, 0, 0, 12, 0, 0, 0, 44, 37, 0, 0, 84, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 32, 0, 0, 72, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, 116, 101, 120, 116, 0, 0, 0, 84, 6, 0, 0, 0, 32, 0, 0, 0, 8, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 96, 46, 114, 115, 114, 99, 0, 0, 0, 244, 2, 0, 0, 0, 64, 0, 0, 0, 4, 0, 0, 0, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 64, 46, 114, 101, 108, 111, 99, 0, 0, 12, 0, 0, 0, 0, 96, 0, 0, 0, 2, 0, 0, 0, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 66, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, 38, 0, 0, 0, 0, 0, 0, 72, 0, 0, 0, 2, 0, 5, 0, 100, 32, 0, 0, 200, 4, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, 114, 1, 
0, 0, 112, 40, 11, 0, 0, 10, 42, 30, 2, 40, 12, 0, 0, 10, 42, 66, 83, 74, 66, 1, 0, 1, 0, 0, 0, 0, 0, 12, 0, 0, 0, 118, 52, 46, 48, 46, 51, 48, 51, 49, 57, 0, 0, 0, 0, 5, 0, 108, 0, 0, 0, 140, 1, 0, 0, 35, 126, 0, 0, 248, 1, 0, 0, 228, 1, 0, 0, 35, 83, 116, 114, 105, 110, 103, 115, 0, 0, 0, 0, 220, 3, 0, 0, 32, 0, 0, 0, 35, 85, 83, 0, 252, 3, 0, 0, 16, 0, 0, 0, 35, 71, 85, 73, 68, 0, 0, 0, 12, 4, 0, 0, 188, 0, 0, 0, 35, 66, 108, 111, 98, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 1, 71, 20, 0, 0, 9, 0, 0, 0, 0, 250, 1, 51, 0, 22, 0, 0, 1, 0, 0, 0, 13, 0, 0, 0, 2, 0, 0, 0, 2, 0, 0, 0, 12, 0, 0, 0, 10, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 0, 0, 110, 1, 1, 0, 0, 0, 0, 0, 6, 0, 228, 0, 169, 1, 6, 0, 54, 1, 169, 1, 6, 0, 62, 0, 150, 1, 15, 0, 201, 1, 0, 0, 6, 0, 105, 0, 84, 1, 6, 0, 29, 1, 126, 1, 6, 0, 197, 0, 126, 1, 6, 0, 130, 0, 126, 1, 6, 0, 159, 0, 126, 1, 6, 0, 4, 1, 126, 1, 6, 0, 82, 0, 126, 1, 6, 0, 216, 1, 119, 1, 10, 0, 29, 0, 119, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 16, 0, 223, 1, 10, 0, 49, 0, 1, 0, 1, 0, 80, 32, 0, 0, 0, 0, 134, 0, 15, 0, 6, 0, 1, 0, 92, 32, 0, 0, 0, 0, 134, 24, 144, 1, 6, 0, 1, 0, 9, 0, 144, 1, 1, 0, 17, 0, 144, 1, 6, 0, 25, 0, 144, 1, 10, 0, 41, 0, 144, 1, 16, 0, 49, 0, 144, 1, 16, 0, 57, 0, 144, 1, 16, 0, 65, 0, 144, 1, 16, 0, 73, 0, 144, 1, 16, 0, 81, 0, 144, 1, 16, 0, 89, 0, 144, 1, 16, 0, 105, 0, 52, 0, 21, 0, 97, 0, 144, 1, 6, 0, 46, 0, 11, 0, 35, 0, 46, 0, 19, 0, 44, 0, 46, 0, 27, 0, 75, 0, 46, 0, 35, 0, 84, 0, 46, 0, 43, 0, 138, 0, 46, 0, 51, 0, 148, 0, 46, 0, 59, 0, 161, 0, 46, 0, 67, 0, 174, 0, 46, 0, 75, 0, 138, 0, 46, 0, 83, 0, 138, 0, 4, 128, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 26, 0, 37, 0, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 26, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 60, 77, 111, 100, 117, 108, 101, 62, 0, 76, 105, 98, 84, 0, 77, 101, 116, 104, 111, 100, 0, 83, 121, 115, 116, 101, 109, 46, 67, 111, 110, 115, 111, 108, 101, 0, 83, 121, 115, 116, 101, 109, 46, 82, 
117, 110, 116, 105, 109, 101, 0, 87, 114, 105, 116, 101, 76, 105, 110, 101, 0, 68, 101, 98, 117, 103, 103, 97, 98, 108, 101, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 84, 105, 116, 108, 101, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 84, 97, 114, 103, 101, 116, 70, 114, 97, 109, 101, 119, 111, 114, 107, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 70, 105, 108, 101, 86, 101, 114, 115, 105, 111, 110, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 73, 110, 102, 111, 114, 109, 97, 116, 105, 111, 110, 97, 108, 86, 101, 114, 115, 105, 111, 110, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 67, 111, 110, 102, 105, 103, 117, 114, 97, 116, 105, 111, 110, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 67, 111, 109, 112, 105, 108, 97, 116, 105, 111, 110, 82, 101, 108, 97, 120, 97, 116, 105, 111, 110, 115, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 80, 114, 111, 100, 117, 99, 116, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 65, 115, 115, 101, 109, 98, 108, 121, 67, 111, 109, 112, 97, 110, 121, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 82, 117, 110, 116, 105, 109, 101, 67, 111, 109, 112, 97, 116, 105, 98, 105, 108, 105, 116, 121, 65, 116, 116, 114, 105, 98, 117, 116, 101, 0, 83, 121, 115, 116, 101, 109, 46, 82, 117, 110, 116, 105, 109, 101, 46, 86, 101, 114, 115, 105, 111, 110, 105, 110, 103, 0, 76, 105, 98, 84, 46, 100, 108, 108, 0, 83, 121, 115, 116, 101, 109, 0, 83, 121, 115, 116, 101, 109, 46, 82, 101, 102, 108, 101, 99, 116, 105, 111, 110, 0, 46, 99, 116, 111, 114, 0, 83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 0, 83, 121, 115, 116, 101, 109, 46, 82, 117, 110, 116, 105, 109, 101, 46, 67, 111, 109, 112, 105, 108, 101, 114, 83, 101, 114, 118, 105, 99, 101, 115, 0, 68, 101, 98, 117, 103, 103, 105, 110, 103, 77, 111, 100, 101, 115, 0, 
79, 98, 106, 101, 99, 116, 0, 84, 101, 115, 116, 0, 0, 29, 77, 0, 101, 0, 116, 0, 104, 0, 111, 0, 100, 0, 32, 0, 73, 0, 110, 0, 118, 0, 111, 0, 107, 0, 101, 0, 100, 0, 0, 0, 144, 218, 74, 23, 168, 155, 195, 76, 159, 9, 238, 162, 39, 177, 15, 98, 0, 4, 32, 1, 1, 8, 3, 32, 0, 1, 5, 32, 1, 1, 17, 17, 4, 32, 1, 1, 14, 4, 0, 1, 1, 14, 8, 176, 63, 95, 127, 17, 213, 10, 58, 8, 1, 0, 8, 0, 0, 0, 0, 0, 30, 1, 0, 1, 0, 84, 2, 22, 87, 114, 97, 112, 78, 111, 110, 69, 120, 99, 101, 112, 116, 105, 111, 110, 84, 104, 114, 111, 119, 115, 1, 8, 1, 0, 2, 0, 0, 0, 0, 0, 53, 1, 0, 24, 46, 78, 69, 84, 67, 111, 114, 101, 65, 112, 112, 44, 86, 101, 114, 115, 105, 111, 110, 61, 118, 53, 46, 48, 1, 0, 84, 14, 20, 70, 114, 97, 109, 101, 119, 111, 114, 107, 68, 105, 115, 112, 108, 97, 121, 78, 97, 109, 101, 0, 9, 1, 0, 4, 76, 105, 98, 84, 0, 0, 12, 1, 0, 7, 82, 101, 108, 101, 97, 115, 101, 0, 0, 12, 1, 0, 7, 49, 46, 48, 46, 48, 46, 48, 0, 0, 10, 1, 0, 5, 49, 46, 48, 46, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 66, 132, 65, 243, 0, 1, 77, 80, 2, 0, 0, 0, 83, 0, 0, 0, 128, 37, 0, 0, 128, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 19, 0, 0, 0, 39, 0, 0, 0, 211, 37, 0, 0, 211, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 82, 83, 68, 83, 226, 253, 212, 114, 163, 93, 141, 70, 181, 167, 26, 34, 82, 78, 198, 105, 1, 0, 0, 0, 67, 58, 92, 85, 115, 101, 114, 115, 92, 65, 68, 75, 92, 115, 111, 117, 114, 99, 101, 92, 114, 101, 112, 111, 115, 92, 76, 105, 98, 84, 92, 111, 98, 106, 92, 82, 101, 108, 101, 97, 115, 101, 92, 110, 101, 116, 53, 46, 48, 92, 76, 105, 98, 84, 46, 112, 100, 98, 0, 83, 72, 65, 50, 53, 54, 0, 226, 253, 212, 114, 163, 93, 141, 70, 245, 167, 26, 34, 82, 78, 198, 105, 66, 132, 65, 115, 71, 126, 19, 224, 171, 7, 155, 149, 141, 220, 189, 74, 34, 38, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 60, 38, 0, 0, 0, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 46, 38, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 95, 67, 111, 114, 68, 108, 108, 77, 97, 
105, 110, 0, 109, 115, 99, 111, 114, 101, 101, 46, 100, 108, 108, 0, 0, 0, 0, 0, 0, 0, 255, 37, 0, 32, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 16, 0, 0, 0, 24, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 48, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 72, 0, 0, 0, 88, 64, 0, 0, 152, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 152, 2, 52, 0, 0, 0, 86, 0, 83, 0, 95, 0, 86, 0, 69, 0, 82, 0, 83, 0, 73, 0, 79, 0, 78, 0, 95, 0, 73, 0, 78, 0, 70, 0, 79, 0, 0, 0, 0, 0, 189, 4, 239, 254, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 63, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 68, 0, 0, 0, 1, 0, 86, 0, 
97, 0, 114, 0, 70, 0, 105, 0, 108, 0, 101, 0, 73, 0, 110, 0, 102, 0, 111, 0, 0, 0, 0, 0, 36, 0, 4, 0, 0, 0, 84, 0, 114, 0, 97, 0, 110, 0, 115, 0, 108, 0, 97, 0, 116, 0, 105, 0, 111, 0, 110, 0, 0, 0, 0, 0, 0, 0, 176, 4, 248, 1, 0, 0, 1, 0, 83, 0, 116, 0, 114, 0, 105, 0, 110, 0, 103, 0, 70, 0, 105, 0, 108, 0, 101, 0, 73, 0, 110, 0, 102, 0, 111, 0, 0, 0, 212, 1, 0, 0, 1, 0, 48, 0, 48, 0, 48, 0, 48, 0, 48, 0, 52, 0, 98, 0, 48, 0, 0, 0, 42, 0, 5, 0, 1, 0, 67, 0, 111, 0, 109, 0, 112, 0, 97, 0, 110, 0, 121, 0, 78, 0, 97, 0, 109, 0, 101, 0, 0, 0, 0, 0, 76, 0, 105, 0, 98, 0, 84, 0, 0, 0, 0, 0, 50, 0, 5, 0, 1, 0, 70, 0, 105, 0, 108, 0, 101, 0, 68, 0, 101, 0, 115, 0, 99, 0, 114, 0, 105, 0, 112, 0, 116, 0, 105, 0, 111, 0, 110, 0, 0, 0, 0, 0, 76, 0, 105, 0, 98, 0, 84, 0, 0, 0, 0, 0, 48, 0, 8, 0, 1, 0, 70, 0, 105, 0, 108, 0, 101, 0, 86, 0, 101, 0, 114, 0, 115, 0, 105, 0, 111, 0, 110, 0, 0, 0, 0, 0, 49, 0, 46, 0, 48, 0, 46, 0, 48, 0, 46, 0, 48, 0, 0, 0, 50, 0, 9, 0, 1, 0, 73, 0, 110, 0, 116, 0, 101, 0, 114, 0, 110, 0, 97, 0, 108, 0, 78, 0, 97, 0, 109, 0, 101, 0, 0, 0, 76, 0, 105, 0, 98, 0, 84, 0, 46, 0, 100, 0, 108, 0, 108, 0, 0, 0, 0, 0, 40, 0, 2, 0, 1, 0, 76, 0, 101, 0, 103, 0, 97, 0, 108, 0, 67, 0, 111, 0, 112, 0, 121, 0, 114, 0, 105, 0, 103, 0, 104, 0, 116, 0, 0, 0, 32, 0, 0, 0, 58, 0, 9, 0, 1, 0, 79, 0, 114, 0, 105, 0, 103, 0, 105, 0, 110, 0, 97, 0, 108, 0, 70, 0, 105, 0, 108, 0, 101, 0, 110, 0, 97, 0, 109, 0, 101, 0, 0, 0, 76, 0, 105, 0, 98, 0, 84, 0, 46, 0, 100, 0, 108, 0, 108, 0, 0, 0, 0, 0, 42, 0, 5, 0, 1, 0, 80, 0, 114, 0, 111, 0, 100, 0, 117, 0, 99, 0, 116, 0, 78, 0, 97, 0, 109, 0, 101, 0, 0, 0, 0, 0, 76, 0, 105, 0, 98, 0, 84, 0, 0, 0, 0, 0, 48, 0, 6, 0, 1, 0, 80, 0, 114, 0, 111, 0, 100, 0, 117, 0, 99, 0, 116, 0, 86, 0, 101, 0, 114, 0, 115, 0, 105, 0, 111, 0, 110, 0, 0, 0, 49, 0, 46, 0, 48, 0, 46, 0, 48, 0, 0, 0, 56, 0, 8, 0, 1, 0, 65, 0, 115, 0, 115, 0, 101, 0, 109, 0, 98, 0, 108, 0, 121, 0, 32, 0, 86, 0, 101, 0, 114, 0, 115, 0, 105, 0, 111, 0, 110, 0, 0, 0, 49, 0, 
46, 0, 48, 0, 46, 0, 48, 0, 46, 0, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 12, 0, 0, 0, 80, 54, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

For reference, the byte array above is the compiled form of the following C# code (the DLL's method is named Method, which is the name the loader looks up below).

using System;
namespace LibT
{
  public class Test
  {
   public void Method()
   {
     Console.WriteLine("Method Invoked");
   }
  }
}

Reflection

Since the DLL is now held in a byte array, we can load it into memory using the Load() method of the Assembly class, defined in the System.Reflection namespace.

Assembly assembly = Assembly.Load(bytes);

After the assembly is loaded, you can use the same code as in the previous post to reproduce the output. In the current DLL the namespace has changed to LibT, so adjust the type name accordingly!

Complete Code

using System;
using System.Reflection;

namespace Loader
{
    class Program
    {
        static void Main(string[] args)
        {
          byte[] bytes = { 77, 90, 144, 0, 3, 0, 0, 0, 4, 0, 0, 0,
          255, 255, 0,..TRUNCATED...,0,0};

          Assembly assembly = Assembly.Load(bytes); // Load the managed assembly directly from memory, no file on disk
          Type t = assembly.GetType("LibT.Test"); // Obtaining type information at runtime using reflection
          object obj = Activator.CreateInstance(t); // Creating an instance of the type t
          MethodInfo meth = t.GetMethod("Method"); // Obtaining method information at runtime using reflection (name is case-sensitive)
          meth.Invoke(obj, null); // Calling Invoke on the MethodInfo object meth to execute LibT.Test.Method()
        }
    }
}
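A defender-side check for the technique this post walks through, added here as an example that is not part of the original post: it pulls every byte[] initializer out of C# source text, rebuilds the bytes, and inspects them for the MZ/PE headers and for a non-empty CLR runtime header (PE data directory entry 14), which is what distinguishes a managed assembly that Assembly.Load() will accept from a native image. The PE headers it scans are constructed in-line by build_sample_pe, a hypothetical helper, rather than taken from the post's LibT.dll.

```python
import re
import struct

# Matches a C# byte[] initializer such as the loader's `byte[] bytes = { 77, 90, ... };`
_LITERAL_RE = re.compile(r"byte\s*\[\s*\]\s*\w+\s*=\s*\{([^}]*)\}")
_NUM_RE = re.compile(r"0[xX][0-9A-Fa-f]+|\d+")

def extract_byte_literals(source: str) -> list[bytes]:
    """Decode every byte[] initializer in C# source text into raw bytes."""
    blobs = []
    for m in _LITERAL_RE.finditer(source):
        nums = [int(x, 16) if x[:2].lower() == "0x" else int(x) for x in _NUM_RE.findall(m.group(1))]
        if nums and all(0 <= n <= 255 for n in nums):
            blobs.append(bytes(nums))
    return blobs

def classify_blob(data: bytes) -> dict:
    """Check a blob for a PE image and for the CLR header that marks it as managed."""
    info = {"is_pe": False, "is_managed": False, "clr_rva": 0}
    if len(data) < 0x40 or data[:2] != b"MZ":            # "MZ" is the 77, 90 the array starts with
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    opt = e_lfanew + 24                                    # past PE signature (4) + COFF header (20)
    if len(data) < opt + 2:
        return info
    magic = struct.unpack_from("<H", data, opt)[0]
    clr = opt + (0x60 if magic == 0x10B else 0x70) + 14 * 8  # data directory entry 14: CLR runtime header
    if len(data) >= clr + 8:
        rva, size = struct.unpack_from("<II", data, clr)
        info["is_managed"] = rva != 0 and size != 0
        info["clr_rva"] = rva
    return info

def scan_source(source: str) -> list[dict]:
    """Classify every byte[] literal found in a C# source file."""
    return [classify_blob(b) for b in extract_byte_literals(source)]

def build_sample_pe(managed: bool) -> bytes:
    """Constructed minimal PE32 header set (not a real assembly) used only for this demo."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                # e_lfanew -> PE signature at 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x10B)               # PE32 optional header magic
    if managed:
        struct.pack_into("<II", img, 0x98 + 0x60 + 14 * 8, 0x2008, 0x48)  # CLR header RVA / size
    return bytes(img)

# Constructed stand-in for a loader source file: one embedded image, one harmless array.
SAMPLE_SOURCE = ("byte[] bytes = { " + ", ".join(str(b) for b in build_sample_pe(True)) + " };\n"
                 "byte[] key = { 1, 2, 3, 4 };\n")
```

Run scan_source over a suspect source file (or over the page's own array) and flag any literal that comes back with is_managed set; short arrays such as keys or nonces are left alone.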

Output

[screenshot of the loader's console output]

In this post, we have seen a common deployment model used by malware to execute a payload in memory at runtime and evade security detections. Reflection is a very interesting and powerful technique: developers use it for testing and other deployment purposes, while adversaries use it to deploy malware. We will see more advanced tactics using reflection in coming posts!

Till then,
CHEERIOS 🙂
