- Memory Hiding Technique Series: Gargoyle
Introduction: As reflective loading has become the staple vector for staging malware, adversaries rely on in-memory payloads to ensure both operational security and evasion in the post-exploitation phase. To counter this, we have quite a few robust tools, such as Moneta and PE-sieve, that scan memory to catch active beacons/agents hidden inside running…
- Tale of Hosting .NET in unmanaged code Part 0x3: HavocFramework
Recap: We are wrapping up the "Tale of Hosting .NET" series by covering the implementation details of the InlineAssembly-Execute feature in C5pider's HavocFramework. This post reiterates everything we saw in the earlier post (Part 2), so make sure you read it, because going forward we do not go into depth; rather we are going…
- Tale of Hosting .NET in unmanaged code Part 0x2: In-Memory Execution
Background: In the previous post, we implemented a basic host program that could load the CLR and execute an assembly. The issue with that approach is how the .NET assembly is loaded: we loaded it from disk and required additional information, such as the type and method name, to be passed in. In this post we will…