Inject .NET assemblies into an existing process

Overview

inject-assembly - Execute .NET in an Existing Process

This tool is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly.

There are two components of inject-assembly:

  1. BOF initializer: A small program responsible for injecting the assembly loader into a remote process with any arguments passed. It uses BeaconInjectProcess to perform the injection, meaning this behavior can be customized in a Malleable C2 profile or with process injection BOFs (as of version 4.5).

  2. PIC assembly loader: The bulk of the project. The loader will initialize the .NET runtime, load the provided assembly, and execute the assembly. The loader will create a new AppDomain in the target process so that the loaded assembly can be totally unloaded when execution is complete.

Communication between the remote process and Beacon occurs through a named pipe. The Aggressor script generates a pipe name and then passes it to the BOF initializer.

Notable Features

  • Patches Environment.Exit() to prevent the remote process from exiting.
  • .NET assembly header stomping (MZ bytes, e_lfanew, DOS Header, Rich Text, PE Header).
  • Random pipe name generation based on SourcePoint.
  • No blocking of the Beacon, even if the assembly is loaded into the current process.

Usage

Download and load the inject-assembly.cna Aggressor script into Cobalt Strike. You can then execute assemblies using the following command:

inject-assembly pid assembly [args...]

Specify 0 as the PID to execute in the current Beacon process.

It is recommended to use another tool, like FindObjects-BOF, to locate a process that already loads the .NET runtime, but this is not a requirement for inject-assembly to function.

Warnings

  • Currently only supports x64 remote processes.
  • There are several checks throughout the program to reduce the likelihood of crashing the remote process, but it could still happen.
  • The default Cobalt Strike process injection may get you caught. Consider a custom injection BOF or UDRL IAT hook.
  • Some assemblies rely on Environment.Exit() to finish executing. This will prevent the loader's cleanup phase from occurring, but you can still disconnect the named pipe using jobkill.
  • Uncomment lines 3 or 4 of scmain.c to enable error or verbose modes, respectively. These are disabled by default to reduce the shellcode size.

References

This project would not have been possible without the following projects:

Other features and inspiration were taken from the following resources:

You might also like...
Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file
Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file

Process Ghosting This is my implementation of the technique presented by Gabriel Landau: https://www.elastic.co/blog/process-ghosting-a-new-executable

C++ POC to write addintional credentials into LSASS process

LSASS_Injection_CreateProcessWithLogonW C++ POC to write addintional credentials into LSASS process Usage: LSASS_Injection_CreateProcessWithLogonW USE

GlueGD is a mod loader for Geometry Dash that does not require a modification to any existing Geometry Dash files or an external injector or launcher.

GlueGD is a mod loader for Geometry Dash that does not require a modification to any existing Geometry Dash files or an external injector or la

This repo does not contain any skins that work by themselves, but rather addons to already existing skins like CakeOS and Polybar
This repo does not contain any skins that work by themselves, but rather addons to already existing skins like CakeOS and Polybar

Rainmeter-addons ⚠ This repo does not contain any skins that work by themselves, but rather addons to already existing skins like CakeOS and Polybar E

Acrylic effect for all existing Win32 context menus
Acrylic effect for all existing Win32 context menus

AcrylicMenus This is a proof-of-concept tiny application that applies acrylic effect to almost all existing Win32 context menus on Windows 10 and Wind

Spin-off component from existing IBM/mcas open source project

PyMM PyMM is a python library that allows the storing and manipulation of existing heavily used types such as Numpy ndarray and PyTorch on Persistent

mold is a faster drop-in replacement for existing Unix linkers
mold is a faster drop-in replacement for existing Unix linkers

mold: A Modern Linker mold is a faster drop-in replacement for existing Unix linkers. It is several times faster than LLVM lld linker, the second-fast

x64 Windows kernel driver mapper, inject unsigned driver using anycall
x64 Windows kernel driver mapper, inject unsigned driver using anycall

anymapper x64 Windows kernel driver mapper, inject unsigned driver using anycall This project is WIP. Todo Fix: Can't make API calls from IAT nor func

Code Injection, Inject malicious payload via pagetables pml4.
Code Injection, Inject malicious payload via pagetables pml4.

PageTableInjection Code Injection, Inject malicious payload via pagetables pml4. Introduction This is just a proof-of-concept of the page table inject

Comments
  • Console Windows Host - spawned every injection

    Console Windows Host - spawned every injection

    First off - great tool. Incredible contribution to the community. I just wanted to note that Console Windows Host (conhost.exe) spawns as a child process of whatever process is being injected.

    My brain is too small to resolve this issue myself. Sorry I'm dumb.

    opened by joshdodger197 2
  • still executing the assembly with -Help flag

    still executing the assembly with -Help flag

    1. i tested the self inject with 0 into explorer and i have seen cmd.exe poping as child process to execute the assembly while i have chosen 0. when the assembly finished the cmd.exe disseapeared.

    2. test with sharpview for example wih Get-computerName -Help flag the assembly carried on execution and showing the help, which is very weird. the help menu was there for extra flags to filter but the execution was there as if the -help flag was ignored.

    thx in advance

    opened by zufukatana 0
  • no output after execution

    no output after execution

    got no output after execution, tried to self inject and remote inject same thing. beacon acknolege the task but no output.

    i have also tried on different process elevated and non elevated. any help ? may I uncomment verbose and error to check ?? thx

    opened by ghost 10
Owner
Kyle Avery
Kyle Avery
Automatically inject a DLL into the selected process with VAC3 bypass.

FTP LOADER Automatically inject a DLL into the selected process with VAC3 bypass. This will only, most likely, work only with source engine games in s

null 18 Aug 26, 2021
CobaltStrike BOF - Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate)

Cobalt Strike BOF - Inject ETW Bypass Inject ETW Bypass into Remote Process via Syscalls (HellsGate|HalosGate) Running InjectEtwBypass BOF from Cobalt

Bobby Cooke 235 Nov 18, 2022
Inject code into remote python process.

python-inject Inject code into remote python process. Table of Contents About The Project Built With Getting Started Prerequisites Installation Usage

Sarnax 6 Jan 10, 2022
CredBandit - Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel

CredBandit CredBandit is a proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process a

anthemtotheego 186 Nov 22, 2022
Inject dll to explorer.exe and hide file from process.

Hide-FS Inject dll to explorer.exe and hide file from process. Requierments: Microsoft Detours Library - https://github.com/microsoft/Detours Compile:

null 11 Nov 9, 2022
Lee Thomason 298 Nov 16, 2022
Inject a DLL into any program using this C++ program

DLL-Injection-Cpp Inject a DLL into any process using this C++ program Installation Go into a folder and open up Command Prompt. In command prompt run

n0 5 Sep 12, 2022
(FIXED) Since the one on github didn't work. (ALSO INCLUDES .DLL SO YOU CAN JUST INJECT INTO FORTNITE)

Marathon-Fortnite-Cheat-Fix-Leak Fortnite Marathon Cheat v18.20 FIXED [Leak] Getting started Open .sln with Visual Studio 2019 Compile batch build to

LUCIFER ® 2 Dec 13, 2021
Jaws is an invisible programming language! Inject invisible code into other languages and files! Created for security research -- see blog post

Jaws is an invisible interpreted programming language that was created for antivirus research. Since Jaws code is composed entirely of whitespace char

C.J. May 207 Oct 17, 2022
anthemtotheego 392 Dec 1, 2022