The Wiert Corner - irregular stream of stuffHInvoke and avoiding PInvoke | drakonia’s blog
On my research list [Wayback/Archive] HInvoke and avoiding PInvoke | drakonia’s blog.
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime.
The underlying code is at [Wayback/Archive] S4ntiagoP/donut: Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters.
It is being used by [Wayback/Archive] Convert binary to a shellcode with donut and create a C# self injector from it via a combo of “Dynamic P/Invoke + H/Invoke” calls
Related are:
Via:
- [Wayback/Archive] sn🥶vvcr💥sh on Twitter: “[#Tooling ⚔️] Updated my SharpBin2SelfInject gist with the recent H/Invoke technique by @dr4k0nia for a stealthier GetModuleHandle / GetProcAddress resolution and invocation 🥷🏻 #maldev #dinvoke #hinvoke”
- [Wayback/Archive] yxel on Twitter: “@snovvcrash I would love to be the one that developed Hinvoke, but Im not :P Credit should go to @dr4k0nia I guess 🙃”
- [Wayback/Archive] sn🥶vvcr💥sh on Twitter: “@httpyxel @dr4k0nia Oh my God, my apologies @dr4k0nia. You both with @httpyxel presented cool stuff that I retweeted recently for later studying, so that confused me I guess 🤦🏻♂️”
- [Wayback/Archive] dr4k0nia on Twitter: “@snovvcrash @httpyxel All good thanks for correcting. Very nice to see people use my stuff :)”
- [Wayback/Archive] H/Invoke @dr4k0nia – Twitter Search / Twitter
- [Wayback/Archive] #hinvoke – Twitter Search / Twitter
- [Wayback/Archive] dr4k0nia (@dr4k0nia) / Twitter
- [Wayback/Archive] drakonia’s blog | Welcome to my blog! Im posting about reverse engineering and .NET Development, with a focus on obfuscation and analysis of said. Hope you enjoy ^^
- [Wayback/Archive] yxel (@httpyxel) / Twitter
- [Wayback/Archive] Florian Hansemann on Twitter: “RunPE: C# Reflective loader for unmanaged binaries #infosec #pentest #redteam”
- [Wayback/Archive] Ptrace Security GmbH on Twitter: “C# PoCs for investigation of Windows process execution techniques investigation
github.com/daem0nc0re/TangledWinExec#Pentesting #CyberSecurity”
–jeroen
#CyberSecurity #dinvoke #hinvoke #infosec #maldev #pentest #Pentesting #redteam
HInvoke and avoiding PInvoke
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime.