In Memory Execution of Dotnet Assemblies

Sayan Ray


Recently, while working on a project, I was researching ways of executing the contents of an “.exe” file directly from my program after reading it into a byte array, so that the “.exe” would not need to be present on disk. This led to the accidental discovery of the technique below, which turned the project idea into reality. The technique has only one catch: it doesn’t work with native Windows executables, only with .NET assemblies.

See this snippet:

    using System;
    using System.Reflection;

    static class Loader {
        // Loads a .NET assembly from its raw bytes and runs its entry point (Main).
        // Assembly.Load(byte[]) maps the image into the current AppDomain without
        // a backing file, so the loaded assembly's Location property is empty.
        static void ExecExe(byte[] exe) {
            Assembly assm = Assembly.Load(exe);
            MethodInfo entryPoint = assm.EntryPoint;

            if (entryPoint != null) {
                // check whether Main accepts parameters (string[] args) or not
                if (entryPoint.GetParameters().Length == 0) {
                    // no parameters
                    entryPoint.Invoke(null, null);
                } else {
                    // accepts parameters: invoke with an empty string array.
                    // Any exception thrown by Main surfaces here wrapped in a
                    // TargetInvocationException.
                    entryPoint.Invoke(null, new object[] { new string[] { } });
                }
            } else {
                Console.WriteLine("No entry point found in the exe file.");
            }
        }
    }

Here this function takes a byte array as its argument, which is expected to hold the bytes of a .NET assembly. The code then locates that assembly’s entry point and invokes its Main method.

This technique is actually well known in the industry, which I didn’t know, because of course I discovered it accidentally. But I built a program out of it that fetches the contents of a .NET assembly from a remote server and executes it on the system. Below is the GitHub link.

The usage is pretty simple and is described in the readme itself. I uploaded the compiled exe to VirusTotal, and the result showed that only 9 AVs detected it, including Microsoft, though in my case Windows 10 Defender, even with the latest updates, was not able to detect it. I believe a certain amount of code obfuscation, maybe network traffic encryption, etc., would be able to bypass the AV solutions.
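The runtime footprint of a loader like the one above is worth seeing from the other side: an assembly brought in through Assembly.Load(byte[]) has no file behind it, so its Location property is empty, whereas a normally loaded assembly reports its path. The following C# is an added detection-side example, not code from the post or its GitHub project. It assumes the monitor runs inside the same process (and AppDomain) as the loader, and that the demo program itself is run as an ordinary on-disk assembly so that its own image can be re-read as a constructed stand-in for a fetched one. The class name MemoryLoadMonitor and the report callback are my own.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;

// Added detection-side example (not the post's code): flags assemblies that
// were loaded from a byte[] rather than from a file on disk.
static class MemoryLoadMonitor
{
    // True when the assembly has no backing file. Dynamic (Reflection.Emit)
    // assemblies are excluded: Location is meaningless for them and throws
    // NotSupportedException on .NET Framework.
    public static bool IsMemoryOnly(Assembly asm)
    {
        if (asm.IsDynamic)
            return false;
        return string.IsNullOrEmpty(asm.Location);
    }

    // Subscribe before any untrusted code runs in this AppDomain so that
    // later Assembly.Load(byte[]) calls are reported as they happen.
    public static void Install(Action<string> report)
    {
        AppDomain.CurrentDomain.AssemblyLoad += (sender, e) =>
        {
            Assembly asm = e.LoadedAssembly;
            if (IsMemoryOnly(asm))
                report("memory-only assembly loaded: " + asm.FullName);
        };
    }

    // Sweep assemblies that were already loaded before the monitor was installed.
    public static List<string> FindMemoryOnlyAssemblies()
    {
        var hits = new List<string>();
        foreach (Assembly asm in AppDomain.CurrentDomain.GetAssemblies())
            if (IsMemoryOnly(asm))
                hits.Add(asm.FullName);
        return hits;
    }

    static void Main()
    {
        Install(msg => Console.WriteLine("[!] " + msg));

        // Constructed stand-in for a fetched assembly: re-load this program's
        // own image from its bytes. The second copy has no file behind it,
        // so the handler installed above fires for it.
        byte[] image = File.ReadAllBytes(typeof(MemoryLoadMonitor).Assembly.Location);
        Assembly copy = Assembly.Load(image);
        Console.WriteLine("copy.Location is empty: " + string.IsNullOrEmpty(copy.Location));

        foreach (string name in FindMemoryOnlyAssemblies())
            Console.WriteLine("[sweep] " + name);
    }
}
```

An in-process monitor like this only sees the AppDomain it lives in, which is why endpoint products consume the same information out of process: the CLR’s Microsoft-Windows-DotNETRuntime ETW provider emits an AssemblyLoad event for every assembly the runtime loads, and a load with no backing file path is the signal to correlate with the process that made the network request.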
