ExecuteAssembly is an alternative to CS execute-assembly, built with C/C++. It can be used to load/inject .NET assemblies by: reusing the CLR modules/AppDomainManager already loaded in the host (spawnto) process, stomping the loader and .NET assembly PE DOS headers, unlinking .NET-related modules, bypassing ETW and AMSI, avoiding EDR hooks via static NT syscalls (x64), and hiding imports by dynamically resolving APIs via the superfasthash hashing algorithm.

TLDR (Features):

Usage:

Examples:

C2 Support:

It was created and tested mainly on Cobalt Strike; however, it can be used with other C2 frameworks as well (MSF, etc.). Just keep in mind that the reflective DLL DLLMAIN expects the one-liner payload as a parameter (lpReserved) in the following format (with no “.”):

Testing Notes:

TODO:

Known Issues:

Credits/References:
