Tag: c#

Duplicating Handles in C#

Introduction Applications can open and maintain handles to Windows objects such as access tokens, processes, threads, files, named pipes and more. As a local admin (or with SeDebug privs), it’s possible to enumerate open handles across the entire OS and duplicate them for our own use. This is particularly useful when you want to obtain

Read more

ExternalC2.NET

Introduction This post will walk through how I created a library which implements Cobalt Strike’s External C2 Specification, introduces the ExternalC2.NET NuGet packages, and demonstrates how to use them in a custom third-party controller and client. External C2 Cobalt Strike has the ability to accept third-party command & control, allowing operators to go far beyond

Read more

Backdoor .NET assemblies with… dnSpy 🤔

Placing backdoors in legitimate applications is a good way to achieve persistence, data exfiltration, and if circumstances allow, privilege escalation. Backdooring .NET assemblies is surprisingly easy using an editor such as dnSpy. This post will run through a simplistic scenario where we backdoor a DLL used by a Blazor Server App. I thought this was

Read more

D/Invoke & GadgetToJScript

I’m sure the subject of combining D/Invoke with GadgetToJScript has been written about multiple times; but I wanted to throw my hat into the ring with this post. For those who don’t already know, D/Invoke provides (among other things) a means for dynamically invoking unmanaged APIs without using P/Invoke. GadgetToJScript is a spiritual successor to

Read more

.NET Reflection and Disposable AppDomains

Disclaimer: I didn’t come up with any of the methods or techniques described in this post. I merely glued other people’s work together – like Sharknado and Final Fantasy VIII’s Gunblade, only better. The premise of this post is to better conceal reflection and Assembly.Load() tradecraft in .NET Framework implants. Let’s first have a primer

Read more