heqnx - .:: go-assembly-ldr: Encrypted .NET Assembly Loaders ::.

.:: go-assembly-ldr: Encrypted .NET Assembly Loaders ::.

[ Introduction ]

go-assembly-ldr facilitates the creation of loaders that embed encrypted .NET
assemblies, which are decrypted and executed in memory at runtime. It supports
two encryption methods—RC4 for lightweight obfuscation and AES-256 for stronger
security. The tool also randomizes variable names in generated loaders, making
static analysis more difficult. With flexible output formats (PowerShell,
MSBuild, or InstallUtil), it caters to various execution contexts, such as
script-based or build-process exploitation.

The tool's source code is available at https://cgit.heqnx.com/go-assembly-ldr
and can be cloned with git clone https://cgit.heqnx.com/go-assembly-ldr.

[ Motivation and Objectives ]

go-assembly-ldr was created to provide offensive security operators with a tool
to build stealthy, encrypted .NET assembly loaders for red team engagements. In
environments where bypassing detection is key, executing payloads in memory
while evading static analysis is critical. This tool addresses the need for
flexible, obfuscated loaders that can deliver .NET assemblies in diverse
operational contexts without leaving too obvious traces on disk.

Objectives:

- Enable Stealth Execution: Generate loaders that decrypt and run .NET
  assemblies in memory, minimizing some forensic footprints
- Evade Detection: Use RC4 or AES-256 encryption and randomized variable names
  to somewhat thwart static analysis and AV detection, but high entropy leaves
  to be desired
- Support Versatile Delivery: Offer PowerShell, MSBuild, and InstallUtil loader
  formats to fit script-based, build-process, or executable-based attack
  vectors
- Simplify Payload Deployment: Streamline the process of embedding and
  executing encrypted .NET payloads for rapid, effective red team operations

[ Tool Usage ]

$ ./go-assembly-ldr-<platform>-<arch> -h
offensive security tool designed for generating encrypted and obfuscated loaders for .NET assemblies

author: heqnx - https://heqnx.com

usage of ./go-assembly-ldr-<platform>-<arch>:
  -dotnet-architecture string
        .net architecture for msbuild: x86|x64 (default "x64")
  -e string
        encryption type: rc4|aes (default "rc4")
  -f string
        input file path
  -key-len int
        length of encryption key (default 32)
  -obf-len int
        length of obfuscated strings (default 8)
  -t string
        loader type: powershell|msbuild|installutil (default "powershell")

[ Tool Output Example ]

- Generate a PowerShell loader with AES encryption:

$ ./build/go-assembly-ldr-linux-amd64 \
        -f Rubeus.exe \
        -t powershell \
        -e aes \
        -obf-len 10 \
        -key-len 32
[inf] created "Rubeus.exe_reflective.ps1" containing "Rubeus.exe"
[inf] call assembly method with [<namespace>.<class>]::<method>("arg1 arg2".Split())

- Generate an MSBuild loader with RC4 encryption:

$ ./build/go-assembly-ldr-linux-amd64 \
        -f Rubeus.exe \
        -t msbuild \
        -e rc4 \
        -obf-len 12 \
        -key-len 16 \
        -dotnet-architecture x86
[inf] created "Rubeus.exe_msbuild.csproj" containing "Rubeus.exe"
[inf] change "string[] <var> = new string[] { "" };" to add arguments

[ Payload Execution ]

The tool generates loaders that decrypt and execute .NET assemblies in memory,
leveraging .NET's Reflection.Assembly.Load for seamless execution. Each loader
type targets a specific execution context:PowerShell:

- Executes via powershell -ExecutionPolicy Bypass -File <file>.ps1. Suitable
  for script-based environments
- MSBuild: Executes via msbuild.exe <file>.csproj. Ideal for build process
  exploitation. Modify the string[] array to pass arguments
- InstallUtil: Compiles to a .NET executable with csc.exe and executes via
  InstallUtil.exe /U. Leverages the uninstall method for payload execution.

[ Technical Details ]

- Encryption: RC4 is a stream cipher for lightweight encryption; AES-256 (CBC
  mode, PKCS7 padding) offers stronger security. AES requires a 32-byte key,
  while RC4 supports variable key lengths.
- Obfuscation: Variable names are replaced with random strings of
  user-specified length, applied to templates using a regex-based substitution
  (<%=obf ... %>).
- Payload Handling: Assemblies are base64-encoded post-encryption, with
  decryption logic embedded in the loader. AES includes an initialization
  vector (IV) for secure decryption.
- Dependencies: Relies on Go's crypto/aes, crypto/rand, and standard libraries
  for encryption and file handling.