Kali Linux

Inject-Assembly : Inject .NET Assemblies Into An Existing Process

Inject-Assembly is an alternative to traditional fork and run execution for Cobalt Strike. The loader can be injected into any process, including the current Beacon. Long-running assemblies will continue to run and send output back to the Beacon, similar to the behavior of execute-assembly.

There are two components of inject-assembly:

  • BOF initializer: A small program responsible for injecting the assembly loader into a remote process with any arguments passed. It uses Beacon Inject Process to perform the injection, meaning this behavior can be customized in a Malleable C2 profile or with process injection BOFs (as of version 4.5).
  • PIC assembly loader: The bulk of the project. The loader will initialize the .NET runtime, load the provided assembly, and execute the assembly. The loader will create a new App Domain in the target process so that the loaded assembly can be totally unloaded when execution is complete.

Communication between the remote process and Beacon occurs through a named pipe. The Aggressor script generates a pipe name and then passes it to the BOF initializer.

Notable Features

  • Patches Environment.Exit() to prevent the remote process from exiting.
  • .NET assembly header stomping (MZ bytes, e_lfanew, DOS Header, Rich Text, PE Header).
  • Random pipe name generation based on SourcePoint.
  • No blocking of the Beacon, even if the assembly is loaded into the current process.

Usage

Download and load the inject-assembly.cna Aggressor script into Cobalt Strike. You can then execute assemblies using the following command:

inject-assembly pid assembly [args…]

Specify 0 as the PID to execute in the current Beacon process.

It is recommended to use another tool, like FindObjects-BOF, to locate a process that already loads the .NET runtime, but this is not a requirement for inject-assembly to function.

R K

Recent Posts

Pystinger : Bypass Firewall For Traffic Forwarding Using Webshell

Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…

1 week ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

1 week ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

1 week ago

How to Bash Append to File: A Simple Guide for Beginners

If you are working with Linux or writing bash scripts, one of the most common…

1 week ago

Mastering the Bash Case Statement with Simple Examples

What is a bash case statement? A bash case statement is a way to control…

1 week ago

How to Check if a File Exists in Bash – Simply Explained

Why Do We Check Files in Bash? When writing a Bash script, you often work…

1 week ago