Diffstat (limited to 'go-assembly-ldr-encrypted-net-assembly-loaders.nfo')
-rw-r--r--go-assembly-ldr-encrypted-net-assembly-loaders.nfo88
1 files changed, 88 insertions, 0 deletions
diff --git a/go-assembly-ldr-encrypted-net-assembly-loaders.nfo b/go-assembly-ldr-encrypted-net-assembly-loaders.nfo
new file mode 100644
index 0000000..5e603e2
--- /dev/null
+++ b/go-assembly-ldr-encrypted-net-assembly-loaders.nfo
@@ -0,0 +1,88 @@
+.:: go-assembly-ldr: Encrypted .NET Assembly Loaders ::.
+
+[ Introduction ]
+
+go-assembly-ldr facilitates the creation of loaders that embed encrypted .NET
+assemblies, which are decrypted and executed in memory at runtime. It supports
+two encryption methods—RC4 for lightweight obfuscation and AES-256 for stronger
+security. The tool also randomizes variable names in generated loaders, making
+static analysis more difficult. With flexible output formats (PowerShell,
+MSBuild, or InstallUtil), it caters to various execution contexts, such as
+script-based or build-process exploitation.
+
+The tool’s source code is available at https://cgit.heqnx.com/go-assembly-ldr
+and can be cloned with git clone https://cgit.heqnx.com/go-assembly-ldr.
+
+[ Tool Usage ]
+
+$ ./go-assembly-ldr-<platform>-<arch> -h
+offensive security tool designed for generating encrypted and obfuscated loaders for .NET assemblies
+
+author: heqnx - https://heqnx.com
+
+usage of ./go-assembly-ldr-<platform>-<arch>:
+ -dotnet-architecture string
+ .net architecture for msbuild: x86|x64 (default "x64")
+ -e string
+ encryption type: rc4|aes (default "rc4")
+ -f string
+ input file path
+ -key-len int
+ length of encryption key (default 32)
+ -obf-len int
+ length of obfuscated strings (default 8)
+ -t string
+ loader type: powershell|msbuild|installutil (default "powershell")
+
+[ Tool Output Example ]
+
+- Generate a PowerShell loader with AES encryption:
+
+$ ./build/go-assembly-ldr-linux-amd64 \
+ -f Rubeus.exe \
+ -t powershell \
+ -e aes \
+ -obf-len 10 \
+ -key-len 32
+[inf] created "Rubeus.exe_reflective.ps1" containing "Rubeus.exe"
+[inf] call assembly method with [<namespace>.<class>]::<method>("arg1 arg2".Split())
+
+- Generate an MSBuild loader with RC4 encryption:
+
+$ ./build/go-assembly-ldr-linux-amd64 \
+ -f Rubeus.exe \
+ -t msbuild \
+ -e rc4 \
+ -obf-len 12 \
+ -key-len 16 \
+ -dotnet-architecture x86
+[inf] created "Rubeus.exe_msbuild.csproj" containing "Rubeus.exe"
+[inf] change "string[] <var> = new string[] { "" };" to add arguments
+
+[ Payload Execution ]
+
+The tool generates loaders that decrypt and execute .NET assemblies in memory,
+leveraging .NET’s Reflection.Assembly.Load for seamless execution. Each loader
+type targets a specific execution context:PowerShell:
+
+- Executes via powershell -ExecutionPolicy Bypass -File <file>.ps1. Suitable
+ for script-based environments
+- MSBuild: Executes via msbuild.exe <file>.csproj. Ideal for build process
+ exploitation. Modify the string[] array to pass arguments
+- InstallUtil: Compiles to a .NET executable with csc.exe and executes via
+ InstallUtil.exe /U. Leverages the uninstall method for payload execution.
+
+[ Technical Details ]
+
+- Encryption: RC4 is a stream cipher for lightweight encryption; AES-256 (CBC
+ mode, PKCS7 padding) offers stronger security. AES requires a 32-byte key,
+ while RC4 supports variable key lengths.
+- Obfuscation: Variable names are replaced with random strings of
+ user-specified length, applied to templates using a regex-based substitution
+ (<%=obf ... %>).
+- Payload Handling: Assemblies are base64-encoded post-encryption, with
+ decryption logic embedded in the loader. AES includes an initialization
+ vector (IV) for secure decryption.
+- Dependencies: Relies on Go’s crypto/aes, crypto/rand, and standard libraries
+ for encryption and file handling.
+
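Review bot: the [ Technical Details ] section states that AES requires a 32-byte key, but [ Tool Usage ] documents -key-len as a free integer (default 32) and the second example passes -key-len 16; document what the tool does when -e aes is combined with a -key-len other than 32 (reject the flag, or ignore it and force 32), otherwise a reader will assume the msbuild example's key length also works for aes. In [ Payload Execution ] the label "PowerShell:" is fused onto the end of the introductory sentence ("execution context:PowerShell:") and belongs at the head of the first list item, matching the "MSBuild:" and "InstallUtil:" entries. Minor wording: "AES-256 (CBC mode, PKCS7 padding) offers stronger security" would be more precise as stronger confidentiality, since CBC with PKCS7 padding provides no integrity check on the ciphertext and the text should not imply otherwise.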