From 303c8634d063779e2a87d77fcec8b7fdfb19db8e Mon Sep 17 00:00:00 2001 From: heqnx Date: Sun, 3 Aug 2025 15:10:25 +0300 Subject: added go-assembly-ldr --- go-assembly-ldr-encrypted-net-assembly-loaders.nfo | 88 ++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 go-assembly-ldr-encrypted-net-assembly-loaders.nfo diff --git a/go-assembly-ldr-encrypted-net-assembly-loaders.nfo b/go-assembly-ldr-encrypted-net-assembly-loaders.nfo new file mode 100644 index 0000000..5e603e2 --- /dev/null +++ b/go-assembly-ldr-encrypted-net-assembly-loaders.nfo 
@@ -0,0 +1,88 @@ +.:: go-assembly-ldr: Encrypted .NET Assembly Loaders ::. + +[ Introduction ] + +go-assembly-ldr facilitates the creation of loaders that embed encrypted .NET +assemblies, which are decrypted and executed in memory at runtime. It supports +two encryption methods—RC4 for lightweight obfuscation and AES-256 for stronger +security. The tool also randomizes variable names in generated loaders, making +static analysis more difficult. With flexible output formats (PowerShell, +MSBuild, or InstallUtil), it caters to various execution contexts, such as +script-based or build-process exploitation. + +The tool’s source code is available at https://cgit.heqnx.com/go-assembly-ldr +and can be cloned with git clone https://cgit.heqnx.com/go-assembly-ldr. + +[ Tool Usage ] + +$ ./go-assembly-ldr-- -h +offensive security tool designed for generating encrypted and obfuscated loaders for .NET assemblies + +author: heqnx - https://heqnx.com + +usage of ./go-assembly-ldr--: + -dotnet-architecture string + .net architecture for msbuild: x86|x64 (default "x64") + -e string + encryption type: rc4|aes (default "rc4") + -f string + input file path + -key-len int + length of encryption key (default 32) + -obf-len int + length of obfuscated strings (default 8) + -t string + loader type: powershell|msbuild|installutil (default "powershell") + +[ Tool Output Example ] + +- Generate a PowerShell loader with AES encryption: + +$ ./build/go-assembly-ldr-linux-amd64 \ + -f Rubeus.exe \ + -t powershell \ + -e aes \ + -obf-len 10 \ + -key-len 32 +[inf] created "Rubeus.exe_reflective.ps1" containing "Rubeus.exe" +[inf] call assembly method with [.]::("arg1 arg2".Split()) + +- Generate an MSBuild loader with RC4 encryption: + +$ ./build/go-assembly-ldr-linux-amd64 \ + -f Rubeus.exe \ + -t msbuild \ + -e rc4 \ + -obf-len 12 \ + -key-len 16 \ + -dotnet-architecture x86 +[inf] created "Rubeus.exe_msbuild.csproj" containing "Rubeus.exe" +[inf] change "string[] = new string[] { "" };" to 
add arguments + +[ Payload Execution ] + +The tool generates loaders that decrypt and execute .NET assemblies in memory, +leveraging .NET’s Reflection.Assembly.Load for seamless execution. Each loader +type targets a specific execution context:PowerShell: + +- Executes via powershell -ExecutionPolicy Bypass -File .ps1. Suitable + for script-based environments +- MSBuild: Executes via msbuild.exe .csproj. Ideal for build process + exploitation. Modify the string[] array to pass arguments +- InstallUtil: Compiles to a .NET executable with csc.exe and executes via + InstallUtil.exe /U. Leverages the uninstall method for payload execution. + +[ Technical Details ] + +- Encryption: RC4 is a stream cipher for lightweight encryption; AES-256 (CBC + mode, PKCS7 padding) offers stronger security. AES requires a 32-byte key, + while RC4 supports variable key lengths. +- Obfuscation: Variable names are replaced with random strings of + user-specified length, applied to templates using a regex-based substitution + (<%=obf ... %>). +- Payload Handling: Assemblies are base64-encoded post-encryption, with + decryption logic embedded in the loader. AES includes an initialization + vector (IV) for secure decryption. +- Dependencies: Relies on Go’s crypto/aes, crypto/rand, and standard libraries + for encryption and file handling. + -- cgit v1.2.3
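Review bot: the example output and execution lines in this .nfo have lost their angle-bracketed placeholders, so readers cannot tell which identifiers to substitute: the PowerShell example prints `[inf] call assembly method with [.]::("arg1 arg2".Split())`, the MSBuild example prints `change "string[] = new string[] { "" };" to add arguments`, and the Payload Execution section reads `powershell -ExecutionPolicy Bypass -File .ps1`, `msbuild.exe .csproj` and `InstallUtil.exe /U` with no file name. Restore the placeholders (for example `<Namespace.Class>::<Method>`, the generated variable name, and `<loader>.ps1` / `<loader>.csproj` / the compiled executable) or the examples are not reproducible from the document alone; the same section also runs the intro sentence into the first list item (`execution context:PowerShell:`), which needs a line break. On the cryptographic wording: the introduction correctly calls RC4 "lightweight obfuscation", but Technical Details then calls it "lightweight encryption"; keep the obfuscation wording throughout, since RC4 is a broken cipher and the loader ships the key alongside the ciphertext anyway. Technical Details also describes AES-256-CBC with PKCS7 padding and an IV as giving "secure decryption" without mentioning any integrity check; either document the authentication mechanism if one exists or drop the word "secure", because unauthenticated CBC only provides confidentiality against a reader who lacks the embedded key. Finally, `-key-len` defaults to 32 but is user-settable while the text states AES "requires a 32-byte key"; document what the tool does when `-e aes` is combined with another `-key-len` value (error, truncation, or padding), and note that the usage banner shows the binary as `./go-assembly-ldr--` while the examples invoke `./build/go-assembly-ldr-linux-amd64`, which should be made consistent.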