New blog on using CLR customizations to improve the OPSEC of your .NET execution harness. This includes a novel AMSI bypass that identified by author in 2023. By taking control of CLR assembly loads, we can load assemblies from memory with no AMSI scan.
https://github.com/passthehashbrowns/Being-A-Good-CLR-Host
Related Works and Resources
HostingCLR - Original implementation of CLR hosting
InlineExecute-Assembly - Original implementation of executing .NET assemblies as a BOF
Dealing with Failure: Failure Escalation Policy in CLR Hosts – This is the only real example I could find of offensive tradecraft using CLR Customizations when I was initially doing this research.
Hosted Pumpkin – A GitHub repository containing a proof-of-concept for implementing several CLR Customizations.
Shellcode: Loading .NET Assemblies From Memory – Donut was a great deal of help in wrangling all of the relevant data structures and definitions in C.
Customizing the Microsoft .NET Framework Common Language Runtime by Steven Pratschner – This is the definitive text on CLR Customizations. Simply a must-read if you have any interest in this area.
#redteam #net #clr #dotnet
Proof-of-concept for the AMSI bypass and an implementation of a CLR memory manager is on GitHub. We can implement custom memory routines and track all allocations made by the CLR.
https://github.com/passthehashbrowns/Being-A-Good-CLR-Host
Related Works and Resources
HostingCLR - Original implementation of CLR hosting
InlineExecute-Assembly - Original implementation of executing .NET assemblies as a BOF
Dealing with Failure: Failure Escalation Policy in CLR Hosts – This is the only real example I could find of offensive tradecraft using CLR Customizations when I was initially doing this research.
Hosted Pumpkin – A GitHub repository containing a proof-of-concept for implementing several CLR Customizations.
Shellcode: Loading .NET Assemblies From Memory – Donut was a great deal of help in wrangling all of the relevant data structures and definitions in C.
Customizing the Microsoft .NET Framework Common Language Runtime by Steven Pratschner – This is the definitive text on CLR Customizations. Simply a must-read if you have any interest in this area.
#redteam #net #clr #dotnet
👾2
Forwarded from Order of Six Angles
fluxsec.red
Windows 11 Alternate Syscalls Deep Dive
A comprehensive technical walkthrough of Windows 11 Alternate Syscalls: allocating executable thunks, building the dispatch table, patching PspServiceDenoscriptorGroupTable, handling PspSyscallProviderServiceDispatchGeneric, and caching syscall arguments. Includes…
Feeling overwhelmed trying to learn security research? (Analyzing the PayloadRestrictions.dll Export Address Filtering)
#research #reverse #internals
Check out the "Process of Step-by-Step" by Yarden Shafir — a great resource that breaks it down clearly.
#research #reverse #internals
Windows Anti-Debug techniques - OpenProcess filtering
"OBREGISTERCALLBACKS AND COUNTERMEASURES"
Debugging AV
"OBREGISTERCALLBACKS AND COUNTERMEASURES"
XPN InfoSec Blog
@_xpn_ - Windows Anti-Debug techniques - OpenProcess filtering
This week I took a break from SYSTEM chasing to review some anti-debugging techniques. With quite a few Bug Bounty programs available relying on client-side applications, I thought I'd share one of the techniques used by numerous security products (and apparently…
Forwarded from Order of Six Angles
YouTube
Malware Loader Reverse Engineering with IDA Pro (Stream - 06/05/2025)
In this stream we reverse engineered a malware loader with IDA Pro, including its anti-analysis, persistence, COM UAC Bypass, command-line spoofing, C2, process injection, and TCP proxy functionality.
Learn how to reverse engineer malware: https://train…
Learn how to reverse engineer malware: https://train…
👾1
aiya-mmd-book.pdf
31.8 MB
AIYA MMD - means Attack and Introduction or (Android and IOS), start Your Adventure in Mobile Malware Development. also AIYA means AIYA Nurkhankyzy.
https://github.com/cocomelonc/bsprishtina-2024-maldev-workshop/
#mobile
👾4
Obfusk8: C++17-Based Obfuscation Library
#obf
Obfusk8 is a lightweight, header-only C++17 library designed to significantly enhance the obfuscation of your applications, making reverse engineering a substantially more challenging endeavor. It achieves this through a diverse set of compile-time and runtime techniques aimed at protecting your code's logic and data.
#obf
Spoofing Call Stacks To Confuse EDRs
#evasion
Call stacks are an understated yet often important source of telemetry for EDR products. They can provide vital context to an event and be an extremely powerful tool in determining false positives from true positives (especially for credential theft events such as handle access to lsass).
#evasion