AzRunRCE/MemoryShellCodeExploit
MemoryShellCodeExploit (Source code published soon)

A POC using a dynamic compiler (CodeDOM) and TCPListener to run malicious instructions remotely and in memory

Basic Concept

Evade AV detection using a dynamic compiler

Step 1 - The malware is executed by the victim

Step 2 - It loads C# instructions (as a string in this example) from:

  • TCP/IP
  • HTTP REST
  • Unmanaged resources / managed resources

Step 3 - The malware compiles these instructions in memory and evades most AV.

To compile, it can use:

  • Roslyn (.NET Framework 4.0+)
  • CodeDOM (.NET Framework 2.0+)
  • Mono

Proof Of Concept

Run a message-box shellcode over the network from an apparently trusted file. In my case I have used:

  • A TCP listener on port 444 (often open in company networks) on the attacker's computer
  • The C# CodeDOM compiler, for the widest compatibility
  • Various unsafe C# instructions to load the message-box shellcode

Detection Ratio

Use Cases (same concept)

  • Execute a RunPE fully in memory to run a known malware
  • Use this network implementation to run C# remotely
  • Create different malware variants (signature-based and polymorphic)

Libraries

I used Protocol Buffers to serialize/deserialize the data sent over the network, System.CodeDom.Compiler to compile the C# instructions, and the System.Reflection namespace to run the compiled assembly in memory and evade AV.
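A defender-side note on the compile step (Step 3 above) and the System.CodeDom.Compiler choice: on .NET Framework, CSharpCodeProvider does not compile purely in memory; it spawns csc.exe with a .cmdline response file written under %TEMP%, so process-creation telemetry exposes it. The detector below is an added example, not code from this repository; it assumes Sysmon-style field names and runs over constructed sample events.

```python
"""Flag csc.exe launches that look like CodeDOM run-time compilation rather than a build."""
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\a1b2c3d4.cmdline"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r'csc.exe /noconfig @"C:\src\app\obj\Debug\app.csproj.cmdline"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# Parents that legitimately drive the compiler during a normal build.
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}

# CodeDOM passes its arguments via a response file: @"...\AppData\Local\Temp\<random>.cmdline"
TEMP_CMDLINE = re.compile(r'@"?[^"]*\\appdata\\local\\temp\\[^"\\]+\.cmdline"?', re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, so comparisons ignore install location and case."""
    return path.rsplit("\\", 1)[-1].lower()


def is_runtime_compile(event):
    """True when csc.exe/vbc.exe runs from a non-build parent with a %TEMP% response file."""
    if basename(event["Image"]) not in {"csc.exe", "vbc.exe"}:
        return False
    if basename(event["ParentImage"]) in BUILD_PARENTS:
        return False
    return TEMP_CMDLINE.search(event["CommandLine"]) is not None


def flag_events(events):
    """Return the parent images of every event that matches the run-time compile pattern."""
    return [e["ParentImage"] for e in events if is_runtime_compile(e)]


if __name__ == "__main__":
    for parent in flag_events(SAMPLE_EVENTS):
        print("suspicious run-time compile spawned by:", parent)
```

The parent image is the useful pivot: the process that spawned csc.exe is the loader that pulled the source over the network.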

Authors

License

This project is licensed under the MIT License - see the LICENSE.md file for details
