When developing malware or red-teaming tools, it is often necessary to execute code dynamically inside a program, for example running Python code from within a Python file. The reason is evasion: code loaded this way resides only in memory, so AV/EDR has more overhead when examining the process. It can also be stored encrypted or encoded, then decrypted or decoded and executed, for further evasion.
C/C++
We say C/C++, but this is really about loading compiled programs in the standard PE format. Many programs have already been written to reflectively load C/C++ EXEs/DLLs. The first PoC, reflectively loading DLLs, was written by Stephen Fewer: https://github.com/stephenfewer/ReflectiveDLLInjection
Other PoCs are mostly based on Stephen Fewer’s work. What we’ll discuss in this section is what reflective loading is about: recreating the PE’s structure in memory (imports, exports, sections and so on), linking it together and then executing it in the process’s memory. It is identical to the way Windows itself loads executables, but instead of relying on Windows to do it for us, we implement it on our own.
Python
To dynamically execute python code inside python there are two ways:
- eval
- exec
Furthermore, Python 2 code can also be executed from C# using IronPython.
For python we are going to load this file:
Eval
When loading Python source there are two modes:
- Eval: a single expression (one line) can be evaluated
- Exec: multiple lines (statements) can be executed
Exec
Exec can be used to dynamically load python files:
Python in C#
Python 2 code can be loaded in C# using IronPython and executed dynamically:
And when executed:
PHP
PHP code can be executed in two ways:
- Include: to execute PHP files
- Eval: to execute PHP code
Include
To execute a PHP file one simply needs to include it:
Eval
To execute PHP code eval can be used:
Javascript
Javascript code can be executed dynamically inside Javascript using the eval method, which is considered a dangerous function and is rarely used:
Ruby
To load Ruby there are two ways:
- Load
- Require
Both of these methods execute Ruby files.
Load
Require
Perl
In Perl there are also two ways to execute Perl files:
- Eval
- Do
Eval
To load a Perl file using eval, the file first needs to be opened and read, and its contents then executed:
Do
Using the do method, Perl files can be loaded using only one line:
PowerShell
PowerShell code can be executed with iex, and from C# using the PowerShell engine.
IEX
One only needs to pass the PowerShell code to IEX for it to be executed:
PowerShell in C#
To load PowerShell code or a PowerShell file inside C#, its DLL, System.Management.Automation, has to be referenced and its engine created:
C#
A C# executable can be executed inside C# using the assembly loader, and C# source code can be compiled and run in PowerShell using Add-Type.
Assembly Load
To load the C# executable using the assembly loader, it needs to be read into memory, an instance of its class created, and then the method to run located and invoked:
C# in PowerShell
The C# file that’ll be used:
And to load the C# file in PowerShell:
Bonus
Executing JScript in PowerShell
JScript/VisualBasic can be run from PowerShell. This lets malware authors evade more security measures, because these languages are not frequently used nowadays:
When executed:
Loader with Encoder
As a bonus for reading this far, we’ll write a loader in Python and also implement an encoder/decoder to encode the Python file, then decode it when loading, giving us more of a sense of evasion:
This is just quick and dirty Python code prepared for this article; there are many ways to improve it into a capable Python loader.
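The loader-with-encoder idea above, shown together with the detection side a defender cares about: CPython's audit hooks (PEP 578, Python 3.8+) receive the `exec` event with the final code object no matter how the source was encoded on disk. This is an added example written for this page, not the article's own loader; the sample payload, the hook and the helper names are constructed for it.

```python
import base64
import os
import sys

# Constructed sample: the "encoded file" the loader will decode and run.
SAMPLE_SOURCE = "result = sum(range(10))"
SAMPLE_BLOB = base64.b64encode(SAMPLE_SOURCE.encode())

# Every "exec" audit event observed in this interpreter (name chosen for this example).
EXEC_EVENTS = []


def audit_hook(event, args):
    """PEP 578 audit hook (Python 3.8+); CPython calls it for every auditable operation.

    Hooks cannot be removed once installed and must not raise when merely
    observing, so this one only records what it sees.
    """
    if event == "exec":
        code = args[0]  # the code object about to run, already decoded and compiled
        EXEC_EVENTS.append({"filename": code.co_filename,
                            "names": sorted(code.co_names)})


sys.addaudithook(audit_hook)


def load_encoded(blob: bytes) -> dict:
    """Decode a base64 blob and exec it in a fresh namespace, like the article's loader.

    Encoding hides the source on disk, but exec() still hands the plain code
    object to the audit hook, so the hook sees it regardless of the encoding.
    """
    source = base64.b64decode(blob).decode()
    namespace = {}
    exec(source, namespace)  # compiled with filename "<string>" because no file is involved
    return namespace


def suspicious_exec_events() -> list:
    """Triage helper: exec events whose code did not come from a file on disk.

    Normal module imports also raise "exec", but with a real path as filename;
    code built from a decoded string shows up as "<string>".
    """
    return [e for e in EXEC_EVENTS if not os.path.isfile(e["filename"])]
```

The same hook can be installed process-wide with a `sitecustomize` or `usercustomize` module, so it observes loaders that were not written with it in mind.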