Loaders Unleashed

When developing malware or red teaming tools, it is often necessary to execute code dynamically inside a program, for example running Python code from within a Python script. This is done for evasion: code loaded this way lives only in memory, so AV/EDR has to do more work to examine the process, and the code can additionally be stored encrypted or encoded and only decrypted or decoded right before execution.

C/C++

We say C/C++, but this section is really about loading compiled programs in the standard PE format. Many tools already exist to reflectively load C/C++ EXEs and DLLs. The first PoC, written by Stephen Fewer, reflectively loads DLLs: https://github.com/stephenfewer/ReflectiveDLLInjection

Most other PoCs are based on Stephen Fewer's work. What this section discusses is what reflective loading actually means: recreating the PE's structure in memory (imports, exports, sections and so on), linking everything together and then executing it within the process's memory. This is essentially how Windows itself loads executables; the difference is that instead of relying on the Windows loader, we implement the steps ourselves.
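The defender's view of the same PE structure is a memory scanner: it walks a dumped region, recognises well-formed PE headers that have no backing file, and lists their sections and protections. The following is an added example written for this page, not code from the article or from Stephen Fewer's project. It parses the DOS header, COFF file header and section table with the standard struct layouts, rejects stray "MZ" text that is not a real header, and reports sections mapped readable, writable and executable at once, which a normally linked image would not have. The memory region it scans is constructed inline from a minimal PE32+ header and is not a real binary.

```python
import struct

# PE constants (values from the PE/COFF specification)
MZ_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\0\0"
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def parse_pe_headers(buf, off):
    """Parse DOS, COFF and section headers at buf[off:]. Return a dict, or None
    if the bytes there are not a well-formed PE header (stray 'MZ' text etc.)."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != MZ_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != PE_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    if nsec == 0 or nsec > 96 or opt + opt_size + nsec * 40 > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0] if opt_size >= 2 else 0
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER is 40 bytes: Name, VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, two pointers, two counts, Characteristics
        name, vsize, vaddr, _, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "characteristics": chars,
            "rwx": (chars & RWX) == RWX,
        })
    return {"offset": off, "machine": machine, "magic": magic, "sections": sections}


def scan_region(buf):
    """Walk a memory region and return every well-formed PE header found in it."""
    found, start = [], 0
    while True:
        i = buf.find(MZ_SIGNATURE, start)
        if i < 0:
            return found
        hdr = parse_pe_headers(buf, i)
        if hdr:
            found.append(hdr)
        start = i + 1


def rwx_sections(hdr):
    """Names of sections mapped readable, writable and executable at once."""
    return [s["name"] for s in hdr["sections"] if s["rwx"]]


def _section(name, vaddr, chars):
    return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr, 0x200, 0x400, 0, 0, 0, 0, chars)


def build_sample_region():
    """Constructed test data: zero padding, a decoy 'MZ' with no PE header behind it,
    then a minimal PE32+ image with a normal .text and an RWX 'stage2' section."""
    dos = bytearray(0x40)
    dos[0:2] = MZ_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    opt_size = 240                            # size of a PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    optional = struct.pack("<H", 0x20B) + bytes(opt_size - 2)   # magic only, rest zeroed
    image = (bytes(dos) + PE_SIGNATURE + coff + optional
             + _section(b".text", 0x1000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | 0x20)
             + _section(b"stage2", 0x2000, RWX | 0x20))
    return bytes(100) + MZ_SIGNATURE + bytes(62) + image + bytes(50)


SAMPLE_REGION = build_sample_region()

if __name__ == "__main__":
    for hdr in scan_region(SAMPLE_REGION):
        print(f"PE at offset {hdr['offset']:#x}, machine {hdr['machine']:#x}, "
              f"RWX sections: {rwx_sections(hdr)}")
```

On a real dump the same parser is applied to each private, executable memory region; a PE header in a region that no module on disk accounts for is the classic reflective-loading indicator, and the section flags tell you whether the loader left the image writable and executable.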

Python

To dynamically execute python code inside python there are two ways:

  • eval
  • exec

Furthermore, Python 2 code can also be executed from C# using IronPython.

For Python we are going to load this file:

Eval

Python's built-ins offer two ways to run code dynamically:

  • eval: evaluates a single expression (one line)
  • exec: executes statements, so multi-line code can be run

Exec

exec can be used to dynamically load and run Python files:

Python in C#

Python 2 code can be loaded in C# using IronPython and executed dynamically:

And when executed:

PHP

PHP code can be executed in two ways:

  • Include: to execute PHP files
  • Eval: to execute PHP code

Include

To execute a PHP file one simply needs to include it:

Eval

To execute PHP code eval can be used:

JavaScript

JavaScript code can be executed dynamically inside JavaScript using the eval function, which is considered dangerous and is rarely used:

Ruby

To load Ruby code there are two ways:

  • Load
  • Require

Both of these execute Ruby files.

Load

Require

Perl

In Perl there are also two ways to execute Perl files:

  • Eval
  • Do

Eval

To load a Perl file using eval, the file first has to be opened and read into a string, which is then passed to eval:

Do

Using do, a Perl file can be loaded with just one line:

PowerShell

PowerShell code can be executed with iex (Invoke-Expression), and from C# using the PowerShell engine.

IEX

One only needs to pass the PowerShell code to IEX for it to be executed:

PowerShell in C#

To load PowerShell code or a script file inside C#, its DLL, System.Management.Automation, has to be referenced and a PowerShell engine instance created:

C#

A C# executable can be executed inside C# using the assembly loader, and C# source code can be compiled and run in PowerShell using Add-Type.

Assembly Load

To load a C# executable with the assembly loader, its bytes are read, an instance of the target class is created, and the method that should run is looked up and invoked:

C# in PowerShell

The C# file that’ll be used:

And to load the C# file in PowerShell:
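Every language section above (PHP, JavaScript, Ruby, Perl, PowerShell and C#) has the same shape: a dynamic-execution sink fed by data that was just decoded. A content rule that pairs the two within a few lines of each other catches the loaders without flagging every ordinary call to include or Invoke-Expression. The scanner below is an added example for this page, not code from the article; the rule lists are constructed and deliberately small, and the sample scripts it runs over are constructed inline with a harmless placeholder blob. Python itself is left out of the rule table because its loaders are better handled on the AST.

```python
import re

# One rule per language: (sink pattern, decoder pattern). Group 1 of the sink
# pattern names the sink for reporting. Constructed lists; tune for your environment.
RULES = {
    "powershell": (r"\b(iex|invoke-expression)\b",
                   r"(frombase64string|-join\s*\(|\[char\]|-bxor)"),
    "php": (r"\b(eval|include|include_once|require|require_once)\b",
            r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\b"),
    "javascript": (r"\b(eval|new\s+Function)\s*\(",
                   r"\b(atob|unescape|String\.fromCharCode)\b"),
    "ruby": (r"\b(eval|instance_eval|class_eval|load|require)\b",
             r"(Base64\.(?:strict_|urlsafe_)?decode64|\.unpack\b)"),
    "perl": (r"\b(eval|do)\b",
             r"\b(decode_base64|unpack|pack)\b"),
    "csharp": (r"\b(Assembly\.Load(?:File|From)?)\s*\(",
               r"\b(Convert\.FromBase64String|FromHexString)\b"),
}


def scan_script(text, language, window=3):
    """Return [(line_number, sink)] for every sink that has a decoder call on the
    same line or within the `window` lines leading up to it."""
    sink_pat, decoder_pat = RULES[language]
    sink_re = re.compile(sink_pat, re.IGNORECASE)
    decoder_re = re.compile(decoder_pat, re.IGNORECASE)
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = sink_re.search(line)
        if not m:
            continue
        context = "\n".join(lines[max(0, i - window + 1): i + 1])
        if decoder_re.search(context):
            hits.append((i + 1, m.group(1)))
    return hits


# Constructed sample scripts. "QUFBQQ==" is base64 for "AAAA", not a real payload.
SAMPLE_POWERSHELL = (
    '$blob = "QUFBQQ=="  # constructed placeholder\n'
    'iex ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($blob)))\n'
)
SAMPLE_POWERSHELL_BENIGN = 'Invoke-Expression "Get-Date"\n'
SAMPLE_PHP = '<?php\n$blob = "QUFBQQ==";\neval(gzinflate(base64_decode($blob)));\n'
SAMPLE_JAVASCRIPT = 'const blob = "QUFBQQ==";\nconst code = atob(blob);\neval(code);\n'
SAMPLE_CSHARP = ('byte[] raw = Convert.FromBase64String(blob);\n'
                 'Assembly asm = Assembly.Load(raw);\n')

if __name__ == "__main__":
    for lang, sample in (("powershell", SAMPLE_POWERSHELL),
                         ("powershell", SAMPLE_POWERSHELL_BENIGN),
                         ("php", SAMPLE_PHP),
                         ("javascript", SAMPLE_JAVASCRIPT),
                         ("csharp", SAMPLE_CSHARP)):
        print(lang, scan_script(sample, lang))
```

The window is what keeps the rule useful: a bare Invoke-Expression or require produces no hit, while a decoder a line or two above the sink does. Obvious gaps remain (a decoder assigned to a variable much earlier, or split across string concatenations), which is why this kind of pattern rule is paired with runtime telemetry such as script block logging rather than used alone.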

Bonus

Executing JScript in PowerShell

JScript and VisualBasic code can be run from PowerShell. This lets malware authors evade more security measures because these languages are rarely used nowadays:

When executed:

Loader with Encoder

As a bonus for reading this far, we will write a loader in Python and also implement an encoder/decoder: the Python file is encoded, then decoded at load time, which adds one more layer of evasion:

This is just a quick and dirty Python script prepared for this article; there are many ways to improve it into a capable Python loader.
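The Python eval/exec section earlier and the encoded loader just described both come down to one thing a reviewer or scanner can look for: a call to eval, exec or compile whose argument is not a literal, and in the encoded case traces back to a decoder. The following is an added example for this page, not the article's loader or its encoder. It walks the Python AST, remembers which variables were assigned from a decoding call, follows simple method chains such as .decode(), and rates each dynamic-execution call; the three source snippets it analyses are constructed inline and the encoded one decodes to print('hi').

```python
import ast

# Built-ins that turn data into running code.
EXEC_SINKS = {"eval", "exec", "compile"}
# Calls that typically unwrap an encoded/encrypted payload (constructed list; extend as needed).
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode", "b85decode",
            "fromhex", "unhexlify", "decompress", "decrypt"}
# Methods that keep "this came from a decoder" when chained: b64decode(x).decode().strip()
PASSTHROUGH = {"decode", "strip", "replace"}


def _call_name(node):
    """Bare callee name for both f(...) and obj.f(...); None for anything else."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return None


class DynamicExecFinder(ast.NodeVisitor):
    """Flags eval/exec/compile whose first argument is not a literal, and rates it
    'high' when that argument traces back to a decoder call."""

    def __init__(self):
        self.decoded_names = set()   # variables assigned from decoded data
        self.findings = []           # (line, sink, severity)

    def _is_decoded(self, node):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DECODERS:
                return True
            if name in PASSTHROUGH and isinstance(node.func, ast.Attribute):
                return self._is_decoded(node.func.value)
            return False
        if isinstance(node, ast.Name):
            return node.id in self.decoded_names
        return False

    def visit_Assign(self, node):
        # x = base64.b64decode(...) makes x "decoded" for later statements
        if self._is_decoded(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.decoded_names.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        sink = _call_name(node)
        if sink in EXEC_SINKS and node.args:
            arg = node.args[0]
            if self._is_decoded(arg):
                self.findings.append((node.lineno, sink, "high"))
            elif not isinstance(arg, ast.Constant):
                self.findings.append((node.lineno, sink, "medium"))
        self.generic_visit(node)


def find_dynamic_exec(source):
    """Return [(line, sink, severity)] for a Python source string."""
    finder = DynamicExecFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed inputs, only parsed and never executed. The base64 string is print('hi').
SAMPLE_ENCODED_LOADER = '''
import base64
payload = base64.b64decode("cHJpbnQoJ2hpJyk=")
exec(payload.decode())
'''
SAMPLE_FILE_LOADER = '''
exec(open("stage.py").read())
'''
SAMPLE_BENIGN = '''
total = eval("2 + 2")
print(total)
'''

if __name__ == "__main__":
    for label, src in (("encoded", SAMPLE_ENCODED_LOADER),
                       ("file", SAMPLE_FILE_LOADER),
                       ("benign", SAMPLE_BENIGN)):
        print(label, find_dynamic_exec(src))
```

Working on the AST rather than on text is what lets the decoder on one line and the exec on another be connected; the same pass can be extended to mark names read from files or sockets as tainted, so the file-based loader above would also rate high. A literal string passed to exec is not flagged here, which is a deliberate choice to keep the output focused on code assembled at runtime.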

Security Researchers

Amirhossein Gholizadeh
