Description
Hi,
First, thank you for your amazing work!
I'm trying to load & execute this little C# program (tried compilation with .NET Framework 4.6, 4.7.2, 4.8):
```csharp
using System;

namespace ConsoleApp1
{
    public class Program
    {
        public static void Main(string[] args)
        {
            Console.WriteLine("begin");
            System.Net.Dns.GetHostEntry("localhost");
            Console.WriteLine("end");
        }
    }
}
```

Use of load-assembly/invoke-assembly works with a "normal" agent path, like `C:\users\vagrant\Desktop\agent.exe`.
But if the agent is stored as an Alternate Data Stream (ADS) like "C:\Users\vagrant\Desktop\desktop.ini:-", it doesn't work as expected.
If I comment out the line `System.Net.Dns.GetHostEntry("localhost");` it works, but if I leave it uncommented, it doesn't.
I've looked with Process Hacker; assembly dependencies don't seem to be loaded into the process.
I've got this error message on the merlin-cli console:
```
MethodInfo::Invoke_3 method returned an error:
Le fichier spécifié est introuvable (The specified file could not be found)
```
If I try to load & execute Rubeus 3.5 as in your example from the official doc, I get a more specific error:
```
There was an error calling the startCLR function:
the ICLRRuntimeInfo::GetInterface method returned an error:
La clé de recherche requise n'a pas été trouvée dans aucun contexte d'activation actif. (The required search key was not found in any active activation context.)
```
I don't know if it's really a bug or a limitation of ADS usage. Have you already experienced it? Any idea? Thanks