Map in current PowerShell Instance Memory .NET Assemblies from remote web server.
When Assembly is mapped, you can invoke it's main with a command line argument.
The advantage of this technique is to avoid having assemblies written on disk. Everything happens in memory.
I'm using this script during my penetration tests / labs right after getting an initial shell on Windows to load other .NET Tools (Ex: ShapHound, ShapUp etc..)
As promised, we will adapt our previous code grab an exported function directly from memory.
Serious advantage of this technique:
- We don't have to use
CreateToolHelp32Snapshotanymore to enumerate modules and catch target module base address.
- We don't need to parse PE Header from disk anymore, we will parse PE Header directly from memory.
LoadLibraryAPI to load desired DLL in memory. An alternative of
LoadLibrarywould be to create our own PE Loader. We will cover that subject in a near future.