Monday, June 12, 2017

Attacking the CLR - AppDomainManager Injection

I have been interested in attacking the CLR in order to manipulate .NET apps, like PowerShell.
For example, using .NET profilers here:

Recently I was reading this article about the CLR and execution events:

http://mattwarren.org/2017/02/07/The-68-things-the-CLR-does-before-executing-a-single-line-of-your-code/

One of the interesting things I stumbled on was this reference to CLR tuning:

https://github.com/dotnet/coreclr/blob/master/Documentation/project-docs/clr-configuration-knobs.md

Of particular interest were these environment variables that can be set. You can also set these in an app.config file.




AppDomain Managers are interesting in that they set up the environment before your .NET app runs.

I'll keep this short. You can manipulate the runtime by getting your code to execute prior to the application.

Here's some code.



This can also work against PowerShell.exe.  ;-)
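
A defensive check for the two override paths described above (environment variables and app.config), as an added example that is not code from the original post. The element names `appDomainManagerAssembly` and `appDomainManagerType` are the .NET Framework configuration counterparts of the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` variables; the `ExampleManager` names and both sample inputs are constructed.

```python
import os
import xml.etree.ElementTree as ET

# Environment variable names from the AppDomainManager documentation quoted on this page.
ENV_KNOBS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")
# Matching .NET Framework elements, set under <configuration><runtime> in an app.config.
CONFIG_KNOBS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed sample inputs; ExampleManager is a made-up assembly name.
SAMPLE_ENV = {"Path": r"C:\Windows\system32", "appdomain_manager_type": "ExampleManager.Manager"}
SAMPLE_CONFIG = b"""<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleManager, Version=1.0.0.0, Culture=neutral" />
    <appDomainManagerType value="ExampleManager.Manager" />
  </runtime>
</configuration>"""


def audit_env(env):
    """Return the AppDomainManager variables that are set in an environment mapping."""
    upper = {k.upper(): v for k, v in env.items()}  # Windows names are case-insensitive
    return {k: upper[k] for k in ENV_KNOBS if upper.get(k)}


def audit_config(xml_data):
    """Return AppDomainManager overrides found in one .config document (str or bytes)."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return {}  # not well-formed XML, nothing to report
    found = {}
    for elem in root.iter():
        name = elem.tag.rsplit("}", 1)[-1]  # strip an XML namespace, if any
        if name in CONFIG_KNOBS and elem.get("value"):
            found[name] = elem.get("value")
    return found


def audit_tree(top):
    """Walk a directory and report each *.config file that overrides the manager."""
    hits = {}
    for dirpath, _dirs, files in os.walk(top):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.lower().endswith(".config"):
                with open(path, "rb") as fh:  # bytes, so the XML parser picks the encoding
                    hits[path] = audit_config(fh.read())
    return {p: r for p, r in hits.items() if r}
```

Point `audit_tree` at an application directory and `audit_env` at `os.environ` or a captured process environment; any hit on a host where nobody deliberately configured a custom AppDomainManager is worth investigating.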


I leave it to you to explore what's possible here.

Have fun, keep asking questions!





Cheers,

Casey
@subTee

4 comments:

  1. I can't swipe the code area because the website redirects me to another blog post

  2. According to this: https://msdn.microsoft.com/en-us/library/system.appdomainmanager(v=vs.110).aspx

    >Implementing the AppDomainManager class enables a hosting application to participate in the creation of new application domains. To replace the default AppDomainManager, identify the assembly and type of the replacement AppDomainManager in the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, or use the and elements in your configuration file. The assembly must be fully trusted and be contained in the global assembly cache or the directory of the starting application. The type and assembly names must be fully qualified in the environment variables.

    So if you manage to drop an assembly in the same directory as a .NET app like Powershell and can set a particular environment variable, then you can execute arbitrary code in your assembly when the user runs the app? That's not cool...
