SharpC2 icon indicating copy to clipboard operation
SharpC2 copied to clipboard
verified publisher icon rasta-mouse

Drone DLL Processor Error on attempting to load

Open mellonaut opened this issue 2 years ago • 1 comments

Exe and ps1 are working fine, but when I generated a payload for a DLL and try loading it with Assembly.Load

Unhandled Exception: System.BadImageFormatException: Could not load file or assembly 'drone, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'. This assembly was compiled for a different processor. at System.Reflection.RuntimeAssembly.nLoadImage(Byte[] rawAssembly, Byte[] rawSymbolStore, Evidence evidence, StackCrawlMark& stackMark, Boolean fIntrospection, Boolean fSkipIntegrityCheck, SecurityContextSource securityContextSource) at System.Reflection.Assembly.Load(Byte[] rawAssembly) at AssemblyLoader.Program.Main()

If target X86 with my assembly loader and recompile i get the same error, if I specify x64 I get this one:

Unhandled Exception: System.IO.FileLoadException: Could not load file or assembly 'drone, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. Attempt to load an unverifiable executable with fixups (IAT with more than 2 sections or a TLS section.) (Exception from HRESULT: 0x80131019) ---> System.IO.FileLoadException: Attempt to load an unverifiable executable with fixups (IAT with more than 2 sections or a TLS section.) (Exception from HRESULT: 0x80131019) --- End of inner exception stack trace --- at System.Reflection.RuntimeAssembly.nLoadImage(Byte[] rawAssembly, Byte[] rawSymbolStore, Evidence evidence, StackCrawlMark& stackMark, Boolean fIntrospection, Boolean fSkipIntegrityCheck, SecurityContextSource securityContextSource) at System.Reflection.Assembly.Load(Byte[] rawAssembly) at AssemblyLoader.Program.Main()

Any help would be appreciated

mellonaut avatar Jul 30 '23 09:07 mellonaut

Looking at how the DLL is built in

https://github.com/rasta-mouse/SharpC2/blob/main/TeamServer/Services/PayloadService.cs#L238

it looks like DLL payloads are meant for use via their 'unmanaged exports' feature (i.e. invoked via rundll32 - but I've never gotten that to work). I definitely get the same error as you using Assembly.Load(byte[]).

If you really want to load the DLL, I think there are 2 options:

  1. Use Assembly.LoadFrom(string assemblyFile) - for some reason I don't pretend to understand, this works for this type of DLL. While this is normally used to load from disk (which you probably want to avoid) , it can also be used to load a remote assembly via URL if you configure <loadFromRemoteSources> in the corresponding app config file - see https://learn.microsoft.com/en-us/dotnet/api/system.reflection.assembly.loadfrom?view=netframework-4.8.1#system-reflection-assembly-loadfrom(system-string)
  2. If you really want to load from a byte array, build the .exe as per usual and extract the embedded drone.dll using something like dotPeek or dnSpy. This will be a 'normal' .NET DLL which is acceptable to Assembly.Load(byte[])

HTH

tbaker57 avatar Aug 29 '23 04:08 tbaker57