Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drone DLL Processor Error on attempting to load #24

Open
mellonaut opened this issue Jul 30, 2023 · 1 comment
Open

Drone DLL Processor Error on attempting to load #24

mellonaut opened this issue Jul 30, 2023 · 1 comment

Comments

@mellonaut
Copy link

Exe and ps1 are working fine, but when I generated a payload for a DLL and try loading it with Assembly.Load

Unhandled Exception: System.BadImageFormatException: Could not load file or assembly 'drone, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'. This assembly was compiled for a different processor.
at System.Reflection.RuntimeAssembly.nLoadImage(Byte[] rawAssembly, Byte[] rawSymbolStore, Evidence evidence, StackCrawlMark& stackMark, Boolean fIntrospection, Boolean fSkipIntegrityCheck, SecurityContextSource securityContextSource)
at System.Reflection.Assembly.Load(Byte[] rawAssembly)
at AssemblyLoader.Program.Main()

If target X86 with my assembly loader and recompile i get the same error, if I specify x64 I get this one:

Unhandled Exception: System.IO.FileLoadException: Could not load file or assembly 'drone, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. Attempt to load an unverifiable executable with fixups (IAT with more than 2 sections or a TLS section.) (Exception from HRESULT: 0x80131019) ---> System.IO.FileLoadException: Attempt to load an unverifiable executable with fixups (IAT with more than 2 sections or a TLS section.) (Exception from HRESULT: 0x80131019)
--- End of inner exception stack trace ---
at System.Reflection.RuntimeAssembly.nLoadImage(Byte[] rawAssembly, Byte[] rawSymbolStore, Evidence evidence, StackCrawlMark& stackMark, Boolean fIntrospection, Boolean fSkipIntegrityCheck, SecurityContextSource securityContextSource)
at System.Reflection.Assembly.Load(Byte[] rawAssembly)
at AssemblyLoader.Program.Main()

Any help would be appreciated
@tbaker57
Copy link

Looking at how the DLL is built in

https://github.com/rasta-mouse/SharpC2/blob/main/TeamServer/Services/PayloadService.cs#L238

it looks like DLL payloads are meant for use via their 'unmanaged exports' feature (i.e. invoked via rundll32 - but I've never gotten that to work). I definitely get the same error as you using Assembly.Load(byte[]).

If you really want to load the DLL, I think there are 2 options:

  1. Use Assembly.LoadFrom(string assemblyFile) - for some reason I don't pretend to understand, this works for this type of DLL. While this is normally used to load from disk (which you probably want to avoid) , it can also be used to load a remote assembly via URL if you configure <loadFromRemoteSources> in the corresponding app config file - see https://learn.microsoft.com/en-us/dotnet/api/system.reflection.assembly.loadfrom?view=netframework-4.8.1#system-reflection-assembly-loadfrom(system-string)
  2. If you really want to load from a byte array, build the .exe as per usual and extract the embedded drone.dll using something like dotPeek or dnSpy. This will be a 'normal' .NET DLL which is acceptable to Assembly.Load(byte[])

HTH

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tbaker57 @mellonaut