Code Monkey home page Code Monkey logo

sharpdllloader's Introduction

SharpDllLoader

A simple C# executable that invokes an arbitrary method of an arbitrary C# DLL. The project is useful to analyze malicious C# DLL through the popular tool dnSpy. dnSpy does not allow to native debug a DLL because of the absence of a standard entrypoint. So you can debug the SharpDllLoader executable with proper parameters to jump into the specified method of the DLL that you want dynamically analyze.

Update v2.0

The tool now supports Static Methods and Class Constructors.

Usage

Import the executable SharpDllLoader.exe in dnSpy and click on Start. Fill the form with the right parameters.

The supported parameters are:

-d DLL_PATH [-n NAMESPACE] -c DLL_CLASS [--cargs "ARG1 ARG2"] -m METHOD [--margs "ARG1 ARG2"] [-s]

The parameters delimited by [] are optional.

Parameters description:

-d Filepath to the DLL you want to debug.

-n Namespace containing the class you want to debug.

-c Name of the class you want to debug.

--cargs Class Constructor arguments (the tool supports only int and strings arguments).

-m Name of the method you want to debug.

--margs Method arguments (the tool supports only int and strings arguments).

-s Static flag; you have to use it if you want to debug a Static Method.

Example of usage

Analyzing a malware you are faced with a DLL written in C# easily inspectable using some common tools like dnSpy. You know that the malware invokes (i.e. through a previous Powershell stage) the method Bypass of the class Amsi, but you're not able to debug the method to undestand what it does. So, open SharpDllLoader.exe in your dnSpy instance, insert the correct parameters into Arguments field and select Stop At: Entrypoint.

This is the entrypoint of the exe.

Set a breakpoint on the illustrated instruction, or step over using F10 until you reach this instruction. Then click F11 to step into the invocation.

F11 again

Now click F10

And again F10 until you reach the return instruction (illustrated). Then F11

The same story: click F10 until the return instruction, then F11

Finally you are in the desired method, you can proceed with debug as you know how.

sharpdllloader's People

Contributors

hexfati avatar pawlos avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar

Forkers

pawlos cloutain ohyeah521 justinzhou y11en dantee296 0x7fffffffffffffff asdlei99 hackingump anhnh121 cygnosic lmartire bronxc l1183479157 littlecodepig yanshu911 zha0 xlfj5211 chronoss3 zhouzu kmdivi 5l1v3r1 azha0 dump-guy clannadpy schrodyn m5050 wholetthedog-out haelent p25072004 burningcyclebike coders-vechai gmg2719 amorfiti benalewis

sharpdllloader's Issues

Handling "-" namespaces

Hi,

How is possible to handle the "-" namespace ? (e.g. -n "-" )

It is common in packed malware and currently it is mis-parsed as "parameter name"

Exception:System.IO.FileLoadException

hello:
There was an error debugging the DLL:
Message:
Mixed model assembly is aimed at "v2.0.50727" version of the runtime of the generated, in the absence of other configuration information, unable to load the assembly in the 4.0 runtime

However, there are configuration files(filename.config) in the same directory:

System.BadImageFormatException Error

Hello,
I am trying to use your interesting tool to investigate DLL behavior, but when I run SharpDllLoader.exe by specifying parameters in this way d "C:\Users\malicious.dll" -c <Class> -m <Method> -a "arg1 arg2 arg3" I obtain the following error

An unhandled exception occurred in SharpDllLoader.exe (2360)

Exception: System.BadImageFormatException

Message: The file or assembly "malicious.dll" or one of its dependencies could not be loaded. it is not a valid Win32 application. (Exception from HRESULT: 0x800700C1)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.