In-Memory Managed Dll Loading With PowerShell

Download: Out-CompressedDll

The .NET framework has a very handy method which loads a managed executable as a byte array – [System.Reflection.Assembly]::Load(byte[] rawAssembly). From the perspective of a malicious script, this is very convenient because it allows for a dll to be self-contained within the script body. What’s not as convenient is the size required to store the raw dll as a byte array in the script. To alleviate the size dilemma, I’ve written a PowerShell script that reads in a managed dll, compresses it, base64-encodes it, and outputs generated code that you can simply paste into any script that requires the dll.

function Out-CompressedDll
{
    [CmdletBinding()] Param (
        [Parameter(Mandatory = $True)]
        [String]
        $FilePath
    )

    $Path = Resolve-Path $FilePath

    if (! [IO.File]::Exists($Path))
    {
        Throw "$Path does not exist."
    }

    $FileBytes = [System.IO.File]::ReadAllBytes($Path)

    if (($FileBytes[0..1] | % {[Char]$_}) -join '' -cne 'MZ')
    {
        Throw "$Path is not a valid executable."
    }

    $Length = $FileBytes.Length
    $CompressedStream = New-Object IO.MemoryStream
    $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
    $DeflateStream.Write($FileBytes, 0, $FileBytes.Length)
    $DeflateStream.Dispose()
    $CompressedFileBytes = $CompressedStream.ToArray()
    $CompressedStream.Dispose()
    $EncodedCompressedFile = [Convert]::ToBase64String($CompressedFileBytes)

    Write-Verbose "Compression ratio: $(($EncodedCompressedFile.Length/$FileBytes.Length).ToString('#%'))"

    $Output = @"
`$EncodedCompressedFile = @'
$EncodedCompressedFile
'@
`$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`$EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
`$UncompressedFileBytes = New-Object Byte[]($Length)
`$DeflatedStream.Read(`$UncompressedFileBytes, 0, $Length) | Out-Null
[Reflection.Assembly]::Load(`$UncompressedFileBytes)
"@

    Write-Output $Output
}

As an example, I’ll compile the following code and run it through the script:

using System;

public class Test
{
   public static string DoStuff()
   {
      return "Thank you for loading me in memory!";
   }
}

PS C:\> csc /target:library test.cs
Microsoft (R) Visual C# Compiler version 4.0.30319.17929
for Microsoft (R) .NET Framework 4.5
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\> Out-CompressedDll .\test.dll | Out-File LoadDll.ps1

I then add the following to the generated script to run the DoStuff method: [Test]::DoStuff()

This results in the following script:

$EncodedCompressedFile = @'
7VXPbxtFFP527aZOSq2UoJIKqaxxKkUFLUaxVBChuIndNCg/rNgNCIGatbNxFta71u64xEigXkBw41QhwQFxR+KARFXEH8Ch/wFI5cYBqVfEgfSb2fWP2BbtiQqpz5n35r158+Z7b99M1t/+AgkASY7DQ+AWIirgwXSDI/3s7TR+mLyTuaWt3clU953QaAV+I7CaRt3yPF8YNdsI2p7heEZxs2I0/V3bPHlyai6OUS4Ba1oCry7eLnfj3oWeOaGdiEBNRLaNLJnRAzat5nrkAvSlAqVH0wQKn0hX+deXPaHor+eASpzwl/qYJHeAJx6iFiNEfKkBNUX9yoBuCvtAUFYTka9KYOh8mnfMIAzqiLEVcKQmXaK5YAa269djrDtxrKkRv6VhmLlsJK+oLcfQ4qGfca/2MDmOoZmcBn45uf8UAvLW1POYOH9Wn2eiU+exVHljSYujS6zX82bOXMgtvPSKtByDS/4rR/ZjYqLbN3JeEYHjNULp8Qdta9J2tYK8Hn3L7MrV1SJlkbqU2SXXr8V4ZCorT+mYlMrf5xZwOsotEZdIH5hrA0MWL5ITmEeG/F28Rv4ROXo+mvpNY0Zhl/OyIe038aLa31Dap7MXkKZ2ChfwJM5AapOKm6zVM+QzmMPTSN4YruZXGOhsdd5sd7q47u+2XfsihB0Kc9d1UeUEzbDuB65TQ6UTCruJzdp7dl2g6FdEe28PZl34QbxmbrU94TRtc9lvthzXDip2cN2p2yEigyUc39uyXetAzcJLgp+h1hY24o3SjUs1x3VEp78qAQErVezDgof32ccd+GhT7lEGlC6lhV04XG9Qb8Iml1o0byq/Dusu6bfStze3v/t9+afsL6U/M/d2kPrxw3e2z+Tvfs4vl04Y0JKGpqUSx7V0Sotv3Vn5Mar66TcDq7Xhe6WDut2SWVT3A/+DUIOR7Vf1YvdtGUO57LDl2rIfFF133XK8qNq2rcov6fAc40yPBPnfkKbAz0av6BG77PfcGLsk+Xa8VWBLDrxfi3qefJtv6zXyErY4W8UmNqivkl/mXNLPyXv/jHttXo/lmGdR3XGNUS32yGV2jcuOWWXvyO6SNKd2Vbkq+y/kugVBP59aRN8nv9ZkjArtQdyFo5EOlE+u98ujJmuAF4hI6/kXOULUVZzWkXMMVbPUgO82R0Dvvk+Ot78/wDMm6S8xCOXrEbvLelnqXkBZQ3KTt8dF1HXzCs8aVxrKe5nRW7w9ElGDt1DEWBZV7M3Y7sSxu9i8fz0jr/Ioc69Pa5v5ipFshnN5We25RI9Q3ekaY3WI5EH7HtN/SEb0f7i88KiBPKZHQfcB
'@
$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String($EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
$UncompressedFileBytes = New-Object Byte[](3072)
$DeflatedStream.Read($UncompressedFileBytes, 0, 3072) | Out-Null
[Reflection.Assembly]::Load($UncompressedFileBytes)

[Test]::DoStuff()

And that's all there is to it!

Note that this technique will only load MSIL-based dlls. It will not load native or  IJW ('it just works' - mixed-mode) dlls.