Monday, June 12, 2017

Attacking the CLR - AppDomainManager Injection

I have been interested in attacking the CLR to be able to manipulate .NET apps, like PowerShell.
For example, using .NET profilers here:

Recently I was reading this article about the CLR and execution events:

http://mattwarren.org/2017/02/07/The-68-things-the-CLR-does-before-executing-a-single-line-of-your-code/

One of the interesting things I stumbled on was this reference to CLR tuning:

https://github.com/dotnet/coreclr/blob/master/Documentation/project-docs/clr-configuration-knobs.md

Of particular interest I saw these environment variables that can be set. You can also set these in an app.config file.




AppDomain Managers are interesting in that they set up the environment before your .NET app runs.

I'll keep this short. You can manipulate the runtime by getting your code to execute prior to the application.

Here's some code.



This can work against PowerShell.exe too.  ;-)
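
A defender-side check for the settings discussed above, as an added example that is not code from the original post: it flags the .NET Framework's `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables and the `appDomainManagerAssembly` / `appDomainManagerType` elements of an app.config. The function names and the sample environment and config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Environment variables the .NET Framework CLR reads to pick an AppDomainManager.
# Windows environment names are case-insensitive, so compare in lower case.
ENV_KNOBS = {"appdomain_manager_asm", "appdomain_manager_type"}
# <runtime> child elements in an app.config that do the same job.
CONFIG_KNOBS = {"appdomainmanagerassembly", "appdomainmanagertype"}

# Constructed sample inputs (not taken from the post).
SAMPLE_ENV = {
    "PATH": r"C:\Windows\System32",
    "APPDOMAIN_MANAGER_ASM": "ExampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",
    "APPDOMAIN_MANAGER_TYPE": "ExampleManager.Manager",
}
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="ExampleManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="ExampleManager.Manager" />
  </runtime>
</configuration>"""


def scan_environment(env):
    """Return sorted (name, value) pairs that select an AppDomainManager."""
    return sorted((k, v) for k, v in env.items() if k.lower() in ENV_KNOBS)


def scan_config(xml_text):
    """Return (element, value) pairs for AppDomainManager settings in a .config file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []  # unparseable config: nothing to report from this check
    hits = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if tag.lower() in CONFIG_KNOBS:
            hits.append((tag, el.get("value", "")))
    return hits


if __name__ == "__main__":
    for name, value in scan_environment(SAMPLE_ENV):
        print(f"env    {name} = {value}")
    for tag, value in scan_config(SAMPLE_CONFIG):
        print(f"config <{tag}> value={value}")
```

Run `scan_config` over every `*.exe.config` next to a .NET executable (including one beside PowerShell.exe) and `scan_environment` over each process's environment block; any hit that is not part of a known deployment deserves a look.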


I leave it to you to explore what's possible here.

Have fun, keep asking questions!





Cheers,

Casey
@subTee