In Memory Execution Of .NET Assembly

Analyzing a Formbook VBS dropper [1] has been a nice introduction to .NET in memory execution. The technique is used for the simplicity it provides in executing .NET assemblies in memory achieving at the same time defence evasion. The payload itself does not have necessarily be present on the disk.

In the following sections

Creating a .NET Assembly on Windows

The following code snippet is a baseline to create a .NET Assembly.

using System;

namespace TestNamespace
    public class TestClass
        public static void testMethod()
            Console.WriteLine("Hello World");

        public static void Main(string[] args)
            // empty

To compile the above into an executable, on a Windows platform do:

csc.exe <filename>

To compile the above into a DLL, on a Windows platform do:

csc.exe /target:library <filename>

Load and Execute the .NET Assembly in Memory

This section provides a PowerShell script taken from the FormBook delivery [1].

In order for the script to successfully execute the provided Assembly, the .NET Assembly has to be in HEX encoded format. CyberChef is

function decoder {

    $inpairs = $encoded -split '(..)' | ? {$_}
    foreach ($inbytes in $inpairs)

[string]$encodedAssembly = '<HEX encoded .NET Assembly>'

[Byte[]]$netinbytes = decoder $encodedAssembly

$e = [System.Appdomain].GetMethod("get_CurrentDomain")

$f = $e.Invoke($null,$null)

$silentload = $f.Load($netinbytes)


The above PowerShell script once executed, decodes the provided .NET from hex to binary representation, loads it in memory and executes the method testMethod and prints the string Hello World

More specifically, once loaded in memory we can “pivot” to the appropriate method with the [TestNamespace.TestClass]::testMethod() which follows the notation [namespace.class]::method()