NixImports – A .NET Malware Loader, Using API-Hashing To Evade Static Analysis
Description

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Zq8zJu8KUW6x6AabU-OR0RAh6f7ncktwNDdnF1BDB_ExxXnb7vYeSvoTmvK92klLZD_BTSKymjXg68SKD5rdJrcKhCo7Ba_RU6dnjYDwHLX0UvH5j7Gp8Ss9dVjvTBKqxnAhc4h3kwIC7j4R6fuc763g0CQvwtRvJdenCBwY_7x3mcfXa5RtVkwVUBLv/w640-h312/nix_references.png)

A .NET malware loader that uses API hashing and dynamic invoking to evade static analysis.

## How does it work?

NixImports uses my managed API-hashing implementation, HInvoke, to resolve most of the functions it calls dynamically at runtime. To resolve a function, HInvoke requires two hashes: the typeHash and the methodHash. These represent the type name and the method's FullName respectively. At runtime HInvoke walks the entire mscorlib to find the type and method whose names produce the matching hashes. Because the target is located by hash rather than by name, HInvoke leaves no import references to the methods called through it, so a static import table will not show them.

Another notable feature of NixImports is that it avoids calling well-known methods wherever possible: where applicable it calls the internal methods directly instead of their public wrappers. Since basic hooks and monitoring employed by some security tools are placed on the public wrappers, calling only the internal methods can slip past them.
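Since the loader replaces method names with a type hash and a method hash, an analyst looking at a sample sees only numbers. The usual defensive answer is to precompute the hashes of every type name and method signature in the framework and use that table to turn observed hash pairs back into readable names. The script below, an added example and not NixImports or HInvoke code, shows that approach on a small constructed inventory. The hash algorithm (FNV-1a, 32-bit) is an assumption for illustration; the real tool's hash function is generated by a separate tool and is not stated on this page, and the method strings are constructed in `MethodInfo.ToString()` style rather than taken from a real mscorlib dump.

```python
"""Analyst lookup table for hashed .NET type/method references.

Added example, not NixImports/HInvoke code. The hash function is an
ASSUMPTION (FNV-1a 32-bit) standing in for whatever the real tool uses;
swap in the recovered algorithm and regenerate the table from a full
reflection dump of mscorlib to use this on real samples.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def fnv1a32(text: str) -> int:
    """FNV-1a 32-bit over the UTF-8 bytes of `text` (assumed algorithm)."""
    h = 0x811C9DC5
    for byte in text.encode("utf-8"):
        h ^= byte
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


# Constructed inventory: type name -> method signatures as MethodInfo.ToString()
# would report them. A real table would be produced by reflecting over mscorlib.
SAMPLE_INVENTORY: Dict[str, List[str]] = {
    "System.Reflection.Assembly": [
        "System.Reflection.Assembly Load(Byte[])",
        "System.Reflection.Assembly Load(System.String)",
    ],
    "System.Reflection.MethodBase": [
        "System.Object Invoke(System.Object, System.Object[])",
    ],
    "System.IO.File": [
        "Byte[] ReadAllBytes(System.String)",
    ],
    "System.Text.Encoding": [
        "System.String GetString(Byte[])",
    ],
}

HashPair = Tuple[int, int]
Resolved = Tuple[str, str]


def build_lookup(inventory: Dict[str, List[str]]) -> Dict[HashPair, Resolved]:
    """Map (typeHash, methodHash) -> (type name, method signature)."""
    table: Dict[HashPair, Resolved] = {}
    for type_name, methods in inventory.items():
        type_hash = fnv1a32(type_name)
        for method in methods:
            table[(type_hash, fnv1a32(method))] = (type_name, method)
    return table


def resolve(table: Dict[HashPair, Resolved], type_hash: int,
            method_hash: int) -> Optional[Resolved]:
    """Return the readable names for a hash pair, or None if unknown."""
    return table.get((type_hash, method_hash))


def resolve_many(table: Dict[HashPair, Resolved],
                 pairs: List[HashPair]) -> List[Tuple[HashPair, Optional[Resolved]]]:
    """Resolve every observed pair; unknown pairs stay None for manual follow-up."""
    return [(pair, resolve(table, pair[0], pair[1])) for pair in pairs]


def find_collisions(inventory: Dict[str, List[str]]) -> List[List[str]]:
    """List groups of distinct names that share one 32-bit hash.

    With a full framework inventory collisions do happen, so the check matters
    before trusting a one-to-one mapping from hash back to name.
    """
    by_hash: Dict[int, List[str]] = defaultdict(list)
    for type_name, methods in inventory.items():
        by_hash[fnv1a32(type_name)].append(type_name)
        for method in methods:
            by_hash[fnv1a32(method)].append(method)
    return [names for names in by_hash.values() if len(set(names)) > 1]


if __name__ == "__main__":
    table = build_lookup(SAMPLE_INVENTORY)
    # Constructed "observed" pairs, as an analyst might extract from a sample.
    observed = [
        (fnv1a32("System.IO.File"), fnv1a32("Byte[] ReadAllBytes(System.String)")),
        (fnv1a32("System.Reflection.Assembly"), fnv1a32("System.Reflection.Assembly Load(Byte[])")),
        (0x12345678, 0x9ABCDEF0),  # not in the table
    ]
    for pair, names in resolve_many(table, observed):
        print(f"{pair[0]:08x}/{pair[1]:08x} -> {names if names else 'UNKNOWN'}")
    print("collisions:", find_collisions(SAMPLE_INVENTORY))
```

In practice the table is generated once per framework version and kept beside the sample; an unresolved pair then means either a method outside the inventory or a different hash algorithm, both of which are worth noting in the triage report.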

For a more detailed explanation, check out my blog post.

You can generate hashes for HInvoke using the accompanying hash generator tool.

## How to use

NixImports only requires the file path of the .NET binary you want to pack with it.

```
NixImports.exe
```

It will automatically generate a new executable called Loader.exe in its root folder. The loader executable contains your encoded payload and the stub code required to run it.

## Tips for Defenders

If you're interested in detection engineering and possible detection of NixImports, check out the last section of my blog post.

A basic YARA rule covering NixImports is also available.

**Download NixImports**
