This project is heavily based on DllFromMemory.Net and DInvoke project.
Some enhancements are applied:
-
Extra indirection layer is added when calling native APIs. (No single P/Invoke usages)
-
No
nameof()
usages. All strings and type names are able to be obfuscated.
-
Load DLLs in-memory without leaving the file artifacts to the disk.
-
Instead of manually extracting the native DLL to the disk and then invoking them, load them directly from byte array or resource and use!
-
Manual map core Win32 libraries to bypass API hooking and evade AV/EDR.
-
-
Use Win32 or your own DLL's native methods in C# without P/Invoke or
LoadLibrary
andGetProcAddress
-
Make your program easy-to-obfuscate while using native method calls. (The obfuscator's String Encryption will make your protection stronger)
- You can store your own native DLL to the program resource, and then load it in-memory on runtime. (The obfuscator's Resource Encryption will also help you in this case)
-
-
Add this project to your repository using command:
git submodule add https://github.com/hsheric0210/StealthModule.NET
-
Add the reference to desired StealthModule project file (e.g.
StealthModule.csproj
) to your own project. (Project > Add Reference > Projects;Alt+P R
> Projects)
-
Build this project to obtain StealthModule.dll (you must build in both 32-bit, 64-bit version)
-
Add reference to each 32-bit and 64-bit StealthModule.dll
StealthModule.NET is based on DllFromMemory.Net commit 7b1773c8035429e6fb1ab4b8fd0a52d2a4810efc. https://github.com/schellingb/DLLFromMemory-net
DLLFromMemory.Net is based on Memory Module.net 0.2 Copyright (C) 2012 - 2018 by Andreas Kanzler https://github.com/Scavanger/MemoryModule.net
Memory Module.net is based on Memory DLL loading code Version 0.0.4 Copyright (C) 2004 - 2015 by Joachim Bauch https://github.com/fancycode/MemoryModule
Resolver.cs
is based on DInvoke Generic.cs
DLL Manual Mapping utility parts are based on DLLFromMemory-net DLLFromMemory.cs