Dotnet Reflection

The sharpreflect command injects a C# executable into a remote process and executes it there. Badger uses a custom reflective loader to load the CLR and the .NET PE. The command also accepts command-line arguments, which are passed to the .NET executable. The example below shows the Seatbelt utility injected into a newly created process named werfault.exe with PID 7172.

The sharpreflect command can be configured to use PPID spoofing, custom child processes, and dynamic process injection techniques.

The sharpreflect command comes with built-in loaders which patch ETW and AMSI.
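From a detection standpoint, the behaviour described above leaves a recognisable trace: CLR runtime modules loading into a host such as werfault.exe that does not normally run managed code. The following is an added example, not part of the original documentation or the tool, that checks constructed process-creation and image-load events for that pattern. The event field names, the host list, and the assumption that the runtime DLLs appear in image-load telemetry are illustrative.

```python
import ntpath

# Runtime DLLs that load when the CLR starts inside a process.
CLR_MODULES = {"clr.dll", "clrjit.dll", "coreclr.dll"}
# Assumption: images that never host managed code in this environment (tune per fleet).
NON_DOTNET_HOSTS = {"werfault.exe"}

# Constructed sample events; id 1 = process creation, id 7 = image load (Sysmon numbering).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 7172, "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"C:\Windows\System32\WerFault.exe"},
    {"id": 7, "pid": 7172, "image": r"C:\Windows\System32\WerFault.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"id": 7, "pid": 7172, "image": r"C:\Windows\System32\WerFault.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll"},
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"C:\Windows\System32\WerFault.exe -u -p 3344 -s 212"},
    {"id": 7, "pid": 4120, "image": r"C:\Windows\System32\WerFault.exe",
     "loaded": r"C:\Windows\System32\dbghelp.dll"},
    {"id": 1, "pid": 5300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"id": 7, "pid": 5300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
]

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path.strip('"')).lower()

def find_unexpected_clr_hosts(events, hosts=NON_DOTNET_HOSTS):
    """Return one finding per PID where a CLR module loaded into a non-.NET host."""
    cmdlines, findings = {}, {}
    for ev in events:
        if ev["id"] == 1:
            cmdlines[ev["pid"]] = ev["cmdline"]
        elif ev["id"] == 7 and base(ev["image"]) in hosts and base(ev["loaded"]) in CLR_MODULES:
            hit = findings.setdefault(
                ev["pid"], {"pid": ev["pid"], "image": base(ev["image"]), "modules": []})
            hit["modules"].append(base(ev["loaded"]))
    for pid, hit in findings.items():
        # Second signal: the host was started with no arguments at all.
        # A PID with no recorded process-creation event stays False.
        hit["no_args"] = pid in cmdlines and base(cmdlines[pid]) == hit["image"]
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_unexpected_clr_hosts(SAMPLE_EVENTS):
        print(finding)
```

Image-load events are used here because they are recorded outside the target process, so they do not depend on the in-process ETW and AMSI instrumentation that the built-in loaders patch.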