xpn
/ env_var_spoofing_poc.cpp
Created
June 6, 2020 21:25
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on | |
| // setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET. | |
| // | |
| // Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables, | |
| // and then resuming the process. | |
| // | |
| // (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
| #define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
| #define INJECT_PARAM_LEN 43 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <fcntl.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| #include <stdlib.h> | |
| #include "memdump.h" | |
| #define DUMP_COUNT 50 | |
| // Headers which we will need to use throughout our session |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| typedef unsigned int DWORD; | |
| typedef unsigned char BYTE; | |
| typedef unsigned char * PBYTE; | |
| typedef DWORD HRESULT; | |
| typedef unsigned short USHORT; | |
| typedef unsigned int ULONG; | |
| typedef unsigned char UCHAR; | |
| typedef bool BOOL; | |
| static const DWORD kCurrentMajorVersion = 2; |
xpn
/ dotnet_injectbundle.cpp
Created
September 13, 2020 22:30
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Compile with g++ dotnet_injectbundle.cpp -o dotnet_injectbundle | |
| #include <stdio.h> | |
| #include <fcntl.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| #include <stdlib.h> | |
| #include <mach-o/dyld.h> | |
| #include "main.h" |
xpn
/ dotnet_inject.cpp
Created
September 13, 2020 22:51
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Compile with g++ dotnet_injectbundle.cpp -o dotnet_injectbundle | |
| #include <stdio.h> | |
| #include <fcntl.h> | |
| #include <string.h> | |
| #include <unistd.h> | |
| #include <stdlib.h> | |
| #include "main.h" | |
| // libcorclr.dll signature for finding hlpDynamicFuncTable |
xpn
/ ExecStubOverwrite.cs
Created
May 3, 2021 22:56
https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace NautilusProject | |
| { | |
| public class ExecStubOverwrite | |
| { | |
| public static void Execute(byte[] shellcode) | |
| { | |
| // mov rax, 0x4141414141414141 |
xpn
/ ExecStubOverwriteWithoutPInvoke.cs
Created
May 3, 2021 22:58
https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Reflection; | |
| using System.Runtime.InteropServices; | |
| namespace NautilusProject | |
| { | |
| public class ExecStubOverwriteWithoutPInvoke | |
| { | |
| public static void Execute(byte[] shellcode) | |
| { |
xpn
/ ExecNativeSlot.cs
Created
May 3, 2021 23:06
https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Reflection; | |
| using System.Runtime.InteropServices; | |
| namespace NautilusProject | |
| { | |
| public class ExecNativeSlot | |
| { | |
| public static void Execute() | |
| { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Reflection; | |
| using System.Runtime.InteropServices; | |
| namespace NautilusProject | |
| { | |
| public class ReadGadget | |
| { | |
| public static IntPtr ReadMemory(IntPtr addr) | |
| { |
xpn
/ WriteGadget.cs
Created
May 3, 2021 23:09
https://blog.xpnsec.com/weird-ways-to-execute-dotnet/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Text; | |
| using System.Threading.Tasks; | |
| namespace NautilusProject | |
| { | |
| public class WriteGadget | |
| { |