
Executing Shellcode In C#


Post by atom0s » Sun Apr 30, 2017 11:54 pm

This was a topic that was brought up on Tuts4You here:
https://forum.tuts4you.com/topic/39503- ... -peb-in-c/

I Googled around and could not find a single instance of doing this in C# within the parameters given by the poster, so I came up with some ideas for how I could allocate memory without any imports.

Some ideas that came to mind were:
- Marshal.AllocHGlobal
- Marshal.AllocCoTaskMem
- MemoryStream

Sadly, all three of these options only allocate memory that has protection flags of PAGE_READ and PAGE_WRITE, with no ability to execute.

Next, I thought of memory mapped files, which are a way to share memory between processes. This API allows you to specify the access type of the file, including execution permissions. C# has this built-in via the 'System.IO.MemoryMappedFiles' namespace within the System.Core.dll module.

Using this namespace, we can create a mapped file in memory, write our shellcode to it, create a function delegate to the function and invoke it. Here's an example of doing this, getting the PEB of the process (32-bit):
```csharp
/**
 * C# Shellcode Example
 * (c) 2017 atom0s [atom0s@live.com]
 *
 * Demonstrates how to invoke shellcode within C# using a memory mapped file.
 */

namespace ShellcodeExample
{
    using System;
    using System.IO.MemoryMappedFiles;
    using System.Runtime.InteropServices;

    class Program
    {
        /// <summary>
        /// Function delegate to invoke the shellcode.
        /// </summary>
        /// <returns></returns>
        private delegate IntPtr GetPebDelegate();

        /// <summary>
        /// Shellcode function used to obtain the PEB of the process.
        /// </summary>
        /// <returns></returns>
        private unsafe static IntPtr GetPeb()
        {
            // 32-bit only: fs:[0x30] holds the PEB pointer in an x86 process..
            var shellcode = new byte[]
                {
                    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,         // mov eax, dword ptr fs:[30]
                    0xC3                                        // ret
                };

            MemoryMappedFile mmf = null;
            MemoryMappedViewAccessor mmva = null;
            var pointer = (byte*)0;

            try
            {
                // Create a read/write/executable memory mapped file to hold our shellcode..
                mmf = MemoryMappedFile.CreateNew("__shellcode", shellcode.Length, MemoryMappedFileAccess.ReadWriteExecute);

                // Create a memory mapped view accessor with read/write/execute permissions..
                mmva = mmf.CreateViewAccessor(0, shellcode.Length, MemoryMappedFileAccess.ReadWriteExecute);

                // Write the shellcode to the MMF..
                mmva.WriteArray(0, shellcode, 0, shellcode.Length);

                // Obtain a pointer to our MMF..
                mmva.SafeMemoryMappedViewHandle.AcquirePointer(ref pointer);

                // Create a function delegate to the shellcode in our MMF..
                var func = (GetPebDelegate)Marshal.GetDelegateForFunctionPointer(new IntPtr(pointer), typeof(GetPebDelegate));

                // Invoke the shellcode..
                return func();
            }
            catch
            {
                return IntPtr.Zero;
            }
            finally
            {
                // Release the pointer acquired above so the view handle can actually be freed..
                if (pointer != null)
                    mmva.SafeMemoryMappedViewHandle.ReleasePointer();

                mmva?.Dispose();
                mmf?.Dispose();
            }
        }

        /// <summary>
        /// Entry point.
        /// </summary>
        /// <param name="args"></param>
        static void Main(string[] args)
        {
            var peb = GetPeb();
            Console.WriteLine("PEB is located at: {0:X8}", peb.ToInt32());
        }
    }
}
```
Thanks to evlncrn8 for his adjustments to the shellcode itself to trim things down.
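For code review, the pattern in the post above can be spotted in C# source because no P/Invoke import is present to flag it. This is an added example, not part of the original post: a heuristic scanner that looks for an executable memory-mapped view combined with a delegate built over a raw pointer. The function names, verdict labels and sample snippets are constructed for illustration, and verbatim (`@"..."`) strings are not specially handled.

```python
import re

# Indicators of the pattern in the post: an executable mapping, a raw pointer
# into the view, and a delegate built over that pointer.
INDICATORS = {
    "exec_mapping": re.compile(r"MemoryMappedFileAccess\s*\.\s*(?:ReadWriteExecute|ReadExecute)\b"),
    "raw_pointer": re.compile(r"\.\s*AcquirePointer\s*\("),
    "fn_delegate": re.compile(r"GetDelegateForFunctionPointer\s*(?:<[^>]*>)?\s*\("),
}
# String literals are matched first so that "//" inside a string is not a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(src):
    """Blank out // and /* */ comments, keeping strings and line numbers."""
    def repl(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return _TOKEN.sub(repl, src)

def scan(src):
    """Return (verdict, {indicator: [line numbers]}) for one C# source text."""
    code = strip_comments(src)
    hits = {}
    for name, rx in INDICATORS.items():
        lines = [code.count("\n", 0, m.start()) + 1 for m in rx.finditer(code)]
        if lines:
            hits[name] = lines
    if "exec_mapping" in hits and "fn_delegate" in hits:
        return "high", hits      # executable view plus a callable delegate
    if "exec_mapping" in hits:
        return "review", hits    # executable view alone still merits a look
    return "none", hits

# Constructed samples for the demonstration (not taken from the post).
BENIGN = '''
// MemoryMappedFileAccess.ReadWriteExecute is only mentioned in this comment
var mmf = MemoryMappedFile.CreateNew("ipc", 4096, MemoryMappedFileAccess.ReadWrite);
var cb = Marshal.GetDelegateForFunctionPointer<Callback>(nativeExport);
'''
SUSPECT = '''
var mmf = MemoryMappedFile.CreateNew(null, n, MemoryMappedFileAccess.ReadWriteExecute);
var view = mmf.CreateViewAccessor(0, n, MemoryMappedFileAccess.ReadWriteExecute);
view.SafeMemoryMappedViewHandle.AcquirePointer(ref p);
var f = Marshal.GetDelegateForFunctionPointer(new IntPtr(p), typeof(Fn));
'''

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, *scan(sample))
```

In a compiled assembly the enum member name is replaced by its integer constant, so this source-level check does not carry over to binaries unchanged.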