C# port of @mattifestation's Invoke-ShellcodeMSIL.ps1
Taken from Matt's Exploit-Monday post:
While investigating MSIL opcodes a while back, I uncovered a useful opcode - Cpblk. Cpblk is the MSIL equivalent of a memcpy. After writing a .NET method that utilized Cpblk, I immediately thought of a practical use - overwrite a JITed .NET method with shellcode. That way, I could execute shellcode directly without needing to call any Win32 functions. I wrote Invoke-ShellcodeMSIL as an implementation of my idea.
The port builds three dynamic methods:
- One that acts as a dummy method: we JIT it first and later replace its compiled body with our own shellcode.
- Another that acts as the memcpy routine; we use it to copy the shellcode to the address of the dummy method.
- The last dynamic method retrieves the address of the first one so we know where to copy our shellcode.
Steps:
- Create a dummy method that just XORs two values.
- Define the second dynamic method, which acts as a memcpy using the Cpblk opcode.
- Run the dummy method a number of times to force JIT compilation.
- Use a third dynamic method to get the address of the dummy method.
- Use the second dynamic method to copy the final shellcode to the address retrieved in the previous step.
- Run the dummy method again to execute the shellcode.
- Profit!
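To make the Cpblk point concrete, here is an added example (my own code, not part of this port or of Invoke-ShellcodeMSIL) of a DynamicMethod whose entire body is one Cpblk. It copies between two managed byte arrays, which is the memcpy behaviour the quoted post describes; the operands Cpblk pops are destination address, source address and byte count, in that order. The names CpblkDemo, CopyDelegate and BuildCopy are my own.

```csharp
using System;
using System.Reflection.Emit;

// Added example: emit a DynamicMethod that is a single Cpblk instruction and
// use it to copy one managed byte array into another. All names are assumed.
static class CpblkDemo
{
    // Shape of the emitted routine: (dest, src, count) -> void.
    // Managed byrefs are valid address operands for cpblk.
    delegate void CopyDelegate(ref byte dest, ref byte src, uint count);

    static CopyDelegate BuildCopy()
    {
        var dm = new DynamicMethod(
            "CpblkCopy",
            typeof(void),
            new[] { typeof(byte).MakeByRefType(), typeof(byte).MakeByRefType(), typeof(uint) },
            typeof(CpblkDemo).Module,
            skipVisibility: true);

        ILGenerator il = dm.GetILGenerator();
        il.Emit(OpCodes.Ldarg_0); // push destination address
        il.Emit(OpCodes.Ldarg_1); // push source address
        il.Emit(OpCodes.Ldarg_2); // push number of bytes to copy
        il.Emit(OpCodes.Cpblk);   // memcpy(dest, src, count)
        il.Emit(OpCodes.Ret);

        return (CopyDelegate)dm.CreateDelegate(typeof(CopyDelegate));
    }

    static void Main()
    {
        // Constructed sample input: four arbitrary bytes.
        byte[] src = { 0xDE, 0xAD, 0xBE, 0xEF };
        byte[] dst = new byte[src.Length];

        CopyDelegate copy = BuildCopy();
        copy(ref dst[0], ref src[0], (uint)src.Length);

        Console.WriteLine("source:      " + BitConverter.ToString(src));
        Console.WriteLine("destination: " + BitConverter.ToString(dst));
    }
}
```

The emitted method has no calls into the runtime or Win32: the JIT turns Cpblk into an inline block copy, which is why the post singles it out. Passing managed references keeps this example inside GC-tracked memory; the step in the list above that targets a JITed method's code instead hands the same routine a raw code address.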
References:
- https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-ShellcodeMSIL.ps1
- http://www.exploit-monday.com/2013/04/MSILbasedShellcodeExec.html
- http://www.phrack.org/papers/dotnet_instrumentation.
- https://docs.microsoft.com/en-us/dotnet/api/system.reflection.emit.opcodes?view=netframework-4.8