coldfusion39 / netstub

Create a C++ PE which loads an XTEA-crypted .NET PE shellcode in memory.

Create C++ Stubs for .NET executables

Motivation

Simple Xtea Crypter shows how to encrypt a PE file with XTEA and run it from memory in a compiled C++ program. However, this did not appear to work for .NET executables.

Steps with references

  1. Took the Simple Xtea Crypter code and used it to create an XTEA-encrypted PE shellcode. You can simply "gcc xtea -o xtea.exe" it. Then drag your .NET PE onto it, and shellcode.h will appear.

Now, if you follow the steps described in that project with its runPE, it will just not work. Instead:

  2. Took this code for loading an assembly into a .NET environment from C++, modified it slightly, and put the pieces together. It did not work at first; debugging showed that "SAFEARRAY *psaStaticMethodArgs = SafeArrayCreateVector(VT_VARIANT, 0, 0);" was creating the wrong arguments for the .NET application (in my case a QuasarRAT executable, which expects some args in its Main). So I researched how to construct argv and argc correctly (found on a website I no longer remember) and included that.

  3. Make sure you compile netstub.cpp for x86 or x64, matching the .NET PE. I used Microsoft Visual Studio 2017; this would not work with gcc.

Jean 09/2018
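
For analysts triaging a binary built this way, the following static check is an added example, not code from this repository. It flags a PE that contains both the XTEA delta constant and CLR-hosting names; the name list and the two-name threshold are assumptions (only SafeArrayCreateVector appears in the text above), and the sample bytes are constructed.

```python
import struct

# XTEA's key-schedule constant; compilers may emit it negated (sum -= delta).
XTEA_DELTA = 0x9E3779B9
DELTA_PATTERNS = [struct.pack("<I", XTEA_DELTA),
                  struct.pack("<I", (-XTEA_DELTA) & 0xFFFFFFFF)]

# Assumed indicator names: real Windows/CLR-hosting identifiers, but only
# SafeArrayCreateVector is taken from the page itself.
CLR_HOST_NAMES = ["mscoree.dll", "CLRCreateInstance", "CorBindToRuntimeEx",
                  "SafeArrayCreateVector"]


def is_pe(data: bytes) -> bool:
    """Check the MZ header and the PE signature that e_lfanew points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_names(data: bytes, names=CLR_HOST_NAMES) -> list:
    """Return names present as ASCII or UTF-16LE, case-insensitively."""
    lowered = data.lower()
    hits = []
    for name in names:
        ascii_form = name.lower().encode("ascii")
        wide_form = name.lower().encode("utf-16-le")
        if ascii_form in lowered or wide_form in lowered:
            hits.append(name)
    return hits


def triage(data: bytes) -> dict:
    """Flag a PE that holds both an XTEA constant and CLR-hosting names."""
    has_delta = any(p in data for p in DELTA_PATTERNS)
    names = find_names(data) if is_pe(data) else []
    return {"pe": is_pe(data), "xtea_delta": has_delta, "clr_names": names,
            "suspicious": is_pe(data) and has_delta and len(names) >= 2}


def make_sample(with_delta: bool) -> bytes:
    """Constructed test input: a minimal MZ/PE header plus marker bytes."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    body = b"mscoree.dll\0" + "CLRCreateInstance".encode("utf-16-le")
    return bytes(hdr) + body + (DELTA_PATTERNS[0] if with_delta else b"")
```

The delta constant is shared with TEA and with some hash-mixing routines, so a hit is a reason to look closer rather than a verdict.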


Languages

C++ 88.9%, C 11.1%