Each CSharp file contains code to execute shellcode using native Windows callbacks. I tried to use much less common callback techniques that weren't typically documented online as far as I could tell. This way they should be more evasive.
NOTE: The shellcode samples used in every C# file will execute Windows 64-bit Calculator.exe
NOTE 2: I've also included the C/C++ code samples from VX-Underground which some of these were based off of
The C# malware samples contain the following execution flows:
- Base64 decode 64-bit shellcode
- XOR decrypt shellcode
- Allocate memory with VirtualAlloc()
- Copy shellcode to memory with Marshal.Copy()
- Execute shellcode with callback function
For each code sample, any decrypting/decoding routines could be changed to fit your needs. Also, use D/Invoke, obfuscation, junk code, etc!
It's also possible to replace the some functions in the code with alternatives such as:
- Use RtlMoveMemory() instead of Marshal.Copy()
- WriteProcessMemory() instead of Marshal.Copy()
- Use the managed function Marshal.AllocHGlobal() to allocate space instead of VirtualAlloc()
Compiling intructions with csc.exe:
// Compile EXE
csc.exe /target:exe /out:TestExecutable.exe CSharp-Callback_[FILENAME].cs
// Compile DLL
csc.exe /target:library /out:TestLibrary.dll CSharp-Callback_[FILENAME].cs
Enjoy the CSharp samples and good luck! Please povide any feedback if you'd like additional callback functions to be implemented.
Blog post: https://wsummerhill.github.io/malware/2022/12/09/CSharp-Alt-Shellcode-Callbacks.html
Thanks to DamonMohammadbagher/NativePayload_CBT for the inspiration.
Thanks to VX Underground for the Windows malware templates in C.