27 Sep 2010 @ 11:37 AM 

We have seen dynamic IL compilation in managed environments and shellcode execution in unmanaged environments like C. What I present here is shellcode execution from C#. This particular trick uses CallWindowProc, which earlier VB6 programmers used either for inlining ASM into their code or, together with LoadLibrary/GetModuleHandle, for dynamic method invocation. A couple of extra steps are needed to make it work in a managed environment, mainly because of the garbage collector and the *managed* nature of the code.

using System;
using System.Runtime.InteropServices;

namespace Shell
{
    class x86Shell
    {
        [DllImport("user32")]
        private static extern int CallWindowProc
            (IntPtr lpPrevWndFunc, int hWnd, int Msg, int wParam, int lParam);

        public unsafe int Add(int a, int b)
        {
            // 8B45 0C         MOV EAX,DWORD PTR SS:[EBP+C]
            // 8B5D 10         MOV EBX,DWORD PTR SS:[EBP+10]
            // 03C3            ADD EAX,EBX
            // C2 1000         RET 10

            // The 4 parameters passed to CallWindowProc can be addressed at 0x0C, 0x10, 0x14 and 0x18
            byte[] shellCode = { 0x8B, 0x45, 0x0C, 0x8B, 0x5D, 0x10, 0x03, 0xC3, 0xC2, 0x10, 0x00 };
            // Pin the array so the garbage collector cannot move it while the pointer is in use
            fixed (byte* bytePointer = shellCode)
            {
                IntPtr pointer = (IntPtr)bytePointer;
                return CallWindowProc(pointer, a, b, 0, 0);
            }
        }
    }
}


Compile with /unsafe enabled. Well, the question remains… What is the use of this kind of technique? Maybe some malware writers will use it (if malware is coded in a managed language 😛), or some .NET obfuscators/protectors could use it to make reverse engineering a little harder (though they would need both x86 and x64 versions of the code).

Posted By: Dan
Last Edit: 27 Sep 2010 @ 11:46 AM

Categories: C#, Shellcode
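
A defender's view of the pattern above, as an added example that is not part of the original post: a Python heuristic for triaging C# source or decompiler output, which reports any CallWindowProc call whose first argument traces back to a pinned byte[] literal. Both sample inputs are constructed, and the function name find_bytes_called_as_code is an assumption of this example.

```python
import re

# Constructed input: decompiler-style C# with the pattern from the post.
SUSPICIOUS = """
[DllImport("user32")]
static extern int CallWindowProc(IntPtr lpPrevWndFunc, int hWnd, int Msg, int wParam, int lParam);
public unsafe int Add(int a, int b) {
    byte[] shellCode = { 0x8B, 0x45, 0x0C, 0x8B, 0x5D, 0x10, 0x03, 0xC3, 0xC2, 0x10, 0x00 };
    fixed (byte* bytePointer = shellCode) {
        IntPtr pointer = (IntPtr)bytePointer;
        return CallWindowProc(pointer, a, b, 0, 0);
    }
}
"""
# Constructed input: ordinary window subclassing that forwards to a saved window procedure.
BENIGN = """
[DllImport("user32")]
static extern IntPtr CallWindowProc(IntPtr lpPrevWndFunc, IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
IntPtr WndProc(IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam) {
    return CallWindowProc(oldWndProc, hWnd, msg, wParam, lParam);
}
"""

EXTERN = re.compile(r"\bextern\b[^;(]*\bCallWindowProc\w*\s*\(")
ARRAY = re.compile(r"\bbyte\s*\[\s*\]\s*(\w+)\s*=\s*(?:new\s+byte\s*\[\s*\]\s*)?\{")
FIXED = re.compile(r"\bfixed\s*\(\s*byte\s*\*\s*(\w+)\s*=\s*(\w+)")
CAST = re.compile(r"(\w+)\s*=\s*\(\s*IntPtr\s*\)\s*(\w+)")
CALL = re.compile(r"\bCallWindowProc\w*\s*\(\s*(?:\(\s*IntPtr\s*\)\s*)?(\w+)\s*,")

def find_bytes_called_as_code(source):
    """Return (line, pointer, array) for each CallWindowProc call whose first
    argument traces back to a pinned byte[] literal."""
    if not EXTERN.search(source):
        return []  # no P/Invoke declaration of CallWindowProc in this file
    arrays = set(ARRAY.findall(source))
    # Map each pinned pointer variable to the byte[] it was taken from.
    origin = {p: a for p, a in FIXED.findall(source) if a in arrays}
    for dst, src in CAST.findall(source):  # follow "IntPtr x = (IntPtr)ptr"
        if src in origin:
            origin[dst] = origin[src]
    hits = []
    for m in CALL.finditer(source):
        if m.group(1) in origin:
            line = source.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(1), origin[m.group(1)]))
    return hits

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, find_bytes_called_as_code(src))
```

The match is purely textual, so it suits a first-pass triage of readable source; obfuscated or renamed code needs analysis at the IL level instead.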


Responses to this post » (7 Total)

  1. Rewetuete says:

    How to set the variables a and b ?

  2. MAK says:

    Attempted to read or write protected memory. This is often an indication that other memory is corrupt
