XOR Payload Encryptor for .NET and Payload Runner with Built-in XOR Decryptor
This code is an example of running shellcode on a Windows system via a .NET assembly. It consists of 2 projects:
- An XOR encryptor that can be used on any file, but was written as an example to encrypt Cobalt Strike payloads.
- Example code intended for running XOR-encrypted Cobalt Strike beacon payloads. It contains an XOR decryptor which decrypts the payload before running.

Where traditional shellcode injection typically opens an already running process and uses CreateRemoteThread, the method in this example instead uses CreateThread to create a new thread within the ShellCodeRunner process itself.
The ShellCodeRunner executes the following steps:
- Allocate a chunk of memory in the calling process (VirtualAlloc) with RW memory protection
- Copy the shellcode payload to the newly allocated section (Marshal.Copy)
- Change memory protection to RX (VirtualProtect)
- Create a new thread in the calling process to execute the shellcode (CreateThread).
- Wait for the beacon to call exit (WaitForSingleObject)
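
From the detection side, the steps above leave a recognizable in-process sequence: a region allocated RW, flipped to RX, then used as a thread start address. The following is an added example, not part of this project, that correlates that sequence over constructed API-call telemetry; the event schema and field names are assumptions.

```python
# Added example: correlate API-call telemetry for the in-process
# RW alloc -> RX flip -> thread-start sequence. Event schema is hypothetical.

# Constructed sample events (not real logs), in time order.
EVENTS = [
    {"pid": 4120, "api": "VirtualAlloc", "base": 0x1F0000, "size": 0x1000,
     "protect": "PAGE_READWRITE"},
    {"pid": 4120, "api": "VirtualProtect", "base": 0x1F0000, "size": 0x1000,
     "protect": "PAGE_EXECUTE_READ"},
    {"pid": 4120, "api": "CreateThread", "start": 0x1F0010},
    # Region flipped to RX, but the thread starts elsewhere: no alert.
    {"pid": 5000, "api": "VirtualAlloc", "base": 0x2A0000, "size": 0x2000,
     "protect": "PAGE_READWRITE"},
    {"pid": 5000, "api": "VirtualProtect", "base": 0x2A0000, "size": 0x2000,
     "protect": "PAGE_EXECUTE_READ"},
    {"pid": 5000, "api": "CreateThread", "start": 0x7FF600001000},
    # Same address in another process, never flipped to RX: no alert.
    {"pid": 6000, "api": "VirtualAlloc", "base": 0x1F0000, "size": 0x1000,
     "protect": "PAGE_READWRITE"},
    {"pid": 6000, "api": "CreateThread", "start": 0x1F0000},
]

def _covers(region, addr):
    """True if addr falls inside the tracked region."""
    return region["base"] <= addr < region["base"] + region["size"]

def detect_rw_rx_thread(events):
    """Alert on threads started inside a region that the same process
    allocated as RW and later changed to RX."""
    regions = {}  # pid -> list of regions allocated RW by that process
    alerts = []
    for ev in events:
        tracked = regions.setdefault(ev["pid"], [])
        if ev["api"] == "VirtualAlloc" and ev["protect"] == "PAGE_READWRITE":
            tracked.append({"base": ev["base"], "size": ev["size"], "rx": False})
        elif ev["api"] == "VirtualProtect" and ev["protect"] == "PAGE_EXECUTE_READ":
            for r in tracked:
                if _covers(r, ev["base"]):
                    r["rx"] = True
        elif ev["api"] == "CreateThread":
            for r in tracked:
                if r["rx"] and _covers(r, ev["start"]):
                    alerts.append({"pid": ev["pid"], "region": r["base"],
                                   "start": ev["start"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_rw_rx_thread(EVENTS):
        print("pid %(pid)d: thread start %(start)#x in RW->RX region %(region)#x" % alert)
```

Requiring the thread start address to fall inside the flipped region matters because JIT compilers in managed runtimes also move memory from writable to executable, so the protection change alone is a noisy signal.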
This example code was made entirely possible by @djhohnstein.
He is a MOUNTAIN of knowledge and I learned a LOT!