• Stars
    star
    416
  • Rank 104,068 (Top 3 %)
  • Language
    C#
  • License
    BSD 3-Clause "New...
  • Created over 3 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

C# Reflective loader for unmanaged binaries.

RunPE

C# reflective loader for unmanaged binaries.

Usage

Usage: RunPE.exe <file-to-run> <args-to-file-to-run>
        e.g. RunPE.exe C:\Windows\System32\net.exe localgroup administrators

Alternative usage: RunPE.exe ---f <file-to-pretend-to-be> ---b <base64 blob of file bytes> ---a <base64 blob of args>
        e.g: RunPE.exe ---f C:\Windows\System32\svchost.exe ---b <net.exe, base64 encoded> ---a <localgroup administrators, base64 encoded>

Build configuration options

Edit the compilation symbols to quickly adjust the program flow: (Right click the project in Visual Studio -> Properties -> Build -> Conditional Compilation Symbols)

  • DEBUG (automatically added in Debug release mode) -> Very verbose logging
  • BREAK_TO_ATTACH -> Print "Press Enter to continue..." and await input so can attach debugger

PE Compilation Limitations

Executables launched by RunPE must be statically linked in order for StdOut and StdErr redirection to work correctly. To change this setting in Visual Studio:

  • Open the project's properties
  • Navigate to Configuration Properties -> C/C++ -> Code Generation
  • Change the value of Runtime Library to either Multi-threaded (/MT) or Multi-threaded Debug (/MTd)
  • Recompile the project

Argument Limitiations

Executables that do not use the Window's API CommandLineToArgvW in order to parse arguments will not be passed appropriately through RunPE. When running PE's that the operator has control over compilation, it is suggested to add support for parsing arguments using this API.

For example, the following code will work when the program is run independently, but will fail when passed to RunPE since "foo" has been shifted to argv[2]:

if (argv[1] == "foo") {
    bar();
}

Example for refactoring argv to CommandLineArgvW:

#include <stdio.h>
#include <Windows.h>

int main(int argc, char* argv[]) {
	int nArgs;
	LPWSTR *szArglist;
	
	szArglist = CommandLineToArgvW(GetCommandLineW(), &nArgs);

	for (int i = 0; i < nArgs; i++) {
		printf("argv[%d]: %ws\n", i, szArglist[i]);
	}

	return 0;
}

More Repositories

1

PoshC2

A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.
PowerShell
1,767
star
2

xss_payloads

Exploitation for XSS
PHP
697
star
3

PoshC2_Old

Powershell C2 Server and Implants
PowerShell
574
star
4

SharpSocks

Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
C#
472
star
5

SharpWSUS

C#
429
star
6

SimplePELoader

In-Memory PE Loader
C++
366
star
7

Prowl

Python
275
star
8

ETWHash

C# POC to extract NetNTLMv1/v2 hashes from ETW provider
C#
248
star
9

MalSCCM

C#
241
star
10

scrounger

Mobile application testing toolkit
Python
237
star
11

ShellcodeMutator

Python
232
star
12

Aladdin

C#
212
star
13

Tartarus-TpAllocInject

C++
172
star
14

RunOF

C#
138
star
15

Invoke-PowerThIEf

The PowerThIEf, an Internet Explorer Post Exploitation library
PowerShell
130
star
16

DLLInjection

DLL Injection Library & Tools
C++
70
star
17

SharpConflux

C#
63
star
18

zeropress

A dumb script for finding dumb coding errors in WordPress plugins
Python
55
star
19

CVE-2024-20356

This is a proof of concept for CVE-2024-20356, a Command Injection vulnerability in Cisco's CIMC.
Python
47
star
20

CVE-2024-25153

Proof-of-concept exploit for CVE-2024-25153.
Python
43
star
21

defensive-scripts

Defence Against the Dark Arts
34
star
22

InlineFunctionHooking

Windows Inline function hooking library targeted at MSVC
C
28
star
23

pwnlyoffice

Exploit ONLYOFFICE Implementations
JavaScript
24
star
24

PoshC2_IOCs

A list of IOCs applicable to PoshC2
YARA
23
star
25

SyscallsExtractor

C#
23
star
26

logparser

SQL scripts for querying event logs
21
star
27

yasha

Python
18
star
28

metasploit-modules

Modules created by Nettitude for Metasploit
Ruby
12
star
29

hyperv-driver-thread-detection-poc

hyperv-driver-thread-detection-poc
C#
11
star
30

PoshC2_Shellcode

Supporting projects for PoshC2
C
11
star
31

CVE-2022-23253-PoC

CVE-2022-23253 PoC
Python
5
star
32

PoshC2_Linux_Implant

C
4
star
33

PBind

PBind payloads for PoshC2
C#
2
star
34

secure-development-training

PHP
2
star
35

PoshC2_Core

C#
1
star
36

FComm

FComm payloads for PoshC2
C#
1
star