Binaries not working

[rcaroncd]

Hello,

I am testing the tool but I have detected several failures:

1. There are two projects in the solution: GadgetToJScript and
   TestAssembly . When I compile the solution, both projects are compiled, GadgetToJScript compiles correctly but TestAssembly gives me the following error: "The program does not contain any static 'Main' method suitable for an entry point". If I modify the Main by setting the method to "public static void Main(string[] args)" then it compiles correctly.
2. When I proceed to generate an executable in vbs or vba format (for example), using the command: ".GadgetToJScript.exe -w vbs -a C:\IEUser\Documents\dummy.exe -o C:\IEUser\Documents\evil", the vbs is generated correctly, but when I run it it doesn't work as expected. Next I provide the code of the dummy.exe (this is a dummy program that simply writes a file to a path that can be written by any user to verify that it is running):

using System;
using System.IO;

namespace Dummy
{
    public class Program
    {
        public static void Main(string[] args)
        {
            File.WriteAllText(@"C:\Windows\Tasks\dummy.log","Executed from Dummy");
        }
    }
}

Thinking that it could be a problem with my dummy.exe file, I also tried the TestAssembly (compiled with the changes I mentioned above) but it didn't work either, i.e. Msgbox wasn't shown. I have done the same procedure with vbs and vba (to see different formats), but neither of them has worked. I have also thought that it could be because of architecture issue, but I have compiled the GadgetToJScript in 64 bits version and in 32 bits version and it still doesn't work.

I am using Visual Studio 2019, and Windows 10 Professional, with the Windows Defender disabled.

I hope you can help me solve it, the tool seems very powerful and I look forward to using it.

Best regards

[med0x2e]

Hello,

1. The Main method is required for the TestAssembly because the build "output" was set to "Exe", i've changed that to "Library" instead, you can do the same or download the updated version (fixed few mins ago.)

2. Your class is missing the default public constructor which is required for triggering your c# code execution from WSH (JS/VBS), VBA ..etc, you don't need the "Main" method when you set the build "output" to "Library" (previous step), update it to;

using System;
using System.IO;

namespace Dummy
{
    public class Program
    {
        public Program()
        {
            File.WriteAllText(@"C:\Windows\Tasks\dummy.log","Executed from Dummy");
        }
    }
}

3. Lastly, the command used for generating your VBS is missing the "-b/-bypass" switch which is required for G2JS version built with .NET framework 4.x, you need to specify the "-b/--bypass" switch or use the G2JS version built with .NET Framework 3.5 instead which requires the -r (RegFree) if your WSH scripts are meant to run on .NET4.8+ Envs (check the README for more details about differences and requirements when using .NET3.5 or .NET4.x for building G2JS).

Let me know if you still have the same issues.

[rcaroncd]

Hello,

When switching from EXE to DLL, the TestAssembly is correctly compiled and loaded well with GadgetToJScript in VBS, VBA and JS formats. When I generate a payload in HTA format, it doesn't work: I don't get the Msgbox execution (and the way to generate it is the same as the previous formats, only that it changes to hta) this is the command I use to generate the HTA:

GadgetToJScript.exe -w hta -b -a C:\IEUser\Documents\TestAssembly.dll -o C:\IEUser\Documents\evil

On the other hand, I have modified my dummy executable, in the way you have proposed and it works correctly in VBS, VBA and JS (in HTA it is the same as with TestAssembly). Then, I'm seeing that generating the NET Assemblies as a DLL works all right, I still have to try with EXEs.

Let's see if we can solve the HTA one and then they would all be verified.

Greetings and thanks

[med0x2e]

The HTA works just fine for me, if you can share the generated HTA here, i can have a look at it.

Can you also please provide more information about the .NET version and arch (x86,x64) used to build both TestAssembly and G2JS.

[rcaroncd]

Hello,

I'm using .NET Framework 4.6.1 (64 bits) in both projects. I share the HTA obtained.

evil.hta.zip

[med0x2e]

Hello,

Didn't get a chance to get back to you sooner (busy times).

This is a common behavior for generated JS scripts as well, I'm assuming that your Win Machine/VM is by default using the 32-bit HTA handler which corresponds to "C:\Windows\SysWOW64\mshta.exe" for running the HTA, you can confirm that by querying HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafile\Shell\Open\Command registry key.

You can either set the previous registry key to the 64-bit HTA handler "C:\Windows\System32\mshta.exe" or run the HTA using the following command:
cmd.exe /c C:\Windows\System32\mshta.exe C:\Users\[PATH_TO_HTA]\evil.hta

Just for ref; same thing applies to other WSH scripts, just check which default handler is in use (32-bit or 64-bit version of cscript.exe)

[rcaroncd]

Hello,

Right, you were right about the 32-bit mshta, it was being used by default, when I switched to 64-bit it worked. Everything works perfectly, thank you very much and congratulations for the tool!

[med0x2e]

Great,

Will close this issue for now, feel free to re-open it if you got any more questions.