MSBuild is the build platform for Microsoft and Visual Studio. It can also be used to build applications in environments where Visual Studio is not installed, so it is trusted by some antivirus software.
MSBuild can compile XML project files in specific formats, so to run our shellcode via MSBuild we need an XML file like this:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
The shellcode contained in this XML file will run calc.exe.
But sometimes when we try to execute our shellcode via MSBuild directly, it is detected and blocked like this (blocked by Windows Defender).
So how can we use MSBuild's functionality to run our shellcode without invoking MSBuild itself, and thereby bypass the antivirus software?
We need the following files to accomplish our attack.
You can get these files from the link above. Now let's prepare the files we need.
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe /reference:"Microsoft.Build.Framework.dll";"Microsoft.Build.Tasks.v4.0.dll";"Microsoft.Build.Utilities.v4.0.dll" /target:library IEShim.cs
Then you will get a library file called IEShim.dll, which is used to create the Internet Explorer process in a suspended state and to inject the shellcode into the address space of that process. The shellcode is expected to be Base64 encoded.
It uses VirtualAllocEx to allocate memory within the virtual address space of iexplore.exe and WriteProcessMemory to write the shellcode into the allocated space. You can also use your own way to inject your shellcode.
Here is an example.
Replace the shellcode in msbuildapicaller.csproj with your Base64-encoded x64 shellcode and set the AssemblyFile variable to the location of IEShim.dll, like this:
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe /reference:"Microsoft.Build.Framework.dll";"Microsoft.Build.dll";"Microsoft.Build.Engine.dll";"Microsoft.Build.Utilities.v4.0.dll";"System.Runtime.dll" /target:exe msbuildapicaller.cs
Here we go.
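As an added defender-side illustration, not part of the original post, the following Python scans constructed Sysmon-style process-creation and process-access records for the two observable side effects of the technique described above: Internet Explorer being started by a parent other than explorer.exe, and another process obtaining the PROCESS_VM_OPERATION and PROCESS_VM_WRITE rights that VirtualAllocEx and WriteProcessMemory require on the target handle. The key=value record format, the allowlist of expected parents and the sample lines are assumptions made for the example.

```python
import re
from typing import Dict, List

# Win32 access-mask bits that VirtualAllocEx / WriteProcessMemory need on the target handle.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020

# Parents that legitimately launch Internet Explorer (assumed allowlist, tune per environment).
EXPECTED_IE_PARENTS = {"explorer.exe", "iexplore.exe"}

# Constructed sample telemetry, not captured logs: simplified key=value records
# modelled on Sysmon process-create (id 1) and process-access (id 10) fields.
SAMPLE_EVENTS = [
    "id=1 image=C:\\Program Files\\Internet Explorer\\iexplore.exe parent=C:\\Windows\\explorer.exe",
    "id=1 image=C:\\Program Files\\Internet Explorer\\iexplore.exe parent=C:\\Users\\u\\msbuildapicaller.exe",
    "id=10 source=C:\\Users\\u\\msbuildapicaller.exe target=C:\\Program Files\\Internet Explorer\\iexplore.exe access=0x0028",
    "id=10 source=C:\\Windows\\System32\\csrss.exe target=C:\\Program Files\\Internet Explorer\\iexplore.exe access=0x1000",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value key=value' record; values may contain spaces but not '='."""
    return {k: v.strip() for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def suspicious(event: Dict[str, str]) -> str:
    """Return a reason string if the event matches the injection pattern, else ''."""
    if event.get("id") == "1" and basename(event.get("image", "")) == "iexplore.exe":
        parent = basename(event.get("parent", ""))
        if parent not in EXPECTED_IE_PARENTS:
            return f"iexplore.exe launched by unexpected parent {parent}"
    if event.get("id") == "10" and basename(event.get("target", "")) == "iexplore.exe":
        needed = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
        granted = int(event.get("access", "0"), 16)
        # Only flag when both rights needed to allocate and write remote memory are present.
        if granted & needed == needed:
            return f"memory-write access to iexplore.exe from {basename(event.get('source', ''))}"
    return ""

def scan(lines: List[str]) -> List[str]:
    """Run every record through the heuristics and return the list of hits."""
    return [r for r in (suspicious(parse_event(line)) for line in lines) if r]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The parent-process rule is a heuristic and will need its allowlist adjusted for environments where other launchers (for example a service desk tool) legitimately start Internet Explorer.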