Today we're going to take a look at adding some improvements to our .NET executable from last week. First, we are going to make it stageless by embedding the payload PowerShell executes into the exe file. Then, we'll add a custom application manifest to control what process integrity level our program runs at. If you haven't seen part 1 yet, you can find that here, or if you just need the code from part 1, that's here.

Stageless Payload

Instead of telling PowerShell to download and execute our payload, we are instead going to write it to a file and then have PowerShell read and execute it from there.

"WAIT WHAT? We're dropping things to disk?!"

Yes, but... we'll encrypt* it, and lots of apps write things to disk, so it's not going to be suspicious on its own.

*It's not real encryption, but it'll be good enough for us.
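To show why the XOR-and-base64 scheme used in this section isn't real encryption, here is an added example (not from the original post) written from the analyst's side: given only the base64 blob, it tries all 256 single-byte keys and scores each candidate plaintext for how text-like it looks, recovering the key and the payload in a fraction of a second. It assumes a single-byte XOR key; the sample payload, key and blob are constructed for the demo.

```python
import base64
import string

# Bytes an analyst expects to dominate a decoded script: letters, digits, spaces.
TEXT_LIKE = set((string.ascii_letters + string.digits + " ").encode())
# Multi-character tokens that are typical of a PowerShell payload (assumed list).
HINTS = (b"Write", b"Invoke", b"IEX", b"New-Object", b"-Object", b"http")


def xor_b64_encode(data: bytes, key: int) -> str:
    """XOR every byte with a single-byte key, then base64-encode (the scheme under discussion)."""
    return base64.b64encode(bytes(b ^ key for b in data)).decode()


def score(candidate: bytes) -> float:
    """Higher is more plausible: share of text-like bytes plus a bonus per hint token found."""
    if not candidate:
        return 0.0
    text_ratio = sum(b in TEXT_LIKE for b in candidate) / len(candidate)
    hint_bonus = 0.25 * sum(1 for h in HINTS if h in candidate)
    return text_ratio + hint_bonus


def recover_xor_key(blob_b64: str) -> tuple[int, bytes]:
    """Brute-force the 256 possible single-byte keys and return (key, plaintext) with the best score."""
    data = base64.b64decode(blob_b64)
    best_key, best_text, best_score = 0, b"", -1.0
    for key in range(256):
        candidate = bytes(b ^ key for b in data)
        s = score(candidate)
        if s > best_score:
            best_key, best_text, best_score = key, candidate, s
    return best_key, best_text


# Constructed sample: a harmless PowerShell one-liner "protected" with key 0x5A.
SAMPLE_PLAINTEXT = b'Write-Output "hello from the lab"'
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_b64_encode(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, text = recover_xor_key(SAMPLE_BLOB)
    print(f"recovered key=0x{key:02X} plaintext={text!r}")
```

The scoring is a heuristic, so on a very short or unusual payload it can pick a neighbouring key; the point is that the key space is 256 and any plausibility test breaks it immediately.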

We're going to XOR each byte of our payload and then base64 encode it. XOR-ing is going to be our "encryption", which will be easy to reverse in PowerShell, and base64 encoding is just so we have normal characters to paste into our program. I made a PowerShell script that does this for us: