Skip to content
/ VisualSploit Public

Inject shellcode into .csproj files via MSBuild inline tasks. Fileless execution on project load.

License

MIT license
7 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Meltedd/VisualSploit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
Core
Core
 
 
Crypto
Crypto
 
 
Templates
Templates
 
 
.gitignore
.gitignore
 
 
Injector.cs
Injector.cs
 
 
LICENSE
LICENSE
 
 
Program.cs
Program.cs
 
 
README.md
README.md
 
 
VisualSploit.csproj
VisualSploit.csproj
 
 

Repository files navigation

VisualSploit

MSBuild inline task injection for fileless code execution via .csproj/.vbproj poisoning.

Technique

Injects inline tasks into MSBuild project files using RoslynCodeTaskFactory. When loaded in Visual Studio, InitialTargets="BeforeBuild" executes before any user interaction.

The tool modifies the project XML:

<Project InitialTargets="BeforeBuild" ...>
  <UsingTask TaskName="InlineCode" TaskFactory="RoslynCodeTaskFactory" ...>
    <Task>
      <Code Type="Fragment" Language="cs"><![CDATA[
        // Payload code compiled and executed at runtime
      ]]></Code>
    </Task>
  </UsingTask>
  <Target Name="BeforeBuild">
    <InlineCode/>
  </Target>
</Project>

Roslyn compiles the C# at runtime. MSBuild.exe is a signed Microsoft binary that can bypass application whitelisting (AppLocker, WDAC).

Usage

visualsploit <project> <shellcode> [options]
Option Description
-o, --output <path> Output path (default: in-place with .bak)
--no-backup Skip backup
-m, --methods <list> Obfuscation: xor, junk
-e, --encrypt Encrypted payload loader
-r, --rounds <n> XOR rounds 1-5 (default: 3)
-s, --seed <n> RNG seed for reproducibility

Examples

# Basic injection
visualsploit target.csproj payload.bin

# With XOR obfuscation and junk code
visualsploit target.csproj payload.bin -m xor,junk

# Encrypted loader
visualsploit target.csproj payload.bin -e

# Full obfuscation with fixed seed
visualsploit target.csproj payload.bin -m xor,junk -e -s 12345

Shellcode formats: raw binary, hex (0xfc,0x48,...), or plain hex (fc4883e4f0)

Obfuscation

xor - Multi-round XOR encryption with 32-byte keys.

junk - Injects dead code (environment reads, math ops, string transforms).

naming - Randomized, pronounceable identifier generation to evade signature-based detection (Applied automatically).

dynamic imports - Runtime API resolution using stack-strings and GetDelegateForFunctionPointer hide imports from static analysis (Encrypted mode only).

Encrypted Loader

Adds runtime decryption and compilation:

  1. Inner payload code is AES-256-CBC encrypted at build time
  2. Encrypted payload embedded as base64 in project file
  3. At runtime, derives decryption key via PBKDF2 (100k iterations, SHA1)
  4. Decrypts and compiles via CSharpCodeProvider
  5. Invokes via reflection

Sets COMPlus_EnableDiagnostics=0 and COMPlus_ETWEnabled=0 to disable .NET ETW telemetry.

Build

dotnet build -c Release
dotnet publish -c Release -r win-x64 --self-contained

Requires .NET 9.0 SDK.

Structure

├── Core/        # Config, shellcode parsing, obfuscation helpers, utilities
├── Templates/   # Code generation (loader, stager, msbuild)
├── Crypto/      # Encryption (AES, XOR)
├── Injector.cs
└── Program.cs

License

MIT

About

Inject shellcode into .csproj files via MSBuild inline tasks. Fileless execution on project load.

Topics

csharp msbuild injection shellcode red-team lolbas

Resources

Readme

License

MIT license
Activity

Stars

7 stars

Watchers

1 watching

Forks

1 fork
Report repository

Packages

No packages published

Languages