close
Skip to main content
BERJAYA

r/VisualStudio

Feed About
Best
Open sort options
Change post view
Don’t miss your chance to get iPhone 16e on us with this Cricket Deal Drop.
media poster
cricketwireless.com
Shop Now
VisualSploit, weaponizing MSBuild project files
u/0xmaxhax
VisualSploit, weaponizing MSBuild project files
Miscellaneous

TL;DR

Opening an untrusted Visual Studio project can run arbitrary code on your machine, even if you never hit build. Don't blindly open random VS projects you downloaded off the internet or cloned from github, same as you wouldn't run a random executable file. In order to vet one before opening it in VS, check the .csproj/.vbproj and any Directory.Build.props/targets for an InitialTargets attribute on Project or a UsingTask with RoslynCodeTaskFactory (see what a malicious project looks like here: https://github.com/Meltedd/VisualSploit#how-it-works).

---

VisualSploit is a small cli tool I built demonstrating how an attacker can trivially backdoor VS project files with custom shellcode. The project came out of my research and interest in supply chain attacks (especially with their growing relevance), but the technique itself isn't novel. RoslynCodeTaskFactory plus InitialTargets has been written about since subTee, but I think there needs to be more awareness on the nature of visual studio projects along with the various vectors by which supply chain attacks can initiate.

Given any .csproj, .vbproj, Directory.Build.props, or Directory.Build.targets along with a shellcode blob, it injects an inline task that runs the shellcode every time the project is built, restored, or even just opened in Visual Studio. Visual Studio runs design-time builds for IntelliSense the moment you open a folder, and Microsoft treats those as full execution. Files coming through git clone don't carry Mark of the Web, so the "trust this project" prompt that fires for normal downloads never shows up. And Directory.Build.props is imported automatically by every project beneath it, so a single injected file at the repo root reaches the whole subtree the moment the folder opens.

Bottom line, know what you're running, and know how to validate it's not doing anything malicious. Anyways, thanks for reading, and hopefully some people find this as interesting (and alarming) as I do :)

Github: https://github.com/Meltedd/VisualSploit

What autocomplete extension are you using instead of GitHub Copilot?
u/WickedGangBelow
What autocomplete extension are you using instead of GitHub Copilot?
Visual Studio 2022

Edit: I'm sorry this seemed like an AI prompt I was trying to be succinct but I meant no ill will

Note: This is not for Visual Studio Code this is Visual Studio

I'm interested in hearing directly from developers what has worked best for them as an alternative for the GitHub Copilot autocompletion feature. I'd rather know what has been best in practice than get a suggestion from an AI agent. We are a development team looking into AI autocompletion options for Visual Studio 2022. Up until now we've been using GitHub Copilot but are considering a pivot.

I would like to just know what's available for consideration so that we consider all options. This would be used for work-related development purposes.

Thanks!