gremlinbeet

//
// onexit.h
//
// Defines ON_EXIT macro to create finalizer objects.
// These objects execute specified code when they go out of scope.
// 
// Useful when you can't be bothered writing RAII wrappers for every little thing in 3rd-party code,
// but still want to reduce cognitive load by not tracking stuff you might need to cleanup.
//
// Usage example:

smx-smx

XZ Backdoor symbol deobfuscation. Updated as i make progress

rbmm

void RemapSelfInternal(PVOID ImageBase, PVOID TempBase, ULONG SizeOfImage, HANDLE hSection)
{
	if (UnmapViewOfFile(ImageBase))
	{
		PVOID BaseAddress = ImageBase;
		SIZE_T ViewSize = SizeOfImage;

    // for x64 only, because we not pass address of ZwMapViewOfSection
		if (0 <= ZwMapViewOfSection(hSection, NtCurrentProcess(), &BaseAddress, 
			0, 0, 0, &ViewSize, ViewUnmap, 0, PAGE_EXECUTE_READWRITE) && ImageBase == BaseAddress)

rbmm

BOOL UnhookNT()
{
	BOOL fOk = FALSE;

	if (HMODULE hmod = GetModuleHandleW(L"ntdll"))
	{
		if (PIMAGE_NT_HEADERS pinth = RtlImageNtHeader(hmod))
		{

			PVOID BaseAddress = (PBYTE)hmod + pinth->OptionalHeader.BaseOfCode;

rbmm

#include "stdafx.h"

_NT_BEGIN

NTSTATUS CreatePlaceHolder(PCWSTR lpFileName, ULONG SizeOfImage)
{
	struct SEF : IMAGE_DOS_HEADER, IMAGE_NT_HEADERS, IMAGE_SECTION_HEADER
	{
	} y {};

monoxgas

using NtApiDotNet;
using NtApiDotNet.Ndr.Marshal;
using NtApiDotNet.Win32;
using NtApiDotNet.Win32.Rpc.Transport;
using NtApiDotNet.Win32.Security.Authentication;
using NtApiDotNet.Win32.Security.Authentication.Kerberos;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server;
using NtApiDotNet.Win32.Security.Authentication.Logon;
using System;

antonioCoco

// TcbElevation - Authors: @splinter_code and @decoder_it

#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <stdio.h>

#pragma comment(lib, "Secur32.lib")

void EnableTcbPrivilege(BOOL enforceCheck);

gladiatx0r

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

• Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
• Relaying that machine authentication to LDAPS for configuring RBCD
• RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

GavinRay97

# Requirements:
#   clang - The classes/structs you want to dump must be used in code at least once, not just defined.
#   MSVC  - The classes/structs you want to dump must have "MEOW" in the name for "reportSingleClass" to work.
# Usage:
#   $ make dump_vtables file=test.cpp
dump_vtables:
  clang -cc1 -fdump-record-layouts -emit-llvm  $(file) > clang-vtable-layout-$(file).txt
  clang -cc1 -fdump-vtable-layouts -emit-llvm  $(file) > clang-record-layout-$(file).txt
  g++ -fdump-lang-class=$(file).txt $(file)
  cl.exe $(file) /d1reportSingleClassLayoutMEOW > msvc-single-class-vtable-layout-$(file).txt

monoxgas

#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>

BOOL PatchTheRet(HMODULE realModule) {

	// Get primary module info