Skip to content

Instantly share code, notes, and snippets.

View RCStep's full-sized avatar

Ryan Stephenson RCStep

100 followers · 19 following
View GitHub Profile
@0xa-saline
0xa-saline / process-hollowing.cs
Created March 12, 2021 16:03 — forked from med0x2e/process-hollowing.cs
Process Hollowing (slightly updated to work with G2JS) - credits for the initial code go to @smgorelik and @ambray
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
namespace Hollowing
{
public class Loader
{
public static byte[] target_ = Encoding.ASCII.GetBytes("calc.exe");
@0xa-saline
0xa-saline / invokeInMemLinux.go
Created February 28, 2021 10:45 — forked from capnspacehook/invokeInMemLinux.go
Executes a binary or file in memory on a Linux system. Uses the memfd_create(2) syscall. Credits and idea from: https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html
package main
import (
"io/ioutil"
"os"
"os/exec"
"strconv"
"syscall"
@CCob
CCob / rc4.cna
Created January 28, 2021 20:09
Aggressor Script for RC4 encryption
#RC4 encryption implementation using Java Crypto API
#Author: @_EthicalChaos_
import javax.crypto.spec.*;
import java.security.*;
import javax.crypto.*;
# $1 = plaintext, $2 = key
sub encryptRC4{
@ajpc500
ajpc500 / binToUUIDs.py
Created January 24, 2021 18:00
Convert shellcode file to UUIDs
from uuid import UUID
import os
import sys
# Usage: python3 binToUUIDs.py shellcode.bin [--print]
print("""
____ _ _______ _ _ _ _ _____ _____
| _ \(_) |__ __| | | | | | | |_ _| __ \
| |_) |_ _ __ | | ___ | | | | | | | | | | | | |___
@theevilbit
theevilbit / divide_and_conquer.c
Created January 17, 2021 15:11
Divide and Conquer NextGen AV bypass
/*
This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
*/
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include "Commctrl.h"
#include <string>
@MHaggis
MHaggis / Beacon.csv
Created December 23, 2020 14:12
Extraction of Spawnto's in public CobaltStrike servers, related to https://twitter.com/M_haggis/status/1341746928665542659?s=20, https://twitter.com/MichalKoczwara/status/1341659356866240517
spawnto count
WUAUCLT.exe 1
WerFault.exe 3
batchexe 2
cmstp.exe 1
compact.exe 1
dllhost.exe 3
eventvwr.exe 1
gpresult.exe 2
gpupdate.exe 16
@mubix
mubix / Get-CSharp.ps1
Created November 30, 2020 05:13
Powershell Get-CSharp
function Get-CSharpProcess {
$proclist = Get-Process
foreach($proc in $proclist) {
foreach($mod in $proc.Modules)
{
if($mod.ModuleName -imatch "mscoree")
{
Write-Output(".NET Found in:`t" + $proc.Name)
}
}
@rvrsh3ll
rvrsh3ll / DInjectQueuerAPC.cs
Created November 20, 2020 15:10 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@0xa-saline
0xa-saline / DInjectQueuerAPC.cs
Created November 14, 2020 07:45 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@jfmaes
jfmaes / DInjectQueuerAPC.cs
Created November 13, 2020 19:00
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program