
@sum-catnip
sum-catnip / inject.rs
Created February 18, 2020 16:41
rust simple dll injection
use std::io;
use std::ptr;
use std::mem;
use std::io::Error;
use std::io::ErrorKind;
use std::path::Path;
use std::ffi::CString;
use winapi::um::winnt::HANDLE;
use winapi::um::memoryapi as wmem;
@djhohnstein
djhohnstein / _notes.md
Created March 12, 2020 02:34
AppDomainManager Injection

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed; they do this by matching Original Filename to Process Name.

In this example, we don't have to rename anything. We simply coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

@matterpreter
matterpreter / IRP Structure
Last active August 9, 2022 18:38
(Semi)Full IRP Structure in Win10 1903
0: kd> dt -b nt!_IRP
+0x000 Type : Int2B
+0x002 Size : Uint2B
+0x004 AllocationProcessorNumber : Uint2B
+0x006 Reserved : Uint2B
+0x008 MdlAddress : Ptr64
+0x010 Flags : Uint4B
+0x018 AssociatedIrp : <anonymous-tag>
   +0x000 MasterIrp : Ptr64
   +0x000 IrpCount : Int4B
@farzinenddo
farzinenddo / Powerless.cpp
Created March 23, 2020 18:44
Running Powershell with CLR in native runtime.
#include <metahost.h>
#pragma comment(lib, "mscoree.lib")
int main(int argc, wchar_t* argv[])
{
HRESULT hr;
ICLRMetaHost *pMetaHost = NULL;
ICLRRuntimeInfo *pRuntimeInfo = NULL;
ICLRRuntimeHost *pClrRuntimeHost = NULL;
sub IsSafe {
#http://sleep.dashnine.org/manual/index.html
local('$pos');
@badchars = @(";", "&", '$', "'");
foreach $index => $value (@badchars)
{
$pos = indexOf($1, $value);
if (-isnumber $pos)
{
println("Invalid char detected");
@byt3bl33d3r
byt3bl33d3r / msol_spray.py
Last active September 10, 2024 20:01
Fully async python port of @dafthack's MSOLSpray (https://github.com/dafthack/MSOLSpray)
#! /usr/bin/env python3
#
# Requires Python 3.7+ & aiohttp (speedups recommended)
# pip3 install aiohttp[speedups]
#
import sys
import asyncio
import aiohttp
@JohnLaTwC
JohnLaTwC / template_injection.yara
Created May 8, 2020 17:16
Word OXML Template Injection
rule gen_injected_template_Word
{
meta:
description = "Detects injected templates in DOCX"
author = "John Lambert @JohnLaTwC"
date = "2020-05-03"
hash1 = "a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063"
hash2 = "a275dfa95393148bb9e0ddf5346f9fedcc9c87fa2ec3ce1ec875843664c37c89"
hash3 = "ed4835e5fd10bbd2be04c5ea9eb2b8e750aff2ef235de6e0f18d369469f69c83"
file_protocol_hash1 = "ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08 (settings.xml.rels)"
@jthuraisamy
jthuraisamy / loaded_psp_drivers.cpp
Last active October 15, 2023 03:01
Loaded Security Product Drivers
#include <Windows.h>
#include <ImageHlp.h>
#include <strsafe.h>
#include "loaded_psp_drivers.h"
#include <set>
#include <string>
#include <algorithm>
#pragma comment(lib, "crypt32.lib")
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Text;
namespace MuteSysmon
{
class Program
@wdormann
wdormann / privileged.py
Last active April 30, 2021 13:07
List privileged services that don't come with Windows 10 - deprecated
# DON'T USE THIS VERSION!
# Try https://gist.github.com/wdormann/89ed779933fe205fb52ecf3eacf5ff40 instead
import os
import subprocess
# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
svcinfo = {}
FNULL = open(os.devnull, 'w')