Skip to content

Instantly share code, notes, and snippets.

View Und3rf10w's full-sized avatar

Und3rf10w

668 followers · 66 following
View GitHub Profile
@jthuraisamy
jthuraisamy / loaded_psp_drivers.cpp
Last active October 15, 2023 03:01
Loaded Security Product Drivers
#include <Windows.h>
#include <ImageHlp.h>
#include <strsafe.h>
#include "loaded_psp_drivers.h"
#include <set>
#include <string>
#include <algorithm>
#pragma comment(lib, "crypt32.lib")
@JohnLaTwC
JohnLaTwC / template_injection.yara
Created May 8, 2020 17:16
Word OXML Template Injection
rule gen_injected_template_Word
{
meta:
description = "Detects injected templates in DOCX"
author = "John Lambert @JohnLaTwC"
date = "2020-05-03"
hash1 = "a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063"
hash2 = "a275dfa95393148bb9e0ddf5346f9fedcc9c87fa2ec3ce1ec875843664c37c89"
hash3 = "ed4835e5fd10bbd2be04c5ea9eb2b8e750aff2ef235de6e0f18d369469f69c83"
file_protocol_hash1 = "ac6c1df3895af63b864bb33bf30cb31059e247443ddb8f23517849362ec94f08 (settings.xml.rels)"
@byt3bl33d3r
byt3bl33d3r / msol_spray.py
Last active September 10, 2024 20:01
Fully async python port of @dafthacks MSOLSpray (https://github.com/dafthack/MSOLSpray)
#! /usr/bin/env python3
#
# Requires Python 3.7+ & aiohttp (speedups recommended)
# pip3 install aiohttp[speedups]
#
import sys
import asyncio
import aiohttp
@0xffhh
0xffhh / gist:c65f44be31ea49d5feaf22b00a96912b
Last active March 25, 2020 15:31
sub IsSafe {
#http://sleep.dashnine.org/manual/index.html
local('$pos');
@badchars = @(";", "&", '$', "'");
foreach $index => $value (@badchars)
{
$pos = indexOf($1, $value);
if (-isnumber $pos)
{
println("Invalid char detected");
@farzinenddo
farzinenddo / Powerless.cpp
Created March 23, 2020 18:44
Running Powershell with CLR in native runtime.
#include <metahost.h>
#pragma comment(lib, "mscoree.lib")
int main(int argc, wchar_t* argv[])
{
HRESULT hr;
ICLRMetaHost *pMetaHost = NULL;
ICLRRuntimeInfo *pRuntimeInfo = NULL;
ICLRRuntimeHost *pClrRuntimeHost = NULL;
@matterpreter
matterpreter / IRP Structure
Last active August 9, 2022 18:38
(Semi)Full IRP Structure in Win10 1903
0: kd> dt -b nt!_IRP
+0x000 Type : Int2B
+0x002 Size : Uint2B
+0x004 AllocationProcessorNumber : Uint2B
+0x006 Reserved : Uint2B
+0x008 MdlAddress : Ptr64
+0x010 Flags : Uint4B
+0x018 AssociatedIrp : <anonymous-tag>
+0x000 MasterIrp : Ptr64
+0x000 IrpCount : Int4B
@djhohnstein
djhohnstein / _notes.md
Created March 12, 2020 02:34
AppDomainManager Injection

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

@sum-catnip
sum-catnip / inject.rs
Created February 18, 2020 16:41
rust simple dll injection
use std::io;
use std::ptr;
use std::mem;
use std::io::Error;
use std::io::ErrorKind;
use std::path::Path;
use std::ffi::CString;
use winapi::um::winnt::HANDLE;
use winapi::um::memoryapi as wmem;
@TheWover
TheWover / Find-Assemblies.ps1
Last active June 6, 2022 17:53
Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.
Param([parameter(Mandatory=$true,
HelpMessage="Directory to search for .NET Assemblies in.")]
$Directory,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to search recursively.")]
[switch]$Recurse = $false,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to include DLLs in the search.")]
[switch]$DLLs = $false,
[parameter(Mandatory=$false,
@rasta-mouse
rasta-mouse / PPID Spoof & BlockDLLs
Last active April 1, 2025 22:39
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
class Program
{
static void Main(string[] args)
{