GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
Coldfusion coldfusion39
coldfusion39
/ Entry.c
Created
May 5, 2023 01:07
— forked from realoriginal/Entry.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| D_SEC( A ) NTSTATUS NTAPI Entry( _In_ PVOID Parameter ) | |
| { | |
| PARSED_BUF Psr; | |
| UINT32 Wrt = 0; | |
| PARG Arg = NULL; | |
| LPWSTR Nps = NULL; | |
| HANDLE Pip = NULL; |
coldfusion39
/ sleep.c
Created
June 29, 2022 20:53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*! | |
| * | |
| * ROGUE | |
| * | |
| * GuidePoint Security LLC | |
| * | |
| * Threat and Attack Simulation | |
| * | |
| !*/ |
coldfusion39
/ mscorlib_load_assembly.vba
Created
January 4, 2021 14:20
— forked from monoxgas/mscorlib_load_assembly.vba
VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb | |
| Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long | |
| Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr) | |
| Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr | |
| #If Win64 Then | |
| Const LS As LongPtr = 8& | |
| #Else | |
| Const LS As LongPtr = 4& |
coldfusion39
/ aepinjection.cpp
Created
July 6, 2020 19:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <winternl.h> | |
| #include <stdio.h> | |
| #pragma comment(lib, "ntdll") | |
| int main() { | |
| STARTUPINFOA si; | |
| si = {}; | |
| PROCESS_INFORMATION pi = {}; |
coldfusion39
/ WoW64_call.cpp
Created
June 18, 2020 11:34
— forked from Cr4sh/WoW64_call.cpp
WoW64 Heaven's Gate
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| #define DB(_val_) __asm __emit (_val_) | |
| #define INVALID_SYSCALL (DWORD)(-1) | |
| // code selectors | |
| #define CS_32 0x23 | |
| #define CS_64 0x33 |
coldfusion39
/ _Instructions_Reproduce.md
Created
April 29, 2020 20:46
GhostLoader - AppDomainManager - Injection - 攻壳机动队
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Windows\\System32\\Tasks'; | |
| //new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_ASM') = "mydll, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" | |
| //new ActiveXObject('WScript.Shell').Environment('Process')('APPDOMAIN_MANAGER_TYPE') = "MyAppDomainManager"; | |
| new ActiveXObject('WScript.Shell').Environment('Process')('COMPLUS_Version') = 'v4.0.30319'; | |
| var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?><assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"> <dependency><dependentAssembly> <assemblyIdentity name="tasks" version="0.0.0.0"/> </dependentAssembly> </dependency> <assemblyIdentity name="tasks" type="win32" version="0.0.0.0" /><description>Built with love by Casey Smith @subTee </description><clrClass name="MyDLL.Operations" clsid="{31D2B969-7608-426E-9D8E-A09FC9A5ACDC}" progid="MyDLL.Operations" ru |
coldfusion39
/ main.cpp
Created
February 20, 2020 15:23
— forked from monoxgas/main.cpp
Adapative DLL Hijacking - Stability Hooking
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <intrin.h> | |
| #include <string> | |
| #include <TlHelp32.h> | |
| #include <psapi.h> | |
| DWORD WINAPI Thread(LPVOID lpParam) { | |
| // Insert evil stuff | |
| ExitProcess(0); |
coldfusion39
/ main.cpp
Created
February 20, 2020 15:22
— forked from monoxgas/main.cpp
Adaptive DLL Hijacking - Patching LoadLibrary Return
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <intrin.h> | |
| #include <string> | |
| #include <TlHelp32.h> | |
| #include <psapi.h> | |
| BOOL PatchTheRet(HMODULE realModule) { | |
| // Get primary module info |
coldfusion39
/ _README.md
Created
February 18, 2020 02:07
— forked from jthuraisamy/_README.md
GospelRoom: Data Storage in UEFI NVRAM Variables
NewerOlder