decay88
decay88
/ PPID Spoof & BlockDLLs
Created
October 19, 2020 09:37
— forked from rasta-mouse/PPID Spoof & BlockDLLs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace BlockDllTest | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { |
decay88
/ NetLoader.cs
Created
August 7, 2020 01:55
— forked from Arno0x/NetLoader.cs
Partial rewrite of @Flangvik NetLoader. Supports proxy with authentication, XOR encrypted binaries, multiple arguments passing to binary.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| Completely based on @Flangvik netloader | |
| This partial rewrite of @Flangvik Netloader includes the following changes: | |
| - Allow loading of an XOR encrypted binary to bypass antiviruses | |
| To encrypt the initial binary you can use my Python transformFile.py script. | |
| Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor | |
decay88
/ GetFunctionPointer.cs
Created
March 9, 2020 14:46
— forked from harujoh/GetFunctionPointer.cs
関数ポインタと呼ばれし者たちの墓
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Reflection; | |
| using System.Reflection.Emit; | |
| using System.Runtime.CompilerServices; | |
| using System.Runtime.InteropServices; | |
| namespace ConsoleApp60 | |
| { | |
| class Program |
decay88
/ ImageFileExecutionOptions.ps1
Created
January 14, 2020 16:29
— forked from netbiosX/ImageFileExecutionOptions.ps1
Image File Execution Options Injection - Persistence Technique
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| ImageFileExecutionOptions v1.0 | |
| License: GPLv3 | |
| Author: @netbiosX | |
| #> | |
| # Image File Execution Options Injection Persistence Technique | |
| # https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/ | |
| function Persist-Debugger |
decay88
/ XTEA.cs
Created
September 26, 2019 14:41
— forked from InfectedBytes/XTEA.cs
XTEA encryption for C#
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Helper class for XTEA en/decryption of arbitrary data. | |
| * | |
| * Copyright (c) 2017, Henrik Heine | |
| */ | |
| using System; | |
| using System.IO; | |
| using System.Text; |
decay88
/ RunPE_x86_prototype.cs
Created
September 2, 2019 15:50
x86 RunPE prototype (not working atm)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.ComponentModel; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace ConsoleApp61 | |
| { | |
| // something is wrong with this runpe | |
| // probably has to do with the context | |
| // not sure |
decay88
/ slmgr-com-hijack.reg
Created
July 13, 2019 08:04
— forked from mgeeky/slmgr-com-hijack.reg
Example presenting how to Hijack COM object named "Scripting.Dictionary" used by slmgr.vbs (CreateObject("Scripting.Dictionary")) in order to obtain persistence or evade Command Line logging and AppLocker
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary] | |
| @="" | |
| [HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary] | |
| @="{00000001-0000-0000-0000-0000FEEDACDC}" | |
| [HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] | |
| @="Scripting.Dictionary" |
decay88
/ GetDelegateForFunctionPointer.cs
Created
May 31, 2019 20:10
— forked from breezhang/GetDelegateForFunctionPointer.cs
Marshal --> ( Marshal.GetFunctionPointerForDelegate GetDelegateForFunctionPointer)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static partial class Util | |
| { | |
| const string kDelegateInvokeMethodName = "Invoke"; | |
| // http://www.codeproject.com/Tips/441743/A-look-at-marshalling-delegates-in-NET | |
| public static T GetDelegateForFunctionPointer<T>(IntPtr ptr, System.Runtime.InteropServices.CallingConvention call_conv) | |
| where T : class | |
| { | |
| Contract.Requires<ArgumentException>(typeof(T).IsSubclassOf(typeof(Delegate))); | |
| Contract.Requires<ArgumentNullException>(ptr != IntPtr.Zero); | |
| Contract.Requires<ArgumentException>(call_conv != System.Runtime.InteropServices.CallingConvention.ThisCall, |
decay88
/ DynamicWrapperCS.cs
Created
May 12, 2019 06:42
— forked from TheWover/DynamicWrapperCS.cs
Dynamic Wrapper 1.1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Reflection; | |
| using System.Reflection.Emit; | |
| using System.Runtime; | |
| using System.Text; | |
| using System.Runtime.InteropServices; | |
| using System.EnterpriseServices; | |
| using ComTypes = System.Runtime.InteropServices.ComTypes; | |
NewerOlder