paranoidrookie
🎯
xenoscr
/ Start-Hollow.ps1
Created
June 13, 2018 12:02
Process Hollowing with PowerShell - by FuzzySec
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Start-Hollow { | |
| <# | |
| .SYNOPSIS | |
| This is a proof-of-concept for process hollowing. There is nothing new here except | |
| maybe the use of NtCreateProcessEx which has some advantages in that it offers a | |
| convenient way to set a parent process and avoids the bothersome Get/SetThreadContext. | |
| On the flipside CreateRemoteThreadEx/NtCreateThreadEx are pretty suspicious API's. | |
| I wrote this POC mostly to educate myself on the mechanics of hollowing. It is possible | |
| to load the Hollow from an internal byte array straight into memory but I have not |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |
mattifestation
/ LoadMethodScanner.ps1
Last active
April 8, 2025 14:47
A crude Load(byte[]) method scanner for UMCI bypass research
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Author: Matthew Graeber (@mattifestation) | |
| # Load dnlib with Add-Type first | |
| # dnlib can be obtained here: https://github.com/0xd4d/dnlib | |
| # Example: ls C:\ -Recurse | Get-AssemblyLoadReference | |
| filter Get-AssemblyLoadReference { | |
| param ( | |
| [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)] | |
| [Alias('FullName')] | |
| [String] | |
| [ValidateNotNullOrEmpty()] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo strUrl = WScript.Arguments.Item(0) > wget.vbs | |
| echo StrFile = WScript.Arguments.Item(1) >> wget.vbs | |
| echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs | |
| echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs | |
| echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs | |
| echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs | |
| echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs | |
| echo Err.Clear >> wget.vbs | |
| echo Set http = Nothing >> wget.vbs | |
| echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs |
NewerOlder