GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
Sunny Chakraborty sunnyc7
sunnyc7
/ env_var_spoofing_poc.cpp
Created
February 25, 2023 02:19
— forked from xpn/env_var_spoofing_poc.cpp
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on | |
| // setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET. | |
| // | |
| // Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables, | |
| // and then resuming the process. | |
| // | |
| // (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
| #define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
| #define INJECT_PARAM_LEN 43 |
sunnyc7
/ checkaslrfiles.py
Created
December 29, 2021 21:32
— forked from wdormann/checkaslrfiles.py
Python script to check for PE files linked with /DYNAMICBASE, but are not actually ASLR compatible due to missing relocation table
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| '''checkaslrfiles.py: Check for files that opt into ASLR with /DYNAMICBASE, | |
| but do not have a relocation table to allow ASLR to function. | |
| usage: checkaslrfiles.py <dir> | |
| ex: checkaslr.py "C:\Program Files\" | |
| requires: pefile <https://github.com/erocarrera/pefile>, which should be | |
| installable via: pip install pefile | |
| ''' |
sunnyc7
/ latency.txt
Created
November 3, 2021 21:08
— forked from jboner/latency.txt
Latency Numbers Every Programmer Should Know
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Latency Comparison Numbers (~2012) | |
| ---------------------------------- | |
| L1 cache reference 0.5 ns | |
| Branch mispredict 5 ns | |
| L2 cache reference 7 ns 14x L1 cache | |
| Mutex lock/unlock 25 ns | |
| Main memory reference 100 ns 20x L2 cache, 200x L1 cache | |
| Compress 1K bytes with Zippy 3,000 ns 3 us | |
| Send 1K bytes over 1 Gbps network 10,000 ns 10 us | |
| Read 4K randomly from SSD* 150,000 ns 150 us ~1GB/sec SSD |
sunnyc7
/ DefaultWindows_Audit.xml
Created
July 29, 2021 00:41
— forked from mgraeber-rc/DefaultWindows_Audit.xml
Modified default window-only audit WDAC with WHQL rules removed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8"?> | |
| <SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.1.0</VersionEx> | |
| <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID> | |
| <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:Unsigned System Integrity Policy</Option> | |
| </Rule> |
sunnyc7
/ CIPolicyParser.ps1
Created
July 21, 2021 10:29
— forked from mattifestation/CIPolicyParser.ps1
Functions to recover information from binary Windows Defender Application Control (WDAC) Code Integrity policies.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Ensure System.Security assembly is loaded. | |
| Add-Type -AssemblyName System.Security | |
| function ConvertTo-CIPolicy { | |
| <# | |
| .SYNOPSIS | |
| Converts a binary file that contains a Code Integrity policy into XML format. | |
| Author: Matthew Graeber (@mattifestation) |
sunnyc7
/ TLGMetadataParser.psm1
Created
September 29, 2020 15:27
— forked from mattifestation/TLGMetadataParser.psm1
Retrieves TraceLogging metadata from a file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -version 5 | |
| <# | |
| The things you find on Google searching for specific GUIDs... | |
| Known Keyword friendly names: | |
| "UTC:::CATEGORYDEFINITION.MS.CRITICALDATA":"140737488355328" | |
| "UTC:::CATEGORYDEFINITION.MS.MEASURES":"70368744177664" | |
| "UTC:::CATEGORYDEFINITION.MS.TELEMETRY":"35184372088832" | |
| "UTC:::CATEGORYDEFINITION.MSWLAN.CRITICALDATA":"2147483648" |
sunnyc7
/ windows_hardening.cmd
Created
May 8, 2020 14:26
— forked from ricardojba/windows_hardening.cmd
A Windows hardening script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ::############################################################################################################### | |
| :: Credits and More info: https://gist.github.com/mackwage/08604751462126599d7e52f233490efe | |
| :: https://github.com/LOLBAS-Project/LOLBAS | |
| :: https://lolbas-project.github.io/ | |
| :: https://github.com/Disassembler0/Win10-Initial-Setup-Script | |
| :: https://github.com/cryps1s/DARKSURGEON/tree/master/configuration/configuration-scripts | |
| :: https://gist.github.com/alirobe/7f3b34ad89a159e6daa1#file-reclaimwindows10-ps1-L71 | |
| :: https://github.com/teusink/Home-Security-by-W10-Hardening | |
| :: | |
| ::############################################################################################################### |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Parser for chess games from Chess.com | |
| # Cleans everything between {} | |
| #ORIG:1.d4 {0:59} e6 {0:59} 2.Nc3 {0:59} Nf6 {0:59} 3.Bf4 {0:58} d5 {0:59} 4.f3 {0:58} a6 {0:58} 5.Qd2 {0:58} Bb4 {0:58} 6.O-O-O {0:57} c5 {0:57} 7.a3 {0:56} Ba5 {0:56} 8.dxc5 {0:55} Bc7 {0:51} 9.Bxc7 {0:54} Qxc7 {0:51} 10.g4 {0:54} Qxc5 {0:50} 11.h4 {0:53} Qf2 {0:44} 12.g5 {0:51} Nh5 {0:41} 13.Ne4 {0:51} dxe4 {0:37} 14.Qd8# {0:50} | |
| #CLEANED: 1.d4 e6 2.Nc3 Nf6 3.Bf4 d5 4.f3 a6 5.Qd2 Bb4 6.O-O-O c5 7.a3 Ba5 8.dxc5 Bc7 9.Bxc7 Qxc7 10.g4 Qxc5 11.h4 Qf2 12.g5 Nh5 13.Ne4 dxe4 14.Qd8# | |
| $game = '1.d4 {0:59} e6 {0:59} 2.Nc3 {0:59} Nf6 {0:59} 3.Bf4 {0:58} d5 {0:59} 4.f3 {0:58} a6 {0:58} 5.Qd2 {0:58} Bb4 {0:58} 6.O-O-O {0:57} c5 {0:57} 7.a3 {0:56} Ba5 {0:56} 8.dxc5 {0:55} Bc7 {0:51} 9.Bxc7 {0:54} Qxc7 {0:51} 10.g4 {0:54} Qxc5 {0:50} 11.h4 {0:53} Qf2 {0:44} 12.g5 {0:51} Nh5 {0:41} 13.Ne4 {0:51} dxe4 {0:37} 14.Qd8# {0:50}' | |
| $regex = '\{(.*?)\}' | |
| $cleanedgame = $txt -replace $regex, '' | |
| $cleanedgame |
sunnyc7
/ Get-InjectedThread.ps1
Created
May 6, 2020 03:52
— forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Get-InjectedThread | |
| { | |
| <# | |
| .SYNOPSIS | |
| Looks for threads that were created as a result of code injection. | |
| .DESCRIPTION | |
sunnyc7
/ _Instructions_Reproduce.md
Created
April 29, 2020 11:17
GhostLoader - AppDomainManager - Injection - 攻壳机动队