2010phenix

## load_xml.cpp
/**
  BSD 3-Clause License

  Copyright (c) 2019, TheWover, Odzhan. All rights reserved.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions are met:

  * Redistributions of source code must retain the above copyright notice, this
    list of conditions and the following disclaimer.

## runscript.c
/**
  BSD 3-Clause License

  Copyright (c) 2019, Odzhan. All rights reserved.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions are met:

  * Redistributions of source code must retain the above copyright notice, this
    list of conditions and the following disclaimer.

## tasks.cs
using System;
using System.IO;
using System.Text;
using System.IO.Compression;
using System.EnterpriseServices;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

/*

## Invoke-Psexec.ps1
function Invoke-PsExec {
    <#
    .SYNOPSIS
    This function is a rough port of Metasploit's psexec functionality.
    It utilizes Windows API calls to open up the service manager on
    a remote machine, creates/run a service with an associated binary
    path or command, and then cleans everything up.

    Either a -Command or a custom -ServiceEXE can be specified.
    For -Commands, a -ResultsFile can also be specified to retrieve the

## service.cs
/*
	Creates a basic Windows Service using .Net framework.

	Compile:
		c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe service.cs

	Create the service with name "Service":
		sc create Service type=own binpath= c:\Path\To\service.exe

	Start the service:

## malicious.cs
/*
Author: Arno0x0x, Twitter: @Arno0x0x

DO NOT COMPILE THIS SOURCE FILE !

Encode this source in base64:
base64 -w0 malicious.cs > malicious.b64

Then paste it in the code in "not_detected.cs" source file

## regasm.cs
/*
============== Compile ============
Create Your Strong Name Key -> key.snk

$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte

C:\Windows\Microsoft.NET\Framewor

## spawn-interactive-process.c
// spawn-interactive-process.cpp : Defines the entry point for the console application.
// Do not forget to link against wtsapi32.lib
// How to test this: use psexec from SysInternals, such as ```psexec -s c:\windows\system32\cmd.exe```
// to run CMD under NT AUTHORITY\SYSTEM account (you can confirm this by running whoami) and then
// run spawn-interactive-process (feel free to disable waiting for debugger). The result is a notepad process
// running under interactive user credentials and on the interactive desktop launched from a service running under
// system account.

#include <stdio.h>
#include <tchar.h>

## SystemCMD.cpp
#include "stdafx.h"
#include <windows.h>
#include <Winbase.h>
#include <Wtsapi32.h>
#include <Userenv.h>
#include <malloc.h>

#pragma comment(lib, "Wtsapi32.lib")
#pragma comment(lib, "Userenv.lib")

## getsystem_parent.cpp
#include "stdafx.h"

BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
	TOKEN_PRIVILEGES tp;
	LUID luid;
	TOKEN_PRIVILEGES tpPrevious;
	DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);

	if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;
	/**
	BSD 3-Clause License

	Copyright (c) 2019, TheWover, Odzhan. All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	* Redistributions of source code must retain the above copyright notice, this
	list of conditions and the following disclaimer.
	/**
	BSD 3-Clause License

	Copyright (c) 2019, Odzhan. All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	* Redistributions of source code must retain the above copyright notice, this
	list of conditions and the following disclaimer.
	using System;
	using System.IO;
	using System.Text;
	using System.IO.Compression;
	using System.EnterpriseServices;
	using System.Collections.Generic;
	using System.Runtime.InteropServices;
	using System.Security.Cryptography;

	/*
	function Invoke-PsExec {
	<#
	.SYNOPSIS
	This function is a rough port of Metasploit's psexec functionality.
	It utilizes Windows API calls to open up the service manager on
	a remote machine, creates/run a service with an associated binary
	path or command, and then cleans everything up.

	Either a -Command or a custom -ServiceEXE can be specified.
	For -Commands, a -ResultsFile can also be specified to retrieve the
	/*
	Creates a basic Windows Service using .Net framework.

	Compile:
	c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe service.cs

	Create the service with name "Service":
	sc create Service type=own binpath= c:\Path\To\service.exe

	Start the service:
	/*
	Author: Arno0x0x, Twitter: @Arno0x0x

	DO NOT COMPILE THIS SOURCE FILE !

	Encode this source in base64:
	base64 -w0 malicious.cs > malicious.b64

	Then paste it in the code in "not_detected.cs" source file
	/*
	============== Compile ============
	Create Your Strong Name Key -> key.snk

	$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
	$Content = [System.Convert]::FromBase64String($key)
	Set-Content key.snk -Value $Content -Encoding Byte

	C:\Windows\Microsoft.NET\Framewor
	// spawn-interactive-process.cpp : Defines the entry point for the console application.
	// Do not forget to link against wtsapi32.lib
	// How to test this: use psexec from SysInternals, such as ```psexec -s c:\windows\system32\cmd.exe```
	// to run CMD under NT AUTHORITY\SYSTEM account (you can confirm this by running whoami) and then
	// run spawn-interactive-process (feel free to disable waiting for debugger). The result is a notepad process
	// running under interactive user credentials and on the interactive desktop launched from a service running under
	// system account.

	#include <stdio.h>
	#include <tchar.h>
	#include "stdafx.h"
	#include <windows.h>
	#include <Winbase.h>
	#include <Wtsapi32.h>
	#include <Userenv.h>
	#include <malloc.h>

	#pragma comment(lib, "Wtsapi32.lib")
	#pragma comment(lib, "Userenv.lib")
	#include "stdafx.h"

	BOOL SetPrivilege(HANDLE hToken, LPCTSTR Privilege, BOOL bEnablePrivilege) {
	TOKEN_PRIVILEGES tp;
	LUID luid;
	TOKEN_PRIVILEGES tpPrevious;
	DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);

	if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE;