CaledoniaProject

## abandonedInprocServer32.cs
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Management;

namespace ComAbandonment
{
    public class ComAbandonment
    {

## windows_hardening.cmd
::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"

## hyperdetect.c
//this requires being able to run at kernel mode and assumes you're using MSVC
//this also uses an unnamed structure for cr0_t, which is a nonstandard extension of the C language


//data structure for cr0
typedef union _cr0_t
{
	struct
	{
		uint64_t protection_enable : 1;

## Makefile
obj-m += tcp_svr_sample.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clea

## sedebug_rtlcreatethread.c
/*! @brief https://github.com/rapid7/meterpreter/blob/master/source/common/arch/win/remote_thread.c */
#include <windows.h>
#include <stdio.h>

typedef DWORD(WINAPI *prototype_RtlCreateUserThread)(
	HANDLE      ProcessHandle,
	PSECURITY_DESCRIPTOR  SecurityDescriptor,
	BOOL      CreateSuspended,
	ULONG     StackZeroBits,
	PULONG     StackReserved,

## AutoFunc.py
import idc
import idautils
import idaapi

FUNCTIONS_REGISTERS = {"g_log": "rcx", "g_log_error": "rdx"}


def get_string_for_function(call_func_addr, register):
    """
    :param start_addr: The function call address

## Get-LibraryMS.ps1
function Get-LibraryMS {
<#
    .SYNOPSIS

        Author: Jayden Zheng (@fuseyjz)

        Checks the %USERPROFILE% directory for any file with library-ms extension and extract the CLSID.
        In particular, <url> element with shell command.

        Blog: pending release

## mem-loader.asm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Copyright (C), zznop, zznop0x90@gmail.com
;;;
;;; This software may be modified and distributed under the terms
;;; of the MIT license.  See the LICENSE file for details.
;;;
;;; DESCRIPTION
;;;
;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF

## TorBrowser_7.x_NoScript_bypass.py
#!/usr/bin/python
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer

PORT_NUMBER = 31337

class myHandler(BaseHTTPRequestHandler):

        #Handler for the GET requests
        def do_GET(self):
                self.send_response(200)

## checksvc.py
import os
import subprocess
import ctypes

# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

svcinfo = {}
nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
FNULL = open(os.devnull, 'w')
	using System;
	using System.Collections.Generic;
	using System.IO;
	using System.Linq;
	using System.Management;

	namespace ComAbandonment
	{
	public class ComAbandonment
	{
	::
	::#######################################################################
	::
	:: Change file associations to protect against common ransomware attacks
	:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
	:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
	:: ---------------------
	ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
	ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
	ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
	//this requires being able to run at kernel mode and assumes you're using MSVC
	//this also uses an unnamed structure for cr0_t, which is a nonstandard extension of the C language


	//data structure for cr0
	typedef union _cr0_t
	{
	struct
	{
	uint64_t protection_enable : 1;
	obj-m += tcp_svr_sample.o

	all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

	clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clea
	/! @brief https://github.com/rapid7/meterpreter/blob/master/source/common/arch/win/remote_thread.c /
	#include <windows.h>
	#include <stdio.h>

	typedef DWORD(WINAPI *prototype_RtlCreateUserThread)(
	HANDLE ProcessHandle,
	PSECURITY_DESCRIPTOR SecurityDescriptor,
	BOOL CreateSuspended,
	ULONG StackZeroBits,
	PULONG StackReserved,
	import idc
	import idautils
	import idaapi

	FUNCTIONS_REGISTERS = {"g_log": "rcx", "g_log_error": "rdx"}


	def get_string_for_function(call_func_addr, register):
	"""
	:param start_addr: The function call address
	function Get-LibraryMS {
	<#
	.SYNOPSIS

	Author: Jayden Zheng (@fuseyjz)

	Checks the %USERPROFILE% directory for any file with library-ms extension and extract the CLSID.
	In particular, <url> element with shell command.

	Blog: pending release
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	;;;
	;;; Copyright (C), zznop, zznop0x90@gmail.com
	;;;
	;;; This software may be modified and distributed under the terms
	;;; of the MIT license. See the LICENSE file for details.
	;;;
	;;; DESCRIPTION
	;;;
	;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF
	#!/usr/bin/python
	from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer

	PORT_NUMBER = 31337

	class myHandler(BaseHTTPRequestHandler):

	#Handler for the GET requests
	def do_GET(self):
	self.send_response(200)
	import os
	import subprocess
	import ctypes

	# See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/

	svcinfo = {}
	nonadmin = ['AU', 'AN', 'BG', 'BU', 'DG', 'WD', 'IU', 'LG']
	FNULL = open(os.devnull, 'w')