Skip to content

Instantly share code, notes, and snippets.

View Dump-GUY's full-sized avatar

Dump-GUY

View GitHub Profile
@Dump-GUY
Dump-GUY / HookIEX.ps1
Created April 4, 2024 02:29
PowerShell IEX Hooking via Harmony Library
# Harmony Reference: https://github.com/pardeike/Harmony
using assembly '.\net48\0Harmony.dll'
using namespace HarmonyLib
class HooK
{
static [bool] PreFix_IEX($scriptText)
{
[Console]::WriteLine("Original IEX Command: '$scriptText'")
return $true
@Dump-GUY
Dump-GUY / hint_calls.py
Created March 18, 2024 07:30
Modified version of Willi Ballenthin IDA Plugin hint_calls.py ported to support Python2/3 and IDA>=7.4 (tested IDA 7.7, 8.4)
'''
IDA plugin to display the calls and strings referenced by a function as hints.
Installation: put this file in your %IDADIR%/plugins/ directory.
Author: Willi Ballenthin <william.ballenthin@fireeye.com>
Licence: Apache 2.0
'''
import idc
import idaapi
import idautils
# Get IL code and pre-compiled native code disassembly of R2R Assembly methods
# Using AsmResolver + Iced + PowerShell
# More Info Here: https://docs.washi.dev/asmresolver/guides/peimage/ready-to-run.html
# Loading dependecies
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\AsmResolver\net6.0\AsmResolver.PE.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\AsmResolver\net6.0\AsmResolver.DotNet.dll")) | Out-Null
[System.Reflection.Assembly]::LoadFrom([System.IO.Path]::GetFullPath(".\libs\Iced\netstandard2.1\Iced.dll")) | Out-Null
$filePath = [System.IO.Path]::GetFullPath(".\test_files\CompileDecoy_ReplaceReal_SC_Original.dll") # R2R Assembly Sample
# Recovering strings objects from .NET Heap
# Using clrMD "Microsoft.Diagnostics.Runtime.dll" - https://github.com/microsoft/clrmd
# Use 32-bit PowerShell to investigate 32-bit process and 64-bit PowerShell to investigate 64-bit process
[System.Reflection.Assembly]::LoadFile([System.IO.Path]::GetFullPath("Microsoft.Diagnostics.Runtime.dll")) | Out-Null
$processID = (Get-Process -Name "TestStrings_confused").Id
$dataTarget = [Microsoft.Diagnostics.Runtime.DataTarget]::AttachToProcess($processID, $false)
$clrInfo = $dataTarget.ClrVersions[0]
$clrRuntime = $clrInfo.CreateRuntime()
$objects = $clrRuntime.Heap.EnumerateObjects().Where{$_.Type.IsString}
from pprint import pprint
from dumpulator import Dumpulator
# ------------------Initialization ------------------
languages = {'0x436' : "Afrikaans_South_Africa", '0x041c' : "Albanian_Albania", '0x045e' : "Amharic_Ethiopia", '0x401' : "Arabic_Saudi_Arabia",
'0x1401' : "Arabic_Algeria", '0x3c01' : "Arabic_Bahrain", '0x0c01' : "Arabic_Egypt", '0x801' : "Arabic_Iraq", '0x2c01' : "Arabic_Jordan",
'0x3401' : "Arabic_Kuwait", '0x3001' : "Arabic_Lebanon", '0x1001' : "Arabic_Libya", '0x1801' : "Arabic_Morocco", '0x2001' : "Arabic_Oman",
'0x4001' : "Arabic_Qatar", '0x2801' : "Arabic_Syria", '0x1c01' : "Arabic_Tunisia", '0x3801' : "Arabic_UAE", '0x2401' : "Arabic_Yemen",
'0x042b' : "Armenian_Armenia", '0x044d' : "Assamese", '0x082c' : "Azeri_Cyrillic", '0x042c' : "Azeri_Latin", '0x042d' : "Basque",
'0x423' : "Belarusian", '0x445' : "Bengali_India", '0x845' : "Bengali_Bangladesh", '0x141A' : "Bosnian_BosniaHerzegovina", '0x402' : "Bulgarian",
# Simple show-off using PowerShell and Reflection to extract masslogger config
# Example Sample: https://bazaar.abuse.ch/sample/7187a6d2980e3696396c4fbce939eeeb3733b6afdf2e859a385f8d6b29e8cebc/
# Twitter Info: https://twitter.com/vinopaljiri/status/1593125307468623874
# get the class where config is initialized -> careful, by this we invoked the constructor and all fields are already populated but encrypted
$configClass = [System.Reflection.Assembly]::LoadFile("C:\Users\Inferno\Desktop\test\sample.exe").GetTypes() | ? {$_.Name -like "xmA"}
# class is static so we are not creating instance of it in Invoke
# by invoking this method, config gets decrypted so also its responsible fields (remember reflection Rocks :))
($configClass.GetMethods() | ? {$_.Name -like "Aak"}).Invoke($null, $null) | Out-Null
@Dump-GUY
Dump-GUY / ExtractAsyncRatConfig_PowerShell_Reflection.ps1
Last active November 7, 2022 20:48
Simple show-off using PowerShell and Reflection to extract AsyncRat config
# Simple show-off using PowerShell and Reflection to extract AsyncRat config
# Example Sample: https://bazaar.abuse.ch/sample/2a2d9b1e17cd900edcdf8d26a8ba95ba41ae276d4e0d2400e85602c51e0ab73b/
# Twitter Info: https://twitter.com/vinopaljiri/status/1589721140318339072
# get the class where config is initialized
$settingsClass = [System.Reflection.Assembly]::LoadFile("C:\showoff\AsyncRat.bin").GetTypes() | ?{$_.Name -like "Settings"}
# class is static so we are not creating instance of it in Invoke
# by invoking method that is responsible for populting fields we get them decrypted (remember reflection Rocks :))
($settingsClass.GetMethods() | ? {$_.Name -like "InitializeSettings"}).Invoke($null, $null) | Out-Null
@Dump-GUY
Dump-GUY / Program.cs
Last active June 21, 2024 21:08
Example of DynamicCompiler - dynamically compile C# code -> but it actually spawns csc.exe
using System;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.Linq;
namespace DynamicCompiler
{
internal class Program
{
public static void DynamicRun(string codes, string clazz, string method, string[] args)
@Dump-GUY
Dump-GUY / ImplMap2x64dbg.py
Last active November 7, 2022 20:39
Creates x64dbg script for setting breakpoints on defined ImplMap (PInvoke) methods of .NET executable
import dnfile, sys, os
def Main():
if(len(sys.argv) != 2 or sys.argv[1] == '-h' or sys.argv[1] == '--help'):
print("Description: Creates x64dbg script for setting breakpoints on defined ImplMap (PInvoke) methods of .NET executable")
print(f"Usage: {os.path.basename(sys.argv[0])} <filepath>\n")
sys.exit()
file_path = sys.argv[1]
script_path = file_path + "_x64dbg.txt"
rem USE AT OWN RISK AS IS WITHOUT WARRANTY OF ANY KIND !!!!!
rem https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference
rem To also disable Windows Defender Security Center include this
rem reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
rem 1 - Disable Real-time protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f