@N3mes1s
N3mes1s / Docker connect to remote server.md
Created January 18, 2021 13:06 — forked from kekru/Docker connect to remote server.md
Connect to another host with your docker client, without modifying your local Docker installation

Run commands on remote Docker host

This is how to connect to another host with your docker client, without modifying your local Docker installation or when you don't have a local Docker installation.

Enable Docker Remote API

First be sure to enable the Docker Remote API on the remote host.

This can easily be done with a container. For an HTTP connection use jarkt/docker-remote-api.

<#
Lateral movement and shellcode injection via Excel 4.0 macros
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Based on Invoke-Excel4DCOM by Stan Hegt (@StanHacked) / Outflank - https://github.com/outflanknl/Excel4-DCOM
#>
function Invoke-ExShellcode
{
<#
@N3mes1s
N3mes1s / rpc_dump_rs5.txt
Created May 13, 2019 07:25 — forked from masthoon/rpc_dump_rs5.txt
RPC interfaces RS5
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 368 at 0x5306908L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
64
Interfaces :
Endpoints :
@N3mes1s
N3mes1s / dotnet-runtime-etw.py
Created May 7, 2019 12:38 — forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
import time
import etw
import etw.evntrace
import sys
import argparse
import threading
class RundownDotNetETW(etw.ETW):
def __init__(self, verbose, high_risk_only):
@N3mes1s
N3mes1s / Report3.md
Created April 30, 2018 09:54 — forked from aniketp/Report3.md
Report 3: Creating a stand-alone test program using atf-c(3) for Kyua

Report 3: Kyua test program for mkdir(2)

Explicit System Call Testing

The test application would trigger all syscalls one by one, verifying that the audit record contains all the expected parameters, e.g. the arguments, valid argument types, return values etc. The testing will be done for various success and failure modes, cross-checking for the appropriate error codes in the failure modes.

Repository

AuditTestSuite

The Problem

@N3mes1s
N3mes1s / Detect-SquiblyTwo.ps1
Created April 18, 2018 22:21
Detect SquiblyTwo using the wmic original filename, the /format switch in the command line and DLL loading
### ref: https://twitter.com/dez_/status/986614411711442944
Write-Host "Current Pid: " $Pid
(Get-Process -Id $pid).priorityclass = "RealTime"
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 0.0001 WHERE TargetInstance ISA "Win32_Process"'
$action = {
$e = $Event.SourceEventArgs.NewEvent.TargetInstance
$fmt = 'ProcessStarted: (ID={0,5}, Parent={1,5}, cmdline={2}, ExecutablePath="{3}, Name={4}")'
$msg = $fmt -f $e.ProcessId, $e.ParentProcessId, $e.CommandLine, $e.ExecutablePath, $e.Name
@N3mes1s
N3mes1s / detect-threadSuspendps1
Created April 10, 2018 18:35
Detect Process that open another process's thread with THREAD_SUSPEND_RESUME access right
# mandatory https://github.com/zacbrown/PowerKrabsEtw for PowerKrabsEtw module
import-module .\PowerKrabsEtw
$trace = New-KrabsEtwUserTrace
$provider = New-KrabsEtwUserProvider -ProviderName "Microsoft-Windows-Kernel-Audit-API-Calls"
$filter = New-KrabsEtwCallbackFilter -EventId 6
Set-KrabsEtwCallbackFilter -UserProvider $provider -Filter $filter
Set-KrabsEtwUserProvider -Trace $trace -Provider $provider
Start-KrabsEtwUserTrace -Trace $trace | Where-Object { ($_.EtwProcessId -ne $_.TargetProcessId) -and ($_.DesiredAccess -bAnd 0x0002) }
@N3mes1s
N3mes1s / findstr-LaunchINFSection.ps1
Created March 9, 2018 08:11
Locate LaunchINFSection inside a PE using findstr.exe and Get-Exports
<#
You need to import module Get-Exports in the same powershell session
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-Exports.ps1
#>
#Import-Module .\Get-Exports.ps1
$dir = @("C:\\Windows\\System32\\","C:\\Windows\\SYSWOW64\\")
$export = "LaunchINFSection"
For ($i=0; $i -lt $dir.Length; $i++) {
Get-ChildItem $dir[$i] -Recurse | Where-Object {
$_.extension -eq ".dll"} | % {
@N3mes1s
N3mes1s / DataDrivenTest.wsc
Created November 7, 2017 06:57
Authoring Tests in Scripting Languages
<?xml version="1.0" ?>
<!-- Te.exe DataDrivenTest.wsc -->
<!-- C:\Program Files (x86)\Windows Kits\10\Testing\Runtimes\TAEF > ./TE.exe DataDrivenTest.wsc -->
<!-- Test Authoring and Execution Framework v5.8k for x64 -->
<!-- StartGroup: VBSampleTests::TestOne -->
<!-- Calling TestOne -->
<!-- EndGroup: VBSampleTests::TestOne [Passed] -->
<!-- Summary: Total=1, Passed=1, Failed=0, Blocked=0, Not Run=0, Skipped=0 -->
<?component error="true" debug="true"?>
<package>
@N3mes1s
N3mes1s / msbuildQueueAPC.csproj
Created August 30, 2017 14:50
MSBuild => CSC.exe Shellcode Inject using QueueUserAPC
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- x86 -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<!-- x64 -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask