| import idautils | |
| import idaapi | |
| import idc | |
| def string_decrypt(data_ea, data_len): | |
| data = idc.GetManyBytes(data_ea, data_len) | |
| key = '89798798798g79er$' | |
| out = 'str_' | |
| for i in range(0 , len(data)): |
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| public class TestClass | |
| { | |
| public TestClass() | |
| {} |
| /* | |
| * SharpPick aka InexorablePoSH | |
| * Description: Application to load and run powershell code via the .NET assemblies | |
| * License: 3-Clause BSD License. See Veil PowerTools Project | |
| * | |
| * This application is part of Veil PowerTools, a collection of offensive PowerShell | |
| * capabilities. Hope they help! | |
| * | |
| * This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe | |
| */ |
| #!/usr/local/bin/env python | |
| ######################################################################################################## | |
| ## | |
| ## Decrypts the AdWind configiration files! | |
| ## ** May also work for other files ** | |
| ## | |
| ## | |
| ## All credit to Michael Helwig for the original Java implementation: | |
| ## https://github.com/mhelwig/adwind-decryptor |
| After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-) | |
| These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs. | |
| Basic gist after running PS script statements: | |
| - Loads C# project from file or web URL | |
| - Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"] | |
| - Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"] | |
| - Launch program (payload) |
| $path = "REGISTRY::HKEY_CLASSES_ROOT\CLSID\" | |
| Get-ChildItem -Path $path -Recurse | foreach { | |
| $CurrentKey = Get-ItemProperty -Path $_.PsPath | |
| if ($CurrentKey.PSChildName -match "Elevation") { | |
| $details = Get-ItemProperty -Path $CurrentKey.PSParentPath | |
| Out-File -FilePath ".\elevation.txt" -InputObject $details -Append | |
| } | |
| } |
| #include "stdafx.h" | |
| int main() | |
| { | |
| ICLRMetaHost *metaHost = NULL; | |
| IEnumUnknown *runtime = NULL; | |
| ICLRRuntimeInfo *runtimeInfo = NULL; | |
| ICLRRuntimeHost *runtimeHost = NULL; | |
| IUnknown *enumRuntime = NULL; | |
| LPWSTR frameworkName = NULL; |
| RDP Eavesdropping and Hijacking | |
| ******************************* | |
| I spent some time this evening looking at ways to eavesdrop and hijack RDP sessions. Here is a gist of (semi) interesting findings | |
| that is not very new... | |
| =========== | |
| Inspiration | |
| =========== | |
| As you may already know... |
| [version] | |
| Signature=$chicago$ | |
| AdvancedINF=2.5 | |
| [DefaultInstall_SingleUser] | |
| RegisterOCXs=RegisterOCXSection | |
| [RegisterOCXSection] | |
| C:\Users\test.PENTESTLAB\pentestlab.dll |
Time Travel refers to the ability to record a tab and later replay it ([WebReplay][wrr]). The technology is useful for local development, where you might want to: