chryzsh

$assemblies=(
	"System"
)

$source=@"
using System;
using Microsoft.Win32;
using System.Diagnostics;

namespace Helloworld

Philts

<#
    Lateral Movement Via MSACCESS TransformXML
    Author: Philip Tsukerman (@PhilipTsukerman)
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None
#>

function Invoke-AccessXSLT {
<#

ghorsington

/*
 * EAT-based hooking for x86/x64.
 * 
 * Big thanks to ez (https://github.com/ezdiy/) for making this!
 * 
 * Creates "hooks" by modifying the module's export address table.
 * The procedure works in three main parts:
 * 
 * 1. Reading the module's PE file and getting all exported functions.
 * 2. Finding the right function to "hook" by simple address lookup

mattifestation

function Subvert-CLRAntiMalware {
<#
.SYNOPSIS

A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694.

.DESCRIPTION

clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the forst DWORD, the context structure will become corrupted and subsequent scanning calls will fail open.

cobbr

function Start-DotNetEventCollection
{
    Param(
        [Parameter(Position = 0)]
        [Alias('PSPath')]
        [String] $TracePath = './dotNetTrace.etl',

        [Parameter(Position = 1)]
        [String] $TraceName = 'dotNetTrace'
    )

s3rb31

#include <windows.h>
#include <cstdio>

// credits: s3rb31

#define STATUS_SUCCESS 0x00000000

template<typename T>
T GetNTDLLProc(LPCSTR ProcName)
{

zznop

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Copyright (C), zznop, brandonkmiller@protonmail.com
;;;
;;; This software may be modified and distributed under the terms
;;; of the MIT license.  See the LICENSE file for details.
;;;
;;; DESCRIPTION
;;;
;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF

mattifestation

logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets

# Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass

# logman stop dotNetTrace -ets

# This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe
# I got the process ID by running a procmon trace
$TargetProcessId = 8256

bohops

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj -->
  <Target Name="Hello">
   <ClassExample />
  </Target>
    <UsingTask
    TaskName="ClassExample"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >

xpn

#include "stdafx.h"

int main()
{
	ICLRMetaHost *metaHost = NULL;
	IEnumUnknown *runtime = NULL;
	ICLRRuntimeInfo *runtimeInfo = NULL;
	ICLRRuntimeHost *runtimeHost = NULL;
	IUnknown *enumRuntime = NULL;
	LPWSTR frameworkName = NULL;