mkdir C:/temp/
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://www.python.org/ftp/python/3.7.0/python-3.7.0.exe" -OutFile "c:/temp/python-3.7.0.exe"
c:/temp/python-3.7.0.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0
aaaddress1
/ x64FunctionPointer1.vba
Created
November 18, 2021 15:21
— forked from rmdavy/x64FunctionPointer1.vba
x64FunctionPointerExample2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As LongPtr, ByVal offsetinVft As LongPtr, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As LongPtr, ByRef retVAR As Variant) As Long | |
| Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr | |
| Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
| Const CC_STDCALL = 4 | |
| Private VType(0 To 63) As Integer, VPtr(0 To 63) As LongPtr | |
| Sub SayHello() | |
aaaddress1
/ memBruteforce.cpp
Last active
February 20, 2024 11:16
Windows 32-bit Shellcode Design without TEB & fs:30h
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // memBruteforce.cpp by aaaddress1@chroot.org | |
| // brute search loaded moudules in memory | |
| // rewrite from https://www.exploit-db.com/exploits/45293 | |
| #include <Windows.h> | |
| #include <iostream> | |
| #pragma warning(disable:4996) | |
| bool isMemExist(size_t addr) { | |
| int retv; | |
| __asm { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Exception-Based AMSI Bypass | |
| // by aaaddress1@chroot.org | |
| #include <amsi.h> | |
| #include <iostream> | |
| #include <Windows.h> | |
| #pragma comment(lib, "amsi.lib") | |
| #pragma comment(lib, "ole32.lib") | |
| #pragma warning( disable : 4996 ) | |
| #define AMSIPROJECTNAME L"scanner" |
aaaddress1
/ clrHosting_v4.0.cpp
Last active
March 22, 2024 14:50
CLR Hosting: running dotNet binary in C/C++ & rewrite from .NET(4+) COM interface
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // CLR Hosting, by aaaddress1@chroot.org | |
| // | |
| // it's a new edition rewrite for .NET(4+) COM interface | |
| // original from github.com/etormadiv/HostingCLR | |
| // & blog.xpnsec.com/hiding-your-dotnet-etw | |
| // | |
| // this PoC supports the following .NET entry: | |
| // >>>> static void Main(string[] args); | |
| // | |
| #include <stdio.h> |
aaaddress1
/ win_iPython_ps1.md
Last active
June 23, 2021 11:03
Guide: Install iPython on Windows 10 via PowerShell
aaaddress1
/ dotnet-runtime-etw.py
Created
June 22, 2021 15:08
— forked from countercept/dotnet-runtime-etw.py
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import time | |
| import etw | |
| import etw.evntrace | |
| import sys | |
| import argparse | |
| import threading | |
| class RundownDotNetETW(etw.ETW): | |
| def __init__(self, verbose, high_risk_only): |
aaaddress1
/ etw_ClrTracker.cpp
Last active
June 22, 2021 09:05
use ETW (Event Tracing for Windows) to get notification of loaded CLR modules
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // ETW CLR Tracker, by aaaddress1@chroot.org | |
| // rewrite from post "Hiding your .NET - ETW" | |
| // URL: https://blog.xpnsec.com/hiding-your-dotnet-etw/ | |
| #define AssemblyDCStart_V1 155 | |
| #define AssemblyLoad_V1 154 | |
| #define MethodLoadVerbose_V1 143 | |
| #include <windows.h> | |
| #include <stdio.h> | |
| #include <wbemidl.h> |
aaaddress1
/ stager.cc
Created
June 5, 2021 17:58
simple stager: using ncat to send shellcode payload, recv & execute.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // simple stager, by aaaddress1@chroot.org | |
| // using ncat to send shellcode payload, recv & execute. | |
| #include <WS2tcpip.h> | |
| #include <stdio.h> | |
| #include <shlobj.h> | |
| #include <Windows.h> | |
| #include <shlwapi.h> | |
| #include <winsock2.h> | |
| #pragma warning(disable:4996) | |
| #pragma comment(lib, "ws2_32.lib") |
aaaddress1
/ inputLockToZhTW.cpp
Created
June 2, 2021 13:26
swich IME (Input Method Editor) to Zh-TW chinese on specific window
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // [Experiment] swich IME to Traditional Chinese | |
| // $ g++ -m32 -static inputLockToZhTW.cpp && a | |
| // test on League of Legends (TW) client, but got ignored :( | |
| // by aaaddress1@chroot.org | |
| #include <windows.h> | |
| #include <iostream> | |
| int main(void) { | |
| for (char buf[64]; ; Sleep(150)) { | |
| GetWindowTextA(GetForegroundWindow(), buf, sizeof(buf)); | |
| // once found that LOL client is on the top, and send IME change requests |
aaaddress1
/ m1racles-poc.c
Created
June 1, 2021 14:10
— forked from marcan/m1racles-poc.c
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * m1racle-poc: a basic proof of concept for the M1RACLES vulnerability in the Apple M1. | |
| * | |
| * This program allows you to read and write the state of the s3_5_c15_c10_1 CPU register. | |
| * | |
| * Please visit m1racles.com for more information. | |
| * | |
| * Licensed under the MIT license. | |
| */ |