Skip to content

Instantly share code, notes, and snippets.

bohops / Dynamic_PInvoke_Shellcode.cs
Last active September 25, 2023 17:44
View Dynamic_PInvoke_Shellcode.cs
//original runner by @Arno0x:
using System;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
namespace ShellcodeLoader
class Program
bohops / AccCheckConsole.txt
Last active January 20, 2022 03:20
AccChecker LOLBIN [AccCheckConsole.exe]
View AccCheckConsole.txt
- UI Accessibility Checker
- Verifies UI accessibility requirements
*LOLBIN Functionality/Steps
1) Go to "Custom Verification Routines" link in reference section and copy the sample verification C# code into Visual Studio.
2) Add proper assembly references (e.g. AccCheck.dll)
3) Insert your C# code under a target method such as Execute()
4) Compile to a .NET managed library (DLL)
5) Invoke the code
bohops /
Created September 4, 2021 17:09
Quick & Dirty Ping Monitor + Email Report
# Quick & Dirty Ping Monitor + Email Report
# -----------------------------------------
# Code Credits:
# - Ping Server In Python:
# - Simple Python Server Monitor:
# -----------------------------------------
# Basic Usage: python3
# Cron Usage:
# - Set for every hour to avoid overwhelming SMTP server thresholds
# - crontab -i
bohops / Application_Guard_WDAC_Policy.xml
Created July 21, 2021 03:17
Microsoft Defender Application Guard WDAC policy (for Edge). Converted using @mattifestation's ConvertTo-CIPolicy PowerShell Script []
View Application_Guard_WDAC_Policy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="" xmlns:xsi="" xmlns="urn:schemas-microsoft-com:sipolicy">
bohops / Unload_DotNet_DLLs.cs
Last active September 26, 2022 23:11
View Unload_DotNet_DLLs.cs
//Unload .NET runtime modules (DLLs) with DInvoke [by @theWover]
// License ->
MIT License
Copyright (c) 2020 TheWover
Permission is hereby granted, free of charge, to any person obtaining a copy
bohops / env_var_spoofing_NGenAssemblyUsageLog_poc.cpp
Last active July 21, 2023 13:07
View env_var_spoofing_NGenAssemblyUsageLog_poc.cpp
// I borrowed this great POC from Adam Chester [@_xpn_] to demonstrate spoofing for evading .NET 'Usage Logging'.
// This code will launch the target a suspended PowerShell.exe process, read PEB, update the ptr used to store environment variables, and resume the process
// Adam's original POC and blog for evading ETW with COMPlus_ETWEnabled can be found at these URLs:
// Applicable detection guidance (with a few possible tweaks) can be found here:
bohops / fsharp.fsscript
Created October 22, 2020 01:43 — forked from NickTyrer/fsharp.fsscript
fsi.exe inline execution
View fsharp.fsscript
#r @"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"
open System.Management.Automation
open System.Management.Automation.Runspaces
open System
let runSpace = RunspaceFactory.CreateRunspace()
let pipeline = runSpace.CreatePipeline()
View ETW_Assembly_Load_Monitor.cs
//A Quick POC for monitoring .NET Assembly Load Events with ETW
// References:
// - Microsoft CLR Provider:
// - ETW Assembly Load Events:
// - Source Code Sample:
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;
using System;
View Excel_VBA_Macro_JScript
Sub Workbook_Open()
End Sub
Function RunMe()
Dim ScriptEngine
Set ScriptEngine = CreateObject("MSScriptControl.ScriptControl")
ScriptEngine.Language = "JScript"
ScriptEngine.Eval ("var shell = new ActiveXObject('WScript.Shell');shell.Popup('text');")
End Function
bohops / SimpleExportExampleDll.cpp
Last active September 26, 2022 23:14
Simple Export Dll Example
View SimpleExportExampleDll.cpp
#include "pch.h"
#define EXPORT extern "C" __declspec(dllexport)
EXPORT void HelloWorld()
MessageBox(0, L"Hello World!", 0, 0);
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)