
@bohops
bohops / Application_Guard_WDAC_Policy.xml
Created Jul 21, 2021
Microsoft Defender Application Guard WDAC policy (for Edge). Converted using @mattifestation's ConvertTo-CIPolicy PowerShell Script [https://gist.github.com/mattifestation/92e545bf1ee5b68eeb71d254cec2f78e]
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.3.14</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
@bohops
bohops / Unload_DotNet_DLLs.cs
Last active Mar 16, 2021
Unload_DotNet_DLLs.cs
//Unload .NET runtime modules (DLLs) with DInvoke [by @theWover]
//https://github.com/TheWover/DInvoke
/*
// License -> https://github.com/TheWover/DInvoke/blob/main/LICENSE
MIT License
Copyright (c) 2020 TheWover
Permission is hereby granted, free of charge, to any person obtaining a copy
@bohops
bohops / env_var_spoofing_NGenAssemblyUsageLog_poc.cpp
Last active Mar 19, 2021
env_var_spoofing_NGenAssemblyUsageLog_poc.cpp
// I borrowed this great POC from Adam Chester [@_xpn_] to demonstrate spoofing for evading .NET 'Usage Logging'.
// This code launches the target (PowerShell.exe) as a suspended process, reads the PEB, updates the pointer used to store environment variables, and resumes the process.
// Adam's original POC and blog for evading ETW with COMPlus_ETWEnabled can be found at these URLs:
// https://gist.github.com/xpn/64e5b6f7ad370c343e3ab7e9f9e22503
// https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/
//
// Applicable detection guidance (with a few possible tweaks) can be found here:
// https://gist.github.com/Cyb3rWard0g/a4a115fd3ab518a0e593525a379adee3
//
@bohops
bohops / fsharp.fsscript
Created Oct 22, 2020 — forked from NickTyrer/fsharp.fsscript
fsi.exe inline execution
#r @"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"
open System.Management.Automation
open System.Management.Automation.Runspaces
open System
let runSpace = RunspaceFactory.CreateRunspace()
runSpace.Open()
let pipeline = runSpace.CreatePipeline()
View ETW_Assembly_Load_Monitor.cs
//A Quick POC for monitoring .NET Assembly Load Events with ETW
// References:
// - Microsoft CLR Provider: https://docs.microsoft.com/en-us/dotnet/framework/performance/clr-etw-providers
// - ETW Assembly Load Events: https://docs.microsoft.com/en-us/dotnet/framework/performance/loader-etw-events
// - Source Code Sample: https://github.com/microsoft/perfview/blob/master/src/TraceEvent/Samples/31_KernelAndClrMonitor.cs
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;
using System;
View Excel_VBA_Macro_JScript
Sub Workbook_Open()
RunMe
End Sub
Function RunMe()
Dim ScriptEngine
Set ScriptEngine = CreateObject("MSScriptControl.ScriptControl")
ScriptEngine.Language = "JScript"
ScriptEngine.Eval ("var shell = new ActiveXObject('WScript.Shell');shell.Popup('text');")
End Function
@bohops
bohops / SimpleExportExampleDll.cpp
Last active Jun 12, 2020
Simple Export Dll Example
#include "pch.h"
#include <windows.h>   // MessageBox, BOOL, APIENTRY, HMODULE, DWORD, LPVOID
#define EXPORT extern "C" __declspec(dllexport)
// Exported with C linkage so the name is not mangled (callable as "HelloWorld")
EXPORT void HelloWorld()
{
    MessageBox(0, L"Hello World!", 0, 0);
}
// Minimal DllMain: no per-reason work, just report successful attach/detach
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    return TRUE;
}
@bohops
bohops / _Instructions_Reproduce.md
Created Apr 30, 2020
GhostLoader - AppDomainManager - Injection - Ghost in the Shell

GhostLoader Steps :)

1. Create C:\Tools
2. Copy a .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
View simple_msbuild.csproj
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="HelloWorld" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs">
        <![CDATA[Console.WriteLine(":-) CSHARP :-)");]]>
      </Code>
    </Task>
  </UsingTask>
  <Target Name="Build">
    <HelloWorld />
  </Target>
</Project>
@bohops
bohops / dsdbutil.exe
Last active Mar 29, 2020
yet another native AD database extraction utility
DSDButil
========
- dsdbutil (dsdbutil.exe) is a utility for performing maintenance on AD/LDS databases [https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc753151(v%3Dws.11)]
- dsdbutil supports VSS snapshot creation
- dsdbutil can be used to extract the AD database (ntds.dit) for offline analysis (with secretsdump.py)
- Example #1: Using Snapshot GUID obtained from cmd output
dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"