Skip to content

Instantly share code, notes, and snippets.

View bohops's full-sized avatar

bohops

357 followers · 10 following
View GitHub Profile
@bohops
bohops / Build_In_Memory_CSharp_Project.txt
Last active September 26, 2022 08:48
After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-)
These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.
Basic gist after running PS script statements:
- Loads C# project from file or web URL
- Create various tmp files
- Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
- Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"]
@bohops
bohops / Unload_DotNet_DLLs.cs
Last active September 26, 2022 23:11
Unload_DotNet_DLLs.cs
//Unload .NET runtime modules (DLLs) with DInvoke [by @theWover]
//https://github.com/TheWover/DInvoke
/*
// License -> https://github.com/TheWover/DInvoke/blob/main/LICENSE
MIT License
Copyright (c) 2020 TheWover
Permission is hereby granted, free of charge, to any person obtaining a copy
@bohops
bohops / ETW_Assembly_Load_Monitor.cs
Last active September 26, 2022 23:12
//A Quick POC for monitoring .NET Assembly Load Events with ETW
// References:
// - Microsoft CLR Provider: https://docs.microsoft.com/en-us/dotnet/framework/performance/clr-etw-providers
// - ETW Assembly Load Events: https://docs.microsoft.com/en-us/dotnet/framework/performance/loader-etw-events
// - Source Code Sample: https://github.com/microsoft/perfview/blob/master/src/TraceEvent/Samples/31_KernelAndClrMonitor.cs
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;
using System;
@bohops
bohops / Excel_VBA_Macro_JScript
Created September 2, 2020 20:41
Sub Workbook_Open()
RunMe
End Sub
Function RunMe()
Dim ScriptEngine
Set ScriptEngine = CreateObject("MSScriptControl.ScriptControl")
ScriptEngine.Language = "JScript"
ScriptEngine.Eval ("var shell = new ActiveXObject('WScript.Shell');shell.Popup('text');")
End Function
@bohops
bohops / SimpleExportExampleDll.cpp
Last active September 26, 2022 23:14
Simple Export Dll Example
#include "pch.h"
#define EXPORT extern "C" __declspec(dllexport)
EXPORT void HelloWorld()
{
MessageBox(0, L"Hello World!", 0, 0);
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
@bohops
bohops / _Instructions_Reproduce.md
Created April 30, 2020 01:28
GhostLoader - AppDomainManager - Injection - 攻壳机动队

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
@bohops
bohops / simple_msbuild.csproj
Created August 17, 2019 17:06
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<UsingTask TaskName="HelloWorld" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
<Task>
<Code Type="Fragment" Language="cs">
<![CDATA[Console.WriteLine(":-) CSHARP :-)");]]>
</Code>
</Task>
</UsingTask>
<Target Name="Build">
<HelloWorld />
@bohops
bohops / poc.png
Created May 22, 2019 19:17
MSBuild - Property functions -
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@bohops
bohops / WSH_approved_list.txt
Created March 13, 2019 02:32
WldpIsClassInApprovedList approved classID for WLDP_HOST_ID_WSH hosts (which includes COM scriptlets)
041e868e-0c7d-48c6-965f-5fd576530e5b
0438c02b-eb9c-4e42-81ad-407f6cd6cde1
078b1f7d-c34c-4b13-a7c3-9663901650f1
0abb2961-2cc1-4f1d-be8e-9d330d06b77d
0d7237e6-930f-4682-ad0a-52ebffd3aee3
0d972387-817b-46e7-913f-e9993ff401eb
0e770b12-7221-4a5d-86ee-77310a5506bb
0fa57208-5100-4cd6-955c-fe69f8898973
1080a020-2b47-4da9-8095-dbc9cefffc04
10cf2e12-1681-4c53-adc0-932c84832cd8
@bohops
bohops / Abandoned_COM_PowerShell.txt
Created November 4, 2018 22:18
- Abandoned COM Discovery Script.
- Makes a few assumptions, needs refinement (e.g. doesn't account for all extensions)
function GetMissing($server){$clsids=@{};cd $env:windir'\system32\';$srv=gwmi Win32_COMSetting | ?{$_.$server -ne $null};$srv | ForEach {$clsids.add($_.ComponentId,$_.$server)};$clsids.Keys | foreach {$p=[Environment]::ExpandEnvironmentVariables($clsids[$_]);$p=$p.Replace('"','');if($p.Contains('.exe ')){$p=$p.Substring(0,$p.IndexOf('.exe'))+'.exe'};if($(test-path $p) -eq $False){$_+' | '+$server+' | '+$p}}};GetMissing('LocalServer');GetMissing('LocalServer32');GetMissing('InprocServer');GetMissing('InprocServer32')