This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Get-Token | |
{ | |
foreach($proc in (Get-Process)) | |
{ | |
if($proc.Id -ne 0 -and $proc.Id -ne 4) | |
{ | |
try | |
{ | |
$hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
#include <iostream> | |
#include <atlbase.h> | |
#include <Wuapi.h> | |
#include <wuerror.h> | |
#include <list> | |
#include <fstream> | |
#include <MsXml.h> | |
#include "atlbase.h" | |
#include "atlstr.h" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/*************** | |
* Simple Process Hollowing in C# | |
* | |
* #Build Your Binaries | |
* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe | |
* | |
* @author: Michael Gorelik <smgorelik@gmail.com> | |
* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75 | |
* #Most of the code taken from here: @github: github.com/ambray |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Collections.Generic; | |
using System.Runtime.CompilerServices; | |
namespace OpinionatedCode.Collections | |
{ | |
public sealed class RedBlackTree<TKey, TValue> | |
{ | |
private readonly RedBlackTreeNode<TKey, TValue> _leaf = RedBlackTreeNode<TKey, TValue>.CreateLeaf(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
================================ Compile as a .Net DLL ============================== | |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs | |
*/ | |
using System.Windows.Forms; | |
namespace TestNamespace |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes. | |
*/ | |
#include <stdio.h> | |
#include <tchar.h> | |
#include <windows.h> | |
#include "Commctrl.h" | |
#include <string> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// CLR Hosting, by aaaddress1@chroot.org | |
// | |
// it's a new edition rewrite for .NET(4+) COM interface | |
// original from github.com/etormadiv/HostingCLR | |
// & blog.xpnsec.com/hiding-your-dotnet-etw | |
// | |
// this PoC supports the following .NET entry: | |
// >>>> static void Main(string[] args); | |
// | |
#include <stdio.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Exception-Based AMSI Bypass | |
// by aaaddress1@chroot.org | |
#include <amsi.h> | |
#include <iostream> | |
#include <Windows.h> | |
#pragma comment(lib, "amsi.lib") | |
#pragma comment(lib, "ole32.lib") | |
#pragma warning( disable : 4996 ) | |
#define AMSIPROJECTNAME L"scanner" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#ifndef PATCHLESS_AMSI_H | |
#define PATCHLESS_AMSI_H | |
#include <windows.h> | |
static const int AMSI_RESULT_CLEAN = 0; | |
PVOID g_amsiScanBufferPtr = nullptr; | |
unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;) | |
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work. | |
using System; | |
using System.Collections.Generic; | |
using System.Runtime.InteropServices; | |
namespace SCCMDecryptPOC | |
{ | |
internal class Program |
OlderNewer