bopin bopin2020

## Get-Token.ps1
function Get-Token
{
    foreach($proc in (Get-Process))
    {
        if($proc.Id -ne 0 -and $proc.Id -ne 4)
        {
            try
            {
                $hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION
            }

## windowsUpdataScan.cpp
#include <Windows.h>
#include <iostream>
#include <atlbase.h>
#include <Wuapi.h>
#include <wuerror.h>
#include <list>
#include <fstream>
#include <MsXml.h>
#include "atlbase.h"
#include "atlstr.h"

## Hollowing.cs

/***************
 * Simple Process Hollowing in C#
 *
 * #Build Your Binaries
 * 		c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe
 *
 *  @author: Michael Gorelik <smgorelik@gmail.com>
 *  gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
 * #Most of the code taken from here: @github: github.com/ambray

## RedBlackTree.cs
using System;
using System.Collections.Generic;
using System.Runtime.CompilerServices;

namespace OpinionatedCode.Collections
{
    public sealed class RedBlackTree<TKey, TValue>
    {
        private readonly RedBlackTreeNode<TKey, TValue> _leaf = RedBlackTreeNode<TKey, TValue>.CreateLeaf();

## TestAssembly.cs
/*

================================ Compile as a .Net DLL ==============================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs

*/

using System.Windows.Forms;

namespace TestNamespace

## divide_and_conquer.c
/*
This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
*/

#include <stdio.h>
#include <tchar.h>

#include <windows.h>
#include "Commctrl.h"
#include <string>

## clrHosting_v4.0.cpp
// CLR Hosting, by aaaddress1@chroot.org
//
// it's a new edition rewrite for .NET(4+) COM interface
// original from github.com/etormadiv/HostingCLR
//             & blog.xpnsec.com/hiding-your-dotnet-etw
//
// this PoC supports the following .NET entry:
// >>>> static void Main(string[] args);
//
#include <stdio.h>

## veh_AmsiBypass.cpp
// Exception-Based AMSI Bypass
// by aaaddress1@chroot.org
#include <amsi.h>
#include <iostream>
#include <Windows.h>
#pragma comment(lib, "amsi.lib")
#pragma comment(lib, "ole32.lib")
#pragma warning( disable : 4996 )

#define AMSIPROJECTNAME L"scanner"

## patchless_amsi.h
#ifndef PATCHLESS_AMSI_H
#define PATCHLESS_AMSI_H

#include <windows.h>

static const int AMSI_RESULT_CLEAN = 0;

PVOID g_amsiScanBufferPtr = nullptr;

unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {

## sccmdecryptpoc.cs
// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.

using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

namespace SCCMDecryptPOC
{
    internal class Program
	function Get-Token
	{
	foreach($proc in (Get-Process))
	{
	if($proc.Id -ne 0 -and $proc.Id -ne 4)
	{
	try
	{
	$hProcess = OpenProcess -ProcessId $proc.Id -DesiredAccess PROCESS_QUERY_LIMITED_INFORMATION
	}
	#include <Windows.h>
	#include <iostream>
	#include <atlbase.h>
	#include <Wuapi.h>
	#include <wuerror.h>
	#include <list>
	#include <fstream>
	#include <MsXml.h>
	#include "atlbase.h"
	#include "atlstr.h"

	/***************
	* Simple Process Hollowing in C#
	*
	* #Build Your Binaries
	* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe
	*
	* @author: Michael Gorelik <smgorelik@gmail.com>
	* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
	* #Most of the code taken from here: @github: github.com/ambray
	using System;
	using System.Collections.Generic;
	using System.Runtime.CompilerServices;

	namespace OpinionatedCode.Collections
	{
	public sealed class RedBlackTree<TKey, TValue>
	{
	private readonly RedBlackTreeNode<TKey, TValue> _leaf = RedBlackTreeNode<TKey, TValue>.CreateLeaf();
	/*

	================================ Compile as a .Net DLL ==============================
	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs

	*/

	using System.Windows.Forms;

	namespace TestNamespace
	/*
	This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
	*/

	#include <stdio.h>
	#include <tchar.h>

	#include <windows.h>
	#include "Commctrl.h"
	#include <string>
	// CLR Hosting, by aaaddress1@chroot.org
	//
	// it's a new edition rewrite for .NET(4+) COM interface
	// original from github.com/etormadiv/HostingCLR
	// & blog.xpnsec.com/hiding-your-dotnet-etw
	//
	// this PoC supports the following .NET entry:
	// >>>> static void Main(string[] args);
	//
	#include <stdio.h>
	// Exception-Based AMSI Bypass
	// by aaaddress1@chroot.org
	#include <amsi.h>
	#include <iostream>
	#include <Windows.h>
	#pragma comment(lib, "amsi.lib")
	#pragma comment(lib, "ole32.lib")
	#pragma warning( disable : 4996 )

	#define AMSIPROJECTNAME L"scanner"
	#ifndef PATCHLESS_AMSI_H
	#define PATCHLESS_AMSI_H

	#include <windows.h>

	static const int AMSI_RESULT_CLEAN = 0;

	PVOID g_amsiScanBufferPtr = nullptr;

	unsigned long long setBits(unsigned long long dw, int lowBit, int bits, unsigned long long newValue) {
	// Twitter thread: https://twitter.com/_xpn_/status/1543682652066258946 (was a bit bored ;)
	// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.

	using System;
	using System.Collections.Generic;
	using System.Runtime.InteropServices;

	namespace SCCMDecryptPOC
	{
	internal class Program