This concept is very much like .jar or .war archives in Java.
NOTE: The built .pyz zipapp can run on both Python 2 & 3, but you can only build .pyz zipapps with Python 3.5 or later.
```go
package main

/*
Example Go program with multiple .NET binaries embedded.
This requires packr (https://github.com/gobuffalo/packr) and the packr utility. Install with:
$ go get -u github.com/gobuffalo/packr/packr
Place all your EXEs in a "binaries" folder
```
```xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.17689.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
  <BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>
```
```powershell
# Ensure System.Security assembly is loaded.
Add-Type -AssemblyName System.Security

function ConvertTo-CIPolicy {
<#
.SYNOPSIS

Converts a binary file that contains a Code Integrity policy into XML format.

Author: Matthew Graeber (@mattifestation)
```
```c
//
// Ref = src
// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
//
// Credits:
// Vyacheslav Rusakov @swwwolf
// Tom Bonner @thomas_bonner
//
#include <Windows.h>
```
```powershell
#region Attack validations
wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe

Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe

$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
$CimSession | Remove-CimSession

winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword
```
```powershell
$Host.Runspace.LanguageMode

Get-AuthenticodeSignature -FilePath C:\Demo\bypass_test.psm1
Get-AuthenticodeSignature -FilePath C:\Demo\notepad_backdoored.exe

# Try to execute the script. Add-Type will fail.
Import-Module C:\Demo\bypass_test.psm1

$VerifyHashFunc = 'HKLM:\SOFTWARE\Microsoft\Cryptography' +
                  '\OID\EncodingType 0\CryptSIPDllVerifyIndirectData'
```
```powershell
function Subvert-CLRAntiMalware {
<#
.SYNOPSIS

A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694.

.DESCRIPTION

clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the first DWORD, the context structure will become corrupted and subsequent scanning calls will fail open.
```
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    char *newargv[] = { NULL, "-l", NULL };
    char *newenviron[] = { NULL };

    newargv[0] = argv[1];
```
```c
/*
 * Here's a sample kernel module showing the use of jprobes to dump
 * the arguments of the third-party network driver for Bercut ETN.
 *
 * For more information on the theory of operation of jprobes, see
 * Documentation/kprobes.txt
 *
 * Build and insert the kernel module as done in the kprobe example.
 * You will see the trace data in /var/log/messages and on the
 * console whenever do_fork() is invoked to create a new process.
```