Skip to content

Instantly share code, notes, and snippets.

View mgeeky's full-sized avatar
💭
Wanna sip a sencha?

Mariusz Banach mgeeky

💭
Wanna sip a sencha?
  • Binary-Offensive.com
  • Poland
  • X @mariuszbit
View GitHub Profile
@mgeeky
mgeeky / DInjectQueuerAPC.cs
Created June 27, 2023 22:40 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
View DInjectQueuerAPC.cs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@mgeeky
mgeeky / Cleanup-ClickOnce.ps1
Last active October 16, 2023 16:31
Cleanup-ClickOnce.ps1 - Simple Powershell script that removes ClickOnce deployments entirely from file system and registry. Attempts to remove both installed and online-only deployments.
View Cleanup-ClickOnce.ps1
#
# Simple Powershell script that removes ClickOnce deployments entirely from file system and registry.
# Attempts to remove both installed and online-only deployments.
#
# Authored: Mariusz Banach / mgeeky, <mb [at] binary-offensive.com>
#
# Usage:
# PS> . .\Cleanup-ClickOnce.ps1
# PS> Cleanup-ClickOnce -Name MyAppName
#
@mgeeky
mgeeky / Dynamic_PInvoke_Shellcode.cs
Created June 22, 2023 19:19 — forked from bohops/Dynamic_PInvoke_Shellcode.cs
Dynamic_PInvoke_Shellcode.cs
View Dynamic_PInvoke_Shellcode.cs
//original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs
using System;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
namespace ShellcodeLoader
{
class Program
@mgeeky
mgeeky / Application_Guard_WDAC_Policy.xml
Created June 22, 2023 19:18 — forked from bohops/Application_Guard_WDAC_Policy.xml
Microsoft Defender Application Guard WDAC policy (for Edge). Converted using @mattifestation's ConvertTo-CIPolicy PowerShell Script [https://gist.github.com/mattifestation/92e545bf1ee5b68eeb71d254cec2f78e]
View Application_Guard_WDAC_Policy.xml
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.3.14</VersionEx>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID>
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID>
<Rules>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
@mgeeky
mgeeky / README-setup-tunnel-as-systemd-service.md
Created June 20, 2023 10:53 — forked from drmalex07/README-setup-tunnel-as-systemd-service.md
Setup a secure (SSH) tunnel as a systemd service. #systemd #ssh #ssh-tunnel #ssh-forward
View README-setup-tunnel-as-systemd-service.md

README

Create a template service file at /etc/systemd/system/secure-tunnel@.service. The template parameter will correspond to the name of target host:

[Unit]
Description=Setup a secure tunnel to %I
After=network.target
@mgeeky
mgeeky / _Instructions_Reproduce.md
Created June 6, 2023 21:10 — forked from leoloobeek/_Instructions_Reproduce.md
GhostLoader - AppDomainManager - Injection - 攻壳机动队
View _Instructions_Reproduce.md

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
@mgeeky
mgeeky / _notes.md
Created June 6, 2023 21:09 — forked from djhohnstein/_notes.md
AppDomainManager Injection
View _notes.md

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

@mgeeky
mgeeky / HInvoke.cs
Created May 18, 2023 00:18 — forked from dr4k0nia/HInvoke.cs
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime. Read the blog post: https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avo…
View HInvoke.cs
using System.Linq;
using System.Reflection;
namespace HashInvoke;
public class HInvoke
{
public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null)
{
// Get the System assembly and go trough all its types hash their name
@mgeeky
mgeeky / Source.cpp
Created May 9, 2023 22:12 — forked from alfarom256/Source.cpp
Thread Execution via NtCreateWorkerFactory
View Source.cpp
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // LARGE_INTEGER
@mgeeky
mgeeky / urbandoor.cs
Created April 11, 2023 08:23 — forked from monoxgas/urbandoor.cs
Minimal PoC code for Kerberos Unlock LPE (CVE-2023-21817)
View urbandoor.cs
using NtApiDotNet;
using NtApiDotNet.Ndr.Marshal;
using NtApiDotNet.Win32;
using NtApiDotNet.Win32.Rpc.Transport;
using NtApiDotNet.Win32.Security.Authentication;
using NtApiDotNet.Win32.Security.Authentication.Kerberos;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Client;
using NtApiDotNet.Win32.Security.Authentication.Kerberos.Server;
using NtApiDotNet.Win32.Security.Authentication.Logon;
using System;