Create a template service file at /etc/systemd/system/secure-tunnel@.service. The template parameter will correspond to the name
of target host:
[Unit]
Description=Setup a secure tunnel to %I
After=network.target
mgeeky
/ vdm_lua_extract.py
Created
March 25, 2024 18:54
— forked from HackingLZ/vdm_lua_extract.py
VDM Lua Extractor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### Original script and research by commial | |
| ### https://github.com/commial/experiments/tree/master/windows-defender | |
| ### Set LUADec_Path to binary | |
| ### https://github.com/viruscamp/luadec | |
| import struct | |
| import argparse | |
| import sys | |
| import os | |
| import io | |
| import subprocess |
mgeeky
/ DInjectQueuerAPC.cs
Created
June 27, 2023 22:40
— forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |
mgeeky
/ Cleanup-ClickOnce.ps1
Last active
March 18, 2024 16:05
Cleanup-ClickOnce.ps1 - Simple Powershell script that removes ClickOnce deployments entirely from file system and registry. Attempts to remove both installed and online-only deployments.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Simple Powershell script that removes ClickOnce deployments entirely from file system and registry. | |
| # Attempts to remove both installed and online-only deployments. | |
| # | |
| # Authored: Mariusz Banach / mgeeky, <mb [at] binary-offensive.com> | |
| # | |
| # Usage: | |
| # PS> . .\Cleanup-ClickOnce.ps1 | |
| # PS> Cleanup-ClickOnce -Name MyAppName | |
| # |
mgeeky
/ Dynamic_PInvoke_Shellcode.cs
Created
June 22, 2023 19:19
— forked from bohops/Dynamic_PInvoke_Shellcode.cs
Dynamic_PInvoke_Shellcode.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs | |
| using System; | |
| using System.Runtime.InteropServices; | |
| using System.Reflection; | |
| using System.Reflection.Emit; | |
| namespace ShellcodeLoader | |
| { | |
| class Program |
mgeeky
/ Application_Guard_WDAC_Policy.xml
Created
June 22, 2023 19:18
— forked from bohops/Application_Guard_WDAC_Policy.xml
Microsoft Defender Application Guard WDAC policy (for Edge). Converted using @mattifestation's ConvertTo-CIPolicy PowerShell Script [https://gist.github.com/mattifestation/92e545bf1ee5b68eeb71d254cec2f78e]
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0"?> | |
| <SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
| <VersionEx>10.0.3.14</VersionEx> | |
| <PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
| <PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID> | |
| <BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID> | |
| <Rules> | |
| <Rule> | |
| <Option>Enabled:UMCI</Option> | |
| </Rule> |
mgeeky
/ README-setup-tunnel-as-systemd-service.md
Created
June 20, 2023 10:53
— forked from drmalex07/README-setup-tunnel-as-systemd-service.md
Setup a secure (SSH) tunnel as a systemd service. #systemd #ssh #ssh-tunnel #ssh-forward
mgeeky
/ _Instructions_Reproduce.md
Created
June 6, 2023 21:10
— forked from leoloobeek/_Instructions_Reproduce.md
GhostLoader - AppDomainManager - Injection - 攻壳机动队
GhostLoader Steps :)
1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
mgeeky
/ _notes.md
Created
June 6, 2023 21:09
— forked from djhohnstein/_notes.md
AppDomainManager Injection
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
mgeeky
/ HInvoke.cs
Created
May 18, 2023 00:18
— forked from dr4k0nia/HInvoke.cs
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime. Read the blog post: https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avo…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System.Linq; | |
| using System.Reflection; | |
| namespace HashInvoke; | |
| public class HInvoke | |
| { | |
| public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null) | |
| { | |
| // Get the System assembly and go trough all its types hash their name |
mgeeky
/ Source.cpp
Created
May 9, 2023 22:12
— forked from alfarom256/Source.cpp
Thread Execution via NtCreateWorkerFactory
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <winternl.h> | |
| #include <stdio.h> | |
| #define WORKER_FACTORY_FULL_ACCESS 0xf00ff | |
| // https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52 | |
| typedef enum _WORKERFACTORYINFOCLASS | |
| { | |
| WorkerFactoryTimeout, // LARGE_INTEGER |
NewerOlder