Mariusz Banach mgeeky

Wanna sip a sencha?
  • Poland
  • X @mariuszbit
mgeeky /
Created March 25, 2024 18:54 — forked from HackingLZ/
VDM Lua Extractor
### Original script and research by commial
### Set LUADec_Path to binary
import struct
import argparse
import sys
import os
import io
import subprocess
mgeeky / DInjectQueuerAPC.cs
Created June 27, 2023 22:40 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
public class Program
mgeeky / Cleanup-ClickOnce.ps1
Last active March 18, 2024 16:05
Cleanup-ClickOnce.ps1 - Simple Powershell script that removes ClickOnce deployments entirely from file system and registry. Attempts to remove both installed and online-only deployments.
# Simple Powershell script that removes ClickOnce deployments entirely from file system and registry.
# Attempts to remove both installed and online-only deployments.
# Authored: Mariusz Banach / mgeeky, <mb [at]>
# Usage:
# PS> . .\Cleanup-ClickOnce.ps1
# PS> Cleanup-ClickOnce -Name MyAppName
mgeeky / Dynamic_PInvoke_Shellcode.cs
Created June 22, 2023 19:19 — forked from bohops/Dynamic_PInvoke_Shellcode.cs
//original runner by @Arno0x:
using System;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
namespace ShellcodeLoader
class Program
mgeeky / Application_Guard_WDAC_Policy.xml
Created June 22, 2023 19:18 — forked from bohops/Application_Guard_WDAC_Policy.xml
Microsoft Defender Application Guard WDAC policy (for Edge). Converted using @mattifestation's ConvertTo-CIPolicy PowerShell Script []
<?xml version="1.0"?>
<SiPolicy xmlns:xsd="" xmlns:xsi="" xmlns="urn:schemas-microsoft-com:sipolicy">
mgeeky /
Created June 20, 2023 10:53 — forked from drmalex07/
Setup a secure (SSH) tunnel as a systemd service. #systemd #ssh #ssh-tunnel #ssh-forward


Create a template service file at /etc/systemd/system/secure-tunnel@.service. The template parameter will correspond to the name of the target host:

Description=Setup a secure tunnel to %I
mgeeky /
Created June 6, 2023 21:10 — forked from leoloobeek/
GhostLoader - AppDomainManager - Injection - Ghost in the Shell

GhostLoader Steps :)

1. Create C:\Tools
2. Copy Some .NET, any .NET binary to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
mgeeky /
Created June 6, 2023 21:09 — forked from djhohnstein/
AppDomainManager Injection

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed; they do this by matching Original Filename to Process Name.

In this example, we don't have to rename anything. We simply coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

mgeeky / HInvoke.cs
Created May 18, 2023 00:18 — forked from dr4k0nia/HInvoke.cs
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime. Read the blog post:…
using System.Linq;
using System.Reflection;
namespace HashInvoke;
public class HInvoke
public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null)
// Get the System assembly, go through all its types and hash their names
mgeeky / Source.cpp
Created May 9, 2023 22:12 — forked from alfarom256/Source.cpp
Thread Execution via NtCreateWorkerFactory
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
WorkerFactoryTimeout, // LARGE_INTEGER