Skip to content

Instantly share code, notes, and snippets.

View mgeeky's full-sized avatar
💭
Wanna sip a sencha?

Mariusz Banach mgeeky

💭
Wanna sip a sencha?
2.3k followers · 95 following
  • Binary-Offensive.com
  • Poland
  • X @mariuszbit
View GitHub Profile
@mgeeky
mgeeky / vdm_lua_extract.py
Created March 25, 2024 18:54 — forked from HackingLZ/vdm_lua_extract.py
VDM Lua Extractor
### Original script and research by commial
### https://github.com/commial/experiments/tree/master/windows-defender
### Set LUADec_Path to binary
### https://github.com/viruscamp/luadec
import struct
import argparse
import sys
import os
import io
import subprocess
@mgeeky
mgeeky / _notes.md
Created June 6, 2023 21:09 — forked from djhohnstein/_notes.md
AppDomainManager Injection

Let's turn Any .NET Application into an LOL Bin

We can do this by experimenting with .config files.

Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name

In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.

We do this by directing the application to read a config file we provide.

@mgeeky
mgeeky / Source.cpp
Created May 9, 2023 22:12 — forked from alfarom256/Source.cpp
Thread Execution via NtCreateWorkerFactory
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // LARGE_INTEGER
@mgeeky
mgeeky / HInvoke.cs
Created May 18, 2023 00:18 — forked from dr4k0nia/HInvoke.cs
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime. Read the blog post: https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avo…
using System.Linq;
using System.Reflection;
namespace HashInvoke;
public class HInvoke
{
public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null)
{
// Get the System assembly and go trough all its types hash their name
@mgeeky
mgeeky / Update_Notes.md
Created April 30, 2020 21:41
You have found THE coolest gist :) Come to DerbyCon to learn more. Loading .NET Assemblies into Script Hosts - Abusing System32||SysWow64\Tasks writable property

Using Hard Links to point back to attacker controlled location.

mklink /h C:\Windows\System32\Tasks\tasks.dll C:\Tools\Tasks.dll
Hardlink created for C:\Windows\System32\Tasks\tasks.dll <<===>> C:\Tools\Tasks.dll

This can redirect the search to an arbitrary location and evade tools that are looking for filemods in a particular location.

xref: https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

@mgeeky
mgeeky / README-setup-tunnel-as-systemd-service.md
Created June 20, 2023 10:53 — forked from drmalex07/README-setup-tunnel-as-systemd-service.md
Setup a secure (SSH) tunnel as a systemd service. #systemd #ssh #ssh-tunnel #ssh-forward

README

Create a template service file at /etc/systemd/system/secure-tunnel@.service. The template parameter will correspond to the name of target host:

[Unit]
Description=Setup a secure tunnel to %I
After=network.target
@mgeeky
mgeeky / bh_split2.py
Created May 25, 2021 09:56 — forked from Acebond/bh_split2.py
Split large SharpHound datasets (JSON files) into smaller files that can more easily be imported into BloodHound. Especially useful due to the Electron memory limitations.
#!/usr/bin/python3
# Based on https://gist.github.com/deltronzero/7c23bacf97b4b61c7a2f2950ef6f35d8
# pip install simplejson
import simplejson
import sys
def splitfile(file_name, object_limit):
print(f"[*] Loading {file_name}")
with open(file_name) as f:
data = simplejson.load(f)
@mgeeky
mgeeky / Dynamic_PInvoke_Shellcode.cs
Created June 22, 2023 19:19 — forked from bohops/Dynamic_PInvoke_Shellcode.cs
Dynamic_PInvoke_Shellcode.cs
//original runner by @Arno0x: https://github.com/Arno0x/CSharpScripts/blob/master/shellcodeLauncher.cs
using System;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
namespace ShellcodeLoader
{
class Program
@mgeeky
mgeeky / How to use a function pointer in VBA.md
Created October 22, 2021 09:16 — forked from sancarn/How to use a function pointer in VBA.md
How to use a function pointer in VBA by Akihito Yamashiro

VB6 and VBA come with no support for function pointers.

Also, when you wish to execute a function in a dll using the Declare function, you can only call functions created by the Steadcall calling conversation.

These constraints can be avoided by using the DispCallFunc API. The DispCallFunc is widely used in VB6 when erasing the history of IE. Although the DispCallFunc is known as API for calling the IUnknown interface, in fact, you can also perform other functions other than COM by passing the NULL to the first argument.

As explained in the http://msdn.microsoft.com/en-us/library/ms221473(v=vs.85).aspx , the DispCallFunc argument is as follows.

@mgeeky
mgeeky / FreshyCalls-VBA.vba
Created January 12, 2023 00:44 — forked from X-C3LL/FreshyCalls-VBA.vba
Retrieving SSN for syscalling in VBA following FreshyCalls technique
' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)
'Based on:
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
'https://www.crummie5.club/freshycalls/
Private Type LARGE_INTEGER