Skip to content

Instantly share code, notes, and snippets.

Ryan Hanson ryhanson

View GitHub Profile
@ryhanson
ryhanson / ResetASProtectTrial.cs
Created Feb 26, 2017
Proof of concept console application that bypasses program trials protected by ASProtect.
View ResetASProtectTrial.cs
using Microsoft.Win32;
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Threading;
namespace ResetASProtectTrial
{
class Program
{
View keybase.md

Keybase proof

I hereby claim:

  • I am ryhanson on github.
  • I am ryhanson (https://keybase.io/ryhanson) on keybase.
  • I have a public key whose fingerprint is E56C 181A CBB5 18C7 6E34 8220 8B5F 9F48 F531 54B7

To claim this, I am signing this object:

@ryhanson
ryhanson / ExcelXLL.md
Last active Apr 5, 2019
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method
View ExcelXLL.md

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

You can’t perform that action at this time.