Skip to content

Instantly share code, notes, and snippets.

View theguly's full-sized avatar

guly theguly

49 followers · 8 following
View GitHub Profile
@EvanMcBroom
EvanMcBroom / perfect-loaders.md
Created September 30, 2023 14:06
Perfect Loader Implementations

Perfect Loader Implementations

Thank you to SpecterOps for supporting this research and to Lee and Sarah for proofreading and editing! Crossposted on the SpecterOps Blog.

TLDR: You may use fuse-loader or perfect-loader as examples for extending an OS's native loader to support in-memory libraries.

Some software applications require the ability to load dynamic libraries from the memory of the application's own process. The majority of desktop OSes do not support this use case, so a number of developers have reimplemented the process of loading a library to overcome this limitation.

@mgeeky
mgeeky / Cleanup-ClickOnce.ps1
Last active March 18, 2024 16:05
Cleanup-ClickOnce.ps1 - Simple Powershell script that removes ClickOnce deployments entirely from file system and registry. Attempts to remove both installed and online-only deployments.
#
# Simple Powershell script that removes ClickOnce deployments entirely from file system and registry.
# Attempts to remove both installed and online-only deployments.
#
# Authored: Mariusz Banach / mgeeky, <mb [at] binary-offensive.com>
#
# Usage:
# PS> . .\Cleanup-ClickOnce.ps1
# PS> Cleanup-ClickOnce -Name MyAppName
#
@eversinc33
eversinc33 / fakeAmsiDll.cpp
Created June 6, 2023 17:36
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include <stdio.h>
#include <stdlib.h>
#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)
// generated with sharpdllproxy.
@mvelazc0
mvelazc0 / attack_range.yml
Created March 23, 2023 15:14
general:
cloud_provider: aws
attack_range_password: AW^@#^%&^#@##
use_prebuilt_images_with_packer: '0'
key_name: yourkey-001423
ip_whitelist: 8.8.8.8 #your public ip address
attack_range_name: test-range
aws:
private_key_path: /Users/your/key-001423.key
region: us-west-2
@susMdT
susMdT / Program.cs
Created February 24, 2023 02:57
C# Amsi bypass with hardware breakpint
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
namespace Test
{
// CCOB IS THE GOAT
@julianxhokaxhiu
julianxhokaxhiu / create-iso.sh
Created October 31, 2022 12:31
Simple bash script to create a Bootable ISO from macOS Ventura Install Image from Mac App Store
#!/usr/bin/env bash
#===========================================================================
# Works only with the official image available in the Mac App Store.
# Make sure you download the official installer before running this script.
#===========================================================================
# Change this at your desire. Sometimes this works out of the box, sometimes not.
# Default size: ~16 GB
DISK_SIZE="15361m"
@X-C3LL
X-C3LL / FreshyCalls-VBA.vba
Created September 4, 2022 23:51
Retrieving SSN for syscalling in VBA following FreshyCalls technique
' Proof of Concept: retrieving SSN for syscalling in VBA
' Author: Juan Manuel Fernandez (@TheXC3LL)
'Based on:
'https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
'https://www.crummie5.club/freshycalls/
Private Type LARGE_INTEGER
@dr4k0nia
dr4k0nia / HInvoke.cs
Last active September 12, 2023 17:09
A very minimalistic approach of calling .net runtime functions or accessing properties using only hashes as identifiers. It does not leave any strings or import references since we dynamically resolve the required member from the mscorlib assembly on runtime. Read the blog post: https://dr4k0nia.github.io/dotnet/coding/2022/08/10/HInvoke-and-avo…
using System.Linq;
using System.Reflection;
namespace HashInvoke;
public class HInvoke
{
public static T InvokeMethod<T>(uint classID, uint methodID, object[]? args = null)
{
// Get the System assembly and go trough all its types hash their name
@gmurdocca
gmurdocca / socat_caesar_dpi.md
Last active January 22, 2024 05:08
Circumventing Deep Packet Inspection with Socat and rot13

Circumventing Deep Packet Inspection with Socat and rot13

I have a Linux virtual machine inside a customer's private network. For security, this VM is reachable only via VPN + Citrix + Windows + a Windows SSH client (eg PuTTY). I am tasked to ensure this Citrix design is secure, and users can not access their Linux VM's or other resources on the internal private network in any way outside of using Citrix.

The VM can access the internet. This task should be easy. The VM's internet gateway allows it to connect anywhere on the internet to TCP ports 80, 443, and 8090 only. Connecting to an internet bastion box on one of these ports works and I can send and receive clear text data using netcat. I plan to use good old SSH, listening on tcp/8090 on the bastion, with a reverse port forward configured to expose sshd on the VM to the public, to show their Citrix gateway can be circumvented.

Rejected by Deep Packet Inspection

I hit an immediate snag. The moment I try to establish an SSH or SSL connection over o

@Cracked5pider
Cracked5pider / ReflectedDll.c
Last active January 20, 2022 14:01
Get output from injected reflected dll
//===============================================================================================//
// This is a stub for the actuall functionality of the DLL.
//===============================================================================================//
#include "ReflectiveLoader.h"
#include <stdio.h>
// Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
// defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own
// DllMain and use the LoadRemoteLibraryR() API to inject this DLL.