Mr-Un1k0d3r / run.c
Created Aug 11, 2021
spawn an invisible process
// To compile: gcc64.exe run.c -o run.exe
// To run: run.exe cmd.exe "/c whoami"
#include <Windows.h>
#include <stdio.h>
int main(int argc, char **argv) {
CHAR cDesktop[] = "hiddendesktop";
system32_exports.txt (truncated)
[*] - C:\Windows\System32\1028\VsGraphicsResources.dll
[?] 64-bit Image!
[>] Time Stamp: 12/31/1969 19:00:00
[>] Function Count:
[>] Named Functions:
[>] Ordinal Base:
[>] Function Array RVA: 0x
rvrsh3ll / DInjectQueuerAPC.cs
Created Nov 20, 2020 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
public class Program
ropnop / go-sharp-loader.go
Created Aug 5, 2020
Example Go file embedding multiple .NET executables
package main
Example Go program with multiple .NET Binaries embedded
This requires packr ( and the utility. Install with:
$ go get -u
Place all your EXEs in a "binaries" folder
TheWover / EtwpTest.cs
Created May 6, 2020
Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace EtwpTest
class Program
static void Main(string[] args)
TheWover / Find-Assemblies.ps1
Last active Aug 2, 2021
Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.
HelpMessage="Directory to search for .NET Assemblies in.")]
HelpMessage="Whether or not to search recursively.")]
[switch]$Recurse = $false,
HelpMessage="Whether or not to include DLLs in the search.")]
[switch]$DLLs = $false,
monoxgas / main.cpp
Created Feb 12, 2020
Adaptive DLL Hijacking - Patching LoadLibrary Return
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
BOOL PatchTheRet(HMODULE realModule) {
// Get primary module info
monoxgas / main.cpp
Created Feb 12, 2020
Adaptive DLL Hijacking - Stability Hooking
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
// Insert evil stuff
khr0x40sh / Get-VBACHRObfuscatedString.ps1
Created Nov 19, 2019
Takes a string and applies CHR(ascii int) & for each character in string
Param([string]$string = "C:\windows\syswow64\windowspowershell\v1.0\powershell.exe -exec Bypass -nop ping"
$result = ""
$strA = $string.ToCharArray()
for($i = 0; $i -lt $strA.Length; $i++)
$x = [byte]$strA[$i]
$result += "Chr (" + $x.ToString() + ") & "
Neo23x0 /
Last active Oct 7, 2021
Learning Aid - Top Base64 Encodings Table

| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16) |
| TVq | 📺 Television | MZ | MZ header |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
| SQBFAF | 🐣 Squab favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | 🐣 Squab uahhh | I.n. | PowerShell Invoke string (UTF-16), e.g. Invoke-Mimikatz |
| PAA | 💪 "Pah!" | <. | Often used by Emotet (UTF-16) |